This type of change is really terrible from my perspective. We have developers working on production features and we can’t have a situation where they simply can’t get their job done because of something as simple as a certificate update. This is not a research project where a few people just need to see the note on the coffee machine that they should use Joe’s email to update their environment.
We need to make sure that we don’t break the build process for developers. I also agree that reducing barriers to entry for the community needs to be lower not higher. My two cents is to fix the problem and put a certificate in that actually is widely accepted by our tools. Down the road when the certificate authority is available in the predominant tools being used a different answer might be possible.

Brian

From: [email protected] [mailto:[email protected]] On Behalf Of Colin Dixon
Sent: Thursday, March 30, 2017 12:51 PM
To: Ed Warnicke <[email protected]>
Cc: OpenDaylight Discuss <[email protected]>; [email protected]; OpenDaylight Infrastructure <[email protected]>; Vishal Thapar <[email protected]>; Mohamed ElSerngawy <[email protected]>; Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco) <[email protected]>
Subject: Re: [OpenDaylight Discuss] [release] Certificate changes

I'm somewhat on Ed's side here. A huge number of developers use Macs. Most people will have Oracle JDKs of some kind turned on. Reasonably recent ones aren't working. Despite this whole thread, I still don't have instructions that have gotten the build to work on my Mac.

I'll put some more cycles into it later, but at this point I've personally lost ~2 hours to the problem and I haven't seen clear instructions on how to fix it. :-(

--Colin

On Thu, Mar 30, 2017 at 12:39 PM, Ed Warnicke <[email protected]> wrote:

The question is... how many people *don't* find help and just *presume* we are broken out of the box (literally don't build for reasons that are not obvious to most people).

Ed

On Thu, Mar 30, 2017 at 9:05 AM, Vishal Thapar <[email protected]> wrote:

I helped someone else using Win7 resolve this. He too got it working by getting the certificate via browser rather than through the command line. One thing we noticed is that the fingerprint of the two [browser vs cli] was different. I too confirmed the same in my own setup.
Would it be possible to share the certificate fingerprint so all can confirm if they got it correct or not?

Regards,
Vishal.

From: Colin Dixon [mailto:[email protected]]
Sent: 30 March 2017 21:30
To: Mohamed ElSerngawy <[email protected]>
Cc: Vishal Thapar <[email protected]>; Ed Warnicke <[email protected]>; OpenDaylight Discuss <[email protected]>; [email protected]; OpenDaylight Infrastructure <[email protected]>; Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco) <[email protected]>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

I haven't had more time to debug it since I found the issue. Hopefully I'll have some time today.

--Colin

On Fri, Mar 24, 2017 at 11:04 AM, Mohamed ElSerngawy <[email protected]> wrote:

Hi Colin,

I have the same issue and tried all the suggested fixes but didn't work. I'm using Mac and Java 8, did you succeed to fix it?

Thanks

On Fri, Mar 24, 2017 at 5:58 AM, Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco) <[email protected]> wrote:

Hi,

When I followed Anil’s how-to, I had problems too. Then I saved certificate manually via browser in Base-64 encoded X.509 format and ran keytool command Anil sent. Everything worked. On Windows 7.

dano

From: [email protected] [mailto:[email protected]] On Behalf Of Vishal Thapar
Sent: 24 March 2017 5:13
To: Colin Dixon; Ed Warnicke
Cc: OpenDaylight Discuss; [email protected]; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Colin,

Did you confirm the fingerprint of the certificate to make sure it is added to keystore correctly?
BTW, I have added ‘-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts’ to my MAVEN_OPTS so I don’t need to give it manually every time. Also, I’m using Windows, not Linux.

Regards,
Vishal.

From: Colin Dixon [mailto:[email protected]]
Sent: 24 March 2017 02:05
To: Ed Warnicke <[email protected]>
Cc: Vishal Thapar <[email protected]>; OpenDaylight Discuss <[email protected]>; [email protected]; OpenDaylight Infrastructure <[email protected]>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

(Dropping TSC.)

Actually, I'm still working my way through this. I cannot seem to get my Mac to trust the new ODL nexus cert. Even following Anil's suggestions above and then trying it with -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts and I still get lots of errors like:

[WARNING] Could not transfer metadata org.opendaylight.netconf:netconf-client:1.2.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'll keep shaving the Yak for a bit. I suspect moving to Linux and OpenJDK would fix it.

--Colin

On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <[email protected]> wrote:

Do we know what the root cause is of having to use that?
Ed

On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <[email protected]> wrote:

While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts option fixes the problem, it feels like the "wrong" answer. Is there a right answer?

--Colin

On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <[email protected]> wrote:

Thank you Ivan, this worked for me.

From: Ivan Hraško [mailto:[email protected]]
Sent: 20 March 2017 15:44
To: Vishal Thapar <[email protected]>; Anil Belur <[email protected]>
Cc: [email protected]; OpenDaylight Discuss <[email protected]>; [email protected]; OpenDaylight Infrastructure <[email protected]>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi

you can try:

mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts

maybe it helps

________________________________
From: Vishal Thapar <[email protected]>
Sent: 20 March 2017 11:04
To: Anil Belur
Cc: [email protected]; OpenDaylight Discuss; [email protected]; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi Anil,

I got the certificate downloaded and checked my cert store to confirm also, but still getting the same error.

Regards,
Vishal.
From: Anil Belur [mailto:[email protected]]
Sent: 20 March 2017 14:48
To: Vishal Thapar <[email protected]>
Cc: Andrew Grimberg <[email protected]>; OpenDaylight Discuss <[email protected]>; OpenDaylight Infrastructure <[email protected]>; [email protected]; [email protected]
Subject: Re: [OpenDaylight Discuss] [release] Certificate changes

On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <[email protected]> wrote:

Hi Andrew,

I am facing cert issues when trying to build locally. Does this require any specific version of Java? Do I need to manually update certificates?

This is what I have:

$ java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

This is the error I am getting:

Downloading: https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hello Vishal,

This possibly looks like the cert chain may not be imported into your $JAVA_HOME key store. For fixing this, I would try downloading the cert file and using keytool to import the certificate{s}.

--[cut]--
openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
<JAVA_HOME>/bin/keytool -import -alias nexus.opendaylight.org:443 -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt
--[/cut]--

Thanks,
Anil

_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
_______________________________________________
release mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/release
_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
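
Added example, not part of the thread or of any OpenDaylight tooling: the thread reports that the certificate saved from a browser and the one extracted on the command line had different fingerprints, and asks for a published fingerprint to compare against. This Python sketch performs that comparison on a PEM file before it is handed to keytool. It assumes the project publishes a SHA-256 fingerprint out of band; the function names, `PUBLISHED` and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate in pem_text.
    The hash covers the decoded DER bytes, so line wrapping, CRLF endings
    and text around the PEM blocks do not change the result."""
    return [hashlib.sha256(
                base64.b64decode("".join(body.split()), validate=True)
            ).hexdigest() for body in PEM_RE.findall(pem_text)]

def normalize(fingerprint):
    """Accept 'AB:CD:...' or plain hex, as different tools print it."""
    fp = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return fp

def safe_to_import(pem_text, published_fp):
    """True only when the file holds exactly one certificate and it matches
    the fingerprint published out of band; otherwise do not run keytool."""
    found = pem_fingerprints(pem_text)
    return len(found) == 1 and hmac.compare_digest(
        found[0], normalize(published_fp))

def to_pem(der, width=64, eol="\n"):
    """Helper for the constructed samples below: wrap bytes as a PEM block."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *rows,
                     "-----END CERTIFICATE-----", ""])

# Constructed stand-ins for DER bytes (not real certificates).
SERVER_DER = b"constructed bytes standing in for the server certificate " * 3
OTHER_DER = b"constructed bytes standing in for some other certificate " * 3
# Constructed: the colon-separated value a project would publish out of band.
_hex = hashlib.sha256(SERVER_DER).hexdigest().upper()
PUBLISHED = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    browser_export = to_pem(SERVER_DER, width=76, eol="\r\n")
    print("browser export:", safe_to_import(browser_export, PUBLISHED))
    print("unexpected cert:", safe_to_import(to_pem(OTHER_DER), PUBLISHED))
```

A file that fails the check, including one that contains more than one certificate, should be inspected rather than imported into `cacerts`.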
