I've been having problems getting riak to function via https and have not been able to find anything online that seems to help so far. I am using a self-signed certificate (which is one I generated specifically for this testing, and thus could post as it will not be used for anything else) and have it stored as separate .crt and .key files. I've used OpenSSL to verify the certificate and it appears to be all good. Here is what the relevant bits of my app.config look like (I can post the rest as needed, but I'm trying to be concise):

    {http, [{"0.0.0.0", 8091}]},
    {https, [{"0.0.0.0", 8092}]},
    {ssl, [
           {certfile, "/etc/riak/ssl.crt"},
           {keyfile, "/etc/riak/ssl.key"}
          ]},

Starting riak does not generate any errors, and 'riak-admin test' works:

    [root@riak01 riak]# riak-admin test
    Attempting to restart script through sudo -u riak
    Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'

Manually querying riak via http also works fine:

    [root@riak01 riak]# curl -k -vvv http://127.0.0.1:8091/riak/__riak_client_test__
    * About to connect() to 127.0.0.1 port 8091 (#0)
    * Trying 127.0.0.1... connected
    * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
    > GET /riak/__riak_client_test__ HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    > Host: 127.0.0.1:8091
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Vary: Accept-Encoding
    < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
    < Date: Fri, 13 Jul 2012 18:03:13 GMT
    < Content-Type: application/json
    < Content-Length: 410
    <
    * Connection #0 to host 127.0.0.1 left intact
    * Closing connection #0
    {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}

But the minute I try to connect via https I have problems:

    [root@riak01 riak]# curl -k -vvv https://127.0.0.1:8092/riak/__riak_client_test__
    * About to connect() to 127.0.0.1 port 8092 (#0)
    * Trying 127.0.0.1... connected
    * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * warning: ignoring value of ssl.verifyhost
    * NSS error -5938
    * Closing connection #0
    * SSL connect error
    curl: (35) SSL connect error

And I see the following in the logs:

console.log:

    2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
    2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
    2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept failed error", "{error,ekeyfile}"
    2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
    2012-07-13 11:05:52.035 [error] <0.135.0> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}

crash.log:

    2012-07-13 11:05:52 =ERROR REPORT====
    [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10," ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10," ",[123,["ssl_connection",44,"init",44,"1"],125],44,10," ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10," ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]
    2012-07-13 11:05:52 =CRASH REPORT====
      crasher:
        initial call: ssl_connection:init/1
        pid: <0.5313.0>
        registered_name: []
        exception exit: ekeyfile
          in function gen_fsm:init_it/6
          in call from proc_lib:init_p_do_apply/3
        ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
        messages: []
        links: [<0.134.0>]
        dictionary: []
        trap_exit: false
        status: running
        heap_size: 1597
        stack_size: 24
        reductions: 1185
      neighbours:
    2012-07-13 11:05:52 =SUPERVISOR REPORT====
      Supervisor: {local,ssl_connection_sup}
      Context: child_terminated
      Reason: ekeyfile
      Offender: [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
    2012-07-13 11:05:52 =ERROR REPORT====
    [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]
    2012-07-13 11:05:52 =CRASH REPORT====
      crasher:
        initial call: mochiweb_acceptor:init/3
        pid: <0.139.0>
        registered_name: []
        exception exit: {error,accept_failed}
          in function mochiweb_acceptor:init/3
          in call from proc_lib:init_p_do_apply/3
        ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
        messages: []
        links: [<0.135.0>,#Port<0.5661>]
        dictionary: []
        trap_exit: false
        status: running
        heap_size: 233
        stack_size: 24
        reductions: 818
      neighbours:
    2012-07-13 11:05:52 =ERROR REPORT====
    {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}

erlang.log.1 and error.log (which are identical):

    11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
      [{ssl_connection,init_private_key,5},
       {ssl_connection,ssl_init,2},
       {ssl_connection,init,1},
       {gen_fsm,init_it,6},
       {proc_lib,init_p_do_apply,3}]
    11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
    11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
    11:05:52.031 [error] application: mochiweb, "Accept failed error", "{error,ekeyfile}"
    11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
    11:05:52.035 [error] {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}

Everything I am finding says this means my key file is bad. However, as previously mentioned, I've verified this with openssl:

    [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
    /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default Company Ltd, CN = example.com, emailAddress = ad...@example.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt | openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5 ) | uniq
    (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8

I'm just really not sure what else to look at. Everything seems to be fine except for the fact that it's not working. Does anybody have SSL working with a self-signed certificate using the Basho-provided binary packages on CentOS 6.3? I'm beginning to think that they might be the problem and I just don't know where to go from here. Any suggestions will be appreciated.
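The `ekeyfile` exit in the logs above is raised under `ssl_connection:init_private_key`, where the node loads `/etc/riak/ssl.key`, while the openssl commands in the post were run as root and only compare moduli. The following is an added example, not part of the original post or of Riak: it checks two things those commands do not show, whether a non-root account's mode bits allow reading the key file and which PEM encoding the key uses. The function names and the account name passed to `check_keyfile` (for instance "riak", from the `sudo -u riak` line) are assumptions; which encodings the node's Erlang ssl accepts depends on the OTP release and is not stated in the post.

```python
import os
import pwd
import re

# PEM labels and the private-key encoding each one announces.
KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA",
    "DSA PRIVATE KEY": "traditional DSA",
    "PRIVATE KEY": "PKCS#8",
    "ENCRYPTED PRIVATE KEY": "PKCS#8",
}

def classify_key_pem(text):
    """Return (encoding, passphrase_protected) for the first private-key block."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----", text)
    if m is None:
        return ("no private key block", False)
    label = m.group(1)
    # Traditional keys flag encryption with a Proc-Type header inside the block.
    protected = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in text
    return (KEY_LABELS.get(label, "unknown (" + label + ")"), protected)

def _allows(st, uid, gids, want):
    """Pick the owner, group or other permission class as the kernel does."""
    if uid == 0:
        return True  # root bypasses mode bits, so a check run as root proves little
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def readable_by(path, uid, gids):
    """True if uid can search every parent directory and read the file (mode bits only, no ACLs)."""
    path = os.path.realpath(path)
    parent = os.path.dirname(path)
    while True:
        if not _allows(os.stat(parent), uid, gids, 1):  # 1 = search (x)
            return False
        if parent == os.path.dirname(parent):  # reached "/"
            break
        parent = os.path.dirname(parent)
    return _allows(os.stat(path), uid, gids, 4)  # 4 = read (r)

def check_keyfile(path, user):
    """Report what the service account (assumed name, e.g. "riak") would see."""
    acct = pwd.getpwnam(user)
    if not readable_by(path, acct.pw_uid, set(os.getgrouplist(user, acct.pw_gid))):
        return {"readable": False}
    with open(path) as fh:
        encoding, protected = classify_key_pem(fh.read())
    return {"readable": True, "encoding": encoding, "passphrase": protected}
```

Run as root on the node, `check_keyfile("/etc/riak/ssl.key", "riak")` returns a dict with `readable` and, when the file is readable, the `encoding` and `passphrase` fields to compare against what the installed Erlang release can load.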