Hi Michael -

> [root@riak01 riak]# openssl verify /etc/riak/ssl.crt

I see you are using root to create/verify these certs - are they readable by the riak user?

- Dave

On Jul 13, 2012, at 4:20 PM, Michael Johnson wrote:

> Nope. One key in the key file, one cert in the cert file. In fact, since this is a cert/key I generated just for testing purposes, I'll go ahead and post them:
>
> /etc/riak/ssl.key:
> -----BEGIN CERTIFICATE-----
> [base64 certificate body omitted]
> -----END CERTIFICATE-----
>
> /etc/riak/ssl.crt:
> -----BEGIN PRIVATE KEY-----
> [base64 private key body omitted]
> -----END PRIVATE KEY-----
>
> On Fri, Jul 13, 2012 at 12:53 PM, Chris Meiklejohn <cmeiklej...@basho.com> wrote:
>
>> Hi Michael,
>>
>> Does either your cert/key file have two keys in it by chance? If so, one of those is most likely an intermediary cert, which should be placed in its own file as outlined here (see intermediate authorities, cacertfile):
>>
>> http://wiki.basho.com/Riak-Control.html
>>
>> - Chris
>>
>> Christopher Meiklejohn
>> Software Engineer
>> Basho Technologies, Inc.
>>
>> On Fri, Jul 13, 2012 at 3:45 PM, Michael Johnson <m...@mediatemple.net> wrote:
>>
>>> I also gave this a try a bit ago using a legit cert from an SSL provider with the same result. Are you also running on CentOS 6 using the binaries provided from http://downloads.basho.com/riak/CURRENT/ ?
>>>
>>> If I need to build my own packages from source, I can do that, but I'd much prefer to use the pre-built binaries.
>>>
>>> On Fri, Jul 13, 2012 at 11:41 AM, John E. Vincent <lusis.org+riak-us...@gmail.com> wrote:
>>>
>>>> SSL is working for me (for riak-control) using self-signed certificates. However I've not yet tried it with an external client.
>>>>
>>>> On Fri, Jul 13, 2012 at 2:34 PM, Michael Johnson <m...@mediatemple.net> wrote:
>>>>
>>>>> I've been having problems getting riak to function via https and have not been able to find anything online that seems to help so far. I am using a self-signed certificate (which is one I generated specifically for this testing, and thus could post as it will not be used for anything else) and have it stored as separate .crt and .key files. I've used OpenSSL to verify the certificate and it appears to be all good. Here is what the relevant bits of my app.config look like (I can post the rest as needed, but I'm trying to be concise):
>>>>>
>>>>> {http, [{"0.0.0.0", 8091}]},
>>>>> {https, [{"0.0.0.0", 8092}]},
>>>>> {ssl, [
>>>>>       {certfile, "/etc/riak/ssl.crt"},
>>>>>       {keyfile, "/etc/riak/ssl.key"}
>>>>>       ]},
>>>>>
>>>>> Starting riak does not generate any errors, and 'riak-admin test' works:
>>>>>
>>>>> [root@riak01 riak]# riak-admin test
>>>>> Attempting to restart script through sudo -u riak
>>>>> Successfully completed 1 read/write cycle to 'r...@riak01.mediatemple.net'
>>>>>
>>>>> Manually querying riak via http also works fine:
>>>>>
>>>>> [root@riak01 riak]# curl -k -vvv http://127.0.0.1:8091/riak/__riak_client_test__
>>>>> * About to connect() to 127.0.0.1 port 8091 (#0)
>>>>> *   Trying 127.0.0.1... connected
>>>>> * Connected to 127.0.0.1 (127.0.0.1) port 8091 (#0)
>>>>> > GET /riak/__riak_client_test__ HTTP/1.1
>>>>> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
>>>>> > Host: 127.0.0.1:8091
>>>>> > Accept: */*
>>>>> >
>>>>> < HTTP/1.1 200 OK
>>>>> < Vary: Accept-Encoding
>>>>> < Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
>>>>> < Date: Fri, 13 Jul 2012 18:03:13 GMT
>>>>> < Content-Type: application/json
>>>>> < Content-Length: 410
>>>>> <
>>>>> * Connection #0 to host 127.0.0.1 left intact
>>>>> * Closing connection #0
>>>>> {"props":{"name":"__riak_client_test__","allow_mult":false,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":1,"last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":1,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":1,"rw":1,"small_vclock":50,"w":1,"young_vclock":20}}
>>>>>
>>>>> But the minute I try to connect via https I have problems:
>>>>>
>>>>> [root@riak01 riak]# curl -k -vvv https://127.0.0.1:8092/riak/__riak_client_test__
>>>>> * About to connect() to 127.0.0.1 port 8092 (#0)
>>>>> *   Trying 127.0.0.1... connected
>>>>> * Connected to 127.0.0.1 (127.0.0.1) port 8092 (#0)
>>>>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>>>> * warning: ignoring value of ssl.verifyhost
>>>>> * NSS error -5938
>>>>> * Closing connection #0
>>>>> * SSL connect error
