howtos/fedora_messaging_certificates.md
Michal Konečný 026b1c9036 Revoke the old certificate instead of deleting it
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
2023-04-17 08:49:40 +02:00

How to create TLS certificates for fedora-messaging

In the ansible-private repository, find the files/rabbitmq/ folder. It contains a production and a staging subdirectory, each with its own easy-rsa PKI (CA, issued certificates and CA database), so every command below has to be run from the subdirectory of the environment it targets.

  • Create the staging certificates:

In the staging subdir, run:

/usr/share/easy-rsa/3/easyrsa build-client-full <service name>.stg nopass

For example:

/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating.stg nopass

(note: for staging the name always ends in .stg so that the ansible scripts pick up the right files. nopass leaves the generated private key unencrypted; that is acceptable only because these files live in the private ansible-private repository, so never copy them anywhere else.)

  • Create the production certificates:

In the production subdir, run:

/usr/share/easy-rsa/3/easyrsa build-client-full <service name> nopass

For example:

/usr/share/easy-rsa/3/easyrsa build-client-full monitor-gating nopass

(note: no .stg here).

  • Add the certificates to the git repo:

Run the usual commands:

git add .
git commit -s -a -m 'Added fedora-messaging certs for <service>'
git push

Source: https://pagure.io/fedora-infrastructure/issue/8638

Regenerating TLS certificates

  • First revoke old certificate

In the staging subdir run

/usr/share/easy-rsa/3/easyrsa revoke <service name>.stg

Same for production, but without .stg in the name, and run from the production subdir. Revoking only marks the entry in the CA database (pki/index.txt) and moves the files into pki/revoked/; a broker that checks a CRL will not learn about it until the CRL is regenerated (easyrsa gen-crl) and deployed.

  • Remove the cert from index.txt and index.txt.old

The easiest way to find it is a git grep <name of your cert>, which reports whether the name occurs in index.txt (and in index.txt.old, if another certificate was generated between the first attempt and yours). Check the status column of the line before deleting it: a line still marked V is what blocks re-issuing the name (see Debugging), whereas the R line written by the revoke is the record easyrsa gen-crl uses to build the CRL, so removing it drops that serial from any CRL generated afterwards.

  • Follow the How to create TLS certificates for fedora-messaging section above to issue and commit the new certificate

Debugging

If, when generating the certificates, you run into the following error:

failed to update database
TXT_DB error number 2

The full output looks something like this:

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.+++
.....+++
writing new private key to '/..../files/rabbitmq/staging/pki/private/monitor-gating.stg.key.PhSK949Ny8'
-----
Using configuration from /..../files/rabbitmq/staging/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'monitor-gating.stg'
Certificate is to be certified until Feb  9 14:52:07 2023 GMT (1080 days)
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

This happens because the CA database (pki/index.txt) already holds a valid (V) entry for that name, and OpenSSL refuses to sign a second certificate with the same subject while the first one is still valid (as explained in: https://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/).

The easiest way to find the offending entry is to do a git grep <name of your cert>. It should tell you that the name can be found in index.txt (and potentially in index.txt.old, if another certificate was generated between the first attempt and yours).

Edit this/these file(s), remove the V line concerning your certificate, and re-run the easyrsa command as above. If the only line for the name is already marked R, it is the revocation record and not the cause of the clash; look for a second entry instead.
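The same check serves the Remove the cert from index.txt step of Regenerating TLS certificates and this Debugging section. As an added example (not part of the page or of easy-rsa), the functions below read the OpenSSL CA database that easyrsa keeps in pki/index.txt and report, before build-client-full is run, whether a name is still held by a valid entry and which serials a CRL would carry. The sample index is constructed here and is not a real Fedora database; the CN extraction assumes easy-rsa's default cn_only subject format, which is what the output above shows.

```shell
#!/bin/sh
# Added example, not part of the Fedora infrastructure docs or of easy-rsa.
# Inspect the OpenSSL CA database (pki/index.txt) to predict and explain
# "TXT_DB error number 2". Rows are tab separated: status (V/R/E), expiry,
# revocation date (empty unless revoked), serial, file name, subject DN.
# OpenSSL's unique-subject index only holds rows whose status is V, so a V row
# with the same CN is what produces the error; an R row does not.

# index_status INDEX NAME -> prints one status letter per row whose CN is NAME
# (prints nothing if the name was never issued).
index_status() {
    awk -F'\t' -v cn="$2" '
        match($6, "CN=[^/]*") {
            if (substr($6, RSTART + 3, RLENGTH - 3) == cn) print $1
        }' "$1"
}

# can_issue INDEX NAME -> 0 if build-client-full would succeed, 1 if a V row
# still holds the name (the TXT_DB error 2 case).
can_issue() {
    if index_status "$1" "$2" | grep -qx V; then
        echo "blocked: '$2' still has a valid (V) entry in $1; revoke it first"
        return 1
    fi
    echo "ok: '$2' can be issued"
    return 0
}

# revoked_serials INDEX -> serials of R rows, i.e. what easyrsa gen-crl would
# put in the CRL. Deleting an R line from index.txt drops that serial here.
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

# write_sample_index FILE -> constructed sample database (not a real Fedora
# index.txt): one valid name, one name revoked and re-issued, one expired.
write_sample_index() {
    printf 'V\t230209145207Z\t\t01\tunknown\t/CN=monitor-gating.stg\n' > "$1"
    printf 'R\t230301000000Z\t200401120000Z\t02\tunknown\t/CN=example-app.stg\n' >> "$1"
    printf 'V\t230301000000Z\t\t03\tunknown\t/CN=example-app.stg\n' >> "$1"
    printf 'E\t200101000000Z\t\t04\tunknown\t/CN=old-service.stg\n' >> "$1"
}

# Usage against the real repository, from files/rabbitmq/staging:
#   can_issue pki/index.txt monitor-gating.stg || echo "revoke before re-issuing"
#   revoked_serials pki/index.txt
```

Running can_issue before build-client-full turns the post-hoc "failed to update database" into an explicit message, and revoked_serials shows what a CRL built from the current index would contain, which is the information lost if an R line is deleted.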