brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-280) br cli fails to login to brooklyn instances with self-signed SSL certs
Date Tue, 24 May 2016 18:12:12 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298645#comment-15298645
] 

ASF GitHub Bot commented on BROOKLYN-280:
-----------------------------------------

GitHub user johnmccabe opened a pull request:

    https://github.com/apache/brooklyn-client/pull/21

    fix BROOKLYN-280, add --skipSslChecks flag to work with self-signed certs

    - defaults to false, ie existing behaviour
    - setting to true disables certificate chain and hostname verificiation (see `InsecureSkipVerify`
in https://golang.org/pkg/crypto/tls/)
    - persisted to ~/.brooklyn_cli
    - also bumped version to `0.10.0-SNAPSHOT`
    
    ```
    bash-4.3$ br login https://10.10.10.100:8443/ admin password
    Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown authority
    bash-4.3$ br app
    Get https://10.10.10.100:8443/v1/applications: x509: certificate signed by unknown authority
    
    bash-4.3$ br --skipSslChecks login https://10.10.10.100:8443/ admin password
    Connected to Brooklyn version 0.10.0-20160513.2042 at https://10.10.10.100:8443
    bash-4.3$ br app
    Id   Name   Status   Location
    ```
    *Note*: I'd no apps running on this system so the empty table is ok, catalog returns as
expected.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/johnmccabe/brooklyn-client fix_BROOKLYN-280

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/brooklyn-client/pull/21.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #21
    
----
commit 7dc9b3f009d1b7dc7197622f81a84fcd191c731f
Author: John McCabe <john@johnmccabe.net>
Date:   2016-05-24T18:09:06Z

    fix BROOKLYN-280, add --skipSslChecks flag
    - defaults to false, ie existing behaviour
    - setting to true disables certificate chain and hostname verificiation (see `InsecureSkipVerify`
in https://golang.org/pkg/crypto/tls/)
    - persisted to ~/.brooklyn_cli
    
    ```
    bash-4.3$ br login https://10.10.10.100:8443/ admin password
    Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown authority
    bash-4.3$ br app
    Get https://10.10.10.100:8443/v1/applications: x509: certificate signed by unknown authority
    
    bash-4.3$ br --skipSslChecks login https://10.10.10.100:8443/ admin password
    Connected to Brooklyn version 0.10.0-20160513.2042 at https://10.10.10.100:8443
    bash-4.3$ br app
    Id   Name   Status   Location
    
    ```

----


> br cli fails to login to brooklyn instances with self-signed SSL certs
> ----------------------------------------------------------------------
>
>                 Key: BROOKLYN-280
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-280
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: John McCabe
>            Assignee: John McCabe
>
> Attempt to log into Brooklyn with a cert generated following the instructions on {{ops/brooklyn_properties}},
results in the following error:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: cannot validate certificate for
10.10.10.100 because it doesn't contain any IP SANs
> {code}
> Adding the IP SAN (add {{-ext san=IP:10.10.10.100}} to the {{keytool}} invocation on
JDK 1.7+) then results in:
> {code}
> # br login https://10.10.10.100:8443 admin mypassword
> Get https://10.10.10.100:8443/v1/server/version: x509: certificate signed by unknown
authority
> {code}
> I suspect we may need to be tolerate of self-signed certs without a trustchain, but do
so via a flag that the user must set explicitly, for example:
> {code}
> br login --trustall https://10.10.10.100 admin mypassword
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message