Hi Andreas/Raghu/Community,

The ONAP Intermediate CA has expired and we would need someone with the private key of the Root Certificate (which is still valid until 2038) to generate another Intermediate CA if we want to use the same certificate chain.

The following articles have some relevant info:
https://wiki.onap.org/display/DW/AAF+Environment+-+Beijing#AAFEnvironmentBeijing-RootCertificate
https://wiki.onap.org/display/DW/Bootstrapping+AAF+Components

It looks like ONAP AT&T team members have been re-generating the certificates historically and should have the Root CA key.

Hello Catherine/Gervais, can you please see if it would be possible to align someone for this.

The other possibility would be to re-generate the Root + Intermediate certs to build a totally independent chain and consume it in the respective ONAP deployment; but that may be a long shot; beware of the effort and risks involved.

Regards
Girish

From: [email protected] <[email protected]> On Behalf Of Andreas Geissler
Sent: Tuesday, August 22, 2023 8:37 PM
To: [email protected]; [email protected]
Subject: Re: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi Raghu,

we are facing the same issue. The reason seems to be outdated root certificates in the truststore deployed by the cert-wrapper:
https://git.onap.org/oom/tree/kubernetes/common/cert-wrapper/resources?h=kohn&id=599764901bdf353c358be66fca47a41f3382b56e

Last time Sylvain recreated it in 2021 (https://git.onap.org/oom/commit/kubernetes/common/cert-wrapper/resources?h=kohn&id=77598b11c9c7bde715b324b91fbabb1b7b3c2ac9)

But I don't find any instructions on how to do that. If anyone has an idea, I could create a patch for OOM in the Kohn branch. In London we do not use AAF anymore...

Best regards
Andreas

From: [email protected] <[email protected]> On Behalf Of Raghu via lists.onap.org
Sent: Tuesday, August 22, 2023 05:47
To: [email protected]
Subject: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi,

When I tried to redeploy the sdc-be component, I got this error - "/!\ certificates retrieval failed".

In the error trace I see the errors below:

org.onap.aaf.misc.env.APIException: Cannot connect to 'https://aaf-locate.onap:8095/configure/[email protected]/aaf' (Root URI: 'https://aaf-locate.onap:8095')
Caused by: javax.net.ssl.SSLHandshakeException: NotAfter: Thu Aug 17 18:51:37 GMT 2023
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Aug 17 18:51:37 GMT 2023
cat: can't open '/opt/app/osaaf/local/org.onap.sdc.props': No such file or directory

Looks like the AAF certificate expired on 17-Aug-2023. Does anybody know how to renew this certificate or overcome this issue?

Thanks,
Raghu.
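
As an added example (not code from this thread or from ONAP), a small Python triage of the trace quoted in the original report: it takes the innermost "Caused by" entry, separates certificate expiry from other TLS handshake failures, and reports how long ago NotAfter passed. The function names and the evaluation time are assumptions; the trace text is the one from the message.

```python
import re
from datetime import datetime, timezone

# Trace lines as quoted in the thread (the address in the URL is redacted there).
TRACE = """\
org.onap.aaf.misc.env.APIException: Cannot connect to 'https://aaf-locate.onap:8095/configure/[email protected]/aaf' (Root URI: 'https://aaf-locate.onap:8095')
Caused by: javax.net.ssl.SSLHandshakeException: NotAfter: Thu Aug 17 18:51:37 GMT 2023
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Aug 17 18:51:37 GMT 2023
cat: can't open '/opt/app/osaaf/local/org.onap.sdc.props': No such file or directory
"""

def parse_java_date(text):
    """Parse java.util.Date.toString() output, e.g. 'Thu Aug 17 18:51:37 GMT 2023'."""
    parts = text.split()
    if len(parts) != 6 or parts[4] not in ("GMT", "UTC"):
        raise ValueError(f"unsupported date or zone: {text!r}")
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def triage(trace, now):
    """Classify the innermost 'Caused by' of a Java trace; `now` must be tz-aware."""
    endpoint = re.search(r"Root URI: '([^']+)'", trace)
    causes = re.findall(r"^Caused by: ([\w.$]+)(?:: (.*))?$", trace, re.MULTILINE)
    if not causes:
        return None
    exc, detail = causes[-1]  # the last "Caused by" is the root cause
    result = {"endpoint": endpoint.group(1) if endpoint else None,
              "root_cause": exc, "kind": "other",
              "not_after": None, "days_expired": None}
    if exc.endswith("CertificateExpiredException"):
        result["kind"] = "certificate_expired"
        m = re.match(r"NotAfter: (.+)", detail)
        if m:
            result["not_after"] = parse_java_date(m.group(1).strip())
            result["days_expired"] = (now - result["not_after"]).days
    elif exc.endswith("CertificateNotYetValidException"):
        result["kind"] = "certificate_not_yet_valid"
    elif exc.endswith("SSLHandshakeException"):
        result["kind"] = "tls_handshake_other"
    return result

if __name__ == "__main__":
    # Assumed evaluation time: the date of the first report, taken as UTC.
    print(triage(TRACE, datetime(2023, 8, 22, tzinfo=timezone.utc)))
```

The trace carries only the NotAfter value, not which certificate in the chain it belongs to, so the result points at the endpoint to inspect rather than at a specific certificate.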
