Hi Manjunath,

The idea is to regenerate the *aaf-sms.pub* file using the AAF CA Root (*aaf_root_ca.cer*), and this requires the private key of the Root CA certificate. I couldn't get it from the AAF source code.

Regards
Vivek

On Wed, Jun 10, 2020 at 2:50 PM Vivekanandan Muthukrishnan <[email protected]> wrote:

> Hi Manjunath,
>
> Thanks for the quick response. I guess building a new docker image for Dublin and Elalto will not be possible to support our existing deployments.
>
> Could you please let us know where we keep the Root CA certificate *aaf_root_ca.cer* *private key file*? We don't see it under the AAF SMS containers. I guess this will help us to regenerate the expired SMS server certificate. We see that the Root CA is used by all AAF SMS clients to make the REST API calls.
>
> I guess Kiran has checked in the Root CA certificate *aaf_root_ca.cer* file. I am including him in CC to see if we can get the Root CA private key file.
>
> Regards
> Vivek
>
> On Wed, Jun 10, 2020 at 12:17 AM Ranganathaiah, Manjunath <[email protected]> wrote:
>
>> Hi Vivek,
>>
>> One option is to get a new aaf-sms.pr and aaf-sms.pub pair, signed by the private key of aaf_root_ca.cer, replace them in ~sms/sms-service/src/sms/certs and rebuild the image.
>>
>> Thanks,
>> -Manjunath
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of* Vivekanandan Muthukrishnan
>> *Sent:* Tuesday, June 9, 2020 11:12 AM
>> *To:* [email protected]
>> *Subject:* [onap-discuss] AAF-SMS SSL certificate expiry issue
>>
>> Hi AAF team,
>>
>> We are blocked due to the AAF-SMS self-signed certificate expiry in Dublin & ElAlto. We did try to regenerate the SSL certificates, but the quorum does not get formed due to the following exceptions.
>>
>> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>>
>> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>>
>> I guess we are missing some steps. We would appreciate any quick help to resolve this one to continue with our Dublin & ElAlto deployments.
>>
>> Here is the step-by-step workaround that we tried.
>>
>> Regards
>> Vivek
>>
>> 1. Download the following files from the AAF-SMS container, from the /sms/certs folder:
>>
>> aaf_root_ca.cer, aaf-sms.pr, aaf-sms.pub
>>
>> Password : secretmanagementservicesecretpassword
>>
>> # It seems like the aaf-sms service uses the first self-signed certificate from the aaf-sms.pub
>> # file. This one expired on June/03/2020
>>
>> # Not sure about the reason why there is a certificate in aaf-sms.pub which will expire on
>> # Aug 17 18:51:37 2023 GMT. Maybe the developer forgot to overwrite the previous one.
>>
>> 2. Created a CSR from the existing certificate
>>
>> openssl x509 -x509toreq -in aaf-sms.pub -out aaf-sms.csr -signkey aaf-sms.pr
>>
>> 3. Created a 509v3 extensions file, since the above command does not copy the v3 extensions
>>
>> cat v3.ext
>>
>> subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
>> basicConstraints = CA:FALSE
>> subjectKeyIdentifier = hash
>> keyUsage = critical,digitalSignature, keyEncipherment, nonRepudiation
>> extendedKeyUsage = clientAuth, serverAuth
>> authorityKeyIdentifier = keyid, issuer
>>
>> *Not sure, is this the right approach?*
>>
>> 4. Generated a new self-signed certificate with
>>
>> openssl x509 -signkey aaf-sms.pr -in aaf-sms.csr -req -days 1825 -out aaf-sms-new.cert -extfile v3.ext
>>
>> 5. Copied the above file aaf-sms-new.cert to ~/oom/kubernetes/aaf/charts/aaf-sms/resources/config/aaf-sms.pub
>>
>> 6. Updated the AAF-SMS ~/oom/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml. Please refer to the attached git diff file *aaf-sms-deployment.yaml.diff*.
>>
>> 7. The AAF-SMS SSL certificate is updated; please refer to the attached openssl command output log file *aaf-sms-logs-after-ssl-patch.txt*
>>
>> # It is having the valid dates
>> Not Before: Jun 9 17:32:50 2020 GMT
>> Not After : Jun 8 17:32:50 2025 GMT
>>
>> 8. Redeployed AAF again, but still the AAF-SMS jobs are failing with some other SSL exception and the quorum is not forming for the SMS vault. Looks like we are missing some steps.
>>
>> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl get pods -n onap | grep aaf-
>> dev-aaf-aaf-cass-76c8c584f-xp6kr 1/1 Running 0 69s
>> dev-aaf-aaf-cm-6d7959c65-9rsnp 1/1 Running 0 69s
>> dev-aaf-aaf-fs-9898d569-kfsp9 1/1 Running 0 69s
>> dev-aaf-aaf-gui-586484467-kfx84 1/1 Running 0 69s
>> dev-aaf-aaf-locate-6867c7fb9d-pzq4r 1/1 Running 0 68s
>> dev-aaf-aaf-oauth-59cb84d56d-2t5z4 1/1 Running 0 68s
>> dev-aaf-aaf-service-5c598d6fb-4np26 1/1 Running 0 68s
>> dev-aaf-aaf-sms-6f5f8c57b-cgbvw 1/1 Running 0 68s
>> dev-aaf-aaf-sms-preload-dxnwv 1/1 Running 0 68s
>> dev-aaf-aaf-sms-quorumclient-0 1/1 Running 0 68s
>> dev-aaf-aaf-sms-quorumclient-1 1/1 Running 0 58s
>> dev-aaf-aaf-sms-quorumclient-2 1/1 Running 0 47s
>> dev-aaf-aaf-sms-vault-0 2/2 Running 1 68s
>> dev-aaf-aaf-sshsm-distcenter-xvxkv 0/1 Completed 0 68s
>> dev-aaf-aaf-sshsm-testca-qkwcp 0/1 Completed 0 68s
>>
>> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-preload-dxnwv
>> Processing /preload/config/has.json
>> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>> Waiting for SMS to accept requests...
>> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
>> Waiting for SMS to accept requests...
>> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
>> Waiting for SMS to accept requests...
>> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>> Waiting for SMS to accept requests...
>>
>> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-quorumclient-0
>> INFO: 2020/06/09 17:55:01 quorumclient.go:77: Starting Log for Quorum Client
>> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
>> ERROR: 2020/06/09 17:55:01 quorumclient.go:86: Read ID: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
>> WARNING: 2020/06/09 17:55:01 quorumclient.go:87: Unable to find an ID for this client. Generating...
>> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
>> ERROR: 2020/06/09 17:55:01 quorumclient.go:99: Read Shard: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
>> WARNING: 2020/06/09 17:55:01 quorumclient.go:100: Unable to find a shard file. Registering with SMS...
>> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
>> ERROR: 2020/06/09 17:55:01 quorumclient.go:40: LoadPGP Private Key: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
>> INFO: 2020/06/09 17:55:01 quorumclient.go:41: No Private Key found. Generating...
>> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection timed out
>> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#21304): https://lists.onap.org/g/onap-discuss/message/21304
Mute This Topic: https://lists.onap.org/mt/74780453/21656
Group Owner: [email protected]
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
