Renewal of etcd certificates - ssl

I recently had to deal with etcd certificate renewal. I wanted to renew the certificates for 100 years. I did everything according to the documentation, but not all certificates were renewed for 100 years: ca.pem was only renewed for 5 years (notAfter=Jun 9 09:19:00 2026 GMT).
Can ca.pem be extended for a longer period?
My config
cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "server": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "client": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

This required changing ca-csr.json
{
  "CA": {
    "expiry": "876000h",
    "pathlen": 0
  },
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
And then regenerate the CA certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
The result:
openssl x509 -enddate -noout -in ca.pem
notAfter=May 19 09:26:00 2121 GMT
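The root cause above is that the leaf profiles in ca-config.json asked for 876000h while ca-csr.json said nothing about the CA's own lifetime, so the CA got a shorter default and every leaf would have nominally outlived the CA that signs it (once ca.pem hits notAfter, verifiers reject the whole chain whatever the leaf says). The following script is an added example, not part of the original post or of cfssl: it parses the two cfssl inputs (constructed copies of the ones posted, before and after the fix), converts the Go-style durations, and lists the profiles whose leaves would outlive the CA. The 5-year default for `-initca` when no "CA" block is present is an assumption that matches the 2026 date observed in the post.

```python
import json
import re
from datetime import timedelta

# Constructed copies of the two cfssl inputs from the post above. CA_CSR_BEFORE
# is the shape BEFORE the fix (no "CA" block); CA_CSR_AFTER has the added
# "CA": {"expiry": "876000h"} block.
CA_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "876000h"},
    "profiles": {
      "server": {"expiry": "876000h", "usages": ["signing", "key encipherment", "server auth", "client auth"]},
      "client": {"expiry": "876000h", "usages": ["signing", "key encipherment", "client auth"]},
      "peer":   {"expiry": "876000h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}
    }
  }
}
""")
CA_CSR_BEFORE = json.loads('{"CN": "etcd", "key": {"algo": "rsa", "size": 2048}}')
CA_CSR_AFTER = json.loads(
    '{"CA": {"expiry": "876000h", "pathlen": 0}, "CN": "etcd", "key": {"algo": "rsa", "size": 2048}}'
)

# Assumption: with no "CA" block, `cfssl gencert -initca` issues the CA for
# five years (43800h), which is what the 2026 notAfter in the post shows.
DEFAULT_CA_LIFETIME = timedelta(hours=43800)

_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Go-style duration such as '876000h' or '1h30m' into a timedelta."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported cfssl duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def ca_lifetime(ca_csr):
    """Lifetime the CA certificate will get from ca-csr.json."""
    expiry = ca_csr.get("CA", {}).get("expiry")
    return parse_duration(expiry) if expiry else DEFAULT_CA_LIFETIME


def profiles_outliving_ca(ca_config, ca_csr):
    """Signing profiles whose leaf expiry is longer than the CA's own lifetime.

    A leaf that nominally outlives its CA is only as good as the CA: once
    ca.pem passes notAfter, every verifier rejects the chain regardless of
    the leaf's own dates, so these are the profiles that will bite later.
    """
    ca = ca_lifetime(ca_csr)
    signing = ca_config["signing"]
    default_expiry = signing.get("default", {}).get("expiry")
    offenders = []
    for name, profile in signing.get("profiles", {}).items():
        expiry = profile.get("expiry", default_expiry)
        if expiry and parse_duration(expiry) > ca:
            offenders.append(name)
    return sorted(offenders)


if __name__ == "__main__":
    for label, csr in (("before fix", CA_CSR_BEFORE), ("after fix", CA_CSR_AFTER)):
        bad = profiles_outliving_ca(CA_CONFIG, csr)
        print(f"{label}: CA lifetime {ca_lifetime(csr).days} days; "
              f"profiles outliving CA: {', '.join(bad) if bad else 'none'}")
```

Run it against your own ca-config.json and ca-csr.json before calling `cfssl gencert`; an empty list from `profiles_outliving_ca` is the condition you want, and it is also a sensible pre-commit check for the repository that holds the cfssl configs.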

Related

Unable to get configuration from open-id connect using keycloak

The Keycloak server is running on port 8443, and for authorization I have used a JWT token that contains all the information.
The HTTPS port gives a certificate error:
**System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:8443/auth/realms/Smf-Portal/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://localhost:8443/auth/realms/Smf-Portal/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException:
The SSL connection could not be established, see inner exception.**
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
For example:
{
  "exp": 1624451309,
  "iat": 1624451009,
  "jti": "6dea03d9-49d7-4d0e-a81f-91cbc38fe595",
  "iss": "https://default-host:8443/auth/realms/Smf-Portal",
  "sub": "2c2402ad-37c5-4039-b78f-07f9e47cdc35",
  "typ": "Bearer",
  "azp": "timesheet-microservice",
  "session_state": "43e86783-38e1-42de-a4aa-ed229887504b",
  "acr": "1",
  "allowed-origins": [
    "https://localhost:5004"
  ],
  "realm_access": {
    "roles": [
      "app-user"
    ]
  },
  "resource_access": {
    "timesheet-microservice": {
      "roles": [
        "user"
      ]
    }
  },
  "scope": "profile email",
  "email_verified": true,
  "preferred_username": "employee1"
}

How can I setup an end to end ssl conection with application gateway and apache httpd?

I am setting up, on Azure, an application gateway that I want to have an end-to-end SSL connection with my Apache httpd server, which serves my page from a VM.
I have set up a Listener and an HTTP setting; it seems to work with plain HTTP for both frontend and backend.
My server serves HTTPS with a ".crt" certificate.
In order for end-to-end HTTPS to work on the application gateway, you need to whitelist the backend certificate. To do that you need to add a ".cer" file to an HTTP setting.
When I request the page I get the following error:
502 Bad Gateway
Microsoft-Azure-Application-Gateway/v2
I have already followed the following guides provided by Microsoft:
https://learn.microsoft.com/el-gr/azure/application-gateway/ssl-overview
https://learn.microsoft.com/el-gr/azure/application-gateway/end-to-end-ssl-portal
https://learn.microsoft.com/el-gr/azure/application-gateway/application-gateway-troubleshooting-502#problems-with-default-health-probe
As mentioned in the first reference, the FQDN of the backend pool should be the same as the CN of the certificate.
Also, I tried to generate a ".pfx" and then export the ".cer" and ".crt" files, without any luck.
The backend health probe reports that the backend server is healthy, so the application gateway can reach the backend host.
I am using V2 and added the base64-encoded ".cer".
The FQDN is the same as the DNS name of the backend node.
I used the following commands to generate the certificates:
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 \
-days 1024 -out rootCA.crt
openssl genrsa -out my.domain.com.key 2048
openssl req -new -sha256 -key my.domain.com.key \
-subj "/C=GR/ST=Attica/O=mycompany/CN=my.domain.com" \
-out my.domain.com.csr
openssl x509 -req -in my.domain.com.csr \
-CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
-out my.domain.com.crt -days 500 -sha256
After that I imported the "rootCA.crt" file into the Windows certificate manager and exported it as a base64 ".cer".
I used the exported certificate in the Trusted Root Certificates section of the application gateway.
The deployment template is the following:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverapplicationGateways_name_app_gateway_name": {
"defaultValue": "name-app-gateway",
"type": "String"
},
"virtualNetworks_name_app_gateway_externalid": {
"defaultValue": "/subscriptions/[subscription-id]/resourceGroups/name-app-gateway-rg/providers/Microsoft.Network/virtualNetworks/name-app-gateway",
"type": "String"
},
"publicIPAddresses_name_app_gateway_pip_externalid": {
"defaultValue": "/subscriptions/[subscription-id]/resourceGroups/name-app-gateway-rg/providers/Microsoft.Network/publicIPAddresses/name-app-gateway-pip",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-04-01",
"name": "[parameters('serverapplicationGateways_name_app_gateway_name')]",
"location": "westeurope",
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "20beed4d-2ff5-440b-918f-5772d6c91ad2",
"sku": {
"name": "Standard_v2",
"tier": "Standard_v2"
},
"gatewayIPConfigurations": [
{
"name": "appGatewayIpConfig",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"subnet": {
"id": "[concat(parameters('virtualNetworks_name_app_gateway_externalid'), '/subnets/default')]"
}
},
"type": "Microsoft.Network/applicationGateways/gatewayIPConfigurations"
}
],
"sslCertificates": [
{
"name": "company",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"publicCertData": "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"
},
"type": "Microsoft.Network/applicationGateways/sslCertificates"
}
],
"trustedRootCertificates": [
{
"name": "server-uat",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"data": "sertificate data"
},
"type": "Microsoft.Network/applicationGateways/trustedRootCertificates"
}
],
"frontendIPConfigurations": [
{
"name": "appGwPublicFrontendIp",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"type": "Microsoft.Network/applicationGateways/frontendIPConfigurations",
"properties": {
"provisioningState": "Succeeded",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[parameters('publicIPAddresses_name_app_gateway_pip_externalid')]"
}
}
}
],
"frontendPorts": [
{
"name": "port_443",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 443
},
"type": "Microsoft.Network/applicationGateways/frontendPorts"
},
{
"name": "http-port",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 80
},
"type": "Microsoft.Network/applicationGateways/frontendPorts"
}
],
"backendAddressPools": [
{
"name": "server",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"backendAddresses": [
{
"fqdn": "server-prod.internal.company.com"
}
]
},
"type": "Microsoft.Network/applicationGateways/backendAddressPools"
}
],
"backendHttpSettingsCollection": [
{
"name": "server-http-setting",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 443,
"protocol": "Https",
"cookieBasedAffinity": "Disabled",
"pickHostNameFromBackendAddress": true,
"requestTimeout": 20,
"trustedRootCertificates": [
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/httpd')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server-http-settingeeab8427-4514-4ef4-8e94-7d155a76f037')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/httpd-root')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server-uat')]"
}
]
},
"type": "Microsoft.Network/applicationGateways/backendHttpSettingsCollection"
},
{
"name": "server-http-80-setting",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 80,
"protocol": "Http",
"cookieBasedAffinity": "Disabled",
"pickHostNameFromBackendAddress": false,
"affinityCookieName": "ApplicationGatewayAffinity",
"requestTimeout": 20
},
"type": "Microsoft.Network/applicationGateways/backendHttpSettingsCollection"
}
],
"httpListeners": [
{
"name": "server-l",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendIPConfigurations/appGwPublicFrontendIp')]"
},
"frontendPort": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendPorts/port_443')]"
},
"protocol": "Https",
"sslCertificate": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/sslCertificates/company')]"
},
"requireServerNameIndication": false
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
},
{
"name": "server-http-l",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendIPConfigurations/appGwPublicFrontendIp')]"
},
"frontendPort": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendPorts/http-port')]"
},
"protocol": "Http",
"requireServerNameIndication": false
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
}
],
"urlPathMaps": [],
"requestRoutingRules": [
{
"name": "server-rr",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"ruleType": "Basic",
"httpListener": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/httpListeners/server-l')]"
},
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendAddressPools/server')]"
},
"backendHttpSettings": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendHttpSettingsCollection/server-http-setting')]"
}
},
"type": "Microsoft.Network/applicationGateways/requestRoutingRules"
},
{
"name": "redirect-to-https",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"ruleType": "Basic",
"httpListener": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/httpListeners/server-http-l')]"
},
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendAddressPools/server')]"
},
"backendHttpSettings": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendHttpSettingsCollection/server-http-80-setting')]"
}
},
"type": "Microsoft.Network/applicationGateways/requestRoutingRules"
}
],
"probes": [],
"rewriteRuleSets": [],
"redirectConfigurations": [],
"enableHttp2": false,
"autoscaleConfiguration": {
"minCapacity": 2,
"maxCapacity": 10
}
}
}
]
}
First of all, you could check the backend health in the monitoring section of the application gateway. Find the error details for the 502 error and then troubleshoot it following the step-by-step guide in this link. You could also narrow down the scenario by checking whether it works with the normal settings over plain HTTP.
Authentication Certificates have been deprecated and replaced by Trusted Root Certificates in the Application Gateway v2 SKU. It seems that you need to ensure you are using a root cert for whitelisting the backends in the HTTP settings.
For the v2 SKU, you should note the following from the reference here:
Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings do not require any additional step for end-to-end SSL to work.
For example, if the backend certificates are issued by a well-known CA and have a CN of contoso.com, and the backend HTTP setting's host field is also set to contoso.com, then no additional steps are required. You can set the backend HTTP setting protocol to HTTPS and both the health probe and data path would be SSL enabled. If you're using Azure App Service or other Azure web services as your backend, then these are implicitly trusted as well and no further steps are required for end-to-end SSL.
If the certificate is self-signed, or signed by unknown intermediaries, then to enable end-to-end SSL in the v2 SKU a trusted root certificate must be defined. Application Gateway will only communicate with backends whose server certificate's root certificate matches one of the list of trusted root certificates in the backend HTTP setting associated with the pool.
In addition to the root certificate match, Application Gateway also validates that the Host setting specified in the backend HTTP setting matches the common name (CN) presented by the backend server's SSL certificate. When trying to establish an SSL connection to the backend, Application Gateway sets the Server Name Indication (SNI) extension to the Host specified in the backend HTTP setting.
If "pick hostname from backend address" is chosen instead of the Host field in the backend HTTP setting, then the SNI header is always set to the backend pool FQDN and the CN on the backend server SSL certificate must match its FQDN. Backend pool members with IPs aren't supported in this scenario.
The root certificate is a base64-encoded root certificate from the backend server certificates.
If none of the above has any effect, you could upload your settings, with sensitive data hidden, for further help.
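Two of the rules in the answer above are purely configurational and can be linted before touching certificates: every trusted root an HTTP setting references must actually be defined on the gateway, and an HTTPS setting with pickHostNameFromBackendAddress cannot serve a pool whose members are IP addresses. The script below is an added example, not code from the original question or from Azure. It runs over a constructed, trimmed copy of the posted ARM template (the same names and `trustedRootCertificates/...` references; the `by-ip` pool and `ip-rr` rule are added here only to exercise the IP-member case), and reports both kinds of mismatch. In the posted template the HTTP setting references roots named `server`, `httpd`, `httpd-root` and a generated name while only `server-uat` is defined, which is exactly what the first check surfaces.

```python
import json
import re

# Constructed, trimmed copy of the posted ARM template with only the fields the
# checks below read. Names and references are the post's; the "by-ip" pool and
# the "ip-rr" rule are added here to exercise the IP-member case from the answer.
TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "properties": {
        "trustedRootCertificates": [
          {"name": "server-uat", "properties": {"data": "sertificate data"}}
        ],
        "backendAddressPools": [
          {"name": "server", "properties": {"backendAddresses": [{"fqdn": "server-prod.internal.company.com"}]}},
          {"name": "by-ip",  "properties": {"backendAddresses": [{"ipAddress": "10.0.0.4"}]}}
        ],
        "backendHttpSettingsCollection": [
          {"name": "server-http-setting", "properties": {
            "port": 443, "protocol": "Https", "pickHostNameFromBackendAddress": true,
            "trustedRootCertificates": [
              {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/trustedRootCertificates/server')]"},
              {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/trustedRootCertificates/httpd')]"},
              {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/trustedRootCertificates/server-uat')]"}
            ]}},
          {"name": "server-http-80-setting", "properties": {
            "port": 80, "protocol": "Http", "pickHostNameFromBackendAddress": false}}
        ],
        "requestRoutingRules": [
          {"name": "server-rr", "properties": {
            "backendAddressPool": {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/backendAddressPools/server')]"},
            "backendHttpSettings": {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/backendHttpSettingsCollection/server-http-setting')]"}}},
          {"name": "ip-rr", "properties": {
            "backendAddressPool": {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/backendAddressPools/by-ip')]"},
            "backendHttpSettings": {"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '/backendHttpSettingsCollection/server-http-setting')]"}}}
        ]
      }
    }
  ]
}
""")


def _child_name(resource_id, kind):
    """Pull the child name out of an ARM id expression, e.g. ".../trustedRootCertificates/server')]" -> "server"."""
    match = re.search(rf"/{kind}/([^/'\"\]\s]+)", resource_id)
    return match.group(1) if match else None


def gateway_properties(template):
    gw = next(r for r in template["resources"] if r["type"] == "Microsoft.Network/applicationGateways")
    return gw["properties"]


def dangling_trusted_roots(props):
    """(HTTP setting, root name) pairs that reference a trusted root the gateway never defines."""
    defined = {c["name"] for c in props.get("trustedRootCertificates", [])}
    missing = []
    for setting in props.get("backendHttpSettingsCollection", []):
        for ref in setting["properties"].get("trustedRootCertificates", []):
            name = _child_name(ref["id"], "trustedRootCertificates")
            if name not in defined:
                missing.append((setting["name"], name))
    return missing


def ip_members_with_pick_hostname(props):
    """Routing rules that send HTTPS with pickHostNameFromBackendAddress to a pool with IP-only members.

    Per the answer above, in that mode the gateway takes SNI from the member
    FQDN, and IP members are not supported.
    """
    pools = {p["name"]: p["properties"].get("backendAddresses", []) for p in props.get("backendAddressPools", [])}
    settings = {s["name"]: s["properties"] for s in props.get("backendHttpSettingsCollection", [])}
    offenders = []
    for rule in props.get("requestRoutingRules", []):
        rp = rule["properties"]
        setting = settings.get(_child_name(rp["backendHttpSettings"]["id"], "backendHttpSettingsCollection"), {})
        members = pools.get(_child_name(rp["backendAddressPool"]["id"], "backendAddressPools"), [])
        if (setting.get("protocol") == "Https" and setting.get("pickHostNameFromBackendAddress")
                and any("fqdn" not in m and "ipAddress" in m for m in members)):
            offenders.append(rule["name"])
    return offenders


if __name__ == "__main__":
    props = gateway_properties(TEMPLATE)
    for setting, root in dangling_trusted_roots(props):
        print(f"{setting}: references trustedRootCertificates/{root}, which is not defined on the gateway")
    for rule in ip_members_with_pick_hostname(props):
        print(f"{rule}: pickHostNameFromBackendAddress with IP-only backend members")
```

Point it at the real exported template (`json.load(open(path))` in place of the constructed `TEMPLATE`) before redeploying; the root-certificate match and CN/SNI checks the answer describes happen at connection time and still need the backend's actual chain, but these two structural problems are visible offline.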

How can resolve SSL handshake issue on reindex from remote server

I am trying to reindex from a remote server into my local ES index. The remote is an HTTPS host, and I am getting the SSL handshake exception shown below. Please advise, thank you.
{
  "source": {
    "remote": {
      "host": "https://otherhost:9200"
    },
    "index": "twitter",
    "query": {
      "match_all": {}
    }
  },
  "dest": {
    "index": "new_twitter"
  }
}
This is the response:
{
  "error": {
    "root_cause": [
      {
        "type": "s_s_l_handshake_exception",
        "reason": "General SSLEngine problem"
      }
    ],
    "type": "s_s_l_handshake_exception",
    "reason": "General SSLEngine problem",
    "caused_by": {
      "type": "s_s_l_handshake_exception",
      "reason": "General SSLEngine problem",
      "caused_by": {
        "type": "validator_exception",
        "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
        "caused_by": {
          "type": "sun_cert_path_builder_exception",
          "reason": "unable to find valid certification path to requested target"
        }
      }
    }
  },
  "status": 500
}

AWS EC2: cannot SSH from one subnet/VPC to another subnet/VPC

I have an AWS EC2 machine (172.18.18.133) on a subnet with CidrBlock 172.18.18.0/23.
It has SSH ingress open for 10.0.0.0/8 and 172.23.0.0/18 (ignore the "0.0.0.0/0" in the security group; I added it while experimenting because the specific source CidrBlock did not work).
aws ec2 describe-security-groups --group-ids sg-659fd31p --profile aws-federated --region us-west-2
{
"SecurityGroups": [
{
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"PrefixListIds": [],
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"UserIdGroupPairs": [],
"Ipv6Ranges": []
}
],
"Description": "VPC Security Group",
"Tags": [
{
"Value": "restapi-dev",
"Key": "elasticbeanstalk:environment-name"
},
{
"Value": "awseb-e-8gx8kmq9dj-stack",
"Key": "aws:cloudformation:stack-name"
},
{
"Value": "AWSEBSecurityGroup",
"Key": "aws:cloudformation:logical-id"
},
{
"Value": "restapi-dev",
"Key": "Name"
},
{
"Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/awseb-e-8gx8kmq9dj-stack/605642e0-3eb8-11e7-a388-503ac9ec2499",
"Key": "aws:cloudformation:stack-id"
},
{
"Value": "e-8gx8kmq9dj",
"Key": "elasticbeanstalk:environment-id"
}
],
"IpPermissions": [
{
"PrefixListIds": [],
"FromPort": 80,
"IpRanges": [],
"ToPort": 80,
"IpProtocol": "tcp",
"UserIdGroupPairs": [
{
"UserId": "033814027302",
"GroupId": "sg-ee81cd95"
}
],
"Ipv6Ranges": []
},
{
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [
{
"CidrIp": "10.0.0.0/8"
},
{
"CidrIp": "0.0.0.0/0"
},
{
"CidrIp": "172.23.0.0/18"
}
],
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": [],
"Ipv6Ranges": []
}
],
"GroupName": "awseb-e-8gx8kmq9dj-stack-AWSEBSecurityGroup-4J0FPNXL840U",
"VpcId": "vpc-5374e434",
"OwnerId": "033814027302",
"GroupId": "sg-659fd31p"
}
]
}
I want to SSH into the above machine from another machine which is in a different VPC with CidrBlock 172.23.0.0/18.
But I cannot connect from the EC2 machine with IP address 172.23.38.167 to the above target machine.
[ec2-user@ip-172-23-38-167 ~]$ ssh -v -i /home/ec2-user/.ssh/staging-api.pem ec2-user@172.18.18.133
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.18.18.133 [172.18.18.133] port 22.
debug1: connect to address 172.18.18.133 port 22: Connection timed out
ssh: connect to host 172.18.18.133 port 22: Connection timed out
I do have the .pem file in ~/.ssh:
[ec2-user@ip-172-23-38-167 ~]$ ll ~/.ssh/
total 20
-rw-------. 1 ec2-user ec2-user 1675 May 24 02:45 staging-api.pem
-rw-------. 1 ec2-user ec2-user 398 Apr 8 21:29 authorized_keys
-rw-------. 1 root root 1766 Apr 23 20:06 gitkey_rsa
-rw-r--r--. 1 root root 386 Apr 23 20:06 gitkey_rsa.pub
-rw-r--r--. 1 ec2-user ec2-user 413 May 20 21:02 known_hosts
Note: I have a few EC2 VMs in the same subnet and I can SSH between them.
Target/Source VPC config
Not sure, but the problem could be with the routing table of the VPC.
The routing table config of the VPC with the target machine I want to SSH into is below. I don't know the purpose of all these 6/7 routes, but I understand that a NAT gateway enables VMs in a private subnet to connect to the Internet or other AWS services.
$ aws ec2 describe-route-tables --route-table-ids rtb-9e0337f9 --profile aws-federated --region us-west-2
{
"RouteTables": [
{
"Associations": [
{
"SubnetId": "subnet-a1ec23e8",
"RouteTableAssociationId": "rtbassoc-d8ffbbbe",
"Main": false,
"RouteTableId": "rtb-9e0337f9"
}
],
"RouteTableId": "rtb-9e0337f9",
"VpcId": "vpc-5374e434",
"PropagatingVgws": [],
"Tags": [
{
"Value": "fff000",
"Key": "Permissions"
},
{
"Value": "us-west-2b",
"Key": "PhysicalLocation"
},
{
"Value": "InternalSubnet01AZ1RouteTable",
"Key": "aws:cloudformation:logical-id"
},
{
"Value": "fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW",
"Key": "aws:cloudformation:stack-name"
},
{
"Value": "rtb_nonprod-prayagupd-vpc-01_internal_az1",
"Key": "Name"
},
{
"Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW/f7e06c10-ee60-11e6-92e6-503a90a9c435",
"Key": "aws:cloudformation:stack-id"
},
{
"Value": "internal",
"Key": "Designation"
}
],
"Routes": [
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.2.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-c67fffaf"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.4.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-c67fffaf"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.122.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-f0f76299"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.104.0/21",
"State": "active",
"VpcPeeringConnectionId": "pcx-7483081d"
},
{
"GatewayId": "local",
"DestinationCidrBlock": "172.18.16.0/21",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "vgw-cb23fbd5",
"DestinationCidrBlock": "192.168.0.0/16",
"State": "active",
"Origin": "CreateRoute"
},
{
"GatewayId": "vgw-cb23fbd5",
"DestinationCidrBlock": "10.0.0.0/8",
"State": "active",
"Origin": "CreateRoute"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": "nat-0dbd1eca0fe1fcb8e",
"State": "active"
}
]
}
]
}
For the source VPC, the route config is similar to the target VPC:
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": "nat-0b6d136887df6f792",
"State": "active"
}
The NAT config for the source VPC is:
$ aws ec2 describe-nat-gateways --nat-gateway-id nat-0b6d136887df6f792 --profile aws-federated --region us-west-2
{
"NatGateways": [
{
"NatGatewayAddresses": [
{
"PublicIp": "34.208.30.85",
"NetworkInterfaceId": "eni-43d8c630",
"AllocationId": "eipalloc-d47488b2",
"PrivateIp": "172.23.248.220"
}
],
"VpcId": "vpc-a77a82c2",
"State": "available",
"NatGatewayId": "nat-0b6d136887df6f792",
"SubnetId": "subnet-b267b2d7",
"CreateTime": "2017-03-30T18:16:05.767Z"
}
]
}
Resource
Possible reasons for timeout when trying to access EC2 instance
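A security group and a route table answer two different questions, and the timeout above needs both checked: does the target's security group admit 172.23.38.167 on tcp/22, and which route does the target VPC use to send the reply back? The script below is an added example, not part of the original question or of the AWS CLI. It runs a longest-prefix-match lookup over a constructed copy of the posted route table and an ingress check over the posted security group rules. On the posted data the security group does admit the source, but the only route covering 172.23.38.167 is 0.0.0.0/0 via the NAT gateway: there is no peering, transit gateway or VPN route for 172.23.0.0/18, and a NAT gateway leads out to the Internet, not into another VPC's private range, which is consistent with the SYN never being answered. The `TARGET_KINDS` list and the "private path" classification by id prefix (pcx-, tgw-, vgw-) are assumptions of this example.

```python
import ipaddress

# Constructed, abbreviated copies of the posted `describe-route-tables` and
# `describe-security-groups` output: only the fields the lookup needs, values as posted.
TARGET_ROUTES = [
    {"DestinationCidrBlock": "172.16.2.0/23",   "VpcPeeringConnectionId": "pcx-c67fffaf"},
    {"DestinationCidrBlock": "172.16.4.0/23",   "VpcPeeringConnectionId": "pcx-c67fffaf"},
    {"DestinationCidrBlock": "172.16.122.0/23", "VpcPeeringConnectionId": "pcx-f0f76299"},
    {"DestinationCidrBlock": "172.16.104.0/21", "VpcPeeringConnectionId": "pcx-7483081d"},
    {"DestinationCidrBlock": "172.18.16.0/21",  "GatewayId": "local"},
    {"DestinationCidrBlock": "192.168.0.0/16",  "GatewayId": "vgw-cb23fbd5"},
    {"DestinationCidrBlock": "10.0.0.0/8",      "GatewayId": "vgw-cb23fbd5"},
    {"DestinationCidrBlock": "0.0.0.0/0",       "NatGatewayId": "nat-0dbd1eca0fe1fcb8e"},
]

SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}, {"CidrIp": "172.23.0.0/18"}]},
]

# Assumption: the route keys that can carry a next hop in describe-route-tables output.
TARGET_KINDS = ("GatewayId", "VpcPeeringConnectionId", "NatGatewayId",
                "TransitGatewayId", "NetworkInterfaceId", "InstanceId")
# Assumption: next-hop id prefixes that can reach another private network directly.
PRIVATE_PATH_PREFIXES = ("pcx", "tgw", "vgw")


def route_target(route):
    """Next-hop identifier of a route, whichever key carries it."""
    for key in TARGET_KINDS:
        if key in route:
            return route[key]
    return None


def lookup_route(routes, ip):
    """Longest-prefix match, as a VPC route table does: the most specific active route wins."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in routes:
        if route.get("State", "active") != "active":
            continue
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def sg_allows(permissions, ip, port, protocol="tcp"):
    """True when some ingress rule's CIDR covers the source IP for this port/protocol."""
    addr = ipaddress.ip_address(ip)
    for perm in permissions:
        if perm["IpProtocol"] not in (protocol, "-1"):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def diagnose(routes, permissions, src_ip, port=22):
    """Answer both questions for one client: admitted by the SG, and how replies are routed."""
    route = lookup_route(routes, src_ip)
    target = route_target(route) if route else None
    return {
        "sg_allows": sg_allows(permissions, src_ip, port),
        "return_route": route["DestinationCidrBlock"] if route else None,
        "return_target": target,
        # A reply to another VPC's private address needs a peering/TGW/VPN next hop;
        # "local" only covers this VPC and a NAT gateway only leads to the Internet.
        "private_path": target is not None and target.split("-")[0] in PRIVATE_PATH_PREFIXES,
    }


if __name__ == "__main__":
    for client in ("172.23.38.167", "10.1.2.3", "172.18.18.50"):
        print(client, diagnose(TARGET_ROUTES, SG_INGRESS, client))
```

Feed it the live output (`aws ec2 describe-route-tables ... | jq '.RouteTables[0].Routes'` and the `IpPermissions` array) when a connection times out; a result with `sg_allows` true and `private_path` false points at routing, not at the security group or the key file.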

composer / satis svn repository http basic authentication

I am trying to create a Composer package repository for my company using satis.
My SVN repositories are accessed via HTTP (Apache SVN).
I am trying to add this to my satis config.json:
{
  "name": "packages",
  "homepage": "http://packages.example.org",
  "repositories": [
    {
      "type": "svn",
      "url": "myrepourl"
    }
  ],
  "require-all": true
}
The problem is that I can't authenticate to the repository:
Repository could not be processed, svn: OPTIONS of authorization failed. basic authentication rejected.
How can I pass the username/password to satis?
Thank you
According to the Composer documentation, you have to put your user key files or your certificate in your project, not in the satis configuration:
Using SSH:
{
  "repositories": [
    {
      "type": "composer",
      "url": "ssh2.sftp://example.org",
      "options": {
        "ssh2": {
          "username": "composer",
          "pubkey_file": "/home/composer/.ssh/id_rsa.pub",
          "privkey_file": "/home/composer/.ssh/id_rsa"
        }
      }
    }
  ]
}
Using a certificate (note: no trailing comma after the last key, or the JSON will not parse):
{
  "repositories": [
    {
      "type": "composer",
      "url": "https://example.org",
      "options": {
        "ssl": {
          "cert_file": "/home/composer/.ssl/composer.pem"
        }
      }
    }
  ]
}
}