Create self-signed certificate for load balancer #72

Closed
rauizab opened this issue Feb 17, 2017 · 13 comments
rauizab commented Feb 17, 2017

Hi

I was not able to create self-signed certificates as explained in the documentation.
First I had to create a CA and then create a certificate. Only in this way was I able to execute bbl create-lbs.

Best regards

cf-gitbot commented:

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/140131207

The labels on this github issue will be updated when the story is started.

dsabeti (Contributor) commented Feb 21, 2017

Hi @rauizab. Can you give me a little more information please? The following would be helpful:

  1. Which part of the documentation are you following? The GCP deployment guide?
  2. Which command are you running?
  3. What is the failure mode? Does the command to generate the certificate fail? Does bbl create-lbs fail?

Thanks

rauizab (Author) commented Feb 22, 2017

Hi @dsabeti

I meant point b of https://github.com/cloudfoundry/cf-deployment/blob/develop/gcp-deployment-guide.md:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes

On executing:

bbl create-lbs ... --cert cert.pem --key key.pem

I got a problem with a bad key/certificate format.

What worked for me was:

openssl genrsa -des3 -out server.key 2048          # generate a passphrase-protected RSA key
openssl rsa -in server.key -out server.key         # strip the passphrase, rewriting the key in place
openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=example.com'         # CSR for the domain
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt   # self-sign the CSR

And then I provided these:

bbl create-lbs ... --cert server.crt --key server.key

dsabeti (Contributor) commented Feb 22, 2017

@rauizab Can you show me the error message from bbl create-lbs?

rauizab (Author) commented Feb 23, 2017

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes

bbl create-lbs --type cf --domain $SYSTEM_DOMAIN --cert "/home/local/BOOXWARE/abadr/platform/workspace/keys/cert.pem" --key "/home/local/BOOXWARE/abadr/platform/workspace/keys/key.pem"

there was 1 error with 'create-lbs':

  • failed to parse private key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} @5

dsabeti (Contributor) commented Feb 24, 2017

@rauizab. Are your keys encrypted? Issues like this one imply that it might be the case.

I think you can tell if the keys are encrypted by looking for the following in your key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...

Also, what version of openssl are you using?

rauizab (Author) commented Feb 27, 2017

Hi
My openssl version: OpenSSL 1.0.2g 1 Mar 2016
Key is not encrypted.

@dsabeti dsabeti closed this as completed Mar 8, 2017
@dsabeti dsabeti reopened this Mar 8, 2017
cf-gitbot commented:

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141335673

The labels on this github issue will be updated when the story is started.

dsabeti (Contributor) commented Mar 8, 2017

@rauizab I managed to reproduce this by updating my openssl version to 1.0.2. Let's rope in the bbl team.

@evanfarrar @christianang, any ideas why updated openssl would cause this problem? bbl fails with the following output:

there was 1 error with 'update-lbs':
    * failed to parse private key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false}  @5

dsabeti (Contributor) commented Mar 8, 2017

@rauizab One thing I'll add is that this seems to be an issue in a handful of golang projects, and there doesn't seem to be a standard solution anywhere. My guess is that this is a relatively new problem, and there's some lower-level debugging to do to figure out how golang parses private keys, and what changing the version of openssl has to do with it.

It might be best to downgrade openssl to a lower version (I've been using 0.9.8zg successfully) in the meantime, while we try to figure this out.
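An added example, written for this thread and not part of bbl or cf-deployment, that reproduces the parse failure shown in the error output above and shows the check a tolerant key loader would do. It rests on one inference that the thread itself does not state: on OpenSSL 1.0.x, `openssl req -x509 -newkey rsa:2048 ... -nodes` writes the key as PKCS#8 (`-----BEGIN PRIVATE KEY-----`), while `openssl genrsa` (the workaround posted on Feb 22) and OpenSSL 0.9.8 write PKCS#1 (`-----BEGIN RSA PRIVATE KEY-----`). Go's x509.ParsePKCS1PrivateKey, given a PKCS#8 body, reads the version INTEGER and then hits the rsaEncryption AlgorithmIdentifier, a 13-byte SEQUENCE, where PKCS#1 has the INTEGER modulus; that is the `tags don't match (2 vs {... tag:16 length:13 ...})` text in the bbl output. The function names below are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// pemBlockType reports the PEM label so an operator can see which encoding a
// key file uses before handing it to a tool that accepts only one of them.
func pemBlockType(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil {
		return ""
	}
	return block.Type
}

// parseRSAPrivateKeyPEM is a hypothetical loader (not bbl's code) that accepts
// both unencrypted PEM encodings an RSA private key commonly comes in:
//   "RSA PRIVATE KEY"  PKCS#1, what `openssl genrsa` writes
//   "PRIVATE KEY"      PKCS#8, what `openssl req -newkey ... -nodes` writes on 1.0.x
// and rejects encrypted blocks with a message that points at the fix.
func parseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	if pt, ok := block.Headers["Proc-Type"]; ok {
		// Legacy OpenSSL encryption marker, e.g. "Proc-Type: 4,ENCRYPTED".
		return nil, fmt.Errorf("key is encrypted (Proc-Type: %s); strip the passphrase first, e.g. `openssl rsa -in key.pem -out key.pem`", pt)
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not an RSA key", key)
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// encodePKCS1 and encodePKCS8 write the same key in each encoding so the
// difference (and the failure below) can be reproduced without OpenSSL.
func encodePKCS1(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
}

func encodePKCS8(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// pkcs1ParseOfPKCS8 reproduces the failure mode in the issue: a PKCS#8 DER body
// handed to the PKCS#1-only parser. After the version INTEGER, PKCS#8 carries
// the rsaEncryption AlgorithmIdentifier (a 13-byte SEQUENCE) where PKCS#1
// expects the INTEGER modulus, so the parser returns an error.
func pkcs1ParseOfPKCS8(key *rsa.PrivateKey) error {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return err
	}
	_, err = x509.ParsePKCS1PrivateKey(der)
	return err
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	if err != nil {
		panic(err)
	}
	p8, _ := encodePKCS8(key)
	for _, data := range [][]byte{encodePKCS1(key), p8} {
		_, err := parseRSAPrivateKeyPEM(data)
		fmt.Printf("%-16s -> tolerant loader ok=%v\n", pemBlockType(data), err == nil)
	}
	fmt.Println("PKCS#1 parser on PKCS#8 body:", pkcs1ParseOfPKCS8(key))
}
```

Recent Go versions replace the raw asn1 error with a hint ("use ParsePKCS8PrivateKey instead for this key format"); the Go of early 2017 printed the raw asn1 mismatch quoted above. On the OpenSSL side, `openssl rsa -in key.pem -out key.pem` rewrites a PKCS#8 key as PKCS#1, which is what the second command of the Feb 22 workaround does.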

dsabeti (Contributor) commented Mar 23, 2017

@rauizab Did you ever resolve this issue?

@evanfarrar @christianang, does it make sense to address this in bbl?

rauizab (Author) commented Mar 23, 2017

Hi
We didn't do anything else. We were able to go through using what I commented on 22 February.
From my point of view the ticket could be closed.

dsabeti (Contributor) commented Mar 24, 2017

Great, thanks @rauizab.
