Story #8364
Ensure portal uses correct X509 certificates
30%
Description
We've run into issues where, after an upgrade of the dataone-cn-portal package on the CNs, the properties pointing to the public certificate and private key incorrectly point to the old GeoTrust wildcard files rather than the new Let's Encrypt files:
cn.server.publiccert.filename=/etc/ssl/certs/.test.dataone.org.crt
cn.server.privatekey.filename=/etc/ssl/private/.test.dataone.org.key
These should be (in STAGE):
/etc/letsencrypt/live/cn-stage.test.dataone.org/cert.pem
/etc/letsencrypt/live/cn-stage.test.dataone.org/privkey.pem
The issue might be that these are not being set correctly during the postinst script run. Jing pointed out that these values are taken from the debconf database settings that get set when dataone-cn-os-core is installed. So although the postinst script might be setting the correct values, the old cached values might still be in memory in the debconf database. If so, we'll need to clear those values during installations and upgrades.
Also, knowing where to look for these configuration settings can be challenging. They are referenced from /var/lib/tomcat7/webapps/portal/WEB-INF/portal.properties. These settings should be consolidated into /etc/dataone/portal/portal.properties so they also don't get blown away on war file upgrades in Tomcat.
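As an added post-upgrade check (not part of the dataone-cn-portal package), the POSIX shell script below reads the two certificate properties from a portal.properties file and flags any value that does not point into the Let's Encrypt live directory; the expected prefix and the two sample files are assumptions built from the stage paths quoted above.

```shell
#!/bin/sh
# Added example, not part of the dataone-cn-portal package: a post-upgrade
# sanity check that reads the two certificate properties from a
# portal.properties file and flags any value that does not point into the
# Let's Encrypt live directory for this CN. The prefix is an assumption
# matching the stage paths quoted in the issue; adjust it per environment.

EXPECTED_PREFIX="/etc/letsencrypt/live/cn-stage.test.dataone.org"

# Print the (last) value of a key from a key=value properties file.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Exit 0 when both properties point under EXPECTED_PREFIX; otherwise print
# each offending property as key=value and exit 1.
check_cert_props() {
    rc=0
    for key in cn.server.publiccert.filename cn.server.privatekey.filename; do
        val=$(prop_value "$1" "$key")
        case "$val" in
            "$EXPECTED_PREFIX"/*) ;;
            *) echo "$key=$val"; rc=1 ;;
        esac
    done
    return $rc
}

# On a CN, confirm the configured cert and key actually belong together (a
# stale GeoTrust key would not match the Let's Encrypt cert). Needs openssl.
cert_key_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Constructed samples: the stale values quoted in the issue, and the fixed ones.
STALE=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$STALE" "$FIXED"' EXIT
cat > "$STALE" <<'EOF'
cn.server.publiccert.filename=/etc/ssl/certs/.test.dataone.org.crt
cn.server.privatekey.filename=/etc/ssl/private/.test.dataone.org.key
EOF
cat > "$FIXED" <<'EOF'
cn.server.publiccert.filename=/etc/letsencrypt/live/cn-stage.test.dataone.org/cert.pem
cn.server.privatekey.filename=/etc/letsencrypt/live/cn-stage.test.dataone.org/privkey.pem
EOF
check_cert_props "$STALE" || echo "stale certificate paths found (see above)"
check_cert_props "$FIXED" && echo "portal.properties points at Let's Encrypt files"
```

On a CN, run check_cert_props against /var/lib/tomcat7/webapps/portal/WEB-INF/portal.properties after the package upgrade, and cert_key_match against the two configured files; `debconf-show dataone-cn-os-core` shows the cached debconf values the postinst reads.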
Subtasks
History
#1 Updated by Dave Vieglais over 6 years ago
- Sprint set to CCI-2.3.10
#2 Updated by Dave Vieglais over 6 years ago
- Target version changed from CCI-2.3.8 to CCI-2.3.10
#3 Updated by Dave Vieglais over 5 years ago
- % Done changed from 0 to 30
- Status changed from New to In Progress
- Tracker changed from Task to Story