Nope. One key in the key file, one cert in the cert file. In fact, since this is a cert/key I generated just for testing purposes, I'll go ahead and post them:
/etc/riak/ssl.key:
-----BEGIN CERTIFICATE-----
[base64 certificate body removed]
-----END CERTIFICATE-----

/etc/riak/ssl.crt:
-----BEGIN PRIVATE KEY-----
[base64 private key body removed]
-----END PRIVATE KEY-----

On Fri, Jul 13, 2012 at 12:53 PM, Chris Meiklejohn <cmeiklej...@basho.com> wrote:

> Hi Michael,
>
> Does either your cert/key file have two keys in it by chance? If so, one
> of those is most likely an intermediary cert, which should be placed in
> its own file as outlined here (see intermediate authorities, cacertfile):
>
> http://wiki.basho.com/Riak-Control.html
>
> - Chris
>
> Christopher Meiklejohn
> Software Engineer
> Basho Technologies, Inc.
>
> On Fri, Jul 13, 2012 at 3:45 PM, Michael Johnson <m...@mediatemple.net> wrote:
>
>> I've also given this a try a bit ago using a legit cert from an ssl
>> provider with the same result. Are you also running on centos 6 using the
>> binaries provided from http://downloads.basho.com/riak/CURRENT/
>>
>> If I need to build my own packages from source, I can do that, but I'd
>> much prefer to use the pre-built binaries.
>>
>>
>> On Fri, Jul 13, 2012 at 11:41 AM, John E. Vincent <lusis.org+riak-us...@gmail.com> wrote:
>>
>>> SSL is working for me (for riak-control) using self-signed
>>> certificates. However I've not yet tried it with an external client.
>>>
>>> On Fri, Jul 13, 2012 at 2:34 PM, Michael Johnson <m...@mediatemple.net> wrote:
>>> > I've been having problems getting riak to function via https and have
>>> > not been able to find anything online that seems to help so far. I am
>>> > using a self-signed certificate (which is one I generated specifically
>>> > for this testing, and thus could post as it will not be used for anything
>>> > else) and have it stored as separate .crt and .key files. I've used
>>> > OpenSSL to verify the certificate and it appears to be all good.
>>> > Here is what the relevant bits of my app.config look like (I can post
>>> > the rest as needed, but I'm trying to be concise):
>>> >
>>> > {http, [{"0.0.0.0", 8091}]},
>>> > {https, [{"0.0.0.0", 8092}]},
>>> > {ssl, [
>>> >         {certfile, "/etc/riak/ssl.crt"},
>>> >         {keyfile, "/etc/riak/ssl.key"}
>>> >       ]},
>>> >
>>> > Starting riak does not generate any errors, and 'riak-admin test' works:
>>> > [root@riak01 riak]# riak-admin test
>>> > Attempting to restart script through sudo -u riak
>>> > Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'
>>> >
>>> > Manually querying riak via http also works fine:
>>> >
>>> > [root@riak01 riak]# curl -k -vvv http://127.0.0.1:8091/riak/__riak_client_test__
>>> > * About to connect() to 127.0.0.1 port 8091 (#0)
>>> > *   Trying 127.0.0.1... connected
>>> > * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
>>> > > GET /riak/__riak_client_test__ HTTP/1.1
>>> > > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>>> > > Host: 127.0.0.1:8091
>>> > > Accept: */*
>>> > >
>>> > < HTTP/1.1 200 OK
>>> > < Vary: Accept-Encoding
>>> > < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
>>> > < Date: Fri, 13 Jul 2012 18:03:13 GMT
>>> > < Content-Type: application/json
>>> > < Content-Length: 410
>>> > <
>>> > * Connection #0 to host 127.0.0.1 left intact
>>> > * Closing connection #0
>>> > {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}
>>> >
>>> >
>>> > But the minute I try to connect via https I have problems:
>>> >
>>> > [root@riak01 riak]# curl -k -vvv https://127.0.0.1:8092/riak/__riak_client_test__
>>> > * About to connect() to 127.0.0.1 port 8092 (#0)
>>> > *   Trying 127.0.0.1... connected
>>> > * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
>>> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>> > * warning: ignoring value of ssl.verifyhost
>>> > * NSS error -5938
>>> > * Closing connection #0
>>> > * SSL connect error
>>> > curl: (35) SSL connect error
>>> >
>>> > And I see the following in the logs:
>>> >
>>> > console.log:
>>> > 2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>>> > 2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
>>> > 2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept failed error", "{error,ekeyfile}"
>>> > 2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
>>> > 2012-07-13 11:05:52.035 [error] <0.135.0> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>> >
>>> > crash.log:
>>> > 2012-07-13 11:05:52 =ERROR REPORT====
>>> > [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10," ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10," ",[123,["ssl_connection",44,"init",44,"1"],125],44,10," ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10," ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]
>>> > 2012-07-13 11:05:52 =CRASH REPORT====
>>> >   crasher:
>>> >     initial call: ssl_connection:init/1
>>> >     pid: <0.5313.0>
>>> >     registered_name: []
>>> >     exception exit: ekeyfile
>>> >       in function  gen_fsm:init_it/6
>>> >       in call from proc_lib:init_p_do_apply/3
>>> >     ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
>>> >     messages: []
>>> >     links: [<0.134.0>]
>>> >     dictionary: []
>>> >     trap_exit: false
>>> >     status: running
>>> >     heap_size: 1597
>>> >     stack_size: 24
>>> >     reductions: 1185
>>> >   neighbours:
>>> > 2012-07-13 11:05:52 =SUPERVISOR REPORT====
>>> >      Supervisor: {local,ssl_connection_sup}
>>> >      Context:    child_terminated
>>> >      Reason:     ekeyfile
>>> >      Offender:   [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
>>> >
>>> > 2012-07-13 11:05:52 =ERROR REPORT====
>>> > [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]
>>> > 2012-07-13 11:05:52 =CRASH REPORT====
>>> >   crasher:
>>> >     initial call: mochiweb_acceptor:init/3
>>> >     pid: <0.139.0>
>>> >     registered_name: []
>>> >     exception exit: {error,accept_failed}
>>> >       in function  mochiweb_acceptor:init/3
>>> >       in call from proc_lib:init_p_do_apply/3
>>> >     ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
>>> >     messages: []
>>> >     links: [<0.135.0>,#Port<0.5661>]
>>> >     dictionary: []
>>> >     trap_exit: false
>>> >     status: running
>>> >     heap_size: 233
>>> >     stack_size: 24
>>> >     reductions: 818
>>> >   neighbours:
>>> > 2012-07-13 11:05:52 =ERROR REPORT====
>>> > {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>> >
>>> > erlang.log.1 and error.log (which are identical):
>>> > 11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
>>> >   [{ssl_connection,init_private_key,5},
>>> >    {ssl_connection,ssl_init,2},
>>> >    {ssl_connection,init,1},
>>> >    {gen_fsm,init_it,6},
>>> >    {proc_lib,init_p_do_apply,3}]
>>> >
>>> > 11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>>> > 11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
>>> > 11:05:52.031 [error] application: mochiweb, "Accept failed error", "{error,ekeyfile}"
>>> > 11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
>>> > 11:05:52.035 [error] {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>> >
>>> >
>>> > Everything I am finding says this means my key file is bad. However, as
>>> > previously mentioned, I've verified this with openssl:
>>> >
>>> > [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
>>> > /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default Company Ltd, CN = example.com, emailAddress = ad...@example.com
>>> > error 18 at 0 depth lookup:self signed certificate
>>> > OK
>>> >
>>> > [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt | openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5 ) | uniq
>>> > (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8
>>> >
>>> >
>>> > I'm just really not sure what else to look at. Everything seems to be fine
>>> > except for that fact it's not working. Does anybody have SSL working with
>>> > self-signed certificate using the basho provided binary packages on CentOS
>>> > 6.3? I'm beginning to think that they might be the problem and I just don't
>>> > know where to go from here.
>>> >
>>> > Any suggestions will be appreciated.
>>> >
>>> > _______________________________________________
>>> > riak-users mailing list
>>> > riak-users@lists.basho.com
>>> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>>> >
>>>
>>
>>
>
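As an added example (not code from the thread or from Riak itself), here is a POSIX shell check to run on the paths given as certfile and keyfile before starting Riak: it confirms each file holds exactly one PEM block of the expected type, which catches an appended intermediate certificate (Chris's question) as well as the swap visible in this reply, where /etc/riak/ssl.key begins with a CERTIFICATE block and /etc/riak/ssl.crt with a PRIVATE KEY block, and, when openssl is installed, that the key's public key matches the certificate's. Erlang's ssl application reports all of these only as ekeyfile, so the check names the actual problem; the function names below are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check the files Riak's app.config names as certfile and
# keyfile. Erlang's ssl reports a key it cannot parse only as "ekeyfile"; this
# says why (wrong block type, several blocks in one file, or a key/cert mismatch).

# Print the PEM block types found in a file, one per line (e.g. CERTIFICATE).
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Number of PEM blocks in a file.
pem_block_count() {
    pem_block_types "$1" | wc -l | tr -d ' '
}

# check_riak_ssl_files CERTFILE KEYFILE
# Returns 0 when CERTFILE holds exactly one certificate, KEYFILE exactly one
# private key, and (if openssl is available) the two belong together.
check_riak_ssl_files() {
    certfile=$1
    keyfile=$2
    cert_types=$(pem_block_types "$certfile")
    key_types=$(pem_block_types "$keyfile")

    # A multi-line result means several blocks (e.g. cert + intermediate),
    # which belongs in cacertfile, not here; the wrong type means swapped files.
    case "$cert_types" in
        CERTIFICATE) ;;
        *) echo "certfile $certfile: want one CERTIFICATE block, found: ${cert_types:-none}"
           return 1 ;;
    esac
    case "$key_types" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "keyfile $keyfile: want one private key block, found: ${key_types:-none}"
           return 1 ;;
    esac

    # Compare public keys rather than RSA moduli so EC keys work too.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -noout -pubkey -in "$certfile" 2>/dev/null || true)
        key_pub=$(openssl pkey -pubout -in "$keyfile" 2>/dev/null || true)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "keyfile $keyfile does not match certfile $certfile"
            return 1
        fi
    fi
    echo "ok: $certfile and $keyfile are consistent"
}

# Usage, with the paths from the app.config quoted in this thread:
# check_riak_ssl_files /etc/riak/ssl.crt /etc/riak/ssl.key
```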