[ https://issues.apache.org/jira/browse/BROOKLYN-280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John McCabe updated BROOKLYN-280:
---------------------------------
    Summary: br cli fails to login to brooklyn instances with self-signed SSL 
certs  (was: br cli fails to login to brooklyn instances whose SSL certs don't 
have any IP SANs)

> br cli fails to login to brooklyn instances with self-signed SSL certs
> ----------------------------------------------------------------------
>
>                 Key: BROOKLYN-280
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-280
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: John McCabe
>
> Attempt to log into Brooklyn with a cert generated following the instructions 
> on {{ops/brooklyn_properties}}, results in the following error:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate 
> certificate for 10.10.10.100 because it doesn't contain any IP SANs
> {code}
> We either need to update the {{br}} util to be more tolerant of such certs, 
> or update the instructions in {{ops/brooklyn_properties}} to describe how to 
> create certs containing the correct IP SAN for the secured server.
> I'm torn on which option is best, I'd be inclined to do both, document the 
> creation of a cert with a populated IP SAN *and* add a flag to {{br}} to 
> tolerate servers without such a cert rather than accepting them silently (if 
> that's possible with the golang crypto libs).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
