stratos-dev mailing list archives

From Ricardo Carvalho <Ricardo.Carva...@identity.pt>
Subject Re: Cartridge deployment can't access private git repository with custom CA certificate
Date Fri, 27 Mar 2015 10:25:37 GMT
Hi everyone.


So I ended up solving this problem, and it had nothing to do with certificates or credentials.
I double-checked the cartridge agent log, and noticed that at least the username credential
was being passed correctly, but the AsyncDataPublisher was having trouble connecting to the
main Apache Stratos instance.


So back in the main Apache Stratos instance, I noticed in the wso2carbon.log that the CEP
agent had never started at all, because of this exception:


java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available


Turns out I was running IBM Java, so I switched to Oracle Java and all the problems went away.
Should have paid more attention to my logs.


Thank you for all your help

Ricardo Carvalho

________________________________
From: Imesh Gunaratne <imesh@apache.org>
Sent: 27 March 2015 03:48
To: dev
Subject: Re: Cartridge deployment can't access private git repository with custom CA certificate

Hi Ricardo,

This is how we send Git credentials to the instance:

- We do not send Git credentials in the payload due to security reasons.
- Git password is encrypted using an auto-generated key.
- The above key is sent in the payload.
- Git credentials are sent in the Artifact Updated event.
- The cartridge agent listens to the above event and executes the Git clone/pull.

If you could share the cartridge agent log, which might be located in the /var/logs/apache-stratos/
folder, we should be able to investigate this further.

Thanks

On Thu, Mar 26, 2015 at 3:33 PM, Ricardo Carvalho <Ricardo.Carvalho@identity.pt> wrote:

Hi Chamila


Thanks for the suggestion, but the access is configured for HTTPS. The problem now is that
I can't find the repo credentials anywhere in the payload, even when I try submitting them
both through the web interface and the CLI tool. I also tried manually adding them to the
.git/config file, but since that folder is constantly being overwritten by the Artifact Coordinator,
all changes are overwritten.


Any help is appreciated.

Ricardo Carvalho

________________________________
From: Chamila De Alwis <chamilad@wso2.com>
Sent: 25 March 2015 15:36
To: dev
Subject: Re: Cartridge deployment can't access private git repository with custom CA certificate

Hi Ricardo,

AFAIR in Stratos 4.0.0, only git clone over HTTPS is supported with Username and Password
credentials. If it is possible please configure the git server for access over HTTPS.


Regards,
Chamila de Alwis
Software Engineer | WSO2 | +94772207163
Blog: http://code.chamiladealwis.com



On Wed, Mar 25, 2015 at 6:38 PM, Ricardo Carvalho <Ricardo.Carvalho@identity.pt> wrote:

Hi Imesh


Now that you mention it, I noticed there were no credentials in the payload, both when I subscribed
through the web interface and when I used "subscribe-cartridge" in the command-line tool.


Should I just add them to the launch-params file in the cartridge instance? Or am I missing
something in configuring Apache Stratos?


Thank you for your support

Ricardo Carvalho

________________________________
From: Imesh Gunaratne <imesh@apache.org>
Sent: 25 March 2015 00:31
To: dev
Subject: Re: Cartridge deployment can't access private git repository with custom CA certificate

Hi Ricardo,

It's nice to hear that you are trying to use Stratos 4.0.0.

I cannot recall whether we used a certificate to talk to the private Git repository from Cartridge
Agent but I know for sure that we need Git repository credentials. Can you please check whether
the Cartridge Agent has received Git repository credentials in the payload?

Thanks

On Tue, Mar 24, 2015 at 11:19 PM, Ricardo Carvalho <Ricardo.Carvalho@identity.pt> wrote:

Hi everyone.


I've followed the 4.0.0 installation guide and have managed to successfully deploy several
php and load balancer cartridges on an Openstack environment. However, a custom certificate
is needed to access the private git repo I indicated as the artifact source when deploying,
and the cartridge agent is failing when trying to access this git repo.


I added the certificate to /etc/ssl/certs/ca-certificates.crt, and can then use git clone
directly inside the cartridge instance with no problems. I tried adding the same certificate
to the client-truststore.jks keystore and even to the wso2carbon.jks in the Apache Stratos
VM, but I still get the following errors:


INFO CartridgeAgent Executing git checkout
2015-03-24 15:47:34,849 [-] [Thread-4]  INFO GitBasedArtifactRepository Initializing git context.
2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository local path /var/www/
2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository remote url <private repo URL redacted>
2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository tenant -1234
2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository Repo path returned : /var/www/
2015-03-24 15:47:34,935 [-] [Thread-4]  INFO GitBasedArtifactRepository caching repo context
2015-03-24 15:47:35,584 [-] [Thread-4] ERROR GitBasedArtifactRepository Accessing remote git repository failed for tenant -1234
org.eclipse.jgit.api.errors.TransportException: <private repo URL redacted>: not authorized
        at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
        at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:179)
        at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)


What's the best way to add a custom CA certificate to a cartridge so that it can access a
private git repository that requires it?


Thank you for all your hard work

Ricardo Carvalho



--
Imesh Gunaratne

Technical Lead, WSO2
Committer & PMC Member, Apache Stratos
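
Added example, not part of the original thread and not Apache Stratos code: a stand-alone Java check for the failure reported in the first message (java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available). It lists the KeyManagerFactory algorithms the running JVM registers and tests whether the name "SunX509" resolves; the class name KmfCheck is an assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;

// Added diagnostic (hypothetical class, not Stratos code): reports which
// KeyManagerFactory algorithms this JVM provides and whether "SunX509" resolves.
public class KmfCheck {

    // Collect every KeyManagerFactory algorithm registered by any provider.
    static Set<String> availableAlgorithms() {
        Set<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyManagerFactory".equals(s.getType())) {
                    names.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return names;
    }

    // True if the named algorithm can be instantiated on this JVM.
    static boolean resolves(String algorithm) {
        try {
            KeyManagerFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("KeyManagerFactory algorithms: " + availableAlgorithms());

        // The JVM's configured default (security property ssl.KeyManagerFactory.algorithm).
        String def = KeyManagerFactory.getDefaultAlgorithm();
        System.out.println("default algorithm = " + def + ", resolves: " + resolves(def));

        boolean sunX509 = resolves("SunX509");
        System.out.println("hard-coded SunX509 resolves: " + sunX509);
        if (!sunX509) {
            System.out.println("Code requesting \"SunX509\" by name will throw "
                + "NoSuchAlgorithmException on this JVM.");
        }
    }
}
```

Run it with the same java binary that starts the Stratos server. IBM's JSSE provider registers IbmX509 rather than SunX509, which is why a hard-coded algorithm name fails there while the JVM's default algorithm still resolves.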



