[
https://issues.apache.org/jira/browse/BROOKLYN-280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298645#comment-15298645
]
ASF GitHub Bot commented on BROOKLYN-280:
-----------------------------------------
GitHub user johnmccabe opened a pull request:
https://github.com/apache/brooklyn-client/pull/21
fix BROOKLYN-280, add --skipSslChecks flag to work with self-signed certs
- defaults to false, ie existing behaviour
- setting to true disables certificate chain and hostname verification
(see `InsecureSkipVerify` in https://golang.org/pkg/crypto/tls/)
- persisted to ~/.brooklyn_cli
- also bumped version to `0.10.0-SNAPSHOT`
```
bash-4.3$ br login https://10.10.10.100:8443/ admin password
Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown authority
bash-4.3$ br app
Get https://10.10.10.100:8443/v1/applications: x509: certificate signed by unknown authority
bash-4.3$ br --skipSslChecks login https://10.10.10.100:8443/ admin password
Connected to Brooklyn version 0.10.0-20160513.2042 at https://10.10.10.100:8443
bash-4.3$ br app
Id Name Status Location
```
*Note*: I'd no apps running on this system so the empty table is ok,
catalog returns as expected.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/johnmccabe/brooklyn-client fix_BROOKLYN-280
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/brooklyn-client/pull/21.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #21
----
commit 7dc9b3f009d1b7dc7197622f81a84fcd191c731f
Author: John McCabe <[email protected]>
Date: 2016-05-24T18:09:06Z
fix BROOKLYN-280, add --skipSslChecks flag
- defaults to false, ie existing behaviour
- setting to true disables certificate chain and hostname verification
(see `InsecureSkipVerify` in https://golang.org/pkg/crypto/tls/)
- persisted to ~/.brooklyn_cli
```
bash-4.3$ br login https://10.10.10.100:8443/ admin password
Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown authority
bash-4.3$ br app
Get https://10.10.10.100:8443/v1/applications: x509: certificate signed by unknown authority
bash-4.3$ br --skipSslChecks login https://10.10.10.100:8443/ admin password
Connected to Brooklyn version 0.10.0-20160513.2042 at https://10.10.10.100:8443
bash-4.3$ br app
Id Name Status Location
```
----
> br cli fails to login to brooklyn instances with self-signed SSL certs
> ----------------------------------------------------------------------
>
> Key: BROOKLYN-280
> URL: https://issues.apache.org/jira/browse/BROOKLYN-280
> Project: Brooklyn
> Issue Type: Bug
> Reporter: John McCabe
> Assignee: John McCabe
>
> Attempt to log into Brooklyn with a cert generated following the instructions
> on {{ops/brooklyn_properties}}, results in the following error:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate certificate for 10.10.10.100 because it doesn't contain any IP SANs
> {code}
> Adding the IP SAN (add {{-ext san=IP:10.10.10.100}} to the {{keytool}}
> invocation on JDK 1.7+) then results in:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown authority
> {code}
> I suspect we may need to be tolerant of self-signed certs without a
> trust chain, but do so via a flag that the user must set explicitly, for
> example:
> {code}
> br login --trustall https://10.10.10.100 admin mypassword
> {code}
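Added example, not code from the brooklyn-client pull request: it contrasts what `InsecureSkipVerify` (the setting behind `--skipSslChecks`) accepts with trusting only the server's own self-signed certificate through `RootCAs`, which keeps chain and hostname verification on. The helpers `selfSignedServer` and `get`, the throwaway certificates and the loopback test servers are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedServer: local HTTPS server with a fresh self-signed cert, IP SAN 127.0.0.1 (constructed).
func selfSignedServer() *httptest.Server {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// get requests url. skip mirrors --skipSslChecks; pin, if non-nil, is the only trusted root.
func get(url string, skip bool, pin *x509.Certificate) error {
	cfg := &tls.Config{InsecureSkipVerify: skip}
	if pin != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(pin)
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	a, b := selfSignedServer(), selfSignedServer() // b stands in for any other endpoint
	defer a.Close()
	defer b.Close()
	fmt.Println("default, a:", get(a.URL, false, nil))
	fmt.Println("skip,    b:", get(b.URL, true, nil))
	fmt.Println("pinned,  a:", get(a.URL, false, a.Certificate()))
	fmt.Println("pinned,  b:", get(b.URL, false, a.Certificate()))
}
```

With verification skipped the client completes the handshake with either server, while the pinned client connects to `a` and rejects `b`.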