#8638 fedora-messaging cert (stg|prod) for monitor_gating
Closed: Fixed a month ago by pingou. Opened 2 months ago by pingou.

I would like to start deploying in our openshift the monitor_gating project: https://pagure.io/fedora-ci/monitor-gating
The project will report its output via fedora-messaging for this it needs certificates.

For fedmsg there was a script/README in the repo on how to generate these certificates, could we add a similar one for the fedora-messaging certs?

So, basically in ansible-private there is a files/rabbitmq/ dir. In that is a production and a staging subdir.

Go to the staging subdir and run:

/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass

(note that for stg we always make the name .stg so that ansible scripts work with it)

Then, go to the production dir and:

/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating nopass

(note: no .stg here).

git add .
git commit -s -a -m 'Added fedora-messaging certs for monitor-gating' and push. Done.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

Thanks for fixing the ticket and describing the fix btw :)

Metadata Update from @pingou:
- Issue status updated to: Open (was: Closed)

a month ago

Ok, it looks like the staging certs do not exist.

I've tried to generate them myself and this is the outcome:

/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'
Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'monitor-gating.stg'
Certificate is to be certified until Feb  9 14:52:07 2023 GMT (1080 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

[pingou@batcave01 staging{master}] git s
 M pki/.rnd
 D pki/extensions.temp
 M pki/safessl-easyrsa.cnf
 M pki/serial
?? pki/private/monitor-gating.stg.key
?? pki/reqs/monitor-gating.stg.req

So the .key and .req are being created but not the .crt.

Any idea?

Are you in the ansible-private/files/rabbitmq/staging dir when you run the command?

Note: if you check the git show <hash> --stat of the commit in which you made the production certs, there are some changes related to staging.

I think I've fixed it, so the issue was exactly:

failed to update database
TXT_DB error number 2

Some research led me to find: https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/ which explains the problem.
I then did a git grep monitor-gating, found that it was mentioned in the index.txt (and its .old). Removing the line from these two files and re-running the command led to the correct creation of the certificate.

Closing this one again :)

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

Login to comment on this ticket.