When trying to install Zato step-by-step as the quickstart does it, the UI throws an error of ‘Could not fetch the load balancer’s configuration’.
After comparing the configuration in detail to the quickstart one and the one created while running via the zato cli, the only difference that stands out is the certificates.
It seems like zato has a different private key for each individual service (web-admin/load-balancer/serverN).
We have a wildcard certificate and key (*.domain.com):
private key (wildcard) -> public key can be generated from this.
certificate (wildcard)
CA certificate
How can we use that within the context of deploying zato?
The load-balancer is created as such: zato create load_balancer /opt/zato/dev/load_balancer /opt/zato/dev/certs/PUBLICKEY.pem /opt/zato/dev/certs/PRIVATEKEY.pem /opt/zato/dev/certs/WILDCARDCERTIFICATE.pem /opt/zato/dev/certs/CACERTIFICATE.pem
What would be the best approach for us to go with? Would the above wildcard key/cert pair be sufficient, or does an individual set need to be created for each service?
I have one server per component (web-admin, load-balancer, server-x) and it works fine; web-admin has access to the balancer configuration. I just had to change the lb host: https://zato.io/docs/web-admin/clusters.html#edit
@giannis.katsini@jupiter
Thank you very much for your help.
So the error from the web-admin.log mentions that the SSL certificate verification failed. That was my initial thought as well, hence the question on the SSL aspect.
How do I proceed further from this:
2017-10-27 00:09:43,201 - ERROR - 27387:MainThread - zato.admin.web.views.cluster:174 - Could not invoke agent, client:[<ServerProxy
for localhost:20151/RPC2>], e:[Traceback (most recent call last):
File "/opt/zato/2.0.8/code/zato-web-admin/src/zato/admin/web/views/cluster.py", line 165, in index
lb_config = client.get_config()
File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
return self.__send(self.__name, args)
File "/usr/lib64/python2.7/xmlrpclib.py", line 1587, in __request
verbose=self.__verbose
File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
return self.single_request(host, handler, request_body, verbose)
File "/usr/lib64/python2.7/xmlrpclib.py", line 1301, in single_request
self.send_content(h, request_body)
File "/usr/lib64/python2.7/xmlrpclib.py", line 1448, in send_content
connection.endheaders(request_body)
File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 797, in send
self.connect()
File "/opt/zato/2.0.8/code/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/http.py", line 48, in connect
self.sock = self.wrap_socket(sock)
File "/opt/zato/2.0.8/code/eggs/springpython-1.3.0rc1-py2.7.egg/springpython/remoting/http.py", line 56, in wrap_socket
ssl_version=self.ssl_version)
File "/usr/lib64/python2.7/ssl.py", line 913, in wrap_socket
ciphers=ciphers)
File "/usr/lib64/python2.7/ssl.py", line 588, in __init__
self.do_handshake()
File "/usr/lib64/python2.7/ssl.py", line 810, in do_handshake
self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
]
I can see that others will help you out with the lb_host variable if it turns out to be needed, but to answer your specific question - yes, you can use just one set of public/private keys along with the certificate of the CA that was involved in signing the certificate that uses the keys.
The reason why they are all different by default is that in this way one has the flexibility of what to do, either keep them separate or use a single one.
As for the CERTIFICATE_VERIFY_FAILED error - as mentioned in other replies, web-admin communicates with the load-balancer using that load-balancer’s agent, it’s basically a mini-server that accepts a very specific set of commands, validates them and passes them along to the load-balancer.
This agent needs its own public/private keys and certificate and this is the material that the ‘zato create load_balancer’ command accepts. Again, this crypto material can be then shared with any other component - it’s up to you how you break it down.
But what you also need to make sure of is that web-admin knows what CA signed the load-balancer agent’s certificate.
That is, when web-admin invokes the agent it needs to know what CA signed the agent’s certificate. That CA’s certificate is stored in /path/to/web/admin/config/repo/web-admin-ca-certs.pem. Simply place your CA’s certificate there, in PEM format, then stop/start web-admin and it will work.