It was issued by the AAF team originally; they can help you generate the new key and cert, I guess. If you change the private key that the SMS cert is signed with, then all the clients that use the SMS service also need to be updated with the new root cert.
Once you have the new key and cert you can also use this method to override the built-in certs of SMS, with no need to rebuild the image:
https://wiki.onap.org/display/DW/Modifying+SMS+helm+Charts+to+override+the+builtin+certificates

Thanks,
-Manjunath

From: Vivekanandan Muthukrishnan <[email protected]>
Sent: Wednesday, June 10, 2020 5:39 AM
To: [email protected]; Ranganathaiah, Manjunath <[email protected]>
Subject: Re: [onap-discuss] AAF-SMS SSL certificate expiry issue

Hi Manjunath,

The idea is to regenerate the aaf-sms.pub file using the AAF CA Root (aaf_root_ca.cer), and this requires the private key of the Root CA certificate. I couldn't get it from the AAF source code.

Regards,
Vivek

On Wed, Jun 10, 2020 at 2:50 PM Vivekanandan Muthukrishnan <[email protected]> wrote:

Hi Manjunath,

Thanks for the quick response. I guess building a new docker image for Dublin and El Alto will not be possible to support our existing deployments. Could you please let us know where we keep the Root CA certificate aaf_root_ca.cer private key file? We don't see it under the AAF SMS containers. I guess this will help us to regenerate the expired SMS server certificate. We see that the Root CA is used by all AAF SMS clients to make the REST API calls. I guess Kiran has checked in the Root CA certificate aaf_root_ca.cer file. I am including him in CC to see if we can get the Root CA private key file.

Regards,
Vivek

On Wed, Jun 10, 2020 at 12:17 AM Ranganathaiah, Manjunath <[email protected]> wrote:

Hi Vivek,

One option is to get a new aaf-sms.pr and aaf-sms.pub pair, signed by the private key of aaf_root_ca.cer, and replace them in ~sms/sms-service/src/sms/certs and rebuild the image.
Thanks,
-Manjunath

From: [email protected] <[email protected]> On Behalf Of Vivekanandan Muthukrishnan
Sent: Tuesday, June 9, 2020 11:12 AM
To: [email protected]
Subject: [onap-discuss] AAF-SMS SSL certificate expiry issue

Hi AAF team,

We are blocked due to AAF-SMS self-signed certificate expiry in Dublin & El Alto. We did try to regenerate the SSL certificates, but the quorum does not get formed due to the following exceptions.

    Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
    ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority

I guess we are missing some steps. We would appreciate any quick help to resolve this one to continue with our Dublin & El Alto deployments. Here is the step by step workaround that we tried.

Regards,
Vivek

1. Download the following files from the AAF-SMS container's /sms/certs folder: aaf_root_ca.cer, aaf-sms.pr, aaf-sms.pub
   Password : secretmanagementservicesecretpassword
   # It seems like the aaf-sms service uses the first self-signed certificate from the aaf-sms.pub
   # file. This one expired on June/03/2020
   # Not sure about the reason why there is a certificate in aaf-sms.pub which will expire on
   # Aug 17 18:51:37 2023 GMT. Maybe the developer forgot to overwrite the previous one.

2. Created CSR from existing certificate
   openssl x509 -x509toreq -in aaf-sms.pub -out aaf-sms.csr -signkey aaf-sms.pr

3. Created X.509v3 extensions file, since the above command does not copy the v3 extensions
   cat v3.ext
   subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
   basicConstraints = CA:FALSE
   subjectKeyIdentifier = hash
   keyUsage = critical,digitalSignature, keyEncipherment, nonRepudiation
   extendedKeyUsage = clientAuth, serverAuth
   authorityKeyIdentifier = keyid, issuer
   Not sure, is this the right approach?

4. Generated new self-signed certificate with
   openssl x509 -signkey aaf-sms.pr -in aaf-sms.csr -req -days 1825 -out aaf-sms-new.cert -extfile v3.ext

5. Copied the above file aaf-sms-new.cert to ~/oom/kubernetes/aaf/charts/aaf-sms/resources/config/aaf-sms.pub

6. Updated the AAF-SMS ~/oom/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml. Please refer to the attached git diff file aaf-sms-deployment.yaml.diff.

7. AAF-SMS SSL certificate is updated; please refer to the attached openssl command output log file aaf-sms-logs-after-ssl-patch.txt
   # It is having the valid dates
   Not Before: Jun 9 17:32:50 2020 GMT
   Not After : Jun 8 17:32:50 2025 GMT

8. Redeployed AAF again, but still the AAF-SMS jobs are failing with some other SSL exception and the quorum is not forming for SMS vault. Looks like we are missing some steps.
onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl get pods -n onap | grep aaf-
dev-aaf-aaf-cass-76c8c584f-xp6kr          1/1     Running     0          69s
dev-aaf-aaf-cm-6d7959c65-9rsnp            1/1     Running     0          69s
dev-aaf-aaf-fs-9898d569-kfsp9             1/1     Running     0          69s
dev-aaf-aaf-gui-586484467-kfx84           1/1     Running     0          69s
dev-aaf-aaf-locate-6867c7fb9d-pzq4r       1/1     Running     0          68s
dev-aaf-aaf-oauth-59cb84d56d-2t5z4        1/1     Running     0          68s
dev-aaf-aaf-service-5c598d6fb-4np26       1/1     Running     0          68s
dev-aaf-aaf-sms-6f5f8c57b-cgbvw           1/1     Running     0          68s
dev-aaf-aaf-sms-preload-dxnwv             1/1     Running     0          68s
dev-aaf-aaf-sms-quorumclient-0            1/1     Running     0          68s
dev-aaf-aaf-sms-quorumclient-1            1/1     Running     0          58s
dev-aaf-aaf-sms-quorumclient-2            1/1     Running     0          47s
dev-aaf-aaf-sms-vault-0                   2/2     Running     1          68s
dev-aaf-aaf-sshsm-distcenter-xvxkv        0/1     Completed   0          68s
dev-aaf-aaf-sshsm-testca-qkwcp            0/1     Completed   0          68s

onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-preload-dxnwv
Processing /preload/config/has.json
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
Waiting for SMS to accept requests...

onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-quorumclient-0
INFO: 2020/06/09 17:55:01 quorumclient.go:77: Starting Log for Quorum Client
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:86: Read ID: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
WARNING: 2020/06/09 17:55:01 quorumclient.go:87: Unable to find an ID for this client. Generating...
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:99: Read Shard: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
WARNING: 2020/06/09 17:55:01 quorumclient.go:100: Unable to find a shard file. Registering with SMS...
ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
ERROR: 2020/06/09 17:55:01 quorumclient.go:40: LoadPGP Private Key: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
INFO: 2020/06/09 17:55:01 quorumclient.go:41: No Private Key found. Generating...
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection timed out
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
View/Reply Online (#21307): https://lists.onap.org/g/onap-discuss/message/21307
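The two ways of turning the CSR from step 2 into a certificate, side by side, as an added example that is not part of the original e-mail thread or the SMS code base. "openssl x509 -req -signkey <server key>" (step 4 above) produces a leaf that signs itself, so a client whose only trust anchor is aaf_root_ca.cer rejects it with exactly the "x509: certificate signed by unknown authority" error in the logs; signing the same CSR with "-CA <root cert> -CAkey <root key>" (what Manjunath describes) produces a leaf that chains to the root and passes the same check. Since the thread could not locate the root CA's private key, the script generates a throwaway root CA and server key as stand-ins for aaf_root_ca.cer, its key and aaf-sms.pr; the "old" expired certificate is likewise a constructed stand-in, the hostnames are the ones from the thread's v3.ext, and the file names under the temp directory are the script's own.

```sh
#!/bin/sh
# Added example (not from the ONAP thread or the SMS project). Issues an SMS-style
# server certificate both ways and checks each against the root CA the clients trust.
# Stand-ins generated here: ca.cer/ca.key (for aaf_root_ca.cer and its key),
# aaf-sms.pr (server key), old-aaf-sms.pub (the expired aaf-sms.pub).
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# v3 extensions as posted in the thread (x509toreq does not carry them over).
cat > v3.ext <<'EOF'
subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = clientAuth, serverAuth
authorityKeyIdentifier = keyid, issuer
EOF

# Minimal req config so the stand-in CA is created without the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Stand-in Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed fixtures: root CA, server key, and an old self-signed server cert.
make_fixtures() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.cer >/dev/null 2>&1
    openssl genrsa -out aaf-sms.pr 2048 >/dev/null 2>&1
    openssl req -new -config ca.cnf -key aaf-sms.pr -subj "/CN=aaf-sms" -out old.csr >/dev/null 2>&1
    openssl x509 -req -in old.csr -signkey aaf-sms.pr -days 1 -out old-aaf-sms.pub >/dev/null 2>&1
}

# Thread step 2: CSR from the existing certificate, keeping its subject and key.
make_csr() {
    openssl x509 -x509toreq -in old-aaf-sms.pub -signkey aaf-sms.pr -out aaf-sms.csr >/dev/null 2>&1
}

# Thread step 4: -signkey makes the leaf its own issuer. No CA is involved.
issue_self_signed() {
    openssl x509 -req -in aaf-sms.csr -signkey aaf-sms.pr -days 1825 -sha256 \
        -extfile v3.ext -out aaf-sms-self-signed.cert >/dev/null 2>&1
}

# The reply's option: sign the same CSR with the root CA's private key.
issue_ca_signed() {
    openssl x509 -req -in aaf-sms.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
        -days 1825 -sha256 -extfile v3.ext -out aaf-sms.pub >/dev/null 2>&1
}

# The check a client trusting only the root performs: build a chain from the leaf
# to ca.cer. Exit 0 = trusted; non-zero is what surfaces as "unknown authority".
chains_to_root() {
    openssl verify -CAfile ca.cer "$1" >/dev/null 2>&1
}

# The name the quorum client connects to must still be in the SAN after re-issue.
has_sms_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:aaf-sms.onap'
}

make_fixtures
make_csr
issue_self_signed
issue_ca_signed

for cert in aaf-sms-self-signed.cert aaf-sms.pub; do
    if chains_to_root "$cert"; then
        echo "$cert: chains to ca.cer, clients trusting the root accept it"
    else
        echo "$cert: does NOT chain to ca.cer (x509: certificate signed by unknown authority)"
    fi
done
openssl x509 -in aaf-sms.pub -noout -issuer -dates
```

Run it as-is; it needs only the openssl binary and prints one verdict per certificate followed by the issuer and validity window of the CA-signed one. The same verify call also shows the other half of the reply at the top: if the root CA itself is replaced rather than re-using its key, the new leaf fails "openssl verify -CAfile <old root>" in the same way as the self-signed one, which is why every client's copy of aaf_root_ca.cer then has to be updated too.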
