What error are you getting in ORT?
On Wed, Jan 18, 2017 at 11:57 AM, Nir Sopher <[email protected]> wrote:
> OK.
> I called the command from traffic op and got the below output, which looks ok to me.
> So now I know that adding a certificate via the "paste" screen works (and not only says "success").
> Still, pulling the configuration via the ort script fails.
>
> Regarding the log, no message during the certificate paste. My log cfg is also pasted below.
>
> 10x,
> Nir
>
> $ cat /opt/traffic_ops/app/conf/production/log4perl.conf
> log4perl.rootLogger = ERROR, SCREEN, FILE
> log4perl.appender.FILE = Log::Log4perl::Appender::File
> log4perl.appender.FILE.layout = PatternLayout
> log4perl.appender.FILE.layout.ConversionPattern = [%d{ISO8601}] [%p] %m%n
> log4perl.appender.FILE.filename = /var/log/traffic_ops/traffic_ops.log
>
> log4perl.appender.SCREEN = Log::Log4perl::Appender::Screen
> log4perl.appender.SCREEN.layout = PatternLayout
> log4perl.appender.SCREEN.layout.ConversionPattern = [%d{ISO8601}] [%p] %m%n
>
>
>
> $ curl -k "https://admin:[email protected]:8088/riak/ssl/ynet-images-latest"
> {"cdn":"nirs-tc1-cdn","deliveryservice":"ynet-images","certificate":{"csr":"[base64 omitted]","crt":"[base64 omitted]","key":"[base64 omitted]"},"version":"5","hostname":"*.ynet-images.nirs-tc1-cdn.tc-dev.qwilt.com","key":"ynet-images"}
>
> On Wed, Jan 18, 2017 at 8:01 PM, Dave Neuman <[email protected]> wrote:
>
> > The second curl would be: curl -k "https://admin:[email protected]:8088/riak/ssl/ynet-images-latest"
> >
> > If that works from your traffic_ops host then it should also work when you go into the paste keys screen.
> >
> > Turning on Debug logging might also help. You can set log4perl.rootLogger = ERROR, SCREEN, FILE in traffic_ops/app/conf/production/log4perl.conf
> >
> > Try that out and send me what, if anything, you see in the log.
> >
> > Thanks,
> >
> > Dave
> >
> >
> > On Wed, Jan 18, 2017 at 9:14 AM, Nir Sopher <[email protected]> wrote:
> >
> > > Thanks Dave,
> > > I am pasting the keys through the Manage SSL Keys -> Paste Existing Keys screen.
> > >
> > > Below is the output of the curl commands:
> > >
> > > $ curl -k "https://admin:[email protected]:8088/buckets/ssl/keys?keys=true"
> > > {"keys":["ynet-images-5","ynet-images-latest","ynet-images-4","ynet-images-3"]}
> > >
> > > $ curl -k "https://admin:[email protected]:8088/riak/ssl/xmlid-latest"
> > > not found
> > >
> > > Nir
> > >
> > > On Wed, Jan 18, 2017 at 4:56 PM, Dave Neuman <[email protected]> wrote:
> > >
> > > > That sucks that it still doesn't work :(
> > > >
> > > > Let's start with the config. You said you had to set `listener.https.internal = 0.0.0.0:8088`, we have that configured with the IP of the riak server, but if you can successfully make curl requests from the traffic_ops server, then I guess that is ok.
> > > >
> > > > As for the error you are getting...that error is basically saying that Riak cannot find the SSL Keys that you are looking for.
> > > >
> > > > Which endpoint are you using when you get that error? Are you going through the Manage SSL Keys -> Paste Existing Keys screen? Or are you hitting an API?
> > > >
> > > > You should be able to see if the keys exist by running `curl -k "https://admin:password@riakURL:8088/buckets/ssl/keys?keys=true"` and looking for XMLID-latest in the list of keys; you could also run `curl -k "https://admin:password@riakURL:8088/riak/ssl/xmlid-latest"`
> > > >
> > > > Thanks,
> > > > Dave
> > > >
> > > > On Tue, Jan 17, 2017 at 1:57 PM, Nir Sopher <[email protected]> wrote:
> > > >
> > > > > Thank you Dave:)
> > > > >
> > > > > Indeed I was using Riak 2.2 with TC 1.7.
> > > > > I moved now to Riak 2.1.3 (same traffic ops, just replaced the vault).
> > > > > I see the same issues. The only change is the added log messages in traffic ops log during certificate generation:
> > > > >
> > > > > [2017-01-17 20:29:58,119] [ERROR] Active Server Severe Error: 404 - vault-int.nirs-tc1.tc-dev.qwilt.com:8088 - not found
> > > > >
> > > > > Nir
> > > > >
> > > > > On Tue, Jan 17, 2017 at 6:56 PM, Dave Neuman <[email protected]> wrote:
> > > > >
> > > > > > Hey Nir,
> > > > > > I think I can help here. First of all, what version of Traffic Control are you running and which version of Riak are you running? We have seen issues using newer versions of Riak with Traffic Control 1.7 and 1.8. Those issues should be resolved in the next release. For now we recommend you use Riak 2.1.x and not 2.2.x
> > > > > >
> > > > > > Once I know that we can start digging deeper.
> > > > > >
> > > > > > Thanks,
> > > > > > Dave
> > > > > >
> > > > > > On Tue, Jan 17, 2017 at 9:44 AM, Nir Sopher <[email protected]> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am trying to launch a traffic vault and connect it to my traffic-ops server.
> > > > > > > I followed the instructions in the admin guide <http://traffic-control-cdn.net/docs/latest/admin/traffic_vault.html>, installing riak 2.2.0-1 <http://s3.amazonaws.com/downloads.basho.com/riak/2.2/2.2.0/rhel/6/riak-2.2.0-1.el6.x86_64.rpm> working with a self signed certificate (created via the instructions in this <http://www.akadia.com/services/ssh_test_certificate.html> link)
> > > > > > >
> > > > > > > I had to deviate from the document in a few places in order to progress:
> > > > > > >
> > > > > > > - Replacing the host part in the riak listener configuration with 0.0.0.0. Using real hostname made riak fail. e.g. listener.https.internal = 0.0.0.0:8088
> > > > > > > - Setting ssl.cacertfile to point at the server.crt (as this is a self signed certificate): ssl.cacertfile = /etc/riak/certs/server.crt
> > > > > > >   Note that I assume that this certificate is only used for "traffic vault https" connections.
> > > > > > > - In traffic ops, I initially set the "tcp port" to "8098" and "https port" to "8088". When traffic ops tried to connect to the vault it did it via port "8098", so I changed the "tcp port" to "8088" in order for https to be used.
> > > > > > >
> > > > > > >
> > > > > > > Validating the installation using curl -kvs "https://admin:password@riakserver:8088/search/query/sslkeys?wt=json&q=cdn:mycdn"
> > > > > > > Produced the below output:
> > > > > > > < HTTP/1.1 200 OK
> > > > > > > < Server: MochiWeb/1.1 WebMachine/1.10.9 (cafe not found)
> > > > > > > < Date: Wed, 11 Jan 2017 12:26:07 GMT
> > > > > > > < Content-Type: application/json; charset=UTF-8
> > > > > > > < Content-Length: 571
> > > > > > > <
> > > > > > > {"responseHeader":{"status":0,"QTime":176,"params":{"shards":"vault-int.nirs-tc1.tc-dev.qwilt.com:8093/internal_solr/sslkeys","q":"cdn:nirs-tc1-cdn","wt":"json","vault-int.nirs-tc1.tc-dev.qwilt.com:8093":"(_yz_pn:62 AND (_yz_fpn:62)) OR _yz_pn:61 OR _yz_pn:58 OR _yz_pn:55 OR _yz_pn:52 OR _yz_pn:49 OR _yz_pn:46 OR _yz_pn:43 OR _yz_pn:40 OR _yz_pn:37 OR _yz_pn:34 OR _yz_pn:31 OR _yz_pn:28 OR _yz_pn:25 OR _yz_pn:22 OR _yz_pn:19 OR _yz_pn:16 OR _yz_pn:13 OR _yz_pn:10 OR _yz_pn:7 OR _yz_pn:4 OR _yz_pn:1"}},"response":{"numFound":0,"start":0,"maxScore":0.0,"docs":[]}}
> > > > > > > * Connection #0 to host vault-int.nirs-tc1.tc-dev.qwilt.com left intact
> > > > > > > * Closing connection #
> > > > > > >
> > > > > > > However, when I created a delivery-service and tried to "generate" a certificate via traffic-ops, I got the below message:
> > > > > > > SSL keys for <ds> could not be created. Response was: Error creating key and csr. Result is -1
> > > > > > > No log message was found in the traffic_ops log or in the riak log to explain the issue.
> > > > > > >
> > > > > > > When pasting a certificate (self signed, including the "----" headers and footers), the operation succeeded. However, when the traffic servers tried to pull this configuration, I got the below message:
> > > > > > > ERROR result for http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json is: ...{"message":"No SSL certificates found for nirs-tc1-cdn"}...
> > > > > > > FATAL http://ops.nirs-tc1.tc-dev.qwilt.com/api/1.2/cdns/name/nirs-tc1-cdn/sslkeys.json returned HTTP 404!
> > > > > > >
> > > > > > > Any idea what may cause these issues?
> > > > > > > Any experience in debugging similar issues?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Nir
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
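
Added example, not part of the original thread: a Python helper that summarizes a record shaped like the output of the `/riak/ssl/<xmlid>-latest` request above, reporting the PEM type and size of the `csr`, `crt` and `key` fields without echoing their contents, so the result can be shared while debugging. The function names, sample record and host names are constructed for illustration.

```python
import base64
import json
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# PEM label each certificate field is expected to carry (suffix match).
EXPECTED = {"csr": "CERTIFICATE REQUEST", "crt": "CERTIFICATE", "key": "PRIVATE KEY"}

def describe_pem(b64_value):
    """Decode one base64 field; report only its PEM label, size and framing."""
    raw = base64.b64decode(b64_value)  # embedded newlines are skipped
    m = PEM_BEGIN.search(raw)
    label = m.group(1).decode() if m else None
    framed = label is not None and f"-----END {label}-----".encode() in raw
    return {"pem_label": label, "bytes": len(raw), "framed": framed}

def summarize_vault_record(body):
    """Summarize a record without echoing any csr/crt/key material."""
    rec = json.loads(body)
    cert = rec.get("certificate") or {}
    # The top-level "key" is the record name, not the private key.
    out = {k: rec.get(k) for k in ("cdn", "deliveryservice", "version", "hostname", "key")}
    out["certificate"], out["problems"] = {}, []
    for field, want in EXPECTED.items():
        if field not in cert:
            out["problems"].append(f"{field}: missing")
            continue
        info = out["certificate"][field] = describe_pem(cert[field])
        if not ((info["pem_label"] or "").endswith(want) and info["framed"]):
            out["problems"].append(f"{field}: expected {want}, found {info['pem_label']}")
    return out

def _b64_pem(label):
    # Constructed placeholder PEM, line-wrapped like MIME base64.
    pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return base64.encodebytes(pem.encode()).decode()

SAMPLE = json.dumps({  # constructed record using the field layout seen in the thread
    "cdn": "example-cdn", "deliveryservice": "example-ds",
    "certificate": {"csr": _b64_pem("CERTIFICATE REQUEST"),
                    "crt": _b64_pem("CERTIFICATE"),
                    "key": _b64_pem("RSA PRIVATE KEY")},
    "version": "5", "hostname": "*.example-ds.example-cdn.example.com",
    "key": "example-ds"})

if __name__ == "__main__":
    print(json.dumps(summarize_vault_record(SAMPLE), indent=2))
```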