Re: ha_proxy issue, how to add cert into ssl_pem:


CF Runtime
 

The first format is normally easier to read. To be valid YAML, ensure there
are only spaces for indentation, and not tab characters.

The second format will also work, but you need to make double line breaks
between each line:

properties:
ha_proxy:
ssl_pem: "-----BEGIN CERTIFICATE-----

MIIChTCCAe4CCQDPm3qYbkHm+DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMC



…………………………………………………….


-----END CERTIFICATE-----


-----BEGIN RSA PRIVATE KEY-----


MIICXAIBAAKBgQCgy5XTU8Rct9+lZZswLlgm0SrnU8fiOmsV0H4BxmC2OX4GBeIu


……………………………


-----END RSA PRIVATE KEY-----"


Joseph

OSS Release Integration Team

On Fri, Jul 24, 2015 at 8:42 AM, Liu, David <David.G.Liu(a)emc.com> wrote:

Hi Expert,

What is the right format to add cert/private key into ssl_pem?



My environment:

BOSH 1.3016.0

CF-release:213

Stemcell: 3012

vSphere 5.5 u2

Ubuntu 14.04 bosh cli, VI to edit file.



HA proxy part configuration in cf-deployment.yml

A, When set ssl_pem as below

properties:

ha_proxy:

disable_http: false

ssl_ciphers: null

ssl_pem: |+

-----BEGIN CERTIFICATE-----

MIIChTCCAe4CCQDPm3qYbkHm+DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMC

……………………

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQCgy5XTU8Rct9+lZZswLlgm0SrnU8fiOmsV0H4BxmC2OX4GBeIu

………………………………………….

-----END RSA PRIVATE KEY-----

metron_agent:



then RUN #bosh deployment cf-deployment.yml

ERROR: “Incorrect YAML structure in
`/home/david/cf-release/cf-deployment.yml': (<unknown>): found a tab
character that violate intendation while scanning a plain scalar at line 66
column 16”



B, when set ssl_pem as blow:

properties:

ha_proxy:

disable_http: false

ssl_ciphers: null

ssl_pem: "-----BEGIN CERTIFICATE-----

MIIChTCCAe4CCQDPm3qYbkHm+DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMC

…………………………………………………….

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQCgy5XTU8Rct9+lZZswLlgm0SrnU8fiOmsV0H4BxmC2OX4GBeIu

……………………………

-----END RSA PRIVATE KEY-----"



then RUN #bosh deployment cf-deployment.yml , it work ok.

Then run #bosh deploy

ERROR “ha_proxy is not running after updating”.



SSH to ha_proxy VM, find that “cert.pem” in /var/vcap/jobs/haproxy/config
is in wrong format

----BEGIN
CERTIFICATE-----MIIChTCCAe4CCQDPm3qYbkHm+DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMC

……………………………………………………. -----END CERTIFICATE----- -----BEGIN RSA
PRIVATE
KEY-----MIICXAIBAAKBgQCgy5XTU8Rct9+lZZswLlgm0SrnU8fiOmsV0H4BxmC2OX4GBeIu

…………………………… -----END RSA PRIVATE KEY-----



Manual change cert.pem to below format, restart haproxy, it work fine.

----BEGIN CERTIFICATE-----

MIIChTCCAe4CCQDPm3qYbkHm+DANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMC

…………………………………………………….

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQCgy5XTU8Rct9+lZZswLlgm0SrnU8fiOmsV0H4BxmC2OX4GBeIu

……………………………

-----END RSA PRIVATE KEY-----



So, what is the right format to add cert/private key into ssl_pem?

Thanks

David















_______________________________________________
cf-bosh mailing list
cf-bosh(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-bosh

Join cf-bosh@lists.cloudfoundry.org to automatically receive all group messages.