Where can I find the private key for my ca.crt file - azure

I set up a Kubernetes cluster on Azure with the azure-container-service CLI (az acs create). The cluster is up and running and it seems to work fine. Now I want to sign client certificates with my Kubernetes CA, which was created on installation. In my understanding I need the CA certificate (which is handed over to the Kubernetes API server with --client-ca-file=) and the private key from this CA file to sign a new client certificate. The problem is I can't find the private key for my CA file.
Where can I find the private key?
Can I sign client certs for my developers without this private key?
Is the setup process of azure-container-service broken when the private key is lost?

Are these the ones that you are looking for?
azureuser@k8s-master-9XXXXX-0:~$ ls -la /etc/kubernetes/certs/
total 28
drwxr-xr-x 2 root root 4096 Mar 14 20:59 .
drwxr-xr-x 5 root root 4096 Mar 14 20:59 ..
-rw-r--r-- 1 root root 1600 Mar 14 20:58 apiserver.crt
-rw-r--r-- 1 root root 2048 Mar 14 20:59 apiserver.key
-rw-r--r-- 1 root root 1182 Mar 14 20:58 ca.crt
-rw-r--r-- 1 root root 1202 Mar 14 20:58 client.crt
-rw-r--r-- 1 root root 2048 Mar 14 20:59 client.key
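
One way to test whether any key file in a listing like the one above belongs to ca.crt, as an added example that is not part of the original answer: compare the public key in the certificate with the public half of each candidate key. It assumes the openssl CLI is installed; the function names are illustrative, and without arguments the script runs on throwaway keys it generates itself.

```shell
#!/bin/sh
# Added example (not from the original thread): find which private key, if any,
# pairs with a certificate by comparing SubjectPublicKeyInfo PEM blocks.
# Assumes the openssl CLI is available.

cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# -passin pass: makes an encrypted key fail instead of prompting.
key_pubkey()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Succeed only if KEY ($2) is the private key for CERT ($1).
key_matches_cert() {
    c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the first candidate key that pairs with CERT; fail if none does.
find_key_for_cert() {
    cert=$1; shift
    for f in "$@"; do
        if key_matches_cert "$cert" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a throwaway CA (ca.crt + ca.key) and an unrelated key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if [ "$#" -ge 2 ]; then
    # Real use: sh find-key.sh ca.crt apiserver.key client.key
    find_key_for_cert "$@" || echo "no listed key pairs with $1"
else
    d=$(mktemp -d) && make_sample "$d" &&
        find_key_for_cert "$d/ca.crt" "$d/other.key" "$d/ca.key"
    rm -rf "$d"
fi
```

If no listed key pairs with ca.crt, the CA private key is not among those files.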

Related

npm ERR! Load key "/opt/app-root/src/.ssh/id_rsa": bad permissions in OCP S2I build

I have Node applications where some dependency git repos are specified in package.json, and I am deploying using S2I in OCP. To clone the repos I have mounted the SSH key as a secret into /opt/app-root/src/.ssh. But the permissions are coming default 6 to group that is root. And failing with error npm ERR! Load key "/opt/app-root/src/.ssh/id_rsa": bad permissions. A couple of suggestions from different git links are: 1. Use hostPath 2. Run as root 3. Set fsGroup. How can I apply any of these changes to the buildConfig? Whatever I set in deployConfig is not reflected in the build.
ls -lasL /opt/app-root/src/.ssh
total 20
0 drwxr-xr-x. 3 default root 92 Jan 20 17:35 .
0 drwxrwxr-x. 1 default root 18 Jan 20 17:35 ..
0 drwxr-xr-x. 2 default root 39 Jan 20 17:35 ..2023_01_20_17_35_25.328954621
0 drwxr-xr-x. 2 default root 39 Jan 20 17:35 ..data
4 -rw-------. 1 default root 2610 Jan 20 17:35 id_rsa
16 -rw-------. 1 default root 12403 Jan 20 17:35 known_hosts

AWS CodePipeline missing directories/files after being deployed to Elastic Beanstalk

This is a more-narrowed-down problem stemming from my earlier question.
Here is my buildspec.yml:
version: 0.2
phases:
  install:
    commands:
      # upgrade AWS CLI
      - pip install --upgrade awscli
      # install Node 12
      - curl -sL https://deb.nodesource.com/setup_12.x | bash -
      - apt install nodejs
  pre_build:
    commands:
      # install server dependencies
      - npm install
  build:
    commands:
      # install client dependencies and build static files
      - npm install --prefix client && npm run build --prefix client
  post_build:
    commands:
      # FOR TESTING AND DEBUGGING
      - ls -la
      - ls client -la
      - mkdir client/TEST
      - ls client -la
artifacts:
  files:
    - '**/*'
  discard-paths: no
  base-directory: '*'
In the post-build phase, I output directories for debugging and this is what they show:
[Container] 2020/07/02 02:36:15 Entering phase POST_BUILD
[Container] 2020/07/02 02:36:15 Running command ls -la
total 132
drwxr-xr-x 11 root root 4096 Jul 2 02:34 .
drwxr-xr-x 3 root root 4096 Jul 2 02:34 ..
-rw-rw-r-- 1 root root 129 Jul 2 02:33 .gitignore
-rw-rw-r-- 1 root root 16 Jul 2 02:33 .npmrc
-rw-rw-r-- 1 root root 34 Jul 2 02:33 README.md
-rw-rw-r-- 1 root root 1737 Jul 2 02:33 app.js
drwxr-xr-x 2 root root 4096 Jul 2 02:34 bin
-rw-rw-r-- 1 root root 655 Jul 2 02:33 buildspec.yml
drwxr-xr-x 6 root root 4096 Jul 2 02:35 client
drwxr-xr-x 2 root root 4096 Jul 2 02:34 config
drwxr-xr-x 2 root root 4096 Jul 2 02:34 graphql
drwxr-xr-x 2 root root 4096 Jul 2 02:34 models
drwxr-xr-x 197 root root 4096 Jul 2 02:34 node_modules
-rw-rw-r-- 1 root root 63888 Jul 2 02:33 package-lock.json
-rw-rw-r-- 1 root root 814 Jul 2 02:33 package.json
drwxr-xr-x 2 root root 4096 Jul 2 02:34 routes
drwxr-xr-x 2 root root 4096 Jul 2 02:34 services
drwxr-xr-x 2 root root 4096 Jul 2 02:34 views
[Container] 2020/07/02 02:36:15 Running command ls client -la
total 748
drwxr-xr-x 6 root root 4096 Jul 2 02:35 .
drwxr-xr-x 11 root root 4096 Jul 2 02:34 ..
drwxr-xr-x 3 root root 4096 Jul 2 02:36 build
drwxr-xr-x 1081 root root 36864 Jul 2 02:35 node_modules
-rw-rw-r-- 1 root root 699332 Jul 2 02:33 package-lock.json
-rw-rw-r-- 1 root root 1212 Jul 2 02:33 package.json
drwxr-xr-x 2 root root 4096 Jul 2 02:34 public
drwxr-xr-x 8 root root 4096 Jul 2 02:34 src
[Container] 2020/07/02 02:36:15 Running command mkdir client/TEST
[Container] 2020/07/02 02:36:15 Running command ls client -la
total 752
drwxr-xr-x 7 root root 4096 Jul 2 02:36 .
drwxr-xr-x 11 root root 4096 Jul 2 02:34 ..
drwxr-xr-x 2 root root 4096 Jul 2 02:36 TEST
drwxr-xr-x 3 root root 4096 Jul 2 02:36 build
drwxr-xr-x 1081 root root 36864 Jul 2 02:35 node_modules
-rw-rw-r-- 1 root root 699332 Jul 2 02:33 package-lock.json
-rw-rw-r-- 1 root root 1212 Jul 2 02:33 package.json
drwxr-xr-x 2 root root 4096 Jul 2 02:34 public
drwxr-xr-x 8 root root 4096 Jul 2 02:34 src
[Container] 2020/07/02 02:36:15 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2020/07/02 02:36:15 Phase context status code: Message:
[Container] 2020/07/02 02:36:15 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2020/07/02 02:36:15 Phase context status code: Message:
Which shows that client/build, client/node_modules, and a test directory client/TEST were all created during the CodeBuild. However when I go to the Beanstalk environment I get the error:
ENOENT: no such file or directory, stat '/var/app/current/client/build/index.html'
When I ssh into Beanstalk and check the /var/app/current/ directory, the node_modules in the root directory was successfully built. However, the client/build, client/node_modules, and client/TEST are all missing:
$ cd /var/app/current
$ ls
app.js buildspec.yml config models package.json Procfile routes views
bin client graphql node_modules package-lock.json README.md services
$ cd client
$ ls
package.json package-lock.json public src
This indicates to me that something messed up in the Deploy stage of the CodePipeline, or maybe the artifacts section of the buildspec.yml. I have been stuck on this issue for so long and have no idea how to go about it.
Based on the comments.
To deploy to Elastic Beanstalk, CodePipeline uses the Elastic Beanstalk provider in a Deploy action. As part of setting up this action, input artifacts need to be specified.
The issue was that the input artifacts were set to use the Source action, rather than the CodeBuild action.
The solution was to adjust the setting of the Deploy action to use the CodeBuild artifacts, instead of the Source artifacts.

'uvloop' has no attribute 'EventLoopPolicy'

I am testing python code performance with uvloop. I am getting 'uvloop' has no attribute 'EventLoopPolicy' error.
I am using python 3.7 and
uvloop 0.13.0
pycharm
I tried changing the interpreter and reinstalling uvloop, but neither of them worked.
Can anyone suggest what is the problem?
Rename your own file to something else than uvloop.py, such as test_uvloop.py.
You're confusing Python's import machinery by having your own file the same name as the library you're trying to use.
I see that you're on a Mac, but I just fixed this problem on my CentOS7.x server by properly setting permissions to the uvloop Python package. It's pesky because (at least on CentOS) some pip-installed Python packages go in /usr/local/lib/python3.7/site-packages and some go in /usr/local/lib64/python3.7/site-packages.
Check out what the files in my lib64 directory looked like before I fixed it:
me@myserver /usr/local/lib64/python3.7/site-packages
$ ll
total 16
drwxr-xr-x. 3 root root 4096 Jan 17 15:38 click
drwxr-xr-x. 2 root root 134 Jan 17 15:38 Click-7.0.dist-info
drwxr-x---. 4 root root 74 Jan 17 15:42 httptools
drwxr-x---. 2 root root 141 Jan 17 15:42 httptools-0.0.13-py3.6.egg-info
drwxr-x---. 3 root root 4096 Jan 17 15:43 pydantic
drwxr-x---. 2 root root 111 Jan 17 15:43 pydantic-1.3.dist-info
drwxr-x---. 5 root root 4096 Jan 17 15:43 uvloop
drwxr-x---. 2 root root 141 Jan 17 15:43 uvloop-0.14.0-py3.6.egg-info
drwxr-xr-x. 4 root root 4096 Jan 17 15:38 websockets
drwxr-xr-x. 2 root root 134 Jan 17 15:38 websockets-8.1.dist-info
Unless I was running as a root user the uvloop files are untouchable and that's what caused the error. On your Mac, try to find where your uvloop package is installed and make sure your script can access it.

Which certificate from Let's Encrypt does a website use for HTTPS?

I have a website that was set up to use HTTPS using a certificate from Let's Encrypt. I am trying to add that certificate to a keystore to use HTTPS with a Dropwizard API. The problem I am having is that there are multiple certificates.
My question is how can I figure out which of the certificates my website uses so that I could use that for the API as well?
In /etc/ssl/certs this is what shows up:
lrwxrwxrwx 1 root root 49 Nov 20 2017 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-rw-r--r-- 1 root root 885625 Apr 12 00:27 ca-bundle.crt.rpmnew
lrwxrwxrwx 1 root root 55 Nov 20 2017 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r-- 1 root root 1059673 Apr 12 00:27 ca-bundle.trust.crt.rpmnew
-rw------- 1 root root 1586 Dec 15 2017 localhost.crt
-rwxr-xr-x 1 root root 610 Aug 17 17:16 make-dummy-cert
-rw-r--r-- 1 root root 2516 Aug 17 17:16 Makefile
-rwxr-xr-x 1 root root 829 Aug 17 17:16 renew-dummy-cert
After looking more closely at the config files like Patrick had suggested I found the config file in /etc/httpd/conf.d/ssl.conf that had the path to where the certificate and private key were.
You can have a look at your vhost file to see the path to the physical ssl cert files being used by the website. The vhost is likely going to be at /etc/apache2/sites-available/ .

opendkim Permission Denied when loading the key

I have installed opendkim on my Ubuntu 14.04.4 LTS server. I have configured postfix to use the previously created opendkim mail.private key.
When I try to send a mail I see the following messages in the /var/log/mail.log file:
Jan 29 09:19:47 test postfix/smtpd[2427]: connect from ip6localhost[127.0.0.1]
Jan 29 09:19:47 test postfix/smtpd[2427]: 625E3E0FE7: client=ip6-localhost[127.0.0.1]
Jan 29 09:19:47 test postfix/cleanup[2431]: 625E3E0FE7: message-id=<890ba29cd6ef289c50581335723ccdb9[edited domain]>
Jan 29 09:19:47 test opendkim[1370]: can't load key from /etc/opendkim/keys/mail.private: Permission denied
Jan 29 09:19:47 test opendkim[1370]: 625E3E0FE7: error loading key 'mail._[edited domain]'
The key was stored into the folder /etc/opendkim/keys
root@test:/home/crewlog.com# ls -l /etc/opendkim
total 16
drw------- 2 opendkim opendkim 4096 Jan 29 07:49 keys
-rw-r----- 1 opendkim opendkim 891 Jan 29 07:48 mail.private
-rw------- 1 opendkim opendkim 67 Jan 29 08:01 KeyTable
-rw------- 1 opendkim opendkim 32 Jan 29 07:47 SigningTable
-rw------- 1 opendkim opendkim 81 Jan 29 07:19 TrustedHosts
I used the opendkim:opendkim user. Here is my /etc/opendkim.config file
AutoRestart Yes
AutoRestartRate 10/1h
Syslog yes
UMask 002
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
UserID opendkim:opendkim
Mode sv
OversignHeaders From
Domain [edited domain]
KeyFile /etc/opendkim/keys/mail.private
Selector mail
SOCKET inet:8891@127.0.0.1
Any help will be welcomed as I don't know what I am doing wrong
You have the mail.private in the wrong directory, it's looking in the keys directory for mail.private.
Move mail.private into the keys directory and make sure opendkim has permission to read the file.
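
A mode-bit check for the fix described above, as an added example that is not part of the original answer: it walks every directory on the way to the KeyFile and reports where the signing user lacks search or read permission. The demo reproduces the `drw-------` mode of `keys` from the question's listing in a temporary directory; function names are illustrative, and ACLs and SELinux/AppArmor are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original thread): can a non-root service account
# reach and read its key file? Mode bits only; ACLs and MAC policy are ignored.

# Print the rwx triplet from `ls -ldn` that applies to USER ($1) on PATH ($2).
perm_for_user() {
    ls -ldn -- "$2" 2>/dev/null | {
        read -r mode links uid gid rest || exit 1
        if [ "$(id -u "$1")" = "$uid" ]; then cols=2-4                  # owner class
        elif id -G "$1" | tr ' ' '\n' | grep -qx "$gid"; then cols=5-7  # group class
        else cols=8-10                                                  # other class
        fi
        printf '%s\n' "$mode" | cut -c"$cols"
    }
}

# Report every obstacle between USER ($1) and FILE ($2); return 0 if there is none.
check_key_access() {
    user=$1 file=$2 rc=0
    dir=$(dirname -- "$file")
    while :; do
        # A directory needs the search bit (x, or s/t which imply x) to be traversed.
        case $(perm_for_user "$user" "$dir") in
            ??[xst]) ;;
            *) echo "NOSEARCH $dir"; rc=1 ;;
        esac
        if [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    [ "$rc" -eq 0 ] || return 1   # the file cannot be inspected through a blocked path
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    case $(perm_for_user "$user" "$file") in
        r??) ;;
        *) echo "NOREAD $file"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed layout mirroring the question: keys/ is drw------- (no search bit).
demo() {
    d=$(mktemp -d) && mkdir "$d/keys" && : > "$d/keys/mail.private" || return 1
    chmod 600 "$d/keys/mail.private" "$d/keys"
    check_key_access "$(id -un)" "$d/keys/mail.private"; before=$?
    chmod 700 "$d/keys"
    check_key_access "$(id -un)" "$d/keys/mail.private"; after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}
demo
```

On the mail server the equivalent call would be `check_key_access opendkim /etc/opendkim/keys/mail.private`.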
