Hi again,

With my patch so far, the AAF component is up and running.
But the clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.
The aaf-config container logs show valid certificates:

#### Validate Configuration and Certificate with live call
2023-09-19T13:41:50.219+0000 INIT [cadi] cadi_keyfile points to 
/opt/app/osaaf/local/org.onap.sdc.keyfile
2023-09-19T13:41:50.255+0000 INIT [cadi] https.protocols set by cadi_protocols 
in CADI Properties
2023-09-19T13:41:50.256+0000 INIT [cadi] jdk.tls.client.protocols set from 
Default Protocols
Validating Configuration...
2023-09-19T13:41:51.209+0000 INIT [cadi] X509 Chain
  0)
    Subject: C=US, O=ONAP, OU=OSAAF, OU=s...@sdc.onap.org:DEV, CN=sdc
    Issuer : CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
    Expires: Thu Sep 19 13:41:49 GMT 2024
  1)
    Subject: CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
    Issuer : C=US, O=ONAP, OU=OSAAF, CN=RootCA
    Expires: Sun Sep 03 15:34:33 GMT 2028

But later the connection to aaf-locate fails with “No trusted certificate found”:

2023-09-19T13:41:51.436+0000 DEBUG [cadi] Root URI: 
https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1
2023-09-19T13:41:51.530+0000 INFO [cadi] AAFLocator enabled using 
https://aaf-locate.onap:8095
2023-09-19T13:41:51.811+0000: Error connecting 
https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1 for location.
org.onap.aaf.misc.env.APIException: Cannot connect to 
'https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1' (Root URI: 
'https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1')
      at org.onap.aaf.cadi.http.HClient.send(HClient.java:159)
      at org.onap.aaf.cadi.aaf.v2_0.AAFLocator.refresh(AAFLocator.java:145)
      at 
org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator._refresh(AbsAAFLocator.java:176)
      at 
org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator.hasItems(AbsAAFLocator.java:213)
      at org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator.best(AbsAAFLocator.java:238)
      at org.onap.aaf.cadi.http.HMangr.best(HMangr.java:161)
      at org.onap.aaf.cadi.aaf.v2_0.AAFConHttp.best(AAFConHttp.java:180)
      at org.onap.aaf.cadi.configure.Agent.validate(Agent.java:1139)
      at org.onap.aaf.cadi.configure.Agent.main(Agent.java:342)
Caused by: javax.net.ssl.SSLHandshakeException: No trusted certificate found
…

Any idea what changes might be required in the cert-initializer template?
Best regards
Andreas


From: Geissler, Andreas
Sent: Monday, 18 September 2023 15:49
To: onap-discuss@lists.onap.org; gamerslo...@gmail.com; Raghu <raghavendra...@ril.com>
Subject: RE: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi all,

Thanks to your great fixes, I have now tried to create a patch in OOM to solve the issue without touching the aaf_config image.
https://gerrit.onap.org/r/c/oom/+/135975?usp=search

I used Louis’s solution and mounted the updated files to the aaf_config container.
I will test it in my lab.

Best regards
Andreas

From: onap-discuss@lists.onap.org <onap-discuss@lists.onap.org> On Behalf Of gamerslo...@gmail.com
Sent: Thursday, 7 September 2023 09:37
To: Raghu <raghavendra...@ril.com>; onap-discuss@lists.onap.org
Subject: Re: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509


Hi all,
I want to share a temporary solution to fix this issue.
You can follow these instructions to issue new certificates: Create AAF CA certificates - Developer Wiki - Confluence (onap.org) <https://wiki.onap.org/display/DW/Create+AAF+CA+certificates?focusedCommentId=188514380&refresh=1693858440010#comment-188514380>
Or, if you are using OOM and single-node K8s, you can follow this one to quickly fix OOM: Create AAF CA certificates - Developer Wiki - Confluence (onap.org) <https://wiki.onap.org/display/DW/Create+AAF+CA+certificates?refresh=1694070257325&refresh=1694070642436&refresh=1694070686230&focusedCommentId=188514501&refresh=1694070998132#comment-188514501>

Hope this can be of some help.

Regards,
Louis.


