Re: [OpenDaylight Discuss] [release] Certificate changes

Thu, 30 Mar 2017 17:26:14 -0700 

+1.

Regards,

Ryan Goulding

On Thu, Mar 30, 2017 at 6:12 PM, Ed Warnicke <[email protected]> wrote:

> I think it's also probably worth noting that we are basically talking
> about less than $80 a year and a small number of minutes to solve
> this problem:
>
> https://ssl.comodo.com/landing/ssl/index-new03.php?af=7697&key1sk1=sem&ap=
> CUCSEM2017&gclid=Cj0KEQjw2fLGBRDopP-vg7PLgvsBEiQAUOnIXA9GgtA5W0JH7o0_
> Wt7EGiajYLoSUAxbkydr78bfzi4aAnm78P8HAQ
>
> Its not like its expensive or hard.
>
> Ed
>
> On Thu, Mar 30, 2017 at 10:09 AM, FREEMAN, BRIAN D <[email protected]> wrote:
>
>> This type of change is really terrible from my perspective. We have
>> developers working on production features and we cant have a situation
>> where they simply can’t get their job done because of something as simple
>> as a certificate update. This is not a research project where a few people
>> just need to see the note on the coffee machine that they should use  joe’s
>> email to update their environment.
>>
>>
>>
>> We need to make sure that we don’t break the build process for
>> developers. I also agree that reducing barriers to entry for the community
>> needs to be lower not higher.
>>
>>
>>
>> My two cents is to fix the problem and put a certificate in that actually
>> is widely accepted by our tools. Down the road when the certificate
>> authority is available in the predominant tools being used a different
>> answer might be possible.
>>
>>
>>
>> Brian
>>
>>
>>
>>
>>
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Colin Dixon
>> *Sent:* Thursday, March 30, 2017 12:51 PM
>> *To:* Ed Warnicke <[email protected]>
>> *Cc:* OpenDaylight Discuss <[email protected]>;
>> [email protected]; OpenDaylight Infrastructure <
>> [email protected]>; Vishal Thapar <
>> [email protected]>; Mohamed ElSerngawy <[email protected]>;
>> Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco) <
>> [email protected]>
>>
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>> I'm somewhat on Ed's side here. A huge number of developers use Macs.
>> Most people will have Oracle JDKs of some kind turned on. Reasonably recent
>> ones aren't working. Despite this whole thread, I still don't have
>> instructions that have gotten the build to work on my Mac. I'll put some
>> more cycles into it later, but at this point I've personally lost ~2 hours
>> to the problem and I haven't seen clear instructions on how to fix it. :-(
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Thu, Mar 30, 2017 at 12:39 PM, Ed Warnicke <[email protected]> wrote:
>>
>> The question is... how many people *don't* find help and just *presume*
>> we are broken out of the box (literally don't build for reasons that are
>> not obvious to most people).
>>
>>
>>
>> Ed
>>
>>
>>
>> On Thu, Mar 30, 2017 at 9:05 AM, Vishal Thapar <
>> [email protected]> wrote:
>>
>> I helped someone else using Win7 resolve. He too got it working by
>> getting the certificate via browser than though commandline. One thing we
>> noticed that fingerprint of the two [browser vs cli] was different. I too
>> confirmed the same in my own setup.
>>
>>
>>
>> Would it be possible to share certificate fingerprint so all can confirm
>> if they got it correct or not?
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Colin Dixon [mailto:[email protected]]
>> *Sent:* 30 March 2017 21:30
>> *To:* Mohamed ElSerngawy <[email protected]>
>> *Cc:* Vishal Thapar <[email protected]>; Ed Warnicke <
>> [email protected]>; OpenDaylight Discuss <[email protected]>;
>> [email protected]; OpenDaylight Infrastructure <
>> [email protected]>; Daniel Malachovsky -X (dmalacho
>> - PANTHEON TECHNOLOGIES at Cisco) <[email protected]>
>>
>>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> I haven't had more time to debug it since I found the issue. Hopefully
>> I'll have some time today.
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Fri, Mar 24, 2017 at 11:04 AM, Mohamed ElSerngawy <
>> [email protected]> wrote:
>>
>> Hi Colin,
>>
>>
>>
>> I have the same issue and tried all the suggested fixes but didn't work.
>> I'm using Mac and java 8, did u succeed to fix it ?
>>
>>
>>
>> Thanks
>>
>>
>>
