I would like to start deploying in our openshift the monitor_gating project: https://pagure.io/fedora-ci/monitor-gating. The project will report its output via fedora-messaging; for this it needs certificates.
For fedmsg there was a script/README in the repo on how to generate these certificates; could we add a similar one for the fedora-messaging certs?
So, basically in ansible-private there is a files/rabbitmq/ dir. In that is a production and a staging subdir.
Go to the staging subdir and run:
/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass
(note that for stg we always make the name .stg so that ansible scripts work with it)
Then, go to the production dir and:
/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating nopass
(note: no .stg here).
git add .
git commit -s -a -m 'Added fedora-messaging certs for monitor-gating'
and push. Done.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Documented in: https://pagure.io/Fedora-Infra/howtos/blob/master/f/fedora_messaging_certificates.md
Thanks for fixing the ticket and describing the fix btw :)
Metadata Update from @pingou: - Issue status updated to: Open (was: Closed)
Ok, it looks like the staging certs do not exist.
I've tried to generate them myself and this is the outcome:
/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.+++
.....+++
writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'
-----
Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'monitor-gating.stg'
Certificate is to be certified until Feb 9 14:52:07 2023 GMT (1080 days)
failed to update database
TXT_DB error number 2
Easy-RSA error: signing failed (openssl output above may have more detail)
[pingou@batcave01 staging{master}] git s
M pki/.rnd
D pki/extensions.temp
M pki/safessl-easyrsa.cnf
M pki/serial
?? pki/private/monitor-gating.stg.key
?? pki/reqs/monitor-gating.stg.req
So the .key and .req are being created but not the .crt.
Any idea?
Are you in the ansible-private/files/rabbitmq/staging dir when you run the command?
@kevin yes :(
Note: if you check the git show <hash> --stat of the commit in which you made the production certs, there are some changes related to staging.
I think I've fixed it, so the issue was exactly:
failed to update database TXT_DB error number 2
Some research led me to find: https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/ which explains the problem. I then did a git grep monitor-gating, found that it was mentioned in the index.txt (and its .old). Removing the line from these two files and re-running the command led to the correct creation of the certificate.
Closing this one again :)
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
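A pre-flight check for the failure discussed in this ticket, as an added example that is not part of the thread or of the Fedora infrastructure scripts: openssl ca reports TXT_DB error number 2 when the new row would clash with one already in index.txt, either a valid row with the same subject (when unique_subject is enabled) or any row with the same serial. The function names and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# index.txt columns are tab-separated:
#   status (V/R/E), expiry, revocation date, serial, filename, subject DN

# Print every valid (V) row whose subject has exactly CN=$1 in index file $2.
valid_entries_for_cn() {
    awk -F '\t' -v cn="$1" '
        $1 == "V" {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "CN=" cn) { print; break }
        }' "$2"
}

# Succeed (exit 0) if serial $1 (hex, any case) already appears in index file $2.
serial_in_use() {
    awk -F '\t' -v s="$1" 'toupper($4) == toupper(s) { found = 1 }
        END { exit !found }' "$2"
}

# preflight CN NEXT_SERIAL INDEX: return 0 if signing should not clash, 1 otherwise.
preflight() {
    rc=0
    hits=$(valid_entries_for_cn "$1" "$3")
    if [ -n "$hits" ]; then
        printf 'valid entry for CN %s already present:\n%s\n' "$1" "$hits" >&2
        rc=1
    fi
    if serial_in_use "$2" "$3"; then
        printf 'serial %s already present in %s\n' "$2" "$3" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample database; serials and dates are made up.
make_sample_index() {
    printf 'V\t230209145207Z\t\t0A\tunknown\t/CN=monitor-gating.stg\n' > "$1"
    printf 'R\t230101000000Z\t200301000000Z\t0B\tunknown\t/CN=old-client.stg\n' >> "$1"
    printf 'V\t230301000000Z\t\t0C\tunknown\t/CN=monitor-gating.stg.extra\n' >> "$1"
}

# Stand-alone use: sh preflight.sh <cn> <next-serial> <path-to-index.txt>
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

In an easy-rsa 3 tree the next serial is the content of pki/serial, so a call from the staging directory would look like `preflight monitor-gating.stg "$(cat pki/serial)" pki/index.txt`.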