ningyougang commented on a change in pull request #2427: Support client
certificate on cli and nginx
URL:
https://github.com/apache/incubator-openwhisk/pull/2427#discussion_r125246082
##########
File path: ansible/roles/nginx/files/genssl.sh
##########
@@ -8,22 +8,71 @@ if [ "$#" -ne 1 ]; then
echo "usage: $0 [common name: host or ip]"
fi
CN=$1
+TYPE=$2
+PASSWORD="openwhisk"
## generates a (self-signed) certificate
## uncomment to regenerate the key
-#openssl genrsa -out "$SCRIPTDIR/openwhisk-key.pem" 2048
+#openssl genrsa -out "$SCRIPTDIR/openwhisk-server-key.pem" 2048
-echo generating certificate request
-openssl req -new \
- -key "$SCRIPTDIR/openwhisk-key.pem" \
- -nodes \
+if [ "$TYPE" == "server" ]; then
+ echo generating server certificate request
+ openssl req -new \
+ -key "$SCRIPTDIR/openwhisk-server-key.pem" \
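Review bot: `TYPE=$2` at the top of the hunk reads a second argument, but the guard shown in the hunk header (`if [ "$#" -ne 1 ]`) and the usage text still describe a single argument. A call that supplies the type therefore hits the usage message, and nothing in the visible lines rejects an empty type. Update the argument check and the usage string to cover the type. Separately, `PASSWORD="openwhisk"` is a fixed value committed in the script; if it protects generated key material, read it from an environment or ansible variable and keep the literal only as a documented default for the example certificates. The `==` inside `[ ... ]` is a bash extension; `=` is the portable form.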
Review comment:
@jeremiaswerner @style95, I think there is no need to pass the
`{{ nginx.ssl.cert}}` parameter to the genssl.sh script. Because the server
certificate and client certificate here are all untrusted; they are just examples.
If a user wants to use their own trusted certificate, its name can't be equal
to
`openwhisk-server-cert.pem` (for the server certificate) and
`openwhisk-client-ca-cert.pem` (for the client certificate), and they should copy their own
trusted certificate under the roles/nginx/file directory before deploying openwhisk.
Please refer here:
https://github.com/ningyougang/incubator-openwhisk/blob/support-client-certificate/ansible/setup.yml#L35
If it doesn't meet the condition, the ansible task will not be executed. So
if users just don't keep the name equal to it, they can use their trusted
certificate.