#9603 TLS certs/config for fedora-messaging and CentOS Stream kojihub notifications
Closed: Fixed 3 years ago by arrfab. Opened 3 years ago by arrfab.

The CentOS infra team was tasked to plumb fedora-messaging notifications from our kojihub, so I already had a quick look at rebuilding/tagging fedora-messaging itself (for 8-stream) but we need TLS certs for authentication.
As we'd like to first test the ansible role in our staging environment, can you (securely, through GPG-encrypted mail) send us the TLS key/cert/CA and also the config to use?

It would be good to also have someone confirm that message payloads are landing correctly.


Tracked also in internal tracker CPE-1032 (fyi)

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain, ops, websites-general

3 years ago

What name would you like to use for this? The name of the cert is also the username in rabbitmq and the queue (I assume you are sending messages also?)

That's a very good question, @bstinson or Mohan would probably be able to help with this.
Don't have details but it would be indeed publishing build notifications for new Stream infra, but we'd need to set up a test environment for this in dev/stg first (and have our role rolled out there to confirm that it works).

Created centos-koji certs and given to @bstinson

Metadata Update from @mohanboddu:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @arrfab:
- Issue status updated to: Open (was: Closed)

3 years ago

Just need some info: fedora-messaging itself contains some CA certs: cacert.pem and stg-cacert.pem

The one we got is only for prod:

openssl verify -CAfile cacert.pem centos-koji.crt 
centos-koji.crt: OK

What about staging for testing? Do you confirm that for our dev/stg we can send to prod directly? Or do we need (as initially requested) another cert signed by stg-cacert.pem (aka "Subject: CN = RabbitMQ STAGING CA")?

Thanks for confirmation before I use the prod one to an incorrect queue.

Got confirmation that it works on both (.stg. rabbitmq exposes prod CA)

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