>> On Fri, Mar 24, 2017 at 5:58 AM, Daniel Malachovsky -X (dmalacho -
>> PANTHEON TECHNOLOGIES at Cisco) <[email protected]> wrote:
>>
>> Hi,
>>
>>
>>
>> When I followed Anil’s how-to, I had problems too.
>>
>> Then I saved certificate manually via browser in Base-64 encoded X.509
>> format and ran keytool command Anil sent. Everything worked.
>> On Windows 7.
>>
>>
>>
>> dano
>>
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Vishal Thapar
>> *Sent:* 24. marca 2017 5:13
>> *To:* Colin Dixon; Ed Warnicke
>> *Cc:* OpenDaylight Discuss; [email protected]; OpenDaylight
>> Infrastructure
>>
>>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Colin,
>>
>>
>>
>> Did you confirm the fingerprint of the certificate to make sure it is
>> added to keystore correctly?
>>
>>
>>
>> BTW, I have added ‘-Djavax.net.ssl.trustStore=$J
>> AVA_HOME/jre/lib/security/cacerts’ to my MAVEN_OPTS so I don’t need to
>> give it manually everytime.
>>
>>
>>
>> Also, I’m using Windows, not Linux.
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Colin Dixon [mailto:[email protected] <[email protected]>]
>> *Sent:* 24 March 2017 02:05
>> *To:* Ed Warnicke <[email protected]>
>> *Cc:* Vishal Thapar <[email protected]>; OpenDaylight Discuss <
>> [email protected]>; [email protected];
>> OpenDaylight Infrastructure <[email protected]>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> (Dropping TSC.)
>>
>>
>>
>> Actually, I'm still working my way through this. I cannot seem to get my
>> Mac to trust the new ODL nexus cert. Even following Anil's suggestions
>> above and then trying it with -Djavax.net.ssl.trustStor
>> e=$JAVA_HOME/jre/lib/security/cacerts and I still get lots of errors
>> like:
>>
>> [WARNING] Could not transfer metadata org.opendaylight.netconf:netco
>> nf-client:1.2.0-SNAPSHOT/maven-metadata.xml from/to
>> opendaylight-snapshot (https://nexus.opendaylight.or
>> g/content/repositories/opendaylight.snapshot/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nexus.opendaylight.org_content_repositories_opendaylight.snapshot_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=zhOZWSM-XsqNSaDYfUWAZ5QqiUfF_TkX6rN3oAtaYbo&e=>):
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> I'll keep shaving the Yak for a bit. I suspect moving to Linux and
>> OpenJDK would fix it.
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <[email protected]> wrote:
>>
>> Do we know what the root cause is of having to use that?
>>
>>
>>
>> Ed
>>
>>
>>
>> On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <[email protected]>
>> wrote:
>>
>> While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>> option fixes the problem, it feels like the "wrong" answer. Is there a
>> right answer?
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <
>> [email protected]> wrote:
>>
>> Thank you Ivan, this worked for me.
>>
>>
>>
>> *From:* Ivan Hraško [mailto:[email protected]]
>> *Sent:* 20 March 2017 15:44
>> *To:* Vishal Thapar <[email protected]>; Anil Belur <
>> [email protected]>
>> *Cc:* [email protected]; OpenDaylight Discuss <
>> [email protected]>; [email protected];
>> OpenDaylight Infrastructure <[email protected]>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi
>>
>>
>>
>> you can try:
>>
>>
>>
>> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME
>> /jre/lib/security/cacerts
>>
>>
>>
>> maybe it helps
>> ------------------------------
>>
>> *Od:* Vishal Thapar <[email protected]>
>> *Odoslané:* 20. marca 2017 11:04
>> *Komu:* Anil Belur
>> *Kópia:* [email protected]; OpenDaylight Discuss;
>> [email protected]; OpenDaylight Infrastructure
>> *Predmet:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi Anil,
>>
>>
>>
>> I got the certificate downloaded and checked my cert store to confirm
>> also, but still getting the same error.
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Anil Belur [mailto:[email protected]
>> <[email protected]>]
>> *Sent:* 20 March 2017 14:48
>> *To:* Vishal Thapar <[email protected]>
>> *Cc:* Andrew Grimberg <[email protected]>; OpenDaylight
>> Discuss <[email protected]>; OpenDaylight Infrastructure <
>> [email protected]>; [email protected];
>> [email protected]
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <
>> [email protected]> wrote:
>>
>> Hi Andrew,
>>
