The second curl would be: curl -k "https://admin:[email protected]:8088/riak/ssl/ynet-images-latest"

If that works from your traffic_ops host then it should also work when you
go into the paste keys screen.

Turning on Debug logging might also help. You can set log4perl.rootLogger =
ERROR, SCREEN, FILE in traffic_ops/app/conf/production/log4perl.conf

Try that out and send me what, if anything, you see in the log.

Thanks,

Dave

On Wed, Jan 18, 2017 at 9:14 AM, Nir Sopher <[email protected]> wrote:

> Thanks Dave,
> I am pasting the keys through the Manage SSL Keys -> Paste Existing Keys
> screen.
>
> Below is the output of the curl commands:
>
> $ curl -k "https://admin:[email protected]:8088/buckets/ssl/keys?keys=true"
> {"keys":["ynet-images-5","ynet-images-latest","ynet-images-4","ynet-images-3"]}
>
> $ curl -k "https://admin:[email protected]:8088/riak/ssl/xmlid-latest"
> not found
>
> Nir
>
> On Wed, Jan 18, 2017 at 4:56 PM, Dave Neuman <[email protected]> wrote:
>
> > That sucks that it still doesn't work :(
> >
> > Let's start with the config.  You said you had to set
> > `listener.https.internal= 0.0.0.0:8088`, we have that configured with the
> > IP of the riak server, but if you can successfully make curl requests from
> > the traffic_ops server, then I guess that is ok.
> >
> > As for the error you are getting...that error is basically saying that
> > Riak cannot find the SSL Keys that you are looking for.
> >
> > Which endpoint are you using when you get that error?  Are you going
> > through the Manage SSL Keys -> Paste Existing Keys screen?  Or are you
> > hitting an API?
> >
> > You should be able to see if the keys exist by running  `curl -k
> > "https://admin:password@riakURL:8088/buckets/ssl/keys?keys=true"` and
> > looking for XMLID-latest in the list of keys; you could also run `curl -k
> > "https://admin:password@riakURL:8088/riak/ssl/xmlid-latest"`
> >
> > Thanks,
> > Dave
> >
> > On Tue, Jan 17, 2017 at 1:57 PM, Nir Sopher <[email protected]> wrote:
> >
> > > Thank you Dave:)
> > >
> > > Indeed I was using Riak 2.2 with TC 1.7.
> > > I moved now to Riak 2.1.3 (same traffic ops, just replaced the vault).
> > > I see the same issues. The only change is the added log messages in
> > > traffic ops log during certificate generation:
> > >
> > > [2017-01-17 20:29:58,119] [ERROR] Active Server Severe Error: 404 - vault-int.nirs-tc1.tc-dev.qwilt.com:8088 - not found
> > >
> > > Nir
> > >
> > > On Tue, Jan 17, 2017 at 6:56 PM, Dave Neuman <[email protected]> wrote:
> > >
> > > > Hey Nir,
> > > > I think I can help here.  First of all, what version of Traffic Control
> > > > are you running and which version of Riak are you running?  We have seen
> > > > issues using newer versions of Riak with Traffic Control 1.7 and 1.8.  Those
> > > > issues should be resolved in the next release.  For now we recommend you
> > > > use Riak 2.1.x and not 2.2.x
> > > >
> > > > Once I know that we can start digging deeper.
> > > >
> > > > Thanks,
> > > > Dave
> > > >
> > > > On Tue, Jan 17, 2017 at 9:44 AM, Nir Sopher <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I am trying to launch a traffic vault and connect it to my traffic-ops
> > > > > server.
> > > > > I followed the instructions in the admin guide
> > > > > <http://traffic-control-cdn.net/docs/latest/admin/traffic_vault.html>,
> > > > > installing riak 2.2.0-1
> > > > > <http://s3.amazonaws.com/downloads.basho.com/riak/2.2/2.2.0/rhel/6/riak-2.2.0-1.el6.x86_64.rpm>
> > > > > working with a self signed certificate (created via the instructions in
> > > > > this <http://www.akadia.com/services/ssh_test_certificate.html> link)
> > > > >
> > > > > I had to deviate from the document in a few places in order to progress:
> > > > >
> > > > >    - Replacing the host part in the riak listener configuration with
> > > > >    0.0.0.0. Using real hostname made riak fail. e.g.
> > > > >    listener.https.internal = 0.0.0.0:8088
> > > > >    - Setting ssl.cacertfile to point at the server.crt (as this is a self
> > > > >    signed certificate): ssl.cacertfile = /etc/riak/certs/server.crt. Note
> > > > >    that I assume that this certificate is only used for "traffic vault
> > > > >    https" connections.
> > > > >    - In traffic ops, I initially set the "tcp port" to "8098" and "https
> > > > >    port" to "8088". When traffic ops tried to connect the vault it did it
> > > > >    via port "8098", so I changed the "tcp port" to "8088" in order for https
> > > > >    to be used.
> > > > >
> > > > >
> > > > > Validating the installation using curl -kvs
> > > > > "https://admin:password@riakserver:8088/search/query/sslkeys?wt=json&q=cdn:mycdn"
> > > > > Produced the below output:
> > > > > < HTTP/1.1 200 OK
> > > > > < Server: MochiWeb/1.1 WebMachine/1.10.9 (cafe not found)
> > > > > < Date: Wed, 11 Jan 2017 12:26:07 GMT
> > > > > < Content-Type: application/json; charset=UTF-8
> > > > > < Content-Length: 571
> > > > > <
> > > > > {"responseHeader":{"status":0,"QTime":176,"params":{"shards":"vault-int.nirs-tc1.tc-dev.qwilt.com:8093/internal_solr/sslkeys","q":"cdn:nirs-tc1-cdn","wt":"json","vault-int.nirs-tc1.tc-dev.qwilt.com:8093":"(_yz_pn:62 AND (_yz_fpn:62)) OR _yz_pn:61 OR _yz_pn:58 OR _yz_pn:55 OR _yz_pn:52 OR _yz_pn:49 OR _yz_pn:46 OR _yz_pn:43 OR _yz_pn:40 OR _yz_pn:37 OR _yz_pn:34 OR _yz_pn:31 OR _yz_pn:28 OR _yz_pn:25 OR _yz_pn:22 OR _yz_pn:19 OR _yz_pn:16 OR _yz_pn:13 OR _yz_pn:10 OR _yz_pn:7 OR _yz_pn:4 OR _yz_pn:1"}},"response":{"numFound":0,"start":0,"maxScore":0.0,"docs":[]}}
> > > > > * Connection #0 to host vault-int.nirs-tc1.tc-dev.qwilt.com left intact
> > > > > * Closing connection #
> > > > >
> > > > > However, when I created a delivery-service and tried to "generate" a
> > > > > certificate via traffic-ops, I got the below message:
> > > > > SSL keys for <ds> could not be created.  Response was: Error creating key
> > > > > and csr. Result is -1
> > > > > No log message found in traffic_ops log or in the riak log, to explain the
> > > > > issue.
> > > > >
> > > > > When pasting a certificate (self signed, including the "----" headers and
> > > > > footers), the operation succeeded. However, when the traffic servers tried to
> > > > > pull this configuration, I got the below message:
> > > > > ERROR result for
> > > > > http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json
> > > > > is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > > FATAL
> > > > > http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json
> > > > > returned HTTP 404!
> > > > >
> > > > > Any idea what may cause these issues?
> > > > > Any experience in debugging similar issues?
> > > > >
> > > > > Thanks,
> > > > > Nir
> > > > >
> > > >
> > >
> >
>
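
Added example, not part of the thread and not Traffic Ops code: the key-listing check discussed above, done offline on the listing output quoted in the thread, reporting whether `<xml_id>-latest` exists for a given delivery service. The `<xml_id>-<version>` / `<xml_id>-latest` naming is an assumption inferred from that listing, and `group_keys` and `diagnose` are hypothetical helper names.

```python
import json
import re

# Key listing copied from the `/buckets/ssl/keys?keys=true` output in the thread.
LISTING = ('{"keys":["ynet-images-5","ynet-images-latest",'
           '"ynet-images-4","ynet-images-3"]}')

# Assumption: keys are named "<xml_id>-<version>" or "<xml_id>-latest",
# as the listing above suggests.
KEY_RE = re.compile(r"(?P<xml_id>.+)-(?P<ver>latest|\d+)")


def group_keys(listing_json):
    """Return {xml_id: {"latest": bool, "versions": [int, ...]}}."""
    groups = {}
    for key in json.loads(listing_json).get("keys", []):
        m = KEY_RE.fullmatch(key)
        if m is None:
            continue  # not a key in the assumed naming scheme
        entry = groups.setdefault(m["xml_id"], {"latest": False, "versions": []})
        if m["ver"] == "latest":
            entry["latest"] = True
        else:
            entry["versions"].append(int(m["ver"]))
    for entry in groups.values():
        entry["versions"].sort()
    return groups


def diagnose(listing_json, xml_id):
    """Explain what a GET on /riak/ssl/<xml_id>-latest should return."""
    groups = group_keys(listing_json)
    lookup = f"{xml_id}-latest"
    if groups.get(xml_id, {}).get("latest"):
        return f"{lookup}: present, versions {groups[xml_id]['versions']}"
    # Riak keys are case-sensitive, so flag an xml_id that differs only in case.
    near = [k for k in groups
            if k != xml_id and k.lower() == xml_id.lower() and groups[k]["latest"]]
    if near:
        return f"{lookup}: not found, but {near[0]}-latest exists (case mismatch)"
    known = ", ".join(sorted(groups)) or "none"
    return f"{lookup}: not found; delivery services with keys: {known}"


if __name__ == "__main__":
    for name in ("ynet-images", "xmlid", "Ynet-Images"):
        print(diagnose(LISTING, name))
```
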
