[ https://issues.apache.org/jira/browse/BROOKLYN-280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John McCabe updated BROOKLYN-280:
---------------------------------
    Description: 
Attempt to log into Brooklyn with a cert generated following the instructions 
on {{ops/brooklyn_properties}}, results in the following error:
{code}
# br login https://10.10.10.100:8443 admin mypassword
Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate 
certificate for 10.10.10.100 because it doesn't contain any IP SANs
{code}
Adding the IP SAN (add {{-ext san=IP:10.10.10.100}} to the {{keytool}} 
invocation on JDK 1.7+) then results in:
{code}
# br login https://10.10.10.100:8443 admin mypassword
Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by 
unknown authority
{code}
I suspect we may need to be tolerant of self-signed certs without a trustchain, 
but do so via a flag that the user must set explicitly, for example:

{code}
br login --trustall https://10.10.10.100 admin mypassword
{code}

  was:
Attempt to log into Brooklyn with a cert generated following the instructions 
on {{ops/brooklyn_properties}}, results in the following error:
{code}
# br login https://10.10.10.100:8443 admin mypassword
Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate 
certificate for 10.10.10.100 because it doesn't contain any IP SANs
{code}
We either need to update the {{br}} util to be more tolerant of such certs, or 
update the instructions in {{ops/brooklyn_properties}} to describe how to 
create certs containing the correct IP SAN for the secured server.

I'm torn on which option is best, I'd be inclined to do both, document the 
creation of a cert with a populated IP SAN *and* add a flag to {{br}} to 
tolerate servers without such a cert rather than accepting them silently (if 
that's possible with the golang crypto libs).


> br cli fails to login to brooklyn instances with self-signed SSL certs
> ----------------------------------------------------------------------
>
>                 Key: BROOKLYN-280
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-280
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: John McCabe
>
> Attempt to log into Brooklyn with a cert generated following the instructions 
> on {{ops/brooklyn_properties}}, results in the following error:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate 
> certificate for 10.10.10.100 because it doesn't contain any IP SANs
> {code}
> Adding the IP SAN (add {{-ext san=IP:10.10.10.100}} to the {{keytool}} 
> invocation on JDK 1.7+) then results in:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by 
> unknown authority
> {code}
> I suspect we may need to be tolerant of self-signed certs without a 
> trustchain, but do so via a flag that the user must set explicitly, for 
> example:
> {code}
> br login --trustall https://10.10.10.100 admin mypassword
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
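
The two x509 errors quoted in the report can be reproduced with Go's standard `crypto/x509` verifier. The following is an added example, not code from the issue or from the `br` client: it assumes `br` relies on Go's default certificate verification, and `selfSigned` and `verify` are hypothetical helper names. It also shows a narrower option than trusting everything, which is to add the one self-signed certificate as the only root; the IP SAN check still applies in that case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed sample,
// not a real Brooklyn cert). Any ips passed in become IP SANs.
func selfSigned(ips ...net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify checks cert for host with Go's x509 verifier. With pinned set, the
// certificate itself is the only trusted root. It returns nil on success.
func verify(cert *x509.Certificate, host string, pinned bool) error {
	roots := x509.NewCertPool() // explicit pool, so system CAs play no part
	if pinned {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	host := "10.10.10.100" // address used in the report
	for _, ips := range [][]net.IP{nil, {net.ParseIP(host)}} {
		cert, err := selfSigned(ips...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("IP SANs %v: untrusted -> %v; pinned -> %v\n", ips, verify(cert, host, false), verify(cert, host, true))
	}
}
```
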
