I've also given this a try a bit ago using a legit cert from an SSL provider
with the same result.  Are you also running on CentOS 6 using the binaries
provided from http://downloads.basho.com/riak/CURRENT/?

If I need to build my own packages from source, I can do that, but I'd much
prefer to use the pre-built binaries.

On Fri, Jul 13, 2012 at 11:41 AM, John E. Vincent <
lusis.org+riak-us...@gmail.com> wrote:

> SSL is working for me (for riak-control) using self-signed
> certificates. However I've not yet tried it with an external client.
>
> On Fri, Jul 13, 2012 at 2:34 PM, Michael Johnson <m...@mediatemple.net>
> wrote:
> > I've been having problems getting riak to function via https and have not
> > been able to find anything online that seems to help so far.  I am using a
> > self-signed certificate (which is one I generated specifically for this
> > testing, and thus could post as it will not be used for anything else) and
> > have it stored as separate .crt and .key files.  I've used OpenSSL to
> > verify the certificate and it appears to be all good.  Here is what the
> > relevant bits of my app.config look like (I can post the rest as needed, but
> > I'm trying to be concise):
> >
> >               {http, [{"0.0.0.0", 8091}]},
> >               {https, [{"0.0.0.0", 8092}]},
> >               {ssl, [
> >                      {certfile, "/etc/riak/ssl.crt"},
> >                      {keyfile, "/etc/riak/ssl.key"}
> >                     ]},
> >
> > Starting riak does not generate any errors, and 'riak-admin test' works:
> > [root@riak01 riak]# riak-admin test
> > Attempting to restart script through sudo -u riak
> > Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'
> >
> > Manually querying riak via http also works fine:
> >
> > [root@riak01 riak]# curl -k -vvv http://127.0.0.1:8091/riak/__riak_client_test__
> > * About to connect() to 127.0.0.1 port 8091 (#0)
> > *   Trying 127.0.0.1... connected
> > * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
> >> GET /riak/__riak_client_test__ HTTP/1.1
> >> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> >> NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> >> Host: 127.0.0.1:8091
> >> Accept: */*
> >>
> > < HTTP/1.1 200 OK
> > < Vary: Accept-Encoding
> > < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
> > < Date: Fri, 13 Jul 2012 18:03:13 GMT
> > < Content-Type: application/json
> > < Content-Length: 410
> > <
> > * Connection #0 to host 127.0.0.1 left intact
> > * Closing connection #0
> >
> {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}
> >
> >
> > But the minute I try to connect via https I have problems:
> >
> > [root@riak01 riak]# curl -k -vvv https://127.0.0.1:8092/riak/__riak_client_test__
> > * About to connect() to 127.0.0.1 port 8092 (#0)
> > *   Trying 127.0.0.1... connected
> > * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * warning: ignoring value of ssl.verifyhost
> > * NSS error -5938
> > * Closing connection #0
> > * SSL connect error
> > curl: (35) SSL connect error
> >
> > And I see the following in the logs:
> >
> > console.log:
> > 2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
> > 2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
> > 2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept failed error", "{error,ekeyfile}"
> > 2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
> > 2012-07-13 11:05:52.035 [error] <0.135.0> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
> >
> > crash.log:
> > 2012-07-13 11:05:52 =ERROR REPORT====
> >
> [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10,"
> > ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10,"
> > ",[123,["ssl_connection",44,"init",44,"1"],125],44,10,"
> > ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10,"
> > ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]2012-07-13
> > 11:05:52 =CRASH REPORT====
> >   crasher:
> >     initial call: ssl_connection:init/1
> >     pid: <0.5313.0>
> >     registered_name: []
> >     exception exit: ekeyfile
> >       in function  gen_fsm:init_it/6
> >       in call from proc_lib:init_p_do_apply/3
> >     ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
> >     messages: []
> >     links: [<0.134.0>]
> >     dictionary: []
> >     trap_exit: false
> >     status: running
> >     heap_size: 1597
> >     stack_size: 24
> >     reductions: 1185
> >   neighbours:
> > 2012-07-13 11:05:52 =SUPERVISOR REPORT====
> >      Supervisor: {local,ssl_connection_sup}
> >      Context:    child_terminated
> >      Reason:     ekeyfile
> >      Offender:
> >
> [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
> >
> > 2012-07-13 11:05:52 =ERROR REPORT====
> > [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]2012-07-13 11:05:52 =CRASH REPORT====
> >   crasher:
> >     initial call: mochiweb_acceptor:init/3
> >     pid: <0.139.0>
> >     registered_name: []
> >     exception exit: {error,accept_failed}
> >       in function  mochiweb_acceptor:init/3
> >       in call from proc_lib:init_p_do_apply/3
> >     ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
> >     messages: []
> >     links: [<0.135.0>,#Port<0.5661>]
> >     dictionary: []
> >     trap_exit: false
> >     status: running
> >     heap_size: 233
> >     stack_size: 24
> >     reductions: 818
> >   neighbours:
> > 2012-07-13 11:05:52 =ERROR REPORT====
> > {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
> >
> > erlang.log.1 and error.log (which are identical):
> > 11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
> >   [{ssl_connection,init_private_key,5},
> >    {ssl_connection,ssl_init,2},
> >    {ssl_connection,init,1},
> >    {gen_fsm,init_it,6},
> >    {proc_lib,init_p_do_apply,3}]
> >
> > 11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
> > 11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
> > 11:05:52.031 [error] application: mochiweb, "Accept failed error", "{error,ekeyfile}"
> > 11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
> > 11:05:52.035 [error] {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
> >
> >
> > Everything I am finding says this means my key file is bad.  However, as
> > previously mentioned, I've verified this with openssl:
> >
> > [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
> > /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default Company Ltd, CN = example.com, emailAddress = ad...@example.com
> > error 18 at 0 depth lookup:self signed certificate
> > OK
> >
> > [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt | openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5 ) | uniq
> > (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8
> >
> >
> > I'm just really not sure what else to look at.  Everything seems to be fine
> > except for the fact it's not working.  Does anybody have SSL working with
> > a self-signed certificate using the basho provided binary packages on CentOS
> > 6.3? I'm beginning to think that they might be the problem and I just don't
> > know where to go from here.
> >
> > Any suggestions will be appreciated.
> >
> > _______________________________________________
> > riak-users mailing list
> > riak-users@lists.basho.com
> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
> >
>
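
The checks from the original post, extended with two that an `openssl` comparison run as root does not cover: the key's PEM encoding and whether the service account can read the file. This is an added example, not part of the thread or of Riak's tooling; the function names are hypothetical, and the `riak` account and `/etc/riak` paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example: triage for an Erlang `ekeyfile` error. The riak account and
# /etc/riak paths come from the thread; function names are hypothetical.

# Print the encoding implied by the first PEM "BEGIN" label in a key file.
pem_key_kind() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    case "$label" in
        "RSA PRIVATE KEY")
            # Traditional RSA key; the Proc-Type header marks a passphrase.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "pkcs1-rsa-encrypted"
            else
                echo "pkcs1-rsa"
            fi ;;
        "PRIVATE KEY")           echo "pkcs8" ;;
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;;
        "EC PRIVATE KEY")        echo "ec" ;;
        "CERTIFICATE")           echo "certificate-not-key" ;;
        "")                      echo "not-pem" ;;
        *)                       echo "other:$label" ;;
    esac
}

# Can the service account open the key? openssl checks run as root succeed
# even when file or directory modes deny the daemon's own user.
readable_by() {  # usage: readable_by USER FILE
    sudo -n -u "$1" test -r "$2"
}

# The thread's modulus comparison as a yes/no check (RSA keys only).
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    k=$(openssl rsa -noout -modulus -passin pass: -in "$2" 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

diagnose() {  # usage: diagnose CERT KEY USER
    echo "key encoding:   $(pem_key_kind "$2")"
    if readable_by "$3" "$2"; then r=yes; else r=no; fi
    if cert_matches_key "$1" "$2"; then m=yes; else m=no; fi
    echo "readable by $3: $r"
    echo "cert/key match: $m"
}

# Runs only with three arguments, e.g.:
#   sh keycheck.sh /etc/riak/ssl.crt /etc/riak/ssl.key riak
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```

Which key encodings are accepted depends on the Erlang/OTP release behind the server, so compare the reported label against that release's ssl documentation.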