Thanks Dave,
I am pasting the keys through the Manage SSL Keys -> Paste Existing Keys screen.
Below is the output of the curl commands:

$ curl -k "https://admin:[email protected]:8088/buckets/ssl/keys?keys=true"
{"keys":["ynet-images-5","ynet-images-latest","ynet-images-4","ynet-images-3"]}

$ curl -k "https://admin:[email protected]:8088/riak/ssl/xmlid-latest"
not found

Nir

On Wed, Jan 18, 2017 at 4:56 PM, Dave Neuman <[email protected]> wrote:

> That sucks that it still doesn't work :(
>
> Let's start with the config. You said you had to set
> `listener.https.internal= 0.0.0.0:8088`, we have that configured with the IP
> of the riak server, but if you can successfully make curl requests from the
> traffic_ops server, then I guess that is ok.
>
> As for the error you are getting...that error is basically saying that Riak
> cannot find the SSL Keys that you are looking for.
>
> Which endpoint are you using when you get that error? Are you going
> through the Manage SSL Keys -> Paste Existing Keys screen? Or are you
> hitting an API?
>
> You should be able to see if the keys exist by running
> `curl -k "https://admin:password@riakURL:8088/buckets/ssl/keys?keys=true"`
> and looking for XMLID-latest in the list of keys; you could also run
> `curl -k "https://admin:password@riakURL:8088/riak/ssl/xmlid-latest"`
>
> Thanks,
> Dave
>
> On Tue, Jan 17, 2017 at 1:57 PM, Nir Sopher <[email protected]> wrote:
>
> > Thank you Dave:)
> >
> > Indeed I was using Riak 2.2 with TC 1.7.
> > I moved now to Riak 2.1.3 (same traffic ops, just replaced the vault).
> > I see the same issues. The only change is the added log messages in
> > traffic ops log during certificate generation:
> >
> > [2017-01-17 20:29:58,119] [ERROR] Active Server Severe Error: 404 - vault-int.nirs-tc1.tc-dev.qwilt.com:8088 - not found
> >
> > Nir
> >
> > On Tue, Jan 17, 2017 at 6:56 PM, Dave Neuman <[email protected]> wrote:
> >
> > > Hey Nir,
> > > I think I can help here. First of all, what version of Traffic Control
> > > are you running and which version of Riak are you running? We have seen
> > > issues using newer versions of Riak with Traffic Control 1.7 and 1.8.
> > > Those issues should be resolved in the next release. For now we
> > > recommend you use Riak 2.1.x and not 2.2.x
> > >
> > > Once I know that we can start digging deeper.
> > >
> > > Thanks,
> > > Dave
> > >
> > > On Tue, Jan 17, 2017 at 9:44 AM, Nir Sopher <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am trying to launch a traffic vault and connect it to my traffic-ops
> > > > server.
> > > > I followed the instructions in the admin guide
> > > > <http://traffic-control-cdn.net/docs/latest/admin/traffic_vault.html>,
> > > > installing riak <http://goog_1273226474>2.2.0-1
> > > > <http://s3.amazonaws.com/downloads.basho.com/riak/2.2/2.2.0/rhel/6/riak-2.2.0-1.el6.x86_64.rpm>
> > > > working with a self signed certificate (created via the instructions in
> > > > this <http://www.akadia.com/services/ssh_test_certificate.html> link)
> > > >
> > > > I had to deviate from the document in a few places in order to
> > > > progress:
> > > >
> > > > - Replacing the host part in the riak listener configuration with
> > > >   0.0.0.0. Using real hostname made riak fail. e.g.
> > > >   listener.https.internal = 0.0.0.0:8088
> > > > - Setting ssl.cacertfile to point at the server.crt (as this is a self
> > > >   signed certificate): ssl.cacertfile = /etc/riak/certs/server.crt
> > > >   Note that I assume that this certificate is only used for "traffic
> > > >   vault https" connections.
> > > > - In traffic ops, I initially set the "tcp port" to "8098" and "https
> > > >   port" to "8088". When traffic ops tried to connect the vault it did
> > > >   it via port "8098", so I changed the "tcp port" to "8088" in order
> > > >   for https to be used.
> > > >
> > > > Validating the installation using
> > > > curl -kvs "https://admin:password@riakserver:8088/search/query/sslkeys?wt=json&q=cdn:mycdn"
> > > > Produced the below output:
> > > >
> > > > < HTTP/1.1 200 OK
> > > > < Server: MochiWeb/1.1 WebMachine/1.10.9 (cafe not found)
> > > > < Date: Wed, 11 Jan 2017 12:26:07 GMT
> > > > < Content-Type: application/json; charset=UTF-8
> > > > < Content-Length: 571
> > > > <
> > > > {"responseHeader":{"status":0,"QTime":176,"params":{"shards":"vault-int.nirs-tc1.tc-dev.qwilt.com:8093/internal_solr/sslkeys","q":"cdn:nirs-tc1-cdn","wt":"json","vault-int.nirs-tc1.tc-dev.qwilt.com:8093":"(_yz_pn:62 AND (_yz_fpn:62)) OR _yz_pn:61 OR _yz_pn:58 OR _yz_pn:55 OR _yz_pn:52 OR _yz_pn:49 OR _yz_pn:46 OR _yz_pn:43 OR _yz_pn:40 OR _yz_pn:37 OR _yz_pn:34 OR _yz_pn:31 OR _yz_pn:28 OR _yz_pn:25 OR _yz_pn:22 OR _yz_pn:19 OR _yz_pn:16 OR _yz_pn:13 OR _yz_pn:10 OR _yz_pn:7 OR _yz_pn:4 OR _yz_pn:1"}},"response":{"numFound":0,"start":0,"maxScore":0.0,"docs":[]}}
> > > > * Connection #0 to host vault-int.nirs-tc1.tc-dev.qwilt.com left intact
> > > > * Closing connection #
> > > >
> > > > However, when I created a delivery-service and tried to "generate" a
> > > > certificate via traffic-ops, I got the below message:
> > > > SSL keys for <ds> could not be created. Response was: Error creating
> > > > key and csr. Result is -1
> > > > No log message found in traffic_ops log or in the riak log, to explain
> > > > the issue.
> > > >
> > > > When pasting a certificate (self signed, including the "----" headers
> > > > and footers), the operation succeeded. However, when the traffic
> > > > servers tried to pull this configuration, I got the below message:
> > > >
> > > > ERROR result for
> > > > http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json
> > > > is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > FATAL
> > > > http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json
> > > > returned HTTP 404!
> > > >
> > > > Any idea what may cause these issues?
> > > > Any experience in debugging similar issues?
> > > >
> > > > Thanks,
> > > > Nir
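
The two checks that appear in this thread (the `ssl` bucket key listing and the `sslkeys` search query) combined into one script. This is an added example, not part of the original messages or of Traffic Control. The sample responses are constructed from the output quoted above, and `ynet-images` as the delivery service xml_id is an assumption taken from the key names.

```python
import json

# Constructed samples modelled on the two responses quoted in the thread.
KEYS_LISTING = ('{"keys":["ynet-images-5","ynet-images-latest",'
                '"ynet-images-4","ynet-images-3"]}')
SEARCH_RESPONSE = ('{"responseHeader":{"status":0,"QTime":176},'
                   '"response":{"numFound":0,"start":0,"maxScore":0.0,"docs":[]}}')


def versions_by_xml_id(listing_json):
    """Group bucket keys named <xml_id>-<version> by their xml_id part."""
    groups = {}
    for key in json.loads(listing_json).get("keys", []):
        xml_id, sep, version = key.rpartition("-")
        if not sep:  # no "-" at all: treat the whole key as the xml_id
            xml_id, version = key, ""
        groups.setdefault(xml_id, set()).add(version)
    return groups


def indexed_count(search_json):
    """Number of documents the sslkeys search query matched."""
    return int(json.loads(search_json).get("response", {}).get("numFound", 0))


def diagnose(listing_json, search_json, xml_id):
    """Classify one delivery service from the two responses."""
    versions = versions_by_xml_id(listing_json).get(xml_id, set())
    if "latest" not in versions:
        return "missing: no %s-latest object in the ssl bucket" % xml_id
    if indexed_count(search_json) == 0:
        return "stored but not returned by the cdn search query"
    return "stored and returned by the cdn search query"


if __name__ == "__main__":
    # "ynet-images" is the xml_id implied by the key names in the listing
    # (an assumption); "xmlid" is the name used in the second curl command.
    for name in ("ynet-images", "xmlid"):
        print(name, "->", diagnose(KEYS_LISTING, SEARCH_RESPONSE, name))
```
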
