Kitware / HPCCloud-deploy

VM Deploy for HPC-Cloud
Apache License 2.0

Add support MongoDB SSL connections #97

Closed cjh1 closed 7 years ago

TristanWright commented 7 years ago

Do I need to vagrant destroy && up?

cjh1 commented 7 years ago

Yes, it would be good if you could test with a PEM file as well. The following can be used to generate a self-signed cert.

openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

Then set the ansible variable mongodb_ssl_pem_path to point to it and set mongodb_ssl_self_signed: yes. These variables can be added to the all file.

TristanWright commented 7 years ago

With those ansible variables set I got the VM up. I had to run provision afterwards, kept getting this error when girder was starting up:

TASK [Wait for Girder to start] ************************************************
task path: /Users/tristan/Envs/girder/HPCCloud-deploy/ansible/site.yml:105
fatal: [hpccloud-vm]: FAILED! => {"changed": false, "elapsed": 300, "failed": true, "msg": "Timeout when waiting for 127.0.0.1:8080"}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @ansible/site.retry

PLAY RECAP *********************************************************************
hpccloud-vm                : ok=100  changed=63   unreachable=0    failed=1   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

Looks ok though, is there a way to validate that we're using ssl between the mongodb or is that unnecessary?
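One way to answer the validation question in the comment above, as an added example that is not part of the original thread or of HPCCloud-deploy's own code: a standard-library probe that checks whether the MongoDB port completes a TLS handshake and whether it presents the expected self-signed certificate. The function name `probe_mongod_tls`, the address 127.0.0.1:27017 (MongoDB's default port) and running it from inside the VM are assumptions.

```python
import socket
import ssl


def probe_mongod_tls(host, port=27017, ca_file=None, timeout=5.0):
    """Report whether host:port answers a TLS handshake, and whether its cert is trusted.

    ca_file: PEM certificate to trust exclusively (for example the self-signed
    mongodb-cert.crt generated above); None means "only check that TLS is spoken".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # a self-signed test cert rarely matches the host name
    if ca_file:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"reachable": False, "tls": False, "reason": str(exc)}

    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"reachable": True, "tls": True, "trusted": bool(ca_file),
                    "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # The peer spoke TLS but presented a certificate we were not told to trust.
        return {"reachable": True, "tls": True, "trusted": False,
                "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Garbage, reset or EOF in reply to ClientHello: the port is not serving TLS.
        return {"reachable": True, "tls": False, "reason": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    # Assumed: run inside the VM, next to the certificate file generated earlier.
    print(probe_mongod_tls("127.0.0.1", ca_file="mongodb-cert.crt"))
```

A successful handshake shows that the port accepts TLS, not that it refuses plaintext; that depends on the server's SSL mode (for example `requireSSL`), which this probe does not test.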

cjh1 commented 7 years ago

@TristanWright There should be no ansible errors; the fact that girder can't start is not a good sign. Let's do a little debugging when you get in.

cjh1 commented 7 years ago

@TristanWright Thanks for the typo fixes

TristanWright commented 7 years ago

I'm getting a new error when trying to get paraview:

TASK [paraview : Download ParaView] ********************************************
task path: /Users/tristan/Envs/girder/HPCCloud-deploy/demo/roles/paraview/tasks/main.yml:20
fatal: [hpccloud-vm]: FAILED! => {"changed": false, "failed": true, "msg": "SSL Certificate does not belong to www.paraview.org.  Make sure the url has a certificate that belongs to it or use validate_certs=False (insecure)"}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @demo/site.retry

PLAY RECAP *********************************************************************
hpccloud-vm                : ok=13   changed=0    unreachable=0    failed=1   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

I've gotten this several times now on up and provision.
DEMO=1 is set, I haven't gotten the original error above again though, I think this could be merged?

TristanWright commented 7 years ago

Ran again and not seeing the paraview download error anymore. huh.