
Issues while using custom certificates and keys in a Kubernetes environment

Open • imashish-in opened this issue 3 years ago • 1 comment

Working condition: using the below certs and key (OpenSSL-generated) in config.json.

server-app-cm.yml:

```json
{
  "server": {
    "http_addr": ":443",
    "tls_key_file": "./certs/notary-server.key",
    "tls_cert_file": "./certs/notary-server.crt"
  },
  "trust_service": {
    "type": "remote",
    "hostname": "notary-signer-svc",
    "port": "7899",
    "key_algorithm": "ecdsa",
    "tls_ca_file": "./certs/root-ca.crt",
    "tls_client_cert": "./certs/notary-server.crt",
    "tls_client_key": "./certs/notary-server.key"
  },
  "logging": {
    "level": "debug"
  },
  "storage": {
    "backend": "mysql",
    "db_url": "{{ template "metadata.database.server.cm.url" . }}"
  }
}
```

signer-app-cm.yml:

```json
{
  "server": {
    "grpc_addr": ":7899",
    "tls_cert_file": "./certs/notary-signer.crt",
    "tls_key_file": "./certs/notary-signer.key",
    "client_ca_file": "./certs/notary-server.crt"
  },
  "logging": {
    "level": "debug"
  },
  "storage": {
    "backend": "mysql",
    "db_url": "{{ template "metadata.database.signer.cm.url" . }}",
    "default_alias": "{{ .Values.signer.cm.passwordalias1Name }}"
  }
}
```

Not working condition

If we use organization-generated certs and keys, we get the below error.

[image: screenshot of the error, not reproduced here]

Can anyone please suggest how we can replace the below certs and keys with organization-generated certs and keys?

```json
"server": {
  "http_addr": ":443",
  "tls_key_file": "./certs/notary-server.key",
  "tls_cert_file": "./certs/notary-server.crt"
},
"trust_service": {
  "type": "remote",
  "hostname": "notary-signer-svc",
  "port": "7899",
  "key_algorithm": "ecdsa",
  "tls_ca_file": "./certs/root-ca.crt",
  "tls_client_cert": "./certs/notary-server.crt",
  "tls_client_key": "./certs/notary-server.key"
}
```

and

```json
"server": {
  "grpc_addr": ":7899",
  "tls_cert_file": "./certs/notary-signer.crt",
  "tls_key_file": "./certs/notary-signer.key",
  "client_ca_file": "./certs/notary-server.crt"
}
```
  

Please suggest, from the below listed files which were generated by the organization, how we can replace the OpenSSL certs and keys.

  1. domain.csr
  2. domain.privkey.pem
  3. domain.pem
  4. domain.ccc
  5. TrustedSecureCertificateAuthority5.ccc
  6. USERTrustRSAAAACA.CCC

imashish-in, Nov 15 '21

@imashish-in hi! If you take a look at fixtures/regenerateTestingCerts.sh you can see how the testing certificates are being generated using OpenSSL, and hence adapt your configuration to your needs.

Also, take a look at the documentation about how to configure the notary server and the notary client.

Hope this helps!

IAL32, Nov 16 '21
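The following Go program is an added example and is neither part of this thread nor notary's own code. It reproduces, with a constructed in-memory PKI, the three checks crypto/tls applies when notary-server loads `tls_ca_file` and dials `trust_service.hostname`, and when notary-signer checks a client certificate against `client_ca_file`: the peer certificate must chain to something in the trust file, the server certificate must carry the dialled name (`notary-signer-svc`) in its SANs, and intermediates must be supplied either in the trust file or alongside the leaf in `tls_cert_file`. The mapping it assumes is an assumption, not something the thread confirms: `domain.pem` and `domain.privkey.pem` are the leaf and its key, and the two `.ccc` files are the intermediate and root of the issuing chain. The self-signed configs above work because each leaf is also its own trust anchor; an organization-issued leaf is not, which is exactly the case the example exercises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPair is one certificate plus its private key (cert file + key file on disk).
type CertPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *CertPair) *CertPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := &CertPair{tmpl, key}
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CertPair{cert, key}
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate carries both EKUs because notary-server presents the same
// certificate as a TLS server (to clients) and as a TLS client (to the signer).
func leafTemplate(cn string, sans ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// PKI is the constructed stand-in for an organization's chain (assumption):
// Root and Intermediate play the two CA files, Signer plays domain.pem.
type PKI struct {
	Root, Intermediate, Signer, SignerNoSAN *CertPair
}

func BuildPKI() *PKI {
	root := issue(caTemplate("Constructed Org Root CA"), nil)
	inter := issue(caTemplate("Constructed Org Issuing CA"), root)
	return &PKI{
		Root: root, Intermediate: inter,
		// Carries the in-cluster service name that notary-server dials.
		Signer: issue(leafTemplate("notary-signer", "notary-signer-svc", "notary-signer.example.org"), inter),
		// A typical organization cert: public domain only, no Kubernetes service name.
		SignerNoSAN: issue(leafTemplate("notary-signer", "notary-signer.example.org"), inter),
	}
}

// VerifyPeer mirrors crypto/tls: trustBundle is every cert in tls_ca_file /
// client_ca_file (Go treats each one as a trust anchor), presented is what the
// peer sends in its tls_cert_file beyond the leaf, hostname is
// trust_service.hostname ("" for client-cert checks, where no name is verified).
func VerifyPeer(leaf *x509.Certificate, trustBundle, presented []*x509.Certificate, hostname string, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustBundle {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: hostname, KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	p := BuildPKI()
	rootOnly := []*x509.Certificate{p.Root.Cert}
	chain := []*x509.Certificate{p.Root.Cert, p.Intermediate.Cert}
	srv := x509.ExtKeyUsageServerAuth
	fmt.Println("root only, leaf alone:        ", VerifyPeer(p.Signer.Cert, rootOnly, nil, "notary-signer-svc", srv))
	fmt.Println("root+intermediate in CA file: ", VerifyPeer(p.Signer.Cert, chain, nil, "notary-signer-svc", srv))
	fmt.Println("intermediate sent with leaf:  ", VerifyPeer(p.Signer.Cert, rootOnly, []*x509.Certificate{p.Intermediate.Cert}, "notary-signer-svc", srv))
	fmt.Println("service name missing from SAN:", VerifyPeer(p.SignerNoSAN.Cert, chain, nil, "notary-signer-svc", srv))
}
```

The first case is the one an organization-issued certificate typically hits: the leaf was signed by an intermediate, so a `tls_ca_file` holding only the root yields an unknown-authority error until either the intermediate is concatenated into that file or it is appended after the leaf in the signer's `tls_cert_file`. The last case fails on hostname verification regardless of the chain, which is why the signer's certificate must list the service name used in `trust_service.hostname`, not only the public domain.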