stratos-dev mailing list archives

From Imesh Gunaratne <im...@apache.org>
Subject Re: Cartridge deployment can't access private git repository with custom CA certificate
Date Sat, 28 Mar 2015 06:39:10 GMT
Hi Ricardo,

It's nice to hear that you were able to solve this problem. Thanks for
sharing your experience!

Thanks

On Fri, Mar 27, 2015 at 3:55 PM, Ricardo Carvalho <
Ricardo.Carvalho@identity.pt> wrote:

>  Hi everyone.
>
>
>  So I ended up solving this problem, and it had nothing to do with
> certificates or credentials. I double-checked the cartridge agent log, and
> noticed that at least the username credential was being passed correctly,
> but the AsyncDataPublisher was having trouble connecting to the main Apache
> Stratos instance.
>
>
>  So back in the main Apache Stratos instance, I noticed in the
> wso2carbon.log that the CEP agent had never started at all, because of this
> exception:
>
>
>  java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not
> available
>
>
>  Turns out I was running IBM Java, so I switched to Oracle Java and all
> the problems went away. Should have paid more attention to my logs.
>
>
>  Thank you for all your help
>
> Ricardo Carvalho
>  ------------------------------
> *From:* Imesh Gunaratne <imesh@apache.org>
> *Sent:* 27 March 2015 03:48
>
> *To:* dev
> *Subject:* Re: Cartridge deployment can't access private git repository
> with custom CA certificate
>
>  Hi Ricardo,
>
>  This is how we send Git credentials to the instance:
>
>  - We do not send Git credentials in the payload due to security reasons.
> - Git password is encrypted using an auto-generated key.
> - The above key is sent in the payload.
> - Git credentials are sent in the Artifact Updated event.
> - Cartridge agent listens to the above event and executes the Git clone/pull.
>
>  If you could share the cartridge agent log which might be located in
> /var/logs/apache-stratos/ folder, we should be able to investigate this
> further.
>
>  Thanks
>
> On Thu, Mar 26, 2015 at 3:33 PM, Ricardo Carvalho <
> Ricardo.Carvalho@identity.pt> wrote:
>
>>  Hi Chamila
>>
>>
>>  Thanks for the suggestion, but the access is configured for HTTPS. The
>> problem now is that I can't find the repo credentials anywhere in the
>> payload, even when I try submitting them both through the web interface and
>> the CLI tool. I also tried manually adding them to the .git/config file,
>> but since that folder is constantly being overwritten by the Artifact
>> Coordinator, all changes are overwritten.
>>
>>
>>  Any help is appreciated.
>>
>> Ricardo Carvalho
>>  ------------------------------
>> *From:* Chamila De Alwis <chamilad@wso2.com>
>> *Sent:* 25 March 2015 15:36
>>
>> *To:* dev
>> *Subject:* Re: Cartridge deployment can't access private git repository
>> with custom CA certificate
>>
>>   Hi Ricardo,
>>
>>  AFAIR in Stratos 4.0.0, only git clone over HTTPS is supported with
>> Username and Password credentials. If it is possible please configure the
>> git server for access over HTTPS.
>>
>>
>>  Regards,
>>  Chamila de Alwis
>>  Software Engineer | WSO2 | +94772207163
>>  Blog: code.chamiladealwis.com
>>
>>
>>
>> On Wed, Mar 25, 2015 at 6:38 PM, Ricardo Carvalho <
>> Ricardo.Carvalho@identity.pt> wrote:
>>
>>>  Hi Imesh
>>>
>>>
>>>  Now that you mention it, I noticed there were no credentials in the
>>> payload, both when I subscribed through the web interface and when I used
>>> "subscribe-cartridge" in the command-line tool.
>>>
>>>
>>>  Should I just add them to the launch-params file in the cartridge
>>> instance? Or am I missing something in configuring Apache Stratos?
>>>
>>>
>>>  Thank you for your support
>>>
>>> Ricardo Carvalho
>>>  ------------------------------
>>> *From:* Imesh Gunaratne <imesh@apache.org>
>>> *Sent:* 25 March 2015 00:31
>>> *To:* dev
>>> *Subject:* Re: Cartridge deployment can't access private git repository
>>> with custom CA certificate
>>>
>>>   Hi Ricardo,
>>>
>>>  It's nice to hear that you are trying to use Stratos 4.0.0.
>>>
>>>  I cannot recall whether we used a certificate to talk to the private
>>> Git repository from Cartridge Agent but I know for sure that we need Git
>>> repository credentials. Can you please check whether the Cartridge Agent
>>> has received Git repository credentials in the payload?
>>>
>>>  Thanks
>>>
>>> On Tue, Mar 24, 2015 at 11:19 PM, Ricardo Carvalho <
>>> Ricardo.Carvalho@identity.pt> wrote:
>>>
>>>>  Hi everyone.
>>>>
>>>>
>>>>  I've followed the 4.0.0 installation guide and have managed to
>>>> successfully deploy several php and load balancer cartridges on an
>>>> Openstack environment. However, a custom certificate is needed to access
>>>> the private git repo I indicated as the artifact source when deploying,
>>>> and the cartridge agent is failing when trying to access this git repo.
>>>>
>>>>
>>>>  I added the certificate to /etc/ssl/certs/ca-certificates.crt, and
>>>> can then use git clone directly inside the cartridge instance with no
>>>> problems. I tried adding the same certificate to the client-truststore.jks
>>>> keystore and even to the wso2carbon.jks in the Apache Stratos VM, but I
>>>> still get the following errors:
>>>>
>>>>
>>>>  INFO CartridgeAgent Executing git checkout
>>>> 2015-03-24 15:47:34,849 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> Initializing git context.
>>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> local path /var/www/
>>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> remote url <private repo URL redacted>
>>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> tenant -1234
>>>> 2015-03-24 15:47:34,850 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> Repo path returned : /var/www/
>>>> 2015-03-24 15:47:34,935 [-] [Thread-4]  INFO GitBasedArtifactRepository
>>>> caching repo context
>>>> 2015-03-24 15:47:35,584 [-] [Thread-4] ERROR GitBasedArtifactRepository
>>>> Accessing remote git repository failed for tenant -1234
>>>> org.eclipse.jgit.api.errors.TransportException: <private repo URL
>>>> redacted>: not authorized
>>>>         at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
>>>>         at
>>>> org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:179)
>>>>         at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)
>>>>
>>>>
>>>>  What's the best way to add a custom CA certificate to a cartridge so
>>>> that it can access a private git repository that requires it?
>>>>
>>>>
>>>>  Thank you for all your hard work
>>>>
>>>> Ricardo Carvalho
>>>>
>>>
>>>
>>>
>>>  --
>>>  Imesh Gunaratne
>>>
>>> Technical Lead, WSO2
>>> Committer & PMC Member, Apache Stratos
>>>
>>
>>
>
>
>  --
>  Imesh Gunaratne
>
> Technical Lead, WSO2
> Committer & PMC Member, Apache Stratos
>



-- 
Imesh Gunaratne

Technical Lead, WSO2
Committer & PMC Member, Apache Stratos
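
The root cause reported in this thread, `NoSuchAlgorithmException: SunX509 KeyManagerFactory not available`, can be checked on any JVM before a TLS-dependent component is started on it. The following diagnostic is an added example, not code from the thread or from Apache Stratos; the class name `KmfCheck` is hypothetical. It lists the KeyManagerFactory algorithms the installed security providers offer and exits non-zero when the algorithm named in the exception is absent.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;

public class KmfCheck {  // hypothetical name, not part of Stratos

    // Collect every KeyManagerFactory algorithm offered by the installed providers.
    static Set<String> available() {
        Set<String> algs = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyManagerFactory".equals(s.getType())) {
                    algs.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return algs;
    }

    // True if this JVM can create a KeyManagerFactory for the given algorithm name.
    static boolean supports(String algorithm) {
        try {
            KeyManagerFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor = " + System.getProperty("java.vendor"));
        System.out.println("default KeyManagerFactory = "
                + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("available = " + available());

        // "SunX509" is the algorithm name from the exception quoted in the thread.
        if (!supports("SunX509")) {
            System.out.println("SunX509 missing: code requesting it by name fails on this JVM");
            System.exit(1);
        }
        System.out.println("SunX509 available");
    }
}
```

Compile and run it with the same `java` binary that launches the server, since the result depends on that JVM's provider list.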
