ningyougang commented on a change in pull request #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#discussion_r134138730
########## File path: ansible/roles/nginx/files/genssl.sh ##########
@@ -56,7 +56,7 @@ else openssl req -new \ -key "$SCRIPTDIR/openwhisk-client-key.pem" \ -passin pass:$PASSWORD \ - -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=guest" \ + -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=whisk.system" \

Review comment:

* Why make this change?

answer: The `guest` user has no permission to do the action `$WSK_CLI -i --apihost "$APIHOST" package update $AUTH --shared no "$NAMESPACE/apimgmt"`, so I should change `guest` to `whisk.system`.

* Is it to install catalog?

answer: I added the below configuration to `ansible/group_vars/all`

```
#The catalog_cert_file and catalog_key_file is used to authenticate the openwhisk service when nginx ssl configuration is opened.
catalog_cert_file: "{{ openwhisk_home }}/ansible/roles/nginx/files/openwhisk-client-cert.pem"
catalog_key_file: "{{ openwhisk_home }}/ansible/roles/nginx/files/openwhisk-client-key.pem"
```

I just follow the below style in `ansible/group_vars/all`, which will be used in `installRouiteMgmt.sh`

```
# The catalog_auth_key is used to determine the secret key to authenticate the openwhisk service.
# The value for this variable can be set to either the secret key itself or the file, which
# saves the secret key.
# By default, we take the key from {{ openwhisk_home }}/ansible/files/auth.whisk.system.
catalog_auth_key: "{{ openwhisk_home }}/ansible/files/auth.whisk.system"
```

So it is used to install standard actions by passing the client certificate when using a client certificate to auth.

* Do we need to generate two?

Generating `CN=whisk.system` is enough.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services
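
Review bot: the changed `-subj` line hard-codes `CN=whisk.system` into the client certificate request with no comment explaining why, so the one certificate this script produces now names the system identity instead of `guest`. If the server-side verification this PR adds ever uses the certificate subject for more than a trust check, every holder of `openwhisk-client-key.pem` would be treated as `whisk.system`. Consider taking the CN as a script argument or variable (defaulting to the least-privileged name), adding a comment on the `-subj` line that says which install step needs `whisk.system`, and restricting the key file's permissions to the deploying user. Separately, on the unchanged context line `-passin pass:$PASSWORD` the variable is unquoted and the passphrase is passed on the command line where it is visible in process listings; quoting it, or switching to openssl's `env:` or `file:` passphrase sources, would be safer.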