Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2020/04/07 09:58:17 UTC

[GitHub] [openwhisk] Reylak opened a new issue #4875: Broken self-signed certificate on Ansible local deployment

Reylak opened a new issue #4875: Broken self-signed certificate on Ansible local deployment
URL: https://github.com/apache/openwhisk/issues/4875
 
 
   ## Environment details:
   
   Local deployment via Ansible on Arch Linux (kernel 5.5.13)
   
   ## Steps to reproduce the issue:
   
   1. deploy locally using Ansible (https://github.com/apache/openwhisk/blob/master/ansible/README.md)
   2. set the API host to "localhost"
   3. reach the API gateway using `wsk` with any command (e.g. `wsk action list`)
   
   ## Provide the expected results and outputs:
   
   Command working (e.g. list of actions for `wsk action list`).
   
   ## Provide the actual results and outputs:
   
   ```
   error: Unable to obtain the list of actions for namespace 'default': Get https://localhost/api/v1/namespaces/_/actions?limit=30&skip=0: x509: certificate is valid for *.localhost, not localhost
   ```
   
   ## Additional information you deem important:
   
   I believe the root cause is that the self-signed certificate has its CN set to "*.localhost" which is not valid for many SSL clients in general (see https://serverfault.com/questions/811111/wildcard-localhost-ssl-with-nginx-and-chrome). I think this is a bug in "ansible/setup.yml" when generating the certificates: the parameter to "files/genssl.sh" is `"*.{{ whisk_api_localhost_name | default(whisk_api_host_name) | default(whisk_api_localhost_name_default) }}"` which gets reduced to `*.localhost`.
   
   Of course, `wsk -i` works around this issue, as [clearly stated in the documentation](https://github.com/apache/openwhisk/blob/master/docs/cli.md), but for the wrong reason: the generated certificate is faulty anyway. We should be able to tell our SSL client that it is okay to use the self-signed certificate.
   
   On a side note: setting the API host to something explicit like "http://localhost:80" to not use SSL does not work, and produces the exact same error message. This is more probably a CLI bug though.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
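
An added example, not part of the thread or of OpenWhisk's code: a simplified version of the wildcard name-matching rule that TLS clients apply, run against the `*.localhost` name reported in the error above. The `guest` subdomain and the second name list are constructed for illustration.

```python
from typing import Dict, Iterable

# Simplified DNS-name matching in the style of RFC 6125: only a whole-label
# wildcard in the left-most position is honoured; anything else is literal.


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the host the client dialed."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    # "*.localhost" has two labels and "localhost" has one: no match.
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels[1:]:
        return False  # wildcard is only valid as the left-most label
    if p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        return h_labels[0] != ""  # stands in for exactly one non-empty label
    return p_labels[0] == h_labels[0]


def cert_covers(dns_names: Iterable[str], host: str) -> bool:
    """A certificate is acceptable if any one of its names matches."""
    return any(name_matches(name, host) for name in dns_names)


def report(dns_names: Iterable[str], hosts: Iterable[str]) -> Dict[str, bool]:
    names = list(dns_names)
    return {host: cert_covers(names, host) for host in hosts}


# Constructed sample data.
HOSTS = ["localhost", "guest.localhost", "a.guest.localhost"]
AS_REPORTED = ["*.localhost"]                 # name from the error message
WITH_BARE_NAME = ["localhost", "*.localhost"]  # hypothetical corrected list

if __name__ == "__main__":
    for label, names in (("as reported", AS_REPORTED),
                         ("with bare name", WITH_BARE_NAME)):
        for host, ok in report(names, HOSTS).items():
            print(f"{label:15} {host:20} {'ok' if ok else 'name mismatch'}")
```

Listing both the bare host and the wildcard as names in the certificate is what lets one certificate serve the API host and its subdomains.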

[GitHub] [openwhisk] rabbah commented on issue #4875: Broken self-signed certificate on Ansible local deployment

Posted by GitBox <gi...@apache.org>.
rabbah commented on issue #4875: Broken self-signed certificate on Ansible local deployment
URL: https://github.com/apache/openwhisk/issues/4875#issuecomment-610463441
 
 
   The wildcard comes from the nginx routing rule which permits `namespace.servername/path/to/action` to be mapped to `servername/api/v1/web/namespace/path/to/action` - this is referenced as vanity URLs for webactions.
   
   The wildcard SSL is related to this general routing.
   The reason http doesn't work is that nginx is explicitly rewriting http requests to https.
   
   If you want to use http, did you try the standalone controller?


[GitHub] [openwhisk] Reylak commented on issue #4875: Broken self-signed certificate on Ansible local deployment

Posted by GitBox <gi...@apache.org>.
Reylak commented on issue #4875: Broken self-signed certificate on Ansible local deployment
URL: https://github.com/apache/openwhisk/issues/4875#issuecomment-610472228
 
 
   I understand the usage of the wildcard, and why HTTP doesn't work, thank you.
   
   I was just using this deployment as a quick way to work on OpenWhisk's components, so I might try the standalone controller as you suggest. I don't necessarily need HTTP, I just need a programmatic way to reach the REST API from Python :)
   
   Still, the bug of the broken certificate for "*.localhost" on local Ansible deployments remains, although it is not a big concern.
