# Turnpike Cert Management (cloudigrade/cloudigrade GitHub Wiki)

## What is Turnpike?

See:
- https://github.com/RedHatInsights/turnpike/blob/master/docs/_index.md
- https://consoledot.pages.redhat.com/docs/dev/getting-started/gateway/index.html#_turnpike
## Certificate Creation

In order to use Turnpike with certificate authentication we must first create a cert. Most of this is documented elsewhere, but here are the specific steps we need to follow:

1. Connect to the Red Hat VPN.
2. Pull the request-helper image:

   ```
   docker pull images.paas.redhat.com/it-iam/rhcs-firefox-workaround:latest
   ```

3. Create a working directory on your host to receive the output:

   ```
   mkdir /tmp/rhcs-request && cd "$_"
   ```

4. Run the image with an interactive shell:

   ```
   docker run --net=host --add-host=ca.corp.redhat.com:10.4.203.53 \
       -v /tmp/rhcs-request:/output:Z \
       -it images.paas.redhat.com/it-iam/rhcs-firefox-workaround:latest \
       /bin/bash
   ```

5. Inside the container, change to the scripts directory:

   ```
   cd /files/
   ```

6. Submit the certificate request:

   ```
   ./wrapper_script_msg cloudigrade-turnpike Stage 'Your Name' [email protected] 0001234567
   ```

   The parameters for that command, in this specific order, are:

   - certificate name
   - environment name (`Stage` or `Prod` for a Turnpike cert); this will also be the cert's Locality
   - requestor name (your first and last name)
   - requestor email (your personal @redhat.com email or a mailing list address for the team)
     - You must use a valid email address you can check because a link will be sent there.
   - requestor phone number

   If the output ends with a message like `Request Status: pending`, skip to step 9. Otherwise, if the output includes an error like `SocketException cannot write on socket`, continue to step 7.

7. Go to the RHCS Server List and find a valid prod CA server address (like `ca01.pki.prod.int.rdu2.redhat.com:8443`).
8. Substitute the host and port you found in the server list and resubmit the request. Set the variable on its own line first; a one-line `VAR=... pki ...` form would not work, because the shell expands `${HOSTNAME_AND_PORT}` in the arguments before the prefix assignment takes effect:

   ```
   HOSTNAME_AND_PORT="ca01.pki.prod.int.rdu2.redhat.com:8443"
   pki -v -U "https://${HOSTNAME_AND_PORT}/ca" cert-request-submit caUserCert-msg-copy.xml
   ```

   If the `pki` command times out or reports an error, go back to step 7 and try another CA server.

9. Copy the generated private key to the mounted output directory:

   ```
   cp *.key /output/
   ```

   Your new key is now in your host's `/tmp/rhcs-request` directory.

10. In a couple of hours, you'll receive an email from [email protected] with information about your new cert.
11. Click the URL in that email. It should have the same hostname you used in step 8.
12. Copy the text under "Base 64 encoded certificate" and save it to a local file as your new cert file.

App-interface may need to be updated so the x509 subject in Turnpike matches that of the cert, but this is unlikely to need changing.
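Before wiring the downloaded cert and the key from step 9 into anything, it is worth confirming that the two files actually belong together, reading the subject that app-interface has to match, and checking how long the cert remains valid. The script below is an added example written for this page; it is not part of the wiki, the RHCS wrapper, or cloudigrade's tooling. It assumes only that the `openssl` CLI is installed, and every file name in it is constructed (the `demo` function generates a throwaway self-signed pair purely to exercise the checks).

```shell
#!/bin/sh
# Added example, not from the cloudigrade wiki or its tooling.
# Sanity-checks a client cert/key pair before it is handed to Turnpike:
#   - does the private key actually belong to the certificate?
#   - what is the x509 subject (the value app-interface must match)?
#   - is the cert still valid for a comfortable margin?
# Assumes the `openssl` CLI is installed. All file names below are constructed.
set -u

# Print the subject DN of a PEM certificate in RFC 2253 form.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Return 0 if the private key's public half matches the certificate's public key.
# Both sides are normalised to the PEM SubjectPublicKeyInfo that openssl emits,
# so file names and key formats do not matter; an unreadable or missing file
# makes the function return 1 instead of silently "matching".
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the cert does not expire within the next $2 days (default 30).
cert_valid_for_days() {
  days=${2:-30}
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Constructed sample data: a throwaway self-signed pair named $1 in directory $2.
# A self-signed cert only exercises the checks; Turnpike requires one issued by RHCS.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2/$1.key" -out "$2/$1.crt" \
    -subj "/O=Example/L=Stage/CN=$1" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  make_sample_pair sample-a "$dir"
  make_sample_pair sample-b "$dir"
  echo "subject of sample-a.crt: $(cert_subject "$dir/sample-a.crt")"
  if cert_key_match "$dir/sample-a.crt" "$dir/sample-a.key"; then
    echo "sample-a.crt + sample-a.key: key matches cert"
  fi
  if ! cert_key_match "$dir/sample-a.crt" "$dir/sample-b.key"; then
    echo "sample-a.crt + sample-b.key: MISMATCH, do not deploy this pair"
  fi
  if cert_valid_for_days "$dir/sample-a.crt" 30; then
    echo "sample-a.crt is valid for at least 30 more days"
  fi
  rm -rf "$dir"
}

demo
```

To use it on a real pair, source the file and call `cert_key_match cloudigrade-turnpike-stage.crt cloudigrade-turnpike-stage.key` and `cert_subject cloudigrade-turnpike-stage.crt`; the subject line is the value to compare against the Turnpike configuration in app-interface.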
## Testing Certificates

Try making a request using the cert to: https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage

With HTTPie:

```
http \
    --proxy=https:http://squid.corp.redhat.com:3128 \
    --cert=cloudigrade-turnpike-stage.crt --cert-key=cloudigrade-turnpike-stage.key \
    https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage
```

Or with curl:

```
curl -i \
    --proxy http://squid.corp.redhat.com:3128 \
    --cert cloudigrade-turnpike-stage.crt --key cloudigrade-turnpike-stage.key \
    --url https://mtls.internal.cloud.stage.redhat.com/RHClientCertTestPage
```

The response should be HTML with some very rudimentary diagnostic information.

Search the CoreOS Slack for "RHClientCertTestPage" for more information.
## Certificate Revocation

Unfortunately there is no self-serve way to revoke a cert, according to IT:

> Only agents can revoke a certificate. So please open a ticket with IT Support in the future when you need to revoke a certificate.