Hi Manjunath,

Thanks for the pointers, we will try the suggested approach, but
changing the Root CA is going to invite some more work.

Also, just for your information: it seems like the AAF-SMS certificate
*aaf-sms.pub* was not signed with the CA root certificate *aaf_root_ca.cer*.
I am not sure.

# Looks like the Root CA is not used to sign aaf-sms.pub; the below command
# fails.
$ openssl verify -CAfile aaf_root_ca.cer aaf-sms.pub
aaf-sms.pub: CN = aaf-sms, emailAddress = , OU = [email protected], OU = OSAAF, O = ONAP, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify aaf-sms.pub
aaf-sms.pub: CN = aaf-sms, emailAddress = , OU = [email protected], OU = OSAAF, O = ONAP, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl x509 -in aaf-sms.pub -noout -issuer
issuer= /C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_9

$ openssl x509 -in aaf-sms.pub -noout -subject
subject= /CN=aaf-sms/emailAddress=/OU=[email protected]/OU=OSAAF/O=ONAP/C=US

$ openssl verify aaf_root_ca.cer
aaf_root_ca.cer: OU = OSAAF, O = ONAP, C = US
error 18 at 0 depth lookup:self signed certificate
OK

$ openssl x509 -in aaf_root_ca.cer -noout -issuer
issuer= /OU=OSAAF/O=ONAP/C=US

$ openssl x509 -in aaf_root_ca.cer -noout -subject
subject= /OU=OSAAF/O=ONAP/C=US

Regards
Vivek

On Wed, Jun 10, 2020 at 7:41 PM Ranganathaiah, Manjunath <
[email protected]> wrote:

> It was issued by the AAF team originally; they can help you to generate the
> new key and cert, I guess. If you change the private key that the sms cert
> is signed with, then all the clients that use the SMS service also need to
> be updated with the new root cert.
>
> Once you have the new key and cert, you can also use this method to override
> the built-in certs of SMS with no need to rebuild the image.
>
> https://wiki.onap.org/display/DW/Modifying+SMS+helm+Charts+to+override+the+builtin+certificates
>
> Thanks,
>
> -Manjunath
>
> *From:* Vivekanandan Muthukrishnan <[email protected]>
> *Sent:* Wednesday, June 10, 2020 5:39 AM
> *To:* [email protected]; Ranganathaiah, Manjunath <[email protected]>
> *Subject:* Re: [onap-discuss] AAF-SMS SSL certificate expiry issue
>
> Hi Manjunath,
>
> The idea is to regenerate the *aaf-sms.pub* file using the AAF CA Root
> (*aaf_root_ca.cer*), and this requires the private key of the Root CA
> certificate. I couldn't get it from the AAF source code.
>
> Regards
>
> Vivek
>
> On Wed, Jun 10, 2020 at 2:50 PM Vivekanandan Muthukrishnan <
> [email protected]> wrote:
>
> Hi Manjunath,
>
> Thanks for the quick response. I guess building a new docker image for
> Dublin and Elalto will not be possible to support our existing deployments.
>
> Could you please let us know where we keep the Root CA certificate
> *aaf_root_ca.cer* *private key file*? We don't see it under the AAF SMS
> containers. I guess this will help us to regenerate the expired SMS server
> certificate. We see that the Root CA is used by all AAF SMS clients to make
> the REST API calls.
>
> I guess Kiran has checked in the Root CA certificate *aaf_root_ca.cer*
> file. I am including him in CC to see if we can get the Root CA private key
> file.
>
> Regards
>
> Vivek
>
> On Wed, Jun 10, 2020 at 12:17 AM Ranganathaiah, Manjunath <
> [email protected]> wrote:
>
> Hi Vivek,
>
> One option is to get a new set of aaf-sms.pr and aaf-sms.pub, signed by
> the private key of aaf_root_ca.cer, replace them in
> ~sms/sms-service/src/sms/certs and rebuild the image.
>
> Thanks,
>
> -Manjunath
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Vivekanandan Muthukrishnan
> *Sent:* Tuesday, June 9, 2020 11:12 AM
> *To:* [email protected]
> *Subject:* [onap-discuss] AAF-SMS SSL certificate expiry issue
>
> Hi AAF team,
>
> We are blocked due to AAF-SMS self-signed certificate expiry in Dublin &
> ElAlto. We did try to regenerate the SSL certificates, but the quorum does
> not get formed due to the following exceptions.
>
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
>
> I guess we are missing some steps. We would appreciate any quick help to
> resolve this one so we can continue with our Dublin & ElAlto deployments.
>
> Here is the step-by-step workaround that we tried.
>
> Regards
>
> Vivek
>
> 1. Downloaded the following files from the AAF-SMS container's /sms/certs
>    folder: aaf_root_ca.cer, aaf-sms.pr, aaf-sms.pub
>
>    Password : secretmanagementservicesecretpassword
>
>    # It seems like the aaf-sms service uses the first self-signed
>    # certificate from the aaf-sms.pub file. This one expired on June/03/2020.
>
>    # Not sure about the reason why there is a certificate in aaf-sms.pub which
>    # will expire on Aug 17 18:51:37 2023 GMT. Maybe the developer forgot to
>    # overwrite the previous one.
>
> 2. Created a CSR from the existing certificate:
>
>    openssl x509 -x509toreq -in aaf-sms.pub -out aaf-sms.csr -signkey aaf-sms.pr
>
> 3. Created an X.509v3 extensions file, since the above command does
>    not copy the v3 extensions:
>
>    cat v3.ext
>
>    subjectAltName = DNS:aaf-sms, DNS:aaf-sms-db.onap, DNS:aaf-sms.api.simpledemo.onap.org, DNS:aaf-sms.onap, DNS:aaf-sms.simpledemo.onap.org
>    basicConstraints     = CA:FALSE
>    subjectKeyIdentifier = hash
>    keyUsage             = critical,digitalSignature, keyEncipherment, nonRepudiation
>    extendedKeyUsage     = clientAuth, serverAuth
>    authorityKeyIdentifier = keyid, issuer
>
>    *Not sure, is this the right approach?*
>
> 4. Generated a new self-signed certificate with:
>
>    openssl x509 -signkey aaf-sms.pr -in aaf-sms.csr -req -days 1825 -out aaf-sms-new.cert -extfile v3.ext
>
> 5. Copied the above file aaf-sms-new.cert to
>    ~/oom/kubernetes/aaf/charts/aaf-sms/resources/config/aaf-sms.pub
>
> 6. Updated the AAF-SMS
>    ~/oom/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml. Please
>    refer to the attached git diff file *aaf-sms-deployment.yaml.diff*.
>
> 7. The AAF-SMS SSL certificate is updated; please refer to the attached
>    openssl command output log file *aaf-sms-logs-after-ssl-patch.txt*.
>
>    # It is having the valid dates
>    Not Before: Jun  9 17:32:50 2020 GMT
>    Not After : Jun  8 17:32:50 2025 GMT
>
> 8. Redeployed AAF again, but still the AAF-SMS jobs are failing with some
>    other SSL exception and the quorum is not forming for the SMS vault.
>    Looks like we are missing some steps.
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl get pods -n onap | grep aaf-
> dev-aaf-aaf-cass-76c8c584f-xp6kr       1/1   Running     0   69s
> dev-aaf-aaf-cm-6d7959c65-9rsnp         1/1   Running     0   69s
> dev-aaf-aaf-fs-9898d569-kfsp9          1/1   Running     0   69s
> dev-aaf-aaf-gui-586484467-kfx84        1/1   Running     0   69s
> dev-aaf-aaf-locate-6867c7fb9d-pzq4r    1/1   Running     0   68s
> dev-aaf-aaf-oauth-59cb84d56d-2t5z4     1/1   Running     0   68s
> dev-aaf-aaf-service-5c598d6fb-4np26    1/1   Running     0   68s
> dev-aaf-aaf-sms-6f5f8c57b-cgbvw        1/1   Running     0   68s
> dev-aaf-aaf-sms-preload-dxnwv          1/1   Running     0   68s
> dev-aaf-aaf-sms-quorumclient-0         1/1   Running     0   68s
> dev-aaf-aaf-sms-quorumclient-1         1/1   Running     0   58s
> dev-aaf-aaf-sms-quorumclient-2         1/1   Running     0   47s
> dev-aaf-aaf-sms-vault-0                2/2   Running     1   68s
> dev-aaf-aaf-sshsm-distcenter-xvxkv     0/1   Completed   0   68s
> dev-aaf-aaf-sshsm-testca-qkwcp         0/1   Completed   0   68s
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-preload-dxnwv
> Processing    /preload/config/has.json
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
> Waiting for SMS to accept requests...
> Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> Waiting for SMS to accept requests...
>
> onap@workstation:~/oom/kubernetes/aaf/charts/aaf-sms/templates$ kubectl logs -n onap dev-aaf-aaf-sms-quorumclient-0
> INFO: 2020/06/09 17:55:01 quorumclient.go:77: Starting Log for Quorum Client
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:86: Read ID: open auth/dev-aaf-aaf-sms-quorumclient-0/id: no such file or directory
> WARNING: 2020/06/09 17:55:01 quorumclient.go:87: Unable to find an ID for this client. Generating...
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:99: Read Shard: open auth/dev-aaf-aaf-sms-quorumclient-0/shard: no such file or directory
> WARNING: 2020/06/09 17:55:01 quorumclient.go:100: Unable to find a shard file. Registering with SMS...
> ERROR: 2020/06/09 17:55:01 auth.go:226: Read from file: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
> ERROR: 2020/06/09 17:55:01 quorumclient.go:40: LoadPGP Private Key: open auth/dev-aaf-aaf-sms-quorumclient-0/prkey: no such file or directory
> INFO: 2020/06/09 17:55:01 quorumclient.go:41: No Private Key found. Generating...
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection timed out
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority
> ERROR: 2020/06/09 17:57:21 quorumclient.go:176: Connect to SMS: Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.43.161.118:10443: connect: connection refused
>
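Two points in this thread are worth seeing side by side: the openssl output at the top reports the issuer of aaf-sms.pub as intermediateCA_9, so verifying it against aaf_root_ca.cer alone is missing a link in the chain, and the quoted workaround (x509toreq, then -signkey with the leaf's own key) produces a self-signed certificate that no longer chains to the root at all. The script below is an added example, not code from the thread or from the ONAP AAF project. It builds a throwaway root, intermediate and leaf with constructed names (the SAN hostnames are the ones from the thread's v3.ext) and records what `openssl verify` returns in each case: the leaf against the root alone gives error 20 (issuer not available, which is a different finding from "signed by the wrong root"), the leaf with the intermediate supplied through `-untrusted` verifies, and the self-signed re-issue gives error 18, the same condition a Go client trusting only the root reports as "certificate signed by unknown authority".

```shell
#!/bin/sh
# Added example (not part of the thread): build a throwaway root -> intermediate -> leaf
# chain and show how `openssl verify` reports a missing intermediate (error 20) versus
# a self-signed re-issue of the leaf (error 18). All names are constructed sample values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the CA certificates (root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the leaf, modelled on the v3.ext quoted in the thread.
cat > v3.ext <<'EOF'
subjectAltName         = DNS:aaf-sms, DNS:aaf-sms.onap
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
keyUsage               = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage       = clientAuth, serverAuth
authorityKeyIdentifier = keyid, issuer
EOF

newkey() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Root CA: self-signed, stands in for aaf_root_ca.cer (same DN as in the thread).
newkey root.key
openssl req -new -key root.key -subj "/OU=OSAAF/O=ONAP/C=US" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.cer 2>/dev/null

# Intermediate CA issued by the root; the thread's leaf names intermediateCA_9 as its issuer.
newkey inter.key
openssl req -new -key inter.key -subj "/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_9" -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial -days 1825 \
  -extfile ca.ext -out inter.cer 2>/dev/null

# Leaf (server) certificate issued by the intermediate, with the v3 extensions.
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=aaf-sms/OU=OSAAF/O=ONAP/C=US" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.cer -CAkey inter.key -CAcreateserial -days 1825 \
  -extfile v3.ext -out leaf.cer 2>/dev/null

# The thread's workaround applied to the leaf: turn the existing cert back into a CSR and
# sign it with its own key. The result is self-signed and no longer chains to the root.
openssl x509 -x509toreq -in leaf.cer -signkey leaf.key -out leaf-reissue.csr 2>/dev/null
openssl x509 -req -in leaf-reissue.csr -signkey leaf.key -days 1825 -extfile v3.ext \
  -out leaf-selfsigned.cer 2>/dev/null

# verify_error_code CAFILE UNTRUSTED CERT
# Prints 0 when `openssl verify` accepts CERT, otherwise the X.509 verify error number
# (20 = unable to get local issuer certificate, 18 = self-signed certificate at depth 0).
# UNTRUSTED may be '' (no intermediate supplied).
verify_error_code() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) && { echo 0; return 0; }
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1) && { echo 0; return 0; }
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# issuer_cn CERT: prints the CN of the certificate's issuer, the first thing to check
# when verification against a root fails with error 20.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

echo "leaf issuer CN:                      $(issuer_cn leaf.cer)"
echo "root only, leaf:                     error $(verify_error_code root.cer '' leaf.cer)"
echo "root + untrusted intermediate, leaf: error $(verify_error_code root.cer inter.cer leaf.cer)"
echo "root only, self-signed re-issue:     error $(verify_error_code root.cer '' leaf-selfsigned.cer)"
echo "root as its own anchor:              error $(verify_error_code root.cer '' root.cer)"
```

Run it with `sh` on any host with `openssl` in PATH; it leaves nothing behind. The distinction it exercises is the one that matters when reading the output in the thread: `-CAfile` names what is trusted, `-untrusted` names certificates that may be used to build the chain but are not trusted on their own, and a server that presents only its leaf forces every client to already have the intermediate. A leaf re-signed with its own key verifies against nothing but itself, which is why a client whose trust store holds only the root rejects it.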

View/Reply Online (#21312): https://lists.onap.org/g/onap-discuss/message/21312