Couchbase Server / MB-42622

Gather intermediate certificates in cbcollect_info


    Description

      Currently, intermediate certificates installed on nodes are not included in cbcollect info, since they are not part of the ns_config. I suggest printing the content of certain .pem files (the ones that do not contain private keys) found in the config directory to couchbase.log.


        Activity

          Sam Cramer (Inactive) added a comment:

          A few questions:

          1) Should these files be logged periodically? I suspect so, but I'm not sure under what conditions they change. If they should be logged periodically, what should the period be? Daily?

          2) The ticket title mentions "diag.log" and the description mentions "couchbase.log". I may be looking in the wrong place, but I don't see either of these files under /opt/couchbase/var/lib/couchbase/logs. Is the intent that they be logged to "debug.log"?

          Artem Stemkovski added a comment:

          These files need to be collected when the user clicks the collect logs button. You need to add tasks to the cbcollect_info script that cat some .pem files into couchbase.log.

          Sam Cramer (Inactive) added a comment:

          OK, now I understand. I thought you were saying that we should be logging them periodically, and that then cbcollect_info would pick them up as part of the standard log file "collection" process.

          Sam Cramer (Inactive) added a comment:

          "I suggest printing the content of certain .pem files (the ones that do not contain private keys)"

          I can think of a few ways to implement this:

          1) At cbcollect_info run time, find all the .pem files in /opt/couchbase/var/lib/couchbase/config, determine which of them only contain public keys and collect them. On Linux the find(1) command can determine if a file contains a private key, but that's not much help on Windows.

          2) Instruct cbcollect_info to collect a specific list of public key files.

          I vote for option 2). It's easier and less likely to cause us to collect a private key due to programming or utility program error. The downside is that we may need to update cbcollect_info in the future in order to collect more public key files. I don't see that as a major problem.

          Sam Cramer (Inactive) added a comment:

          What I believe to be the relevant files in /opt/couchbase/var/lib/couchbase/config:

          • memcached-cert.pem (addressed in MB-41464)
          • local-ssl-cert.pem
          • ssl-cert-key.pem
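
One way to combine option 2 (a fixed file list) with a content check that runs the same on Linux and Windows, as an added example that is not code from cbcollect_info or from the ns_server commit. The allowlist reuses the file names listed in the comment above; `collect_public_pems`, the skip reasons and the sample file contents are constructed for illustration, and what the real files contain is not stated on this page.

```python
import os
import re
import tempfile

# Assumed allowlist (option 2): the file names listed in the ticket comment.
ALLOWED = ("memcached-cert.pem", "local-ssl-cert.pem", "ssl-cert-key.pem")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of every complete PEM block, e.g. 'CERTIFICATE'."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def collect_public_pems(config_dir, allowed=ALLOWED):
    """Return ({name: text} safe to log, {name: reason} for skipped files)."""
    collected, skipped = {}, {}
    for name in allowed:
        path = os.path.join(config_dir, name)
        if not os.path.isfile(path):
            skipped[name] = "missing"
            continue
        with open(path, "r", encoding="ascii", errors="replace") as f:
            text = f.read()
        # Fail closed: a raw substring match also catches truncated key blocks.
        if "PRIVATE KEY" in text:
            skipped[name] = "contains private key"
        elif set(pem_labels(text)) != {"CERTIFICATE"}:
            skipped[name] = "not certificate-only"
        else:
            collected[name] = text
    return collected, skipped

def demo():
    """Run the collector over a constructed config directory."""
    body = "Q09OU1RSVUNURUQ=\n"  # base64 of "CONSTRUCTED", not real key data
    cert = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    key = ("-----BEGIN RSA PRIVATE KEY-----\n" + body +
           "-----END RSA PRIVATE KEY-----\n")
    samples = {
        "memcached-cert.pem": cert + cert,  # leaf plus intermediate
        "ssl-cert-key.pem": cert + key,     # constructed: cert and key together
        "other.pem": cert,                  # not on the allowlist, never read
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            with open(os.path.join(d, name), "w", encoding="ascii") as f:
                f.write(text)
        return collect_public_pems(d)

if __name__ == "__main__":
    print(demo())
```
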

          Couchbase Build Team added a comment:

          Build couchbase-server-7.0.0-3949 contains ns_server commit 90df161 with commit message:
          MB-42622 Gather intermediate certificates in cbcollect_info

          Ashwin Govindarajulu added a comment:

          Validated using 7.0.0-4607.

          Closing the ticket.

          People

            sam.cramer Sam Cramer (Inactive)
            artem Artem Stemkovski