RedHat-Middleware-Workshops / dayinthelife-integration

Day in the Life Agile Integration Workshop

Certs applied seem to be self-signed. #182

Open weimeilin79 opened 5 years ago

weimeilin79 commented 5 years ago

The certs on this URL https://location-userX-api-staging.amp.dil1.opentry.me/locations, e.g. https://location-user1-api-staging.amp.dil1.opentry.me/locations, seem to be self-signed and untrusted by the browser, causing issues when calling via JavaScript.


@jasonmadigan @aidenkeating

jasonmadigan commented 5 years ago

@pmccarthy

pmccarthy commented 5 years ago

@weimeilin79 @jasonmadigan Both DIL and DIL1 have been updated with valid certs for the 3scale wildcard route, see below:

curl -v https://location-user1-api-staging.amp.dil.opentry.me/locations
...
* Server certificate:
*  subject: CN=amp.dil.opentry.me
*  start date: Nov  1 09:24:30 2018 GMT
*  expire date: Jan 30 09:24:30 2019 GMT
*  subjectAltName: host "location-user1-api-staging.amp.dil.opentry.me" matched cert's "*.amp.dil.opentry.me"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
...
curl -v https://location-user1-api-staging.amp.dil1.opentry.me/locations
...
* Server certificate:
*  subject: CN=amp.dil1.opentry.me
*  start date: Nov  1 09:22:50 2018 GMT
*  expire date: Jan 30 09:22:50 2019 GMT
*  subjectAltName: host "location-user1-api-staging.amp.dil1.opentry.me" matched cert's "*.amp.dil1.opentry.me"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
...

VinayBhalerao commented 5 years ago

Looks like the issue is back

Date: Nov 21st, 2018
Cluster: opentry.dil.me
username: user65


pmccarthy commented 5 years ago

@VinayBhalerao This issue should now be resolved. Adding valid certificates to the wildcard route is a manual task that needs to be performed by the Integreatly SRE team. While re-provisioning the DIL environment we must have missed this step. I've updated our internal SOP documents to include this step so that this doesn't happen again. We'll also ensure that this change makes it on to the DIL1 environment also.

Validation

curl -v https://location-user1-api-staging.amp.dil.opentry.me/locations

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=amp.dil.opentry.me
*  start date: Nov  1 09:24:30 2018 GMT
*  expire date: Jan 30 09:24:30 2019 GMT
*  subjectAltName: host "location-user1-api-staging.amp.dil.opentry.me" matched cert's "*.amp.dil.opentry.me"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
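
A check that could run after each re-provisioning, given here as an added example (not code from the workshop repository or from anyone in this thread): it parses `curl -v` output like the validation above and reports an untrusted chain, a self-signed certificate, or an approaching expiry. The function names, the 30-day threshold and the second sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Verbose output copied from the validation step in the thread above.
VALID = """\
* Server certificate:
*  subject: CN=amp.dil.opentry.me
*  start date: Nov  1 09:24:30 2018 GMT
*  expire date: Jan 30 09:24:30 2019 GMT
*  subjectAltName: host "location-user1-api-staging.amp.dil.opentry.me" matched cert's "*.amp.dil.opentry.me"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
"""

# Constructed sample (not from the thread): what `curl -vk` shows for a
# self-signed route certificate, i.e. issuer equal to subject and no "verify ok".
SELF_SIGNED = """\
* Server certificate:
*  subject: CN=router.example.test
*  start date: Nov 20 10:00:00 2018 GMT
*  expire date: Nov 20 10:00:00 2020 GMT
*  issuer: CN=router.example.test
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
"""

FIELD = re.compile(r"^\*\s+(subject|issuer|start date|expire date):\s*(.+?)\s*$", re.M)

def parse_cert(verbose):
    """Pull the certificate fields out of curl -v output."""
    cert = dict(FIELD.findall(verbose))
    cert["verify_ok"] = "SSL certificate verify ok." in verbose
    return cert

def _when(text):
    # curl pads single-digit days with two spaces; collapse before parsing.
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)

def findings(verbose, now, warn_days=30):
    """Return a list of problems; an empty list means the route looks healthy."""
    cert, out = parse_cert(verbose), []
    if not cert["verify_ok"]:
        out.append("chain not trusted")
    if "issuer" in cert and cert["issuer"] == cert.get("subject"):
        out.append("self-signed")
    left = (_when(cert["expire date"]) - now).days
    if left < 0:
        out.append("expired")
    elif left < warn_days:
        out.append(f"expires in {left} days")
    return out
```

Feed it the verbose output of `curl -v`, which curl writes to stderr; when the chain is not trusted, `curl -vk` is needed so that the certificate fields are still printed.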

VinayBhalerao commented 5 years ago

The issue is reproducible on dil.opentry.me

Date: Jan 14th, 2019
Cluster: opentry.dil.me
username: user70
