Hi Manjunath,

Thanks for the quick response. I guess building a new docker image for Dublin and ElAlto will not be possible to support our existing deployments.

Could you please let us know where we keep the private key file for the Root CA certificate *aaf_root_ca.cer*? We don't see it under the AAF SMS containers. I guess this will help us to regenerate the expired SMS server certificate. We see that the Root CA is used by all AAF SMS clients to make the REST API calls. I guess Kiran has checked in the Root CA certificate *aaf_root_ca.cer* file. I am including him in CC to see if we can get the Root CA private key file.

Regards
Vivek

On Wed, Jun 10, 2020 at 12:17 AM Ranganathaiah, Manjunath <manjunath.ranganatha...@intel.com> wrote:

> Hi Vivek,
>
> One option is to get the new set of aaf-sms.pr and aaf-sms.pub pair, signed by the private key of aaf_root_ca.cer, and replace them in ~sms/sms-service/src/sms/certs and rebuild the image.
>
> Thanks,
> -Manjunath
>
> *From:* onap-discuss@lists.onap.org <onap-discuss@lists.onap.org> *On Behalf Of* Vivekanandan Muthukrishnan
> *Sent:* Tuesday, June 9, 2020 11:12 AM
> *To:* onap-discuss@lists.onap.org
> *Subject:* [onap-discuss] AAF-SMS SSL certificate expiry issue
>
> Hi AAF team,
>
> We are blocked due to AAF-SMS self-signed certificate expiry in Dublin & ElAlto. We did try to regenerate the SSL certificates but the quorum does not get formed due to the following exceptions.
>
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>
> I guess we are missing some steps. We would appreciate any quick help to resolve this one to continue with our Dublin & ElAlto deployments.
>
> Here is the step by step workaround that we tried.
>
> Regards
> Vivek
>
> 1. Download the following files from the AAF-SMS container, from the /sms/certs folder:
>
> aaf_root_ca.cer, aaf-sms.pr, aaf-sms.pub
>
> Password : secretmanagementservicesecretpassword
>
> # It seems like the aaf-sms service uses the first self-signed certificate from the aaf-sms.pub
> # file. This one expired on June/03/2020
>
> # Not sure about the reason why there is a certificate in aaf-sms.pub which will expire on
> # Aug 17 18:51:37 2023 GMT. Maybe the developer forgot to overwrite the previous one.
>
> 2. Created a CSR from the existing certificate
>
> openssl x509 -x509toreq -in aaf-sms.pub -out aaf-sms.csr -signkey aaf-sms.pr
>
> 3. Created an X.509 v3 extensions file, since the above command does not copy the v3 extensions
>
> cat v3.ext
>
> subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
> basicConstraints = CA:FALSE
> subjectKeyIdentifier = hash
> keyUsage = critical,digitalSignature, keyEncipherment, nonRepudiation
> extendedKeyUsage = clientAuth, serverAuth
> authorityKeyIdentifier = keyid, issuer
>
> *Not sure, is this the right approach?*
>
> 4. Generated a new self-signed certificate with
>
> openssl x509 -signkey aaf-sms.pr -in aaf-sms.csr -req -days 1825 -out aaf-sms-new.cert -extfile v3.ext
>
> 5. Copied the above file aaf-sms-new.cert to ~/oom/kubernetes/aaf/charts/aaf-sms/resources/config/aaf-sms.pub
>
> 6. Updated the AAF-SMS ~/oom/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml. Please refer to the attached git diff file *aaf-sms-deployment.yaml.diff*.
>
> 7. The AAF-SMS SSL certificate is updated; please refer to the attached openssl command output log file *aaf-sms-logs-after-ssl-patch.txt*
>
> # It has valid dates
> Not Before: Jun 9 17:32:50 2020 GMT
> Not After : Jun 8 17:32:50 2025 GMT
>
> 8. Redeployed AAF again, but the AAF-SMS jobs are still failing with some other SSL exception and the quorum is not forming for the SMS vault. Looks like we are missing some steps.
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl get pods -n onap | grep aaf-
> dev-aaf-aaf-cass-76c8c584f-xp6kr 1/1 Running 0 69s
> dev-aaf-aaf-cm-6d7959c65-9rsnp 1/1 Running 0 69s
> dev-aaf-aaf-fs-9898d569-kfsp9 1/1 Running 0 69s
> dev-aaf-aaf-gui-586484467-kfx84 1/1 Running 0 69s
> dev-aaf-aaf-locate-6867c7fb9d-pzq4r 1/1 Running 0 68s
> dev-aaf-aaf-oauth-59cb84d56d-2t5z4 1/1 Running 0 68s
> dev-aaf-aaf-service-5c598d6fb-4np26 1/1 Running 0 68s
> dev-aaf-aaf-sms-6f5f8c57b-cgbvw 1/1 Running 0 68s
> dev-aaf-aaf-sms-preload-dxnwv 1/1 Running 0 68s
> dev-aaf-aaf-sms-quorumclient-0 1/1 Running 0 68s
> dev-aaf-aaf-sms-quorumclient-1 1/1 Running 0 58s
> dev-aaf-aaf-sms-quorumclient-2 1/1 Running 0 47s
> dev-aaf-aaf-sms-vault-0 2/2 Running 1 68s
> dev-aaf-aaf-sshsm-distcenter-xvxkv 0/1 Completed 0 68s
> dev-aaf-aaf-sshsm-testca-qkwcp 0/1 Completed 0 68s
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-preload-dxnwv
> Processing /preload/config/has.json
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> Waiting for SMS to accept requests...
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-quorumclient-0
> INFO: 2020/06/09 17:55:01 quorumclient.go:77: Starting Log for Quorum Client
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:86: Read ID: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
> WARNING: 2020/06/09 17:55:01 quorumclient.go:87: Unable to find an ID for this client. Generating...
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:99: Read Shard: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
> WARNING: 2020/06/09 17:55:01 quorumclient.go:100: Unable to find a shard file. Registering with SMS...
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:40: LoadPGP Private Key: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
> INFO: 2020/06/09 17:55:01 quorumclient.go:41: No Private Key found. Generating...
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection timed out
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
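The "x509: certificate signed by unknown authority" failure in the thread, reproduced in an added Go example that is not part of this thread or of the AAF/SMS code: it constructs a throwaway root CA and builds the same server certificate twice, once signed with the root's private key (what Manjunath suggests) and once self-signed with the server's own key (step 4 of the workaround), then runs Go's x509 chain verification, which is what the Go quorum client does on connect, against that root. The demo-root-ca subject, keys and hostnames are constructed; the real aaf_root_ca.cer and its private key are not used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl (carrying pub) with parentKey, the operation `openssl x509 -signkey` performs.
func mkCert(tmpl, parent *x509.Certificate, pub, parentKey interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// VerifyAgainstRoot mirrors the quorum client's TLS check: chain the server cert to the trusted root for the SMS hostname.
func VerifyAgainstRoot(server, root *x509.Certificate) (ok, unknownAuthority bool) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "aaf-sms.onap"})
	_, unknownAuthority = err.(x509.UnknownAuthorityError) // the error class quoted in the thread
	return err == nil, unknownAuthority
}

// Demo builds a constructed (throwaway) root CA and two server certs for the same key and SANs, then checks both.
func Demo() (caSignedOK, selfSignedOK, selfSignedUnknownAuthority bool) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-root-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := mkCert(rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "aaf-sms"},
		DNSNames: []string{"aaf-sms", "aaf-sms.onap"}, NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caSigned := mkCert(srvTmpl, root, srvKey.Public(), rootKey)     // signed by the CA key: the suggested fix
	selfSigned := mkCert(srvTmpl, srvTmpl, srvKey.Public(), srvKey) // self-signed with the server key: step 4 above
	caSignedOK, _ = VerifyAgainstRoot(caSigned, root)
	selfSignedOK, selfSignedUnknownAuthority = VerifyAgainstRoot(selfSigned, root)
	return
}
func main() {
	fmt.Println(Demo()) // true false true
}
```

The same check against the real files before a redeploy is `openssl verify -CAfile aaf_root_ca.cer aaf-sms-new.cert`; a certificate produced with `-signkey aaf-sms.pr` alone cannot pass it, because nothing in the chain was signed by the root the clients trust.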
View/Reply Online (#21302): https://lists.onap.org/g/onap-discuss/message/21302