AWS Thinkbox Discussion Forums

How to switch to SSL after installation?

I’ve been trying to solve SSL certification generation for a clean install for a few weeks…

The challenging part is the docs don’t show how to use certificates with an installation that was never configured to use certificates in the first place:
https://docs.thinkboxsoftware.com/products/deadline/10.0/1_User%20Manual/manual/proxy-sslgen.html

If I try to use certs produced by the python script that is documented, I still get errors, probably because the x509 user doesn’t exist:

connecting to: mongodb://deadlinedb.service.consul:27100/deadline10db?authMechanism=MONGODB-X509&authSource=%24external&gssapiServiceName=mongodb
2021-04-17T15:07:40.389+0000 E QUERY    [thread1] Error: Could not find user OU=Deadline10Client,O=Deadline10Installer,CN=Deadline10Client@$external

I don’t know for sure though what is wrong… what else should I do to get deadline working with certificates?

The backstory is that I am trying to create immutable images with deadline installed. This means the certs cannot reside on the images; they must be produced separately / configured in user data on boot.

The deadline installer really should probably be split apart to support immutable infrastructure, seeing as it’s owned by AWS, and this is best practice in devops.

For the sake of isolating the problem, I created this wrapper installer to try to discover what is missing:

This works for Ubuntu 18 (installation with certs as per usual):

install-deadlinedb --deadline-version "10.1.14.5"

This does not work (attempting to use the SSL gen scripts after standard install without authentication enabled):

install-deadlinedb --deadline-version "10.1.14.5" --skip-certgen-during-install --post-certgen

I’d love to determine what needs to be done. This would also be necessary I’d imagine for docker implementation.

This version of the installer script works for generating the server cert and client cert for RCS, allowing us to install the DB in the image without certs.

It does not yet resolve separate cert generation from the RCS service, though; I will work on that next.

The part I was missing was creation of the x509 user:

  # Extract the subject from the client cert, in RFC 2253 order, for use as the user name.
  # -noout suppresses the PEM body; the sed strips the "subject=" prefix openssl prints.
  x509_subject=$(openssl x509 -in "${deadline_certificates_location}/mongo_client.pem" -inform PEM -noout -subject -nameopt RFC2253 | head -1 | sed 's/^subject= *//')
  echo "subject: $x509_subject"
  
  # x.509 identities live in the $external auth database; the user name must match the cert subject exactly.
  LINE=$(cat <<END
db.getSiblingDB("\$external").runCommand(
  {
    createUser: "${x509_subject}",
    roles: [
         { role: "readWrite", db: "test" },
         { role: "readWrite", db: "deadline${deadline_major_version}db" },
         { role: "userAdminAnyDatabase", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)
END
)
  echo "...Adding x509 User:"
  sudo /opt/Thinkbox/DeadlineDatabase10/mongo/application/bin/deadline_mongo --eval "$LINE"
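The snippet above shows the step that resolves the "Could not find user ...@$external" error: MongoDB's MONGODB-X509 mechanism looks up a user in the $external database whose name is the client certificate's subject in RFC 2253 form, so that user has to be created before the first authenticated connection. The script below is an added example (not the poster's installer and not Deadline's own code) that derives the user name from a PEM client cert and emits the createUser and getUser commands for the mongo shell. It assumes openssl is on PATH; the database name, the role list (readWrite only, narrower than the command above) and the deadline_mongo path in the usage comment are placeholders. It also handles the prefix difference between OpenSSL 1.0.x ("subject= CN=...") and 1.1.x+ ("subject=CN=...") output, which a fixed-width cut does not.

```shell
#!/bin/sh
# Added example: derive a MongoDB x.509 user name from a client certificate and
# build the shell commands that create and verify it. Not part of Deadline.
# Assumptions: openssl on PATH; db name and deadline_mongo path are placeholders.

# Strip the "subject=" prefix printed by `openssl x509 -subject`.
# OpenSSL 1.0.x prints "subject= CN=..." (with a space); 1.1.x+ prints
# "subject=CN=...". Matching the prefix covers both forms.
subject_to_mongo_user() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//'
}

# Escape backslashes and double quotes so the subject can sit inside a
# JavaScript string literal (RFC 2253 uses backslash escapes for ',' '+' etc.).
js_quote() {
    printf '%s\n' "$1" | sed -e 's/[\\"]/\\&/g'
}

# createUser against $external: the user name must equal the certificate
# subject exactly, or MONGODB-X509 authentication reports "Could not find user".
build_create_user_cmd() {
    user=$(js_quote "$1"); db="$2"
    printf 'db.getSiblingDB("$external").runCommand({ createUser: "%s", roles: [ { role: "readWrite", db: "%s" } ], writeConcern: { w: "majority", wtimeout: 5000 } })\n' "$user" "$db"
}

# getUser returns null when the user is missing; useful to check an image
# before the first x.509 connection is attempted.
build_get_user_cmd() {
    user=$(js_quote "$1")
    printf 'db.getSiblingDB("$external").getUser("%s")\n' "$user"
}

# Read the subject from a PEM certificate in RFC 2253 order (most specific
# RDN first), which is the order MongoDB uses for the user name.
cert_subject() {
    openssl x509 -in "$1" -inform PEM -noout -subject -nameopt RFC2253
}

main() {
    cert="$1"
    db="${2:-deadline10db}"   # placeholder default; pass your Deadline DB name
    user=$(subject_to_mongo_user "$(cert_subject "$cert")")
    echo "x.509 user name: $user" >&2
    build_create_user_cmd "$user" "$db"
}

# Only run when a certificate path is given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `deadline_mongo --eval "$(sh x509user.sh /path/to/mongo_client.pem deadline10db)"` creates the user, and `deadline_mongo --eval "$(. ./x509user.sh; build_get_user_cmd "$user")"` style checks confirm it exists; the user name printed on stderr should match the one quoted in the "Could not find user" error when things are wired up correctly.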