Get a certificate signed for hostname (next phase of the GCE deployer) #901
Comments
|
The URL you're giving in the report above has an IP address, not a host name. You need to go in your google cloud console for your project, to the page for your instance. There you should look for the "camlistore-hostname" variable in the custom metadata section. |
|
I tried "camlistore-hostname" but not working. Has a different message: This site can’t be reached "Took too long to respond. --//-- I don't see any sign of the HTTPS certificate. let me know if you need a screen shot via google docs to your gmail. |
|
What's the IP address you see for your camlistore-server instance in the google cloud console? I mean, in your first post you gave 104.154.23.135 , but our DNS says that 09a2499a.camlistore.net resolves to 104.197.84.88, so there's already some fishy discrepancy there. |
|
VM instances: View serial port. [25231.525301] accounts-from-metadata[3001]: INFO Did not grant admin access to clive_boulton. /etc/sudoers not found. |
|
External IP Internal IP I cant explain 104.197.84.88 (is not shown in GC console) |
|
ok, I don't know what's going on for you atm, but let's first check if at least your gpg key matches your hostname. Go to the logs of your instance, which should be at https://console.cloud.google.com/logs/viewer?project=YOURPROJECTID if you scroll up a bit in the entries, to about the time your instance was created (although I think log times are in UTC, so you have to compensate for that), can you see the lines showing when camlistored started? It should be something like: 2017/01/19 22:26:45 Starting camlistored version bb969d4; Go go1.8rc2 (linux/amd64) |
|
Please see #901
…On Thu, Jan 19, 2017 at 6:16 PM, mpl ***@***.***> wrote:
What's the IP address you see for your camlistore-server instance in the
google cloud console?
I mean, in your first post you gave 104.154.23.135 , but our DNS says that
09a2499a.camlistore.net resolves to 104.197.84.88, so there's already
some fishy discrepancy there.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#901 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsyrkpwMZo0uZKSQPWquq6O5ro7atZTks5rT-6zgaJpZM4LoWwI>
.
|
|
My GCE Camlistore instance only has logs for the past 7 days (assume earlier logs have been purged by the GC system). Hence providing today's log for camlistore started not when my camlistore was created. { 13:22:28.418 |
|
those are GCE logs, not Camlistore logs. Sorry I should have specified. Looks like the interface changed again. In the selector below the filter bar that is on the top, the one on the left, you have to select "Global". At least, that is how it is on my interface now. |
|
In the GC interface I have, there is no ability to select "Global".
Screenshot my console
https://drive.google.com/file/d/0BxvxbukcauRwZUxUdnBPLUV0N3c/view?usp=sharing
…On Thu, Jan 19, 2017 at 7:31 PM, mpl ***@***.***> wrote:
those are GCE logs, not Camlistore logs. Sorry I should have specified.
Looks like the interface changed again. In the selector below the filter
bar that is on the top, the one on the left, you have to select "Global".
At least, that is how it is on my interface now.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#901 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsyrgDgTnui49C1ZDTDsOwKPwoZsyihks5rUABXgaJpZM4LoWwI>
.
|
|
ugh |
|
Do you have the "gpg" command installed on your computer? |
|
Using a Chromebook Pixel. I have Crouton (Ubuntu) fairly bare bones Linux.
I will start it up and and look for gpg or try to install it.
…On Thu, Jan 19, 2017 at 7:56 PM, mpl ***@***.***> wrote:
Do you have the "gpg" command installed on your computer?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#901 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsyriQNX-77AEycEWT16tFfdWP8rwl_ks5rUAY8gaJpZM4LoWwI>
.
|
|
Ok, I'll have to go soon, so here's something you can try out in the meantime if you manage to have access to a computer with gpg installed. Go to your config bucket, at https://console.cloud.google.com/storage/browser/PROJECTID-camlistore/config/?project=PROJECTID And download your GPG key, which should be the file named identity-secring.gpg. Be super careful with tha t file. No one should ever get access to it except for you. So after we're done, remove it from the computer where you downloaded it if it's not totally secure. Then, just run the gpg command on it: $ gpg config%2Fidentity-secring.gpg It should show something like that: sec 2048R/1E966B1D 2017-01-03 (camlistore) On the first line, for you we should see 09A2499A, as it's supposed to be your key id, according to the hostname (09a2499a.camlistore.net) that Camlistore obtained for you. |
|
Keys seem to be locked down. Looks like requires installing GC Cloud SDK locally. (I needed to buy new machine, not use a Crouton Chromebook). I am work on getting a new Macbook set up. |
|
Sorry, I don't understand? As for gpg, I'm not sure if you can do it on a chromebook, but you sure don't need the cloud sdk for that part. I don't know how chromebooks work and what can be done with them. But if you have a terminal and a way to install unix programs, then you should be able to do it. |
|
The key ring isn't at the URL provided (I looked around a lot).
On Jan 24, 2017 8:21 PM, "mpl" <notifications@github.com> wrote:
Sorry, I don't understand?
You shouldn't need the cloud sdk for any of the above. You *could* use the
sdk to fetch the keyring, but you don't *need* to, you can just do it with
your browser, from the cloud console page I indicated above.
As for gpg, I'm not sure if you can do it on a chromebook, but you sure
don't need the cloud sdk for that part. I don't know how chromebooks work
and what can be done with them. But if you have a terminal and a way to
install unix programs, then you should be able to do it.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#901 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsyrpc4WTP7pJJ5qJBBwjx7D5DJ6GsMks5rVqOxgaJpZM4LoWwI>
.
|
|
hmm I didn't actually say it before so, just to be sure, you did replace PROJECTID with your actual project ID, in that URL, didn't you? Like, if your project ID is clive-gce, the URL would be: https://console.cloud.google.com/storage/browser/clive-gce-camlistore/config/?project=clive-gce If yes, and you don't see the keyring there, then it's pretty bad. It means camlistored didn't generate it for you, so it probably failed pretty early on startup. |
|
I replaced with my camli-xxxx project I'd, and even tried the internal
numerical I'd.
There is no key in my current project (this is a an early LFNW time frame
launcher).
I'll generate a new Camlistore via the GCE deployer and compare if a key is
generated, and report back.
Travelling and hacking, may not get to this till Sunday-ish.
…On Jan 24, 2017 9:39 PM, "mpl" ***@***.***> wrote:
hmm I didn't actually say it before so, just to be sure, you did replace
PROJECTID with your actual project ID, in that URL, didn't you?
Like, if your project ID is clive-gce, the URL would be:
https://console.cloud.google.com/storage/browser/clive-gce-
camlistore/config/?project=clive-gce
If yes, and you don't see the keyring there, then it's pretty bad. It
means camlistored didn't generate it for you, so it probably failed pretty
early on startup.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#901 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsyrt8E68GijhtZHsT8P8VGm08qfB54ks5rVrXwgaJpZM4LoWwI>
.
|
BWO user concerned security discussions with MPL:
"Next phase of the deployer, i.e. it will provide you with a hostname as well, so you'll get a certificate signed for that very hostname instead of one signed for localhost, as it does now. Actually, I don't see why we couldn't deploy that version of it now, at least behind an experimental flag. I'll try to get it done asap, and report back here."
Was: “Your connection is not private"
NET::ERR_CERT_AUTHORITY_INVALID
Now: "This site can’t provide a secure connection"
ERR_SSL_PROTOCOL_ERROR
Please see my Camlistore GCE for test
Search for experimental deployer code
The text was updated successfully, but these errors were encountered: