howtos/fedora_messaging_certificates.md

# How to create TLS certificates for fedora-messaging

In ansible-private, find the files/rabbitmq/ folder. In that is a production 
and a staging subdirectory

* Create the staging certificates:

In the staging subdir, run:
```
/usr/share/easy-rsa/3/easyrsa build-client-full <service name>.stg nopass
```

For example:
```
/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass
```

(**note**: for **stg** we always make the name ``.stg`` so that ansible scripts
work with it)

* Create the production certificates:

In the production subdir, run:

```
/usr/share/easy-rsa/3/easyrsa build-client-full <service name> nopass
```

For example:
```
/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating nopass
```

(**note**: no ``.stg`` here).

* Add the certificates to the git repo:

Run the usual commands:
```
git add .
git commit -s -a -m 'Added fedora-messaging certs for <service>'
git push
```


Source: https://pagure.io/fedora-infrastructure/issue/8638


## Debugging

If when generating the certificates, you run into the following error:
```
failed to update database
TXT_DB error number 2
```

The full output looking something like
```

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.+++
.....+++
writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'
-----
Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'monitor-gating.stg'
Certificate is to be certified until Feb  9 14:52:07 2023 GMT (1080 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)
```

This is because you're trying to generate a certificate for a name that already
exists in the database (as explained in:
https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/)

The easiest way around this is to simply to a ``git grep <name of your cert>``.
It should tell you that the name can be found in ``index.txt`` (and potentially
``index.txt.old`` if another certificate was generated since the first attempt
and yours).

Edit this/these file(s) and remove the line concerning your certificate, then
re-run the `easyrsa` command as above.
Add how to generate fedora-messaging certs Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> 2020-02-13 09:27:59 +01:00			`# How to create TLS certificates for fedora-messaging`

			`In ansible-private, find the files/rabbitmq/ folder. In that is a production`
			`and a staging subdirectory`

			`* Create the staging certificates:`

			`In the staging subdir, run:`
			```
			`/usr/share/easy-rsa/3/easyrsa build-client-full <service name>.stg nopass`
			```

			`For example:`
			```
			`/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass`
			```

			(note: for stg we always make the name ``.stg`` so that ansible scripts
			`work with it)`

			`* Create the production certificates:`

			`In the production subdir, run:`

			```
			`/usr/share/easy-rsa/3/easyrsa build-client-full <service name> nopass`
			```

			`For example:`
			```
			`/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating nopass`
			```

			(note: no ``.stg`` here).

			`* Add the certificates to the git repo:`

			`Run the usual commands:`
			```
			`git add .`
			`git commit -s -a -m 'Added fedora-messaging certs for <service>'`
			`git push`
			```

Add the source of the fedora-messaging certificate howto Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> 2020-02-13 09:35:17 +01:00
			`Source: https://pagure.io/fedora-infrastructure/issue/8638`
Document debugging an issue with generating fedora-messaging certificates Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> 2020-02-26 11:43:10 +01:00

			`## Debugging`

			`If when generating the certificates, you run into the following error:`
			```
			`failed to update database`
			`TXT_DB error number 2`
			```

			`The full output looking something like`
			```

			`Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017`
			`Generating a 2048 bit RSA private key`
			`.+++`
			`.....+++`
			`writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'`
			`-----`
			`Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf`
			`Check that the request matches the signature`
			`Signature ok`
			`The Subject's Distinguished Name is as follows`
			`commonName :ASN.1 12:'monitor-gating.stg'`
			`Certificate is to be certified until Feb 9 14:52:07 2023 GMT (1080 days)`
			`failed to update database`
			`TXT_DB error number 2`

			`Easy-RSA error:`

			`signing failed (openssl output above may have more detail)`
			```

			`This is because you're trying to generate a certificate for a name that already`
			`exists in the database (as explained in:`
			`https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/)`

			The easiest way around this is to simply to a ``git grep <name of your cert>``.
			It should tell you that the name can be found in ``index.txt`` (and potentially
			``index.txt.old`` if another certificate was generated since the first attempt
			`and yours).`

			`Edit this/these file(s) and remove the line concerning your certificate, then`
			re-run the `easyrsa` command as above.