東川印記


Setting up a repo server on CentOS 6.4 to manage the Android source

Friday, September 2, 2016



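Carrying on.

The server as set up so far can sync the Android source over HTTP without problems.

Roughly what still needs to be done:
1. Configure HTTPS mode to get around this problem:
    curl: (22) The requested URL returned error: 404 Not Found
    Server does not provide clone.bundle; ignoring.
2. Set up a manifest for the MX6 dev-board repository so that it works properly through repo;
3. Run an overall simulated development test on the MX6 repository, then go live;
4. Have the android repository sync the latest source automatically.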


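1. Configure Gerrit to use HTTPS
1) Configure Apache to use HTTPS
Install the SSL module
    [root@Android ~]# yum install mod_ssl
After installation a default SSL certificate is created, located under
    [root@Android ~]# ls /etc/pki/tls/
    cert.pem  certs  misc  openssl.cnf  private
    [root@Android ~]#
Restart Apache; at this point both HTTP and HTTPS access work.

Looking at the HTTPS certificate information now, everything in it is the auto-generated default....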

2) Create a certificate manually

① Generate the server private key
    senrsl@senrsl-T540p:~$ cd test/
    senrsl@senrsl-T540p:~/test$ mkdir ssl
    senrsl@senrsl-T540p:~/test$ cd ssl/
    senrsl@senrsl-T540p:~/test/ssl$ openssl genrsa -out gerrit.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...............++++++
    .++++++
    e is 65537 (0x10001)
    senrsl@senrsl-T540p:~/test/ssl$ ll
② Use the private key to generate the certificate signing request (CSR) file
    senrsl@senrsl-T540p:~/test/ssl$ openssl req -new -key gerrit.key -out gerrit.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Bejing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:SENRSLr
    Organizational Unit Name (eg, section) []:SENRSL
    Common Name (e.g. server FQDN or YOUR name) []:gerrit.senrsl.com
    Email Address []:senRsl@126.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    senrsl@senrsl-T540p:~/test/ssl$ ll
From the challenge password prompt onward, just press Enter.

③ Generate the signed certificate (.crt) file

    senrsl@senrsl-T540p:~/test/ssl$ openssl x509 -days 3650 -req -in gerrit.csr -signkey gerrit.key -out gerrt.crt
    Signature ok
    subject=/C=CN/ST=Bejing/L=Beijing/O=SENRSLr/OU=SENRSL/CN=gerrit.senrsl.com/emailAddress=senRsl@126.com
    Getting Private key
    senrsl@senrsl-T540p:~/test/ssl$
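
The three steps above collapsed into one command, as an added example that is not part of the original post: it uses a 2048-bit key instead of the 1024-bit one and lists both the DNS name and the server's IP address in subjectAltName, because the clients in this post connect to https://10.1.11.145 and a verifying client matches the URL host against the names in the certificate. The function names and the scratch directory are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): self-signed certificate with
# subjectAltName entries for the DNS name and for the IP used in the URLs.
set -eu

make_cert() {   # make_cert <dir> <dns-name> <ip>
    local dir=$1 dns=$2 ip=$3
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $dns
[v3]
subjectAltName = DNS:$dns, IP:$ip
EOF
    # One step instead of genrsa + req + x509; 2048-bit RSA, SHA-256 signature.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/req.cnf" -keyout "$dir/gerrit.key" \
        -out "$dir/gerrit.crt" 2>/dev/null
    chmod 600 "$dir/gerrit.key"   # private key readable by its owner only
}

check_name() {  # check_name <crt> ip|host <value>  -> prints match|mismatch
    local flag=-checkhost
    if [ "$2" = ip ]; then flag=-checkip; fi
    if openssl x509 -in "$1" -noout "$flag" "$3" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

key_bits() {    # key_bits <crt>  -> RSA modulus size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

demo=$(mktemp -d)   # scratch directory, constructed for this example
make_cert "$demo" gerrit.senrsl.com 10.1.11.145
echo "key size:          $(key_bits "$demo/gerrit.crt") bits"
echo "gerrit.senrsl.com: $(check_name "$demo/gerrit.crt" host gerrit.senrsl.com)"
echo "10.1.11.145:       $(check_name "$demo/gerrit.crt" ip 10.1.11.145)"
echo "10.1.11.146:       $(check_name "$demo/gerrit.crt" ip 10.1.11.146)"
```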

3) Deploy the custom certificate in Apache

Create a directory
    [root@Android gerrit]# pwd
    /etc/pki/tls/gerrit
Upload gerrit.key and gerrt.crt to this directory,
then change the certificate paths
    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/pki/tls/gerrit/gerrt.crt
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateKeyFile /etc/pki/tls/gerrit/gerrit.key
Restart httpd

HTTP access works normally.
Access over HTTPS and check the certificate.




4) Configure Gerrit to use SSL
It turns out HTTPS already works without configuring Gerrit at all....




5) Download test
① With the custom certificate
    curl: (60) SSL certificate problem: self signed certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    fatal: unable to access 'https://10.1.11.145/gerrit/AOSP/platform/manifest/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    fatal: unable to access 'https://10.1.11.145/gerrit/AOSP/platform/manifest/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    fatal: cannot obtain manifest https://10.1.11.145/gerrit/AOSP/platform/manifest
    senrsl@senrsl-T540p:~/android/source/WORKING_DIRECTORY$ repo-internal init -u htps://10.1.11.145/gerrit/AOSP/platform/manifest
    Get https://10.1.11.145/gerrit/AOSP/git-repo
    fatal: unable to access 'https://10.1.11.145/gerrit/AOSP/git-repo/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    senrsl@senrsl-T540p:~/android/source/WORKING_DIRECTORY$

Can't download....
Opening it in the browser, multi-level paths return 404.

After re-initializing, it turned into this....
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
    More information about this error may be available in the server error log.
    Apache/2.2.15 (CentOS) Server at 10.1.11.145 Port 443

Messing with it like this is too risky; better to set up a new Gerrit for HTTPS....

Sigh, as for that problem above

    senrsl@senrsl-T540p:~/android/source/WORKING_DIRECTORY$ git config --global http.sslverify false
    senrsl@senrsl-T540p:~/android/source/WORKING_DIRECTORY$ repo-internal init -u https://10.1.11.145/gerrit/AOSP/platform/manifest

That command above affected
~/.gitconfig and ~/.repo_gitconfig.json

Sigh, truly speechless....
With this added it keeps reporting that string of custom-certificate problems....
But it no longer treats them as errors....

Solved one problem, and an even bigger headache shows up....
Forget it, leave it like this........
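
An alternative to switching verification off globally, as an added example that is not from the original post: git accepts `http.<url>.*` settings, so the self-signed certificate can be trusted for the Gerrit server alone while every other HTTPS remote keeps normal verification. The function names are hypothetical, and the settings are written to scratch files rather than to the real ~/.gitconfig.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): blanket "sslverify false"
# versus trusting one CA file for one server. Uses scratch config files.
set -eu

GERRIT=https://10.1.11.145/        # server URL taken from the post
CA=~/test/ssl/gerrt.crt            # certificate path on the client, from the post

blanket_cfg() {  # blanket_cfg <cfg>: what the post's --global command stores
    git config --file "$1" http.sslverify false
}

scoped_cfg() {   # scoped_cfg <cfg> <ca-file>: pin the CA for the Gerrit URL only
    git config --file "$1" "http.${GERRIT}.sslCAInfo" "$2"
}

# effective <cfg> <key> <url>: the http.<key> value git applies to <url>,
# or "unset" when nothing matches and git's default (verify on) is used.
effective() {
    git config --file "$1" --get-urlmatch "http.$2" "$3" 2>/dev/null || echo unset
}

weak=$(mktemp); pinned=$(mktemp)   # stand-ins for ~/.gitconfig
blanket_cfg "$weak"
scoped_cfg "$pinned" "$CA"

for url in "${GERRIT}gerrit/AOSP/platform/manifest" https://other.example/repo.git; do
    echo "$url"
    echo "  blanket: sslverify=$(effective "$weak" sslverify "$url")"
    echo "  scoped:  sslverify=$(effective "$pinned" sslverify "$url")" \
         "sslCAInfo=$(effective "$pinned" sslCAInfo "$url")"
done
```

Once the scoped setting is in the real config, the blanket one can be dropped with `git config --global --unset http.sslverify`.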


6) Trusting the custom certificate
① Trust the custom certificate in the browser


② Trust the custom certificate on Ubuntu

The commands are as follows
    senrsl@senrsl-T540p:/usr/share/ca-certificates$ sudo mkdir extra
    [sudo] password for senrsl:
    senrsl@senrsl-T540p:/usr/share/ca-certificates$ sudo cp ~/test/ssl/gerr
    gerrit.csr  gerrit.key  gerrt.crt  
    senrsl@senrsl-T540p:/usr/share/ca-certificates$ sudo cp ~/test/ssl/gerrt.crt /usr/share/ca-certificates/extra/gerrit.crt
    [sudo] password for senrsl:
    senrsl@senrsl-T540p:/usr/share/ca-certificates$ sudo dpkg-reconfigure ca-certificates
    正在处理用于 ca-certificates (20141019ubuntu0.14.04.1) 的触发器 ...
    Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
    WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:gerrit.pem
    done.
    done.
    senrsl@senrsl-T540p:/usr/share/ca-certificates$ ls /etc/ssl/certs/ge*
    /etc/ssl/certs/gerrit.pem
    senrsl@senrsl-T540p:/usr/share/ca-certificates$


2. Writing the manifest for the dev-board source






2016-09-02 18:14:13
Getting ready to leave the job


--
senRsl
2015-12-31 17:36:16
