SSL is working for me (for riak-control) using self-signed certificates. However, I've not yet tried it with an external client.
On Fri, Jul 13, 2012 at 2:34 PM, Michael Johnson <m...@mediatemple.net> wrote:
> I've been having problems getting riak to function via https and have not
> been able to find anything online that seems to help so far. I am using a
> self-signed certificate (which is one I generated specifically for this
> testing, and thus could post as it will not be used for anything else) and
> have it stored as separate .crt and .key files. I've used OpenSSL to
> verify the certificate and it appears to be all good. Here is what the
> relevant bits of my app.config look like (I can post the rest as needed, but
> I'm trying to be concise):
>
> {http, [{"0.0.0.0", 8091}]},
> {https, [{"0.0.0.0", 8092}]},
> {ssl, [
>   {certfile, "/etc/riak/ssl.crt"},
>   {keyfile, "/etc/riak/ssl.key"}
> ]},
>
> Starting riak does not generate any errors, and 'riak-admin test' works:
> [root@riak01 riak]# riak-admin test
> Attempting to restart script through sudo -u riak
> Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'
>
> Manually querying riak via http also works fine:
>
> [root@riak01 riak]# curl -k -vvv http://127.0.0.1:8091/riak/__riak_client_test__
> * About to connect() to 127.0.0.1 port 8091 (#0)
> * Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
> > GET /riak/__riak_client_test__ HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> > Host: 127.0.0.1:8091
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Vary: Accept-Encoding
> < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
> < Date: Fri, 13 Jul 2012 18:03:13 GMT
> < Content-Type: application/json
> < Content-Length: 410
> <
> * Connection #0 to host 127.0.0.1 left intact
> * Closing connection #0
> {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}
>
>
> But the minute I try to connect via https I have problems:
>
> [root@riak01 riak]# curl -k -vvv https://127.0.0.1:8092/riak/__riak_client_test__
> * About to connect() to 127.0.0.1 port 8092 (#0)
> * Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * NSS error -5938
> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error
>
> And I see the following in the logs:
>
> console.log:
> 2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason:
> {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
> 2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
> 2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept failed error", "{error,ekeyfile}"
> 2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
> 2012-07-13 11:05:52.035 [error] <0.135.0> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>
> crash.log:
> 2012-07-13 11:05:52 =ERROR REPORT====
> [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10,"
> ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10,"
> ",[123,["ssl_connection",44,"init",44,"1"],125],44,10,"
> ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10,"
> ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]
> 2012-07-13 11:05:52 =CRASH REPORT====
> crasher:
> initial call: ssl_connection:init/1
> pid: <0.5313.0>
> registered_name: []
> exception exit: ekeyfile
> in function gen_fsm:init_it/6
> in call from proc_lib:init_p_do_apply/3
> ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
> messages: []
> links: [<0.134.0>]
> dictionary: []
> trap_exit: false
> status: running
> heap_size: 1597
> stack_size: 24
> reductions: 1185
> neighbours:
> 2012-07-13 11:05:52 =SUPERVISOR REPORT====
> Supervisor: {local,ssl_connection_sup}
> Context: child_terminated
> Reason: ekeyfile
> Offender: [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
>
> 2012-07-13 11:05:52 =ERROR REPORT====
> [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]
> 2012-07-13 11:05:52 =CRASH REPORT====
> crasher:
> initial call: mochiweb_acceptor:init/3
> pid: <0.139.0>
> registered_name: []
> exception exit: {error,accept_failed}
> in function mochiweb_acceptor:init/3
> in call from proc_lib:init_p_do_apply/3
> ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
> messages: []
> links: [<0.135.0>,#Port<0.5661>]
> dictionary: []
> trap_exit: false
> status: running
> heap_size: 233
> stack_size: 24
> reductions: 818
> neighbours:
> 2012-07-13 11:05:52 =ERROR REPORT====
> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>
> erlang.log.1 and error.log (which are identical):
> 11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
> [{ssl_connection,init_private_key,5},
> {ssl_connection,ssl_init,2},
> {ssl_connection,init,1},
> {gen_fsm,init_it,6},
> {proc_lib,init_p_do_apply,3}]
>
> 11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason:
> {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
> 11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
> 11:05:52.031 [error] application: mochiweb, "Accept failed error", "{error,ekeyfile}"
> 11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
> 11:05:52.035 [error] {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>
>
> Everything I am finding says this means my key file is bad. However, as
> previously mentioned, I've verified this with openssl:
>
> [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
> /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default Company Ltd, CN = example.com, emailAddress = ad...@example.com
> error 18 at 0 depth lookup:self signed certificate
> OK
>
> [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt | openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5 ) | uniq
> (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8
>
>
> I'm just really not sure what else to look at. Everything seems to be fine
> except for the fact it's not working. Does anybody have SSL working with a
> self-signed certificate using the basho provided binary packages on CentOS
> 6.3? I'm beginning to think that they might be the problem and I just don't
> know where to go from here.
>
> Any suggestions will be appreciated.
>
> _______________________________________________
> riak-users mailing list
> riak-users@lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
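A pre-flight check for the certfile/keyfile pair that turns the post's manual modulus comparison into a pass/fail test and adds the two checks the `ekeyfile` trace leaves to guesswork: that the key is an unencrypted PEM private key the node can decode, and that the service user (not root, who ran every command above) can actually read both files. This is an added example, not code from the thread or from Riak; the `riak` user name and the `/etc/riak/ssl.*` paths are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for a Riak https listener's certfile/keyfile.
# Not part of Riak; the service user name "riak" is an assumption.
check_ssl_pair() {
  cert="$1"; key="$2"; user="${3:-riak}"

  # Both files must parse. Erlang's ssl application reports a key it
  # cannot read or decode as ekeyfile when a client connects (the
  # ssl_connection:init_private_key frame in the logs), so catch it here.
  openssl x509 -noout -in "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  # A passphrase-protected key cannot be used by an unattended server.
  # Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
  # "ENCRYPTED PRIVATE KEY" block contain the word ENCRYPTED.
  grep -q 'ENCRYPTED' "$key" &&
    { echo "FAIL: $key is passphrase-protected"; return 1; }
  # </dev/null makes a passphrase prompt fail instead of hanging.
  openssl rsa -noout -check -in "$key" </dev/null >/dev/null 2>&1 ||
    { echo "FAIL: $key is not an unencrypted RSA PEM key"; return 1; }

  # The key must belong to the certificate: same modulus on both sides
  # (the post's check, compared directly instead of via md5 | uniq).
  cert_mod=$(openssl x509 -noout -modulus -in "$cert")
  key_mod=$(openssl rsa -noout -modulus -in "$key" </dev/null)
  [ "$cert_mod" = "$key_mod" ] ||
    { echo "FAIL: modulus mismatch between $cert and $key"; return 1; }

  # Root can read anything; the node runs as the service user (note the
  # "sudo -u riak" line in riak-admin test), so test readability as it.
  # Only possible when running as root and the user exists; skipped otherwise.
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    su -s /bin/sh "$user" -c "test -r '$cert' && test -r '$key'" ||
      { echo "FAIL: $user cannot read $cert or $key"; return 1; }
  fi
  echo "OK: $cert / $key"
  return 0
}
```

Run it on the node as root, e.g. `check_ssl_pair /etc/riak/ssl.crt /etc/riak/ssl.key riak`, before restarting the listener; a non-zero exit names the first failing condition.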