Hi Michael,

Does either your cert or key file have two keys in it by chance?  If so, one
of those is most likely an intermediary cert, which should be placed in
its own file as outlined here (see intermediate authorities, cacertfile):

http://wiki.basho.com/Riak-Control.html

- Chris

Christopher Meiklejohn
Software Engineer
Basho Technologies, Inc.
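The check Chris suggests above, written out as an added example (this is not code from the thread, from Riak or from Basho): scan each PEM file for its BEGIN/END blocks, report a keyfile that does not hold exactly one private key or that carries a certificate, and a certfile that holds more than one certificate, and propose the split into certfile, keyfile and cacertfile that the app.config in the thread uses. The function names `pem_blocks` and `audit` are my own, the sample blocks are constructed placeholders rather than real keys or certificates, and the assumption that the first certificate in a bundle is the leaf follows the usual leaf-first chain ordering. Only PEM framing is inspected; whether the key actually matches the certificate is what the openssl modulus comparison quoted below answers.

```python
"""Audit Riak SSL files for bundled intermediates (added example, not project code)."""
import re

# A PEM block is "-----BEGIN <LABEL>-----", a body, then "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"


def pem_blocks(text):
    """Return (label, block_text) pairs found in a PEM file, in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def audit(certfile_text, keyfile_text):
    """Classify what each file holds and suggest the layout Riak expects:
    certfile = one leaf certificate, keyfile = one private key,
    cacertfile = any remaining (intermediate) certificates.
    Assumes the first certificate in a bundle is the leaf (leaf-first ordering)."""
    cert_blocks = pem_blocks(certfile_text)
    key_blocks = pem_blocks(keyfile_text)

    keys_in_keyfile = [b for b in key_blocks if b[0] in KEY_LABELS]
    certs_in_keyfile = [b for b in key_blocks if b[0] == CERT_LABEL]
    certs_in_certfile = [b for b in cert_blocks if b[0] == CERT_LABEL]
    keys_in_certfile = [b for b in cert_blocks if b[0] in KEY_LABELS]

    findings = []
    if len(keys_in_keyfile) != 1:
        findings.append("keyfile must contain exactly one private key block, found %d"
                        % len(keys_in_keyfile))
    if certs_in_keyfile:
        findings.append("keyfile also contains %d certificate block(s); move them out"
                        % len(certs_in_keyfile))
    if not certs_in_certfile:
        findings.append("certfile contains no certificate block")
    if keys_in_certfile:
        findings.append("certfile also contains a private key; keyfile should hold it")
    if len(certs_in_certfile) > 1:
        findings.append("certfile holds %d certificates; only the first (leaf) belongs there, "
                        "the rest look like intermediates for cacertfile"
                        % len(certs_in_certfile))

    leaf = certs_in_certfile[0][1] if certs_in_certfile else None
    key = keys_in_keyfile[0][1] if len(keys_in_keyfile) == 1 else None
    intermediates = [b[1] for b in certs_in_certfile[1:]] + [b[1] for b in certs_in_keyfile]
    return {
        "findings": findings,
        "certfile": leaf,
        "keyfile": key,
        "cacertfile": "".join(intermediates) if intermediates else None,
    }


# Constructed placeholder blocks: the bodies are not real base64/DER content.
LEAF = "-----BEGIN CERTIFICATE-----\nLEAFCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # A clean pair, then a certfile with an intermediate appended to it.
    for name, result in (("clean", audit(LEAF, KEY)),
                         ("bundled", audit(LEAF + INTERMEDIATE, KEY))):
        print(name, result["findings"] or "OK")
```

Run it against real files by reading `/etc/riak/ssl.crt` and `/etc/riak/ssl.key` into the two arguments; an empty `findings` list means each file holds one block of the right kind, and the `cacertfile` entry, when present, is the text to write out to the separate file the wiki page describes.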

On Fri, Jul 13, 2012 at 3:45 PM, Michael Johnson <m...@mediatemple.net> wrote:

> I've also given this a try a bit ago using a legit cert from an ssl
> provider with the same result.  Are you also running on centos 6 using the
> binaries provided from http://downloads.basho.com/riak/CURRENT/
>
> If I need to build my own packages from source, I can do that, but I'd
> much prefer to use the pre-built binaries.
>
>
> On Fri, Jul 13, 2012 at 11:41 AM, John E. Vincent <
> lusis.org+riak-us...@gmail.com> wrote:
>
>> SSL is working for me (for riak-control) using self-signed
>> certificates. However I've not yet tried it with an external client.
>>
>> On Fri, Jul 13, 2012 at 2:34 PM, Michael Johnson <m...@mediatemple.net>
>> wrote:
>> > I've been having problems getting riak to function via https and have not
>> > been able to find anything online that seems to help so far.  I am using a
>> > self-signed certificate (which is one I generated specifically for this
>> > testing, and thus could post as it will not be used for anything else) and
>> > have it stored as separate .crt and .key files.  I've used OpenSSL to
>> > verify the certificate and it appears to be all good.  Here is what the
>> > relevant bits of my app.config look like (I can post the rest as needed, but
>> > I'm trying to be concise):
>> >
>> >               {http, [{"0.0.0.0", 8091}]},
>> >               {https, [{"0.0.0.0", 8092}]},
>> >               {ssl, [
>> >                      {certfile, "/etc/riak/ssl.crt"},
>> >                      {keyfile, "/etc/riak/ssl.key"}
>> >                     ]},
>> >
>> > Starting riak does not generate any errors, and 'riak-admin test' works:
>> > [root@riak01 riak]# riak-admin test
>> > Attempting to restart script through sudo -u riak
>> > Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'
>> >
>> > Manually querying riak via http also works fine:
>> >
>> > [root@riak01 riak]# curl -k -vvv
>> > http://127.0.0.1:8091/riak/__riak_client_test__
>> > * About to connect() to 127.0.0.1 port 8091 (#0)
>> > *   Trying 127.0.0.1... connected
>> > * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
>> >> GET /riak/__riak_client_test__ HTTP/1.1
>> >> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
>> >> NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>> >> Host: 127.0.0.1:8091
>> >> Accept: */*
>> >>
>> > < HTTP/1.1 200 OK
>> > < Vary: Accept-Encoding
>> > < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
>> > < Date: Fri, 13 Jul 2012 18:03:13 GMT
>> > < Content-Type: application/json
>> > < Content-Length: 410
>> > <
>> > * Connection #0 to host 127.0.0.1 left intact
>> > * Closing connection #0
>> >
>> > {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}
>> >
>> >
>> > But the minute I try to connect via https I have problems:
>> >
>> > [root@riak01 riak]# curl -k -vvv
>> > https://127.0.0.1:8092/riak/__riak_client_test__
>> > * About to connect() to 127.0.0.1 port 8092 (#0)
>> > *   Trying 127.0.0.1... connected
>> > * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
>> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> > * warning: ignoring value of ssl.verifyhost
>> > * NSS error -5938
>> > * Closing connection #0
>> > * SSL connect error
>> > curl: (35) SSL connect error
>> >
>> > And I see the following in the logs:
>> >
>> > console.log:
>> > 2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0>
>> > with 0 neighbours crashed with reason:
>> > {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>> > 2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had
>> > child undefined started with {ssl_connection,start_link,undefined} at
>> > <0.5313.0> exit with reason ekeyfile in context child_terminated
>> > 2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept
>> > failed error", "{error,ekeyfile}"
>> > 2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0>
>> > with 0 neighbours crashed with reason: {error,accept_failed}
>> > 2012-07-13 11:05:52.035 [error] <0.135.0>
>> > {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>> >
>> > crash.log:
>> > 2012-07-13 11:05:52 =ERROR REPORT====
>> > [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10,"
>> > ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10,"
>> > ",[123,["ssl_connection",44,"init",44,"1"],125],44,10,"
>> > ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10,"
>> > ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]
>> > 2012-07-13 11:05:52 =CRASH REPORT====
>> >   crasher:
>> >     initial call: ssl_connection:init/1
>> >     pid: <0.5313.0>
>> >     registered_name: []
>> >     exception exit: ekeyfile
>> >       in function  gen_fsm:init_it/6
>> >       in call from proc_lib:init_p_do_apply/3
>> >     ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
>> >     messages: []
>> >     links: [<0.134.0>]
>> >     dictionary: []
>> >     trap_exit: false
>> >     status: running
>> >     heap_size: 1597
>> >     stack_size: 24
>> >     reductions: 1185
>> >   neighbours:
>> > 2012-07-13 11:05:52 =SUPERVISOR REPORT====
>> >      Supervisor: {local,ssl_connection_sup}
>> >      Context:    child_terminated
>> >      Reason:     ekeyfile
>> >      Offender:
>> > [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
>> >
>> > 2012-07-13 11:05:52 =ERROR REPORT====
>> > [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]
>> > 2012-07-13 11:05:52 =CRASH REPORT====
>> >   crasher:
>> >     initial call: mochiweb_acceptor:init/3
>> >     pid: <0.139.0>
>> >     registered_name: []
>> >     exception exit: {error,accept_failed}
>> >       in function  mochiweb_acceptor:init/3
>> >       in call from proc_lib:init_p_do_apply/3
>> >     ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
>> >     messages: []
>> >     links: [<0.135.0>,#Port<0.5661>]
>> >     dictionary: []
>> >     trap_exit: false
>> >     status: running
>> >     heap_size: 233
>> >     stack_size: 24
>> >     reductions: 818
>> >   neighbours:
>> > 2012-07-13 11:05:52 =ERROR REPORT====
>> > {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>> >
>> > erlang.log.1 and error.log (which are identical):
>> > 11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
>> >   [{ssl_connection,init_private_key,5},
>> >    {ssl_connection,ssl_init,2},
>> >    {ssl_connection,init,1},
>> >    {gen_fsm,init_it,6},
>> >    {proc_lib,init_p_do_apply,3}]
>> >
>> > 11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours
>> > crashed with reason:
>> > {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>> > 11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined
>> > started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with
>> > reason ekeyfile in context child_terminated
>> > 11:05:52.031 [error] application: mochiweb, "Accept failed error",
>> > "{error,ekeyfile}"
>> > 11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours
>> > crashed with reason: {error,accept_failed}
>> > 11:05:52.035 [error]
>> > {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>> >
>> >
>> > Everything I am finding says this means my key file is bad.  However, as
>> > previously mentioned, I've verified this with openssl:
>> >
>> > [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
>> > /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default
>> > Company Ltd, CN = example.com, emailAddress = ad...@example.com
>> > error 18 at 0 depth lookup:self signed certificate
>> > OK
>> >
>> > [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt |
>> > openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5
>> > ) | uniq
>> > (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8
>> >
>> >
>> > I'm just really not sure what else to look at.  Everything seems to be fine
>> > except for the fact it's not working.  Does anybody have SSL working with a
>> > self-signed certificate using the basho provided binary packages on CentOS
>> > 6.3? I'm beginning to think that they might be the problem and I just don't
>> > know where to go from here.
>> >
>> > Any suggestions will be appreciated.
>> >
>> > _______________________________________________
>> > riak-users mailing list
>> > riak-users@lists.basho.com
>> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>> >
>>
>
>