sara-nl / irods-msi-persistent-id

iRODS microservices for managing EPIC PIDs

new parameter cacert #12

Open cookie33 opened 5 years ago

cookie33 commented 5 years ago

There is a new parameter cacert in the sections: handle and lookup. It can be used when the parameter insecure is set to false.

Before (with the epic client) we could set it to:

/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

This does not work with the msipid. There it has to be:

/etc/pki/ca-trust/source/anchors/TERENA-SSL-CA-3.pem

Is this intentional?

The error is otherwise:

Mar 20 11:28:26 pid:13405 NOTICE: Agent process 14658 started for puser=robertv and cuser=robertv from <bla>
* About to connect() to <fqdn> port 8003 (#0)
*   Trying x.y.z.q..
* Connected to <fqdn> (x.y.z.q) port 8003 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
  CApath: none
* Server certificate:
*       subject: CN=<fqdn>,OU=OSD,O=SURFsara B.V.,L=Amsterdam,C=NL
*       start date: Oct 17 00:00:00 2018 GMT
*       expire date: Oct 21 12:00:00 2020 GMT
*       common name: <fqdn>
*       issuer: CN=TERENA SSL CA 3,O=TERENA,L=Amsterdam,ST=Noord-Holland,C=NL
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
Mar 20 11:28:26 pid:14658 ERROR: failed to delete handle: caused by: execMicroService3: error when executing microservice
Mar 20 11:28:26 pid:14658 ERROR: http code: 0 (Unknown Error)
curl code: 60 (Peer certificate cannot be authenticated with given CA certificates)
success:   0
hdl resp:  0 (Unknown)
success:   0
jsonError: 1
handle:
Mar 20 11:28:26 pid:14658 NOTICE: readAndProcClientMsg: received disconnect msg from client
Mar 20 11:28:26 pid:14658 NOTICE: Agent exiting with status = 0

stefan-wolfsheimer commented 5 years ago

Two possible solutions:

First solution: reformat CRT to PEM files. Split the bundle into multiple crt files and convert them to pem:

 mkdir cabundles
 mkdir pembundles
 # one file per certificate block in the system trust bundle
 awk '/BEGIN/ { i++; } /BEGIN/, /END/ { print > "cabundles/"i".extracted.crt" }' ca-bundle.trust.crt
 cd cabundles
 # re-encode each block as a plain PEM certificate
 for i in *.crt; do openssl x509 -in "$i" -inform pem -outform pem -out "../pembundles/$i.pem"; done
 cd ..
 cat pembundles/*.pem > ca-bundle.trust.pem

(Note: I also added the option to choose a path to cert files, not yet committed though)

Second solution: link the microservice against libcurl with OpenSSL as SSL engine. NSS (default on CentOS) does not support crt files. It worked on Ubuntu when I installed libcurl-openssl. Unfortunately there seems to be no official CentOS package with libcurl and OpenSSL backend. The CLI handle tool seems to work when linking against this unofficial package:
https://linuxsoft.cern.ch/cern/centos/7/cern/x86_64/repoview/libcurl-openssl.html
I still don't know if it will be easy to link the microservice against it (because it is a shared library that is loaded by iRODS). Furthermore it is not desirable to depend on unofficial packages.
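The awk/openssl loop from the first solution above, redone as an added Python example (not code from the issue or the repository): it splits a bundle into plain CERTIFICATE PEM blocks and, for TRUSTED CERTIFICATE blocks such as those in ca-bundle.trust.crt, drops the trust-attribute structure that OpenSSL's X509_AUX format appends after the certificate DER, which is the part an NSS-linked libcurl cannot consume. SAMPLE_BUNDLE is a constructed two-block stand-in, not a real CA.

```python
import base64
import re

# One PEM block; the label is captured so TRUSTED CERTIFICATE can be told from CERTIFICATE.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)

def der_total_length(der):
    """Return header + content length of the first DER element in `der`."""
    if len(der) < 2:
        raise ValueError("truncated DER header")
    first = der[1]
    if first < 0x80:                   # short form: the length is this byte
        return 2 + first
    num_octets = first & 0x7F          # long form: the next N bytes hold the length
    if num_octets == 0 or num_octets > 4 or len(der) < 2 + num_octets:
        raise ValueError("unsupported or truncated DER length")
    return 2 + num_octets + int.from_bytes(der[2:2 + num_octets], "big")

def to_plain_pem(der):
    """Wrap certificate DER as a plain PEM CERTIFICATE block, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def split_trust_bundle(bundle_text):
    """Return a plain CERTIFICATE PEM block for every certificate in the bundle.
    TRUSTED CERTIFICATE blocks (OpenSSL X509_AUX format) carry the certificate DER followed
    by a trust-attribute structure; only the leading certificate SEQUENCE is kept."""
    certs = []
    for match in PEM_BLOCK.finditer(bundle_text):
        if match.group("label") not in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
            continue                   # keys, CRLs and other labels are skipped
        der = base64.b64decode("".join(match.group("body").split()))
        if der[:1] != b"\x30":
            raise ValueError("PEM body is not a DER SEQUENCE")
        certs.append(to_plain_pem(der[:der_total_length(der)]))
    return certs

# Constructed sample, not a real CA: a 5-byte stand-in "certificate" SEQUENCE,
# once with an appended empty aux SEQUENCE (TRUSTED form) and once plain.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"
FAKE_AUX_DER = b"\x30\x00"
SAMPLE_BUNDLE = (
    "-----BEGIN TRUSTED CERTIFICATE-----\n"
    + base64.b64encode(FAKE_CERT_DER + FAKE_AUX_DER).decode("ascii")
    + "\n-----END TRUSTED CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_CERT_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
```

Running it over the real bundle and concatenating the result gives a single PEM file that can be pointed at from the cacert parameter; checking the output with openssl x509 -noout -subject per block confirms nothing was truncated.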

stefan-wolfsheimer commented 5 years ago

@cookie33 as discussed, we won't fix it. Please adjust the documentation and close the issue.