I have to correct myself: the AAF services also have the same problems, e.g. aaf-sms-preload:

Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: dial tcp 10.233.57.27:10443: connect: connection refused
Waiting for SMS to accept requests...
Get https://aaf-sms.onap:10443/v1/sms/quorum/status: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "intermediateCA_9")

From: Geissler, Andreas
Sent: Tuesday, 19 September 2023 16:02
To: onap-discuss@lists.onap.org; gamerslo...@gmail.com; Raghu <raghavendra...@ril.com>
Subject: RE: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi again,

with my patch so far the AAF component is up and running.
But the clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.
The aaf-config container logs show valid certificates:

#### Validate Configuration and Certificate with live call
2023-09-19T13:41:50.219+0000 INIT [cadi] cadi_keyfile points to /opt/app/osaaf/local/org.onap.sdc.keyfile
2023-09-19T13:41:50.255+0000 INIT [cadi] https.protocols set by cadi_protocols in CADI Properties
2023-09-19T13:41:50.256+0000 INIT [cadi] jdk.tls.client.protocols set from Default Protocols
Validating Configuration...
2023-09-19T13:41:51.209+0000 INIT [cadi] X509 Chain
  0)
    Subject: C=US, O=ONAP, OU=OSAAF, OU=s...@sdc.onap.org:DEV, CN=sdc
    Issuer : CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
    Expires: Thu Sep 19 13:41:49 GMT 2024
  1)
    Subject: CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
    Issuer : C=US, O=ONAP, OU=OSAAF, CN=RootCA
    Expires: Sun Sep 03 15:34:33 GMT 2028

but later the connection to aaf-locate fails with “No trusted certificate found”:

2023-09-19T13:41:51.436+0000 DEBUG [cadi] Root URI: https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1
2023-09-19T13:41:51.530+0000 INFO [cadi] AAFLocator enabled using https://aaf-locate.onap:8095
2023-09-19T13:41:51.811+0000: Error connecting https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1 for location.
org.onap.aaf.misc.env.APIException: Cannot connect to 'https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1' (Root URI: 'https://aaf-locate.onap:8095/locate/onap.org.osaaf.aaf.service:2.1')
    at org.onap.aaf.cadi.http.HClient.send(HClient.java:159)
    at org.onap.aaf.cadi.aaf.v2_0.AAFLocator.refresh(AAFLocator.java:145)
    at org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator._refresh(AbsAAFLocator.java:176)
    at org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator.hasItems(AbsAAFLocator.java:213)
    at org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator.best(AbsAAFLocator.java:238)
    at org.onap.aaf.cadi.http.HMangr.best(HMangr.java:161)
    at org.onap.aaf.cadi.aaf.v2_0.AAFConHttp.best(AAFConHttp.java:180)
    at org.onap.aaf.cadi.configure.Agent.validate(Agent.java:1139)
    at org.onap.aaf.cadi.configure.Agent.main(Agent.java:342)
Caused by: javax.net.ssl.SSLHandshakeException: No trusted certificate found
…

Any idea what changes might be required in the cert-initializer template?

Best regards
Andreas

From: Geissler, Andreas
Sent: Monday, 18 September 2023 15:49
To: onap-discuss@lists.onap.org; gamerslo...@gmail.com; Raghu <raghavendra...@ril.com>
Subject: RE: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi all,

thanks to your great fixes I now tried to create a patch in OOM to solve the issue without touching the aaf_config image.
https://gerrit.onap.org/r/c/oom/+/135975?usp=search
I used Louis’s solution and mounted the updated files to the aaf_config container.
I will test it in my Lab…

Best regards
Andreas

From: onap-discuss@lists.onap.org <onap-discuss@lists.onap.org> On behalf of gamerslo...@gmail.com
Sent: Thursday, 7 September 2023 09:37
To: Raghu <raghavendra...@ril.com>; onap-discuss@lists.onap.org
Subject: Re: [onap-discuss] /!\ certificates retrieval failed #aaf #sdc #x509

Hi all,

I want to share a temporary solution to fix this issue.
You can follow these instructions to issue new certificates:
Create AAF CA certificates - Developer Wiki - Confluence (onap.org) <https://wiki.onap.org/display/DW/Create+AAF+CA+certificates?focusedCommentId=188514380&refresh=1693858440010#comment-188514380>
Or if you are using oom and single node K8s, you can follow this one to quickly fix oom:
Create AAF CA certificates - Developer Wiki - Confluence (onap.org) <https://wiki.onap.org/display/DW/Create+AAF+CA+certificates?refresh=1694070257325&refresh=1694070642436&refresh=1694070686230&focusedCommentId=188514501&refresh=1694070998132#comment-188514501>

Hope this can be of some help.

Regards,
Louis.
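Added example, not part of the thread and not ONAP code: a Go reproduction of one condition that yields the "certificate signed by unknown authority (possibly because of ... candidate authority certificate "intermediateCA_9")" message, namely a truststore that still holds an older certificate with the same subject name as a re-issued intermediate but a different key. The certificates are constructed in memory, only the names RootCA, intermediateCA_9 and sdc are taken from the logs, Ed25519 keys stand in for the RSA keys of the real chain, and whether this is what happened in the deployment discussed here is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed certificate for cn with a fresh key; a nil parent means self-signed.
func issue(cn string, serial int64, use x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: use, IsCA: use&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func verify(leaf, root, inter *x509.Certificate) error { // inter: the only intermediate the client knows
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// demo signs the leaf with a re-issued intermediateCA_9, then verifies it against the old and the new one.
func demo() (staleErr, freshErr error, keyIDMatch bool) {
	root, rootKey := issue("RootCA", 1, x509.KeyUsageCertSign, nil, nil)
	stale, _ := issue("intermediateCA_9", 2, x509.KeyUsageCertSign, root, rootKey)
	fresh, freshKey := issue("intermediateCA_9", 3, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("sdc", 4, x509.KeyUsageDigitalSignature, fresh, freshKey)
	return verify(leaf, root, stale), verify(leaf, root, fresh), bytes.Equal(leaf.AuthorityKeyId, stale.SubjectKeyId)
}

func main() {
	fmt.Println(demo())
}
```

The third result compares the leaf's Authority Key Identifier with the truststore intermediate's Subject Key Identifier; a mismatch between two certificates that share a subject name is a quick way to spot this condition in a deployed truststore.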