  1. Red Hat Fuse
  2. ENTESB-8799

Update Jolokia to use the OpenShift CA instead of self-signed


Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • FIS 2.0
    • None
    • Compatibility/Configuration, User Experience

    Description

      When accessing Jolokia from the node it's running on, but potentially from a different pod, via curl, it needs to be done with the -k (or --insecure) option, as the cert is self-signed:

      sh-4.2$ curl -v -k -u jolokia:ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W 'https://10.1.0.3:8778/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false'                                                                         
      * About to connect() to 10.1.0.3 port 8778 (#0)
      *   Trying 10.1.0.3...
      * Connected to 10.1.0.3 (10.1.0.3) port 8778 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * NSS: client certificate not found (nickname not specified)
      * SSL connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      *       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      *       start date: Jan 16 12:39:03 2017 GMT
      *       expire date: Jan 14 12:39:03 2027 GMT
      *       common name: Jolokia Agent 1.3.5
      *       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      * Server auth using Basic with user 'jolokia'
      > GET /jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false HTTP/1.1
      > Authorization: Basic am9sb2tpYTpFeGZOSmJXbVBBNkR0R3RsN2VLSUtkcEREWlRaNVc=
      > User-Agent: curl/7.29.0
      > Host: 10.1.0.3:8778
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Pragma: no-cache
      < Date: Mon, 16 Jan 2017 12:46:38 GMT
      < Transfer-encoding: chunked
      < Content-type: text/plain; charset=utf-8
      < Expires: Mon, 16 Jan 2017 11:46:38 GMT
      < Cache-control: no-cache
      < 
      * Connection #0 to host 10.1.0.3 left intact
      {"request":{"type":"version"},"value":{"agent":"1.3.5","protocol":"7.2","config":{"maxDepth":"15","discoveryEnabled":"false","maxCollectionSize":"0","password":"ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W","agentId":"10.1.0.3-1-6d6f6e28-jvm","debug":"f
      alse","agentType":"jvm","historyMaxEntries":"10","agentContext":"\/jolokia","maxObjects":"0","user":"jolokia","debugMaxEntries":"100"},"info":{"product":"tomcat","vendor":"Apache","version":"8.5.5"}},"timestamp":1484570798,"status":200}sh-
      sh-4.2$
      sh-4.2$ curl -v -u jolokia:ExfNJbWmPA6DtGtl7eKIKdpDDZTZ5W 'https://10.1.0.3:8778/jolokia/?maxDepth=7&maxCollectionSize=500&ignoreErrors=true&canonicalNaming=false'                                                                            
      * About to connect() to 10.1.0.3 port 8778 (#0)
      *   Trying 10.1.0.3...
      * Connected to 10.1.0.3 (10.1.0.3) port 8778 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * Server certificate:
      *       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      *       start date: Jan 16 12:39:03 2017 GMT
      *       expire date: Jan 14 12:39:03 2027 GMT
      *       common name: Jolokia Agent 1.3.5
      *       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
      * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
      * Issuer certificate is invalid.
      * Closing connection 0
      curl: (60) Issuer certificate is invalid.
      More details here: http://curl.haxx.se/docs/sslcerts.html
      
      curl performs SSL certificate verification by default, using a "bundle"
       of Certificate Authority (CA) public keys (CA certs). If the default
       bundle file isn't adequate, you can specify an alternate file
       using the --cacert option.
      If this HTTPS server uses a certificate signed by a CA represented in
       the bundle, the certificate verification probably failed due to a
       problem with the certificate (it might be expired, or the name might
       not match the domain name in the URL).
      If you'd like to turn off curl's verification of the certificate, use
       the -k (or --insecure) option.
      sh-4.2$
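
One way to catch this condition in collected `curl -v` output, as an added example that is not part of the original report or of Jolokia: it flags runs where verification was disabled with -k, where subject and issuer match, or where curl rejected the peer. The function names and the CA-signed sample are constructed; the other two samples are excerpts of the session above.

```shell
#!/bin/sh
# Added example: classify TLS trust in `curl -v` output of the NSS-style format
# shown in this issue. Function names are hypothetical.

# Reads curl -v output on stdin; prints one finding per line.
# subject == issuer means self-issued, treated here as self-signed.
audit_curl_log() {
  awk '
    /skipping SSL peer certificate verification/ { insecure = 1 }  # -k was used
    /^[ \t]*\*[ \t]+subject:/ { sub(/^.*subject:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); subject = $0 }
    /^[ \t]*\*[ \t]+issuer:/  { sub(/^.*issuer:[ \t]*/, "");  sub(/[ \t\r]+$/, ""); issuer = $0 }
    /curl: \(60\)/ { rejected = 1 }                                # peer rejected
    END {
      if (insecure) print "VERIFY_DISABLED"
      if (subject != "" && subject == issuer) print "SELF_SIGNED"
      if (rejected) print "VERIFY_FAILED"
      if (!insecure && !rejected && subject != "") print "VERIFIED"
    }'
}

# Gate for scripts: succeeds only for a verified, non-self-signed peer.
tls_trust_ok() { [ "$(audit_curl_log)" = "VERIFIED" ]; }

# Excerpts of the two runs in this issue (with -k, then without).
sample_insecure() { cat <<'EOF'
* skipping SSL peer certificate verification
*       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
*       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
< HTTP/1.1 200 OK
EOF
}
sample_rejected() { cat <<'EOF'
*       subject: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
*       issuer: CN=Jolokia Agent 1.3.5,OU=JVM,O=jolokia.org,L=Pegnitz,ST=Franconia,C=DE
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
curl: (60) Issuer certificate is invalid.
EOF
}
# Constructed sample: what a CA-signed agent certificate would look like.
sample_ca_signed() { cat <<'EOF'
*       subject: CN=jolokia.example.svc
*       issuer: CN=example-service-ca
< HTTP/1.1 200 OK
EOF
}

for s in sample_insecure sample_rejected sample_ca_signed; do
  echo "$s: $($s | audit_curl_log | tr '\n' ' ')"
done
```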
      

          People

            Unassigned
            Roderick Kieley (rhn-support-rkieley)
            Lukas Lowinger