Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-8799

Update Jolokia to use the OpenShift CA instead of self-signed

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • FIS 2.0
    • None
    • Compatibility/Configuration, User Experience
    • % %

      When accessing jolokia from the node it's running on, but potentially from a different pod, and via curl it needs to be done with the -k, or --insecure option as the cert is self signed:

      sh-4.2$ curl -v -k -u jolokia:ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W 'https://10.1.0.3:8778/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false'                                                                         
      * About to connect() to 10.1.0.3 port 8778 (#0)
      *   Trying 10.1.0.3...
      * Connected to 10.1.0.3 (10.1.0.3) port 8778 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * NSS: client certificate not found (nickname not specified)
      * SSL connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      *       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      *       start date: Jan 16 12:39:03 2017 GMT
      *       expire date: Jan 14 12:39:03 2027 GMT
      *       common name: Jolokia Agent 1.3.5
      *       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      * Server auth using Basic with user 'jolokia'
      > GET /jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false HTTP/1.1
      > Authorization: Basic am9sb2tpYTpFeGZOSmJXbVBBNkR0R3RsN2VLSUtkcEREWlRaNVc=
      > User-Agent: curl/7.29.0
      > Host: 10.1.0.3:8778
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Pragma: no-cache
      < Date: Mon, 16 Jan 2017 12:46:38 GMT
      < Transfer-encoding: chunked
      < Content-type: text/plain; charset=utf-8
      < Expires: Mon, 16 Jan 2017 11:46:38 GMT
      < Cache-control: no-cache
      < 
      * Connection #0 to host 10.1.0.3 left intact
      {"request":{"type":"version"},"value":{"agent":"1.3.5","protocol":"7.2","config":{"maxDepth":"15","discoveryEnabled":"false","maxCollectionSize":"0","password":"ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W","agentId":"10.1.0.3-1-6d6f6e28-jvm","debug":"f
      alse","agentType":"jvm","historyMaxEntries":"10","agentContext":"\/jolokia","maxObjects":"0","user":"jolokia","debugMaxEntries":"100"},"info":{"product":"tomcat","vendor":"Apache","version":"8.5.5"}},"timestamp":1484570798,"status":200}sh-
      sh-4.2$
      sh-4.2$ curl -v -u jolokia:ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W 'https://10.1.0.3:8778/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false'                                                                            
      * About to connect() to 10.1.0.3 port 8778 (#0)
      *   Trying 10.1.0.3...
      * Connected to 10.1.0.3 (10.1.0.3) port 8778 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * Server certificate:
      *       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      *       start date: Jan 16 12:39:03 2017 GMT
      *       expire date: Jan 14 12:39:03 2027 GMT
      *       common name: Jolokia Agent 1.3.5
      *       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
      * Issuer certificate is invalid.
      * Closing connection 0
      curl: (60) Issuer certificate is invalid.
      More details here: http://curl.haxx.se/docs/sslcerts.html
      
      curl performs SSL certificate verification by default, using a "bundle"
       of Certificate Authority (CA) public keys (CA certs). If the default
       bundle file isn't adequate, you can specify an alternate file
       using the --cacert option.
      If this HTTPS server uses a certificate signed by a CA represented in
       the bundle, the certificate verification probably failed due to a
       problem with the certificate (it might be expired, or the name might
       not match the domain name in the URL).
      If you'd like to turn off curl's verification of the certificate, use
       the -k (or --insecure) option.
      sh-4.2$
      

              Unassigned Unassigned
              rhn-support-rkieley Roderick Kieley
              Lukas Lowinger Lukas Lowinger
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: