Flack fails to initialize user about geni-ch HOT 6 CLOSED

This problem has been tied back to a requirement to install the ca-gpolab.crt into the service registry. This is captured in proto-ch ticket #884 and this one should be closed as a duplicate of that one.

We've tested that flack works when this cert is installed in the service registry.

Trac comment by mbrinn (github user: MarshallBrinn) on 11-13-2013 at 11:42

from geni-ch.

In order for Flack to speak to the portal, we need to pass Flack the cert that signed the apache certs. This is located in /etc/ssl/certs/ca-gpolab.cert. A change should be made to the install_db script to insert this cert into the service_registry using a SQL expression like:

insert into service_registry (service_url, service_type, service_cert) values (, 7, '/etc/ssl/certs/ca-gpolab.crt');

The fix needs to go in install_db.

Trac comment by tmitchel (github user: tcmitchell) on 11-13-2013 at 11:47

from geni-ch.

Reminder: the location of the signing cert is different for nye than for the sandboxes, so you don't want to hardcode it as ca-gpolab.

Puppet knows the location of the correct signer for each portal/CH, so if you'd like, i can have puppet put a file in /etc/geni-chapi/ containing this insert statement with the right cert for each portal/CH, and then the installer can just execute that file. Up to y'all.

Trac comment by chaos on 11-13-2013 at 12:01

from geni-ch.

Per discussion with Tom, i went ahead and had apache create this file in /etc/geni-chapi. Here's how it looks on tau-ceti:

$ cat /etc/geni-chapi/update_service_registry.01.sql 
-- --- Service registry insert for CH apache signing cert
--
-- DO NOT EDIT except via CVS (cvs.gpolab.bbn.com:/srv/cvs)
-- 
-- See /var/lib/puppet/vtf/apache_update_service_registry.01.sql
-- for a copy of this file containing the RCS info

insert into service_registry (service_url, service_type, service_cert) values
  (, 7, '/etc/ssl/certs/ca-gpolab.crt');

So the install script should be able to execute that and get the correct per-CH filename.

Trac comment by chaos on 11-18-2013 at 14:54

from geni-ch.

Tom and i found/fixed a typo in the insert. Now the file reads:

$ cat /etc/geni-chapi/update_service_registry.01.sql 
-- --- Service registry insert for CH apache signing cert
--
-- DO NOT EDIT except via CVS (cvs.gpolab.bbn.com:/srv/cvs)
-- 
-- See /var/lib/puppet/vtf/apache_update_service_registry.01.sql
-- for a copy of this file containing the RCS info

insert into service_registry (service_url, service_type, service_cert) values
  ('', 7, '/etc/ssl/certs/ca-gpolab.crt');

Trac comment by chaos on 11-18-2013 at 15:14

from geni-ch.

Fix added to install_db. If the file exists, execute it in psql.

Trac comment by tmitchel (github user: tcmitchell) on 11-18-2013 at 18:17

from geni-ch.