Hi Vivek,

One option is to get a new aaf-sms.pr and aaf-sms.pub pair, signed by the private key of aaf_root_ca.cer, replace them in ~sms/sms-service/src/sms/certs and rebuild the image.
Thanks,
-Manjunath

From: [email protected] <[email protected]> On Behalf Of Vivekanandan Muthukrishnan
Sent: Tuesday, June 9, 2020 11:12 AM
To: [email protected]
Subject: [onap-discuss] AAF-SMS SSL certificate expiry issue

Hi AAF team,

We are blocked due to AAF-SMS self-signed certificate expiry in Dublin & ElAlto. We did try to regenerate the SSL certificates, but the quorum does not get formed due to the following exceptions.

Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority

I guess we are missing some steps. We would appreciate any quick help to resolve this one to continue with our Dublin & ElAlto deployments. Here is the step-by-step workaround that we tried.

Regards
Vivek

1. Download the following files from the AAF-SMS container, from the /sms/certs folder: aaf_root_ca.cer, aaf-sms.pr, aaf-sms.pub
   Password : secretmanagementservicesecretpassword
   # It seems like the aaf-sms service uses the first self-signed certificate from the aaf-sms.pub
   # file. This one expired on June/03/2020
   # Not sure about the reason why there is a certificate in aaf-sms.pub which will expire on
   # Aug 17 18:51:37 2023 GMT. Maybe the developer forgot to overwrite the previous one.

2. Created CSR from existing certificate
   openssl x509 -x509toreq -in aaf-sms.pub -out aaf-sms.csr -signkey aaf-sms.pr

3. Created X.509v3 extensions file since the above command does not copy the v3 extensions
   cat v3.ext
   subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
   basicConstraints = CA:FALSE
   subjectKeyIdentifier = hash
   keyUsage = critical,digitalSignature, keyEncipherment, nonRepudiation
   extendedKeyUsage = clientAuth, serverAuth
   authorityKeyIdentifier = keyid, issuer
   Not sure, is this the right approach?

4. Generated new self-signed certificate with
   openssl x509 -signkey aaf-sms.pr -in aaf-sms.csr -req -days 1825 -out aaf-sms-new.cert -extfile v3.ext

5. Copied the above file aaf-sms-new.cert to ~/oom/kubernetes/aaf/charts/aaf-sms/resources/config/aaf-sms.pub

6. Updated the AAF-SMS ~/oom/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml. Please refer to the attached git diff file aaf-sms-deployment.yaml.diff.

7. AAF-SMS SSL certificate is updated; please refer to the attached openssl command output log file aaf-sms-logs-after-ssl-patch.txt
   # It is having the valid dates
   Not Before: Jun 9 17:32:50 2020 GMT
   Not After : Jun 8 17:32:50 2025 GMT

8. Redeployed AAF again, but still the AAF-SMS jobs are failing with some other SSL exception and the quorum is not forming for the SMS vault. Looks like we are missing some steps.
onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl get pods -n onap | grep aaf-
dev-aaf-aaf-cass-76c8c584f-xp6kr         1/1     Running     0          69s
dev-aaf-aaf-cm-6d7959c65-9rsnp           1/1     Running     0          69s
dev-aaf-aaf-fs-9898d569-kfsp9            1/1     Running     0          69s
dev-aaf-aaf-gui-586484467-kfx84          1/1     Running     0          69s
dev-aaf-aaf-locate-6867c7fb9d-pzq4r      1/1     Running     0          68s
dev-aaf-aaf-oauth-59cb84d56d-2t5z4       1/1     Running     0          68s
dev-aaf-aaf-service-5c598d6fb-4np26      1/1     Running     0          68s
dev-aaf-aaf-sms-6f5f8c57b-cgbvw          1/1     Running     0          68s
dev-aaf-aaf-sms-preload-dxnwv            1/1     Running     0          68s
dev-aaf-aaf-sms-quorumclient-0           1/1     Running     0          68s
dev-aaf-aaf-sms-quorumclient-1           1/1     Running     0          58s
dev-aaf-aaf-sms-quorumclient-2           1/1     Running     0          47s
dev-aaf-aaf-sms-vault-0                  2/2     Running     1          68s
dev-aaf-aaf-sshsm-distcenter-xvxkv       0/1     Completed   0          68s
dev-aaf-aaf-sshsm-testca-qkwcp           0/1     Completed   0          68s

onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-preload-dxnwv
Processing /preload/config/has.json
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
Waiting for SMS to accept requests...
onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-quorumclient-0
INFO: 2020/06/09 17:55:01 quorumclient.go:77: Starting Log for Quorum Client
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:86: Read ID: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
WARNING: 2020/06/09 17:55:01 quorumclient.go:87: Unable to find an ID for this client. Generating...
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:99: Read Shard: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
WARNING: 2020/06/09 17:55:01 quorumclient.go:100: Unable to find a shard file. Registering with SMS...
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:40: LoadPGP Private Key: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
INFO: 2020/06/09 17:55:01 quorumclient.go:41: No Private Key found. Generating...
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection timed out
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
View/Reply Online (#21299): https://lists.onap.org/g/onap-discuss/message/21299
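The reply at the top of the thread points at the cause of the "x509: certificate signed by unknown authority" error: step 4 of the workaround signs the CSR with the service's own key (-signkey aaf-sms.pr), so the new aaf-sms.pub no longer chains to aaf_root_ca.cer, which is what the quorum client and preload job trust. The script below is an added example, not code from the thread or from the ONAP AAF project. It reproduces the v3.ext extensions from the thread, issues the service certificate signed by the root CA (openssl x509 -CA/-CAkey instead of -signkey), and verifies it the way a client would. The root CA key and certificate are generated stand-ins with an assumed CN; on a real deployment you would use the existing aaf_root_ca.cer and its private key. The service key is written unencrypted (-nodes) for brevity, whereas the key in the thread is passphrase-protected.

```shell
#!/bin/sh
# Added example (not ONAP/AAF code): re-issue the aaf-sms certificate so it
# chains to the AAF root CA rather than being self-signed, then verify the
# chain and the SAN the same way a TLS client does.
# Assumptions: the root CA below is a generated stand-in (CN is made up);
# a real run substitutes aaf_root_ca.cer and its private key.
set -eu

# One OpenSSL config for the stand-in root CA, the service CSR and the leaf
# extensions. The sms_ext section reproduces v3.ext from the thread.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ sms_ext ]
subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, serverAuth
authorityKeyIdentifier = keyid, issuer
EOF
}

# Stand-in for aaf_root_ca.cer and its key (constructed for this example).
make_root_ca() {
  dir=$1
  write_openssl_cnf "$dir/openssl.cnf"
  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/CN=example-aaf-root-ca" \
    -keyout "$dir/aaf_root_ca.key" -out "$dir/aaf_root_ca.cer" 2>/dev/null
}

# Fresh service key and CSR, then sign with the root CA (-CA/-CAkey).
# Signing with the service key (-signkey) is what produced the
# "certificate signed by unknown authority" error in the thread.
issue_sms_cert() {
  dir=$1
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=aaf-sms" -keyout "$dir/aaf-sms.pr" -out "$dir/aaf-sms.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$dir/aaf-sms.csr" \
    -CA "$dir/aaf_root_ca.cer" -CAkey "$dir/aaf_root_ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions sms_ext -out "$dir/aaf-sms.pub" 2>/dev/null
}

# The thread's step 4, kept for comparison: same CSR and extensions,
# but self-signed with the service key, so it does not chain to the root.
self_sign_only() {
  dir=$1
  openssl x509 -req -sha256 -days 1825 -in "$dir/aaf-sms.csr" \
    -signkey "$dir/aaf-sms.pr" -extfile "$dir/openssl.cnf" -extensions sms_ext \
    -out "$dir/aaf-sms-selfsigned.cert" 2>/dev/null
}

# What the quorum client effectively requires: a chain to the trusted root
# and a SAN matching the host it dials. Usage: verify_chain CA CERT HOSTNAME
verify_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run: sh renew-sms-cert.sh /path/to/workdir
if [ $# -gt 0 ]; then
  make_root_ca "$1"
  issue_sms_cert "$1"
  if verify_chain "$1/aaf_root_ca.cer" "$1/aaf-sms.pub" aaf-sms.onap; then
    echo "aaf-sms.pub chains to aaf_root_ca.cer for aaf-sms.onap"
    openssl x509 -noout -dates -in "$1/aaf-sms.pub"
  else
    echo "chain verification failed" >&2
    exit 1
  fi
fi
```

Running openssl verify -CAfile aaf_root_ca.cer against the self-signed certificate fails, which is the same trust failure the quorum client logs; the CA-signed certificate passes for every name in the SAN list and is rejected for any other hostname. Whatever produces the pair, the same check against the root CA that the clients actually ship with is the quickest way to confirm the replacement before redeploying the chart.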