>> I am facing cert issues when trying to build locally. Does this require
>> any specific version of Java? Do I need to manually update certificates?
>>
>> This is what I have:
>> $ java -version
>> java version "1.8.0_60"
>> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
>> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>>
>> This is the error I am getting:
>>
>> Downloading: https://nexus.opendaylight.org/content/repositories/opendayl
>> ight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/
>> maven-metadata.xml
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nexus.opendaylight.org_content_repositories_opendaylight.snapshot_org_opendaylight_neutron_model_0.8.0-2DSNAPSHOT_maven-2Dmetadata.xml&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=_7EA3wBrVPgD5fyf_Y4VexAtPVbSCSrOhFsW7C5C9Mg&e=>
>> [WARNING] Could not transfer metadata org.opendaylight.neutron:model
>> :0.8.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (
>> https://nexus.opendaylight.org/content/reposit
>> ories/opendaylight.snapshot/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nexus.opendaylight.org_content_repositories_opendaylight.snapshot_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=zhOZWSM-XsqNSaDYfUWAZ5QqiUfF_TkX6rN3oAtaYbo&e=>):
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find vali
>> d certification path to requested target
>>
>>
>>
>> Hello Vishal,
>>
>>
>>
>> This possibly looks like the cert chain may not be imported into your
>> $JAVA_HOME key store. For fixing this, I would try downloading the cert
>> file and using keytool to import the certificate{s}.
>>
>>
>>
>> --[cut]--
>>
>> openssl s_client -connect nexus.opendaylight.org:443
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__nexus.opendaylight.org-3A443&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=FH6_t1pVsbX1PZCJpHvmC0iMppF7orclbkhXkcEIImU&e=>
>> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >
>> public.crt
>>
>> <JAVA_HOME>/bin/keytool -import -alias nexus.opendaylight.org:443
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__nexus.opendaylight.org-3A443&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=FH6_t1pVsbX1PZCJpHvmC0iMppF7orclbkhXkcEIImU&e=>
>>  -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt
>>
>> --[/cut]--
>>
>>
>>
>> Thanks,
>>
>> Anil
>>
>>
>>
>> _______________________________________________
>> Discuss mailing list
>> [email protected]
>> https://lists.opendaylight.org/mailman/listinfo/discuss
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opendaylight.org_mailman_listinfo_discuss&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=abifMKRwH1nJqdg1D9d172UBoV3C3T6A8sWAEkSMizE&e=>
>>
>>
>>
>>
>>
>> _______________________________________________
>> release mailing list
>> [email protected]
>> https://lists.opendaylight.org/mailman/listinfo/release
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opendaylight.org_mailman_listinfo_release&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=Zn_VBQtg6Bmv-j4_Ns-Ooaek88SPuH0vVtZ0boGsXec&e=>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> release mailing list
>> [email protected]
>> https://lists.opendaylight.org/mailman/listinfo/release
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.opendaylight.org_mailman_listinfo_release&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=e3d1ehx3DI5AoMgDmi2Fzw&m=uBj55npKdZzmknZBH8T6rA_mnkjvhm46lTDniL9KvBM&s=Zn_VBQtg6Bmv-j4_Ns-Ooaek88SPuH0vVtZ0boGsXec&e=>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> _______________________________________________
> release mailing list
> [email protected]
> https://lists.opendaylight.org/mailman/listinfo/release
>
>

_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
          • ... Vishal Thapar
          • ... Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco)
          • ... Mohamed ElSerngawy
          • ... Colin Dixon
          • ... Vishal Thapar
          • ... Ed Warnicke
          • ... Colin Dixon
          • ... Colin Dixon
          • ... FREEMAN, BRIAN D
          • ... Ed Warnicke
          • ... Ryan Goulding
          • ... Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco)
          • ... Ed Warnicke
          • ... Lori Jakab
  • Re: [Ope... Anil Belur

Reply via email to