Fix CA

server/pbenchinacan/README.md

@@ -0,0 +1,22 @@
+# Private CA
+
+The "pbench in a can" build of the Pbench Server relies on a private
+Certificate Authority cert called `pbench_CA.crt`. This expires at 5
+year intervals and needs to be periodically regenerated:
+
+```
+openssl req -x509 -new -nodes \
+  -key server/pbenchinacan/etc/pki/tls/private/pbench_CA.key \
+  -sha256 -days 1826 \
+  -out server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt \
+  -subj '/CN=pbench.redhat.com/C=US/L=Westford, MA'
+```
+
+Note that the private key file doesn't need to be regenerated.
+
+You can view the current certificate with
+
+```
+openssl x509 -text \
+  -in server/pbenchinacan/etc/pki/tls/private/certs/pbench_CA.crt
+```

server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt

@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
-MIIDYTCCAkmgAwIBAgIUUtVXi1qMBbg1wLVBmeUM/tMuWsMwDQYJKoZIhvcNAQEL
+MIIDYTCCAkmgAwIBAgIUDWClad/f+A7kcX0y0fpB2MaHWHQwDQYJKoZIhvcNAQEL
 BQAwQDEaMBgGA1UEAwwRcGJlbmNoLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRUw
-EwYDVQQHDAxXZXN0Zm9yZCwgTUEwHhcNMjMwNTA1MjEzNzU0WhcNMjQwNDI1MjEz
-NzU0WjBAMRowGAYDVQQDDBFwYmVuY2gucmVkaGF0LmNvbTELMAkGA1UEBhMCVVMx
+EwYDVQQHDAxXZXN0Zm9yZCwgTUEwHhcNMjQwNTA0MTI1MzM2WhcNMjkwNTA0MTI1
+MzM2WjBAMRowGAYDVQQDDBFwYmVuY2gucmVkaGF0LmNvbTELMAkGA1UEBhMCVVMx
 FTATBgNVBAcMDFdlc3Rmb3JkLCBNQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
 AQoCggEBAJVWR8CY3cvtLu5Ss9XAWBp5PNE/X0zWJtRrph/Xz0qtQsxpqn9fhEjF
 kLr36AkewbOoW8HmqKzSrS9bgCrdglH1oqefLntt6q9F10SOCXF2jbQA3r63f9Kb
@@ -11,11 +11,11 @@ Xxtl6vUi9zoM7b3I1I0Cztg23e86ZsEVd+OZVDQbYLd4A3uBmzcmepHP6mwNc+Gm
 yhNeQ0ovu03Zz8j9W64Jau8Tpaja90s48pk0VRdfQX//N4mntAo3vYwd3Ab4Pq4o
 2c2GGpihLURlOCk9fNGo/s9atP/0+NsCAwEAAaNTMFEwHQYDVR0OBBYEFMz+SX+d
 JyWELuNukm1Szpz+l7qiMB8GA1UdIwQYMBaAFMz+SX+dJyWELuNukm1Szpz+l7qi
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACxI0EXHjJtPhPkX
-1gLDxeID1+HMSmQVfnEd0zcBz/DhACVPnAPHF+lQ0QLfqJobmSKRei9s0pa5XEfo
-vIVcBvzKE7tuEM7ZeCKx0PBftp7poMEQyIEPezoaD9j20rXE14KS2fCOnFkahGjp
-CeYqHjnnf+LMkYf1nXM3Yhxz4w3uzFQmYO+pRVAE6Vjeftz2d3s2w+1G/bNPKgEu
-8NbG/6T25ZNe0T+wE8rxvB1+tDuPbIc83or7SrpiaxbSo1wqAm/ajxW6bdXftP0l
-aLLlVemlt3oWE9lkVDtuMJTbt0noCjb3FlWrDVwm5Zm3ilVf8L2JOsG7LYjYUAQs
-5VgnCv8=
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG2NFW0pWJuUuFoh
+w2GZkoFz1uSJs3O1LCHWa2A+3g4fRWs6OOKHS4joRll0S0ExtrTGt2FKMS+3IUXJ
+JFcKfLfmzgIu6rX4G/BEHu1Jr4MkT3HJUkHfGD4aGF99IuhXT6u/6pPzl9ddvgRK
+8S2AGOWIQOXO9gzlu9BsfrFkolKdnogG3Kcf5DqiFKEb9OA39Yute4VsrBAbT4ng
+TEMI7Duz0hlef+beLHe0YGbR3vH2/e6EvZEa0kF127jdXo1v+h/r5ESlT067dA3M
+dxDQ768G0TqUq8lxDDYX2/2u9JtNQSsz/pBO2/abha/tkTwqhOT39Iw/Z81orvLh
+M7htpEM=
 -----END CERTIFICATE-----

server/pbenchinacan/load_keycloak.sh

@@ -48,7 +48,7 @@ echo "Keycloak redirect URI list is <${keycloak_redirect_uris}>."
 
 ADMIN_TOKEN=""
 while true; do
-  ADMIN_TOKEN=$(curl -s -f -X POST \
+  ADMIN_TOKEN=$(curl -sS -f -X POST \
     "${KEYCLOAK_HOST_PORT}/realms/master/protocol/openid-connect/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "username=${ADMIN_USERNAME}" \