>>>>> curl: (35) SSL connect error
>>>>>
>>>>> And I see the following in the logs:
>>>>>
>>>>> console.log:
>>>>> 2012-07-13 11:05:52.023 [error] <0.5313.0> CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>>>>> 2012-07-13 11:05:52.026 [error] <0.134.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
>>>>> 2012-07-13 11:05:52.031 [error] <0.139.0> application: mochiweb, "Accept failed error", "{error,ekeyfile}"
>>>>> 2012-07-13 11:05:52.033 [error] <0.139.0> CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
>>>>> 2012-07-13 11:05:52.035 [error] <0.135.0> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>>>>
>>>>> crash.log:
>>>>> 2012-07-13 11:05:52 =ERROR REPORT====
>>>>> [83,83,76,58,32,"1112",58,32,"error",58,"[]",32,"/etc/riak/ssl.key","\n",32,32,[91,[[123,["ssl_connection",44,"init_private_key",44,"5"],125],44,10,"
>>>>> ",[123,["ssl_connection",44,"ssl_init",44,"2"],125],44,10,"
>>>>> ",[123,["ssl_connection",44,"init",44,"1"],125],44,10,"
>>>>> ",[123,["gen_fsm",44,"init_it",44,"6"],125],44,10,"
>>>>> ",[123,["proc_lib",44,"init_p_do_apply",44,"3"],125]],93],"\n"]2012-07-13 11:05:52 =CRASH REPORT====
>>>>>   crasher:
>>>>>     initial call: ssl_connection:init/1
>>>>>     pid: <0.5313.0>
>>>>>     registered_name: []
>>>>>     exception exit: ekeyfile
>>>>>       in function  gen_fsm:init_it/6
>>>>>       in call from proc_lib:init_p_do_apply/3
>>>>>     ancestors: [ssl_connection_sup,ssl_sup,<0.130.0>]
>>>>>     messages: []
>>>>>     links: [<0.134.0>]
>>>>>     dictionary: []
>>>>>     trap_exit: false
>>>>>     status: running
>>>>>     heap_size: 1597
>>>>>     stack_size: 24
>>>>>     reductions: 1185
>>>>>   neighbours:
>>>>> 2012-07-13 11:05:52 =SUPERVISOR REPORT====
>>>>>      Supervisor: {local,ssl_connection_sup}
>>>>>      Context:    child_terminated
>>>>>      Reason:     ekeyfile
>>>>>      Offender:   [{pid,<0.5313.0>},{name,undefined},{mfargs,{ssl_connection,start_link,undefined}},{restart_type,temporary},{shutdown,4000},{child_type,worker}]
>>>>>
>>>>> 2012-07-13 11:05:52 =ERROR REPORT====
>>>>> [{application,mochiweb},"Accept failed error","{error,ekeyfile}"]2012-07-13 11:05:52 =CRASH REPORT====
>>>>>   crasher:
>>>>>     initial call: mochiweb_acceptor:init/3
>>>>>     pid: <0.139.0>
>>>>>     registered_name: []
>>>>>     exception exit: {error,accept_failed}
>>>>>       in function  mochiweb_acceptor:init/3
>>>>>       in call from proc_lib:init_p_do_apply/3
>>>>>     ancestors: ['https_0.0.0.0:8092',riak_core_sup,<0.88.0>]
>>>>>     messages: []
>>>>>     links: [<0.135.0>,#Port<0.5661>]
>>>>>     dictionary: []
>>>>>     trap_exit: false
>>>>>     status: running
>>>>>     heap_size: 233
>>>>>     stack_size: 24
>>>>>     reductions: 818
>>>>>   neighbours:
>>>>> 2012-07-13 11:05:52 =ERROR REPORT====
>>>>> {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>>>>
>>>>> erlang.log.1 and error.log (which are identical):
>>>>> 11:05:52.018 [error] SSL: 1112: error:[] /etc/riak/ssl.key
>>>>>   [{ssl_connection,init_private_key,5},
>>>>>    {ssl_connection,ssl_init,2},
>>>>>    {ssl_connection,init,1},
>>>>>    {gen_fsm,init_it,6},
>>>>>    {proc_lib,init_p_do_apply,3}]
>>>>>
>>>>> 11:05:52.023 [error] CRASH REPORT Process <0.5313.0> with 0 neighbours crashed with reason: {ekeyfile,[{gen_fsm,init_it,6},{proc_lib,init_p_do_apply,3}]}
>>>>> 11:05:52.026 [error] Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.5313.0> exit with reason ekeyfile in context child_terminated
>>>>> 11:05:52.031 [error] application: mochiweb, "Accept failed error", "{error,ekeyfile}"
>>>>> 11:05:52.033 [error] CRASH REPORT Process <0.139.0> with 0 neighbours crashed with reason: {error,accept_failed}
>>>>> 11:05:52.035 [error] {mochiweb_socket_server,310,{acceptor_error,{error,accept_failed}}}
>>>>>
>>>>> Everything I am finding says this means my key file is bad. However, as previously mentioned, I've verified this with openssl:
>>>>>
>>>>> [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
>>>>> /etc/riak/ssl.crt: C = US, ST = California, L = Culver City, O = Default Company Ltd, CN = example.com, emailAddress = ad...@example.com
>>>>> error 18 at 0 depth lookup:self signed certificate
>>>>> OK
>>>>>
>>>>> [root@riak01 riak]# ( openssl x509 -noout -modulus -in /etc/riak/ssl.crt | openssl md5; openssl rsa -noout -modulus -in /etc/riak/ssl.key | openssl md5 ) | uniq
>>>>> (stdin)= b3d4187d8472f2d0b73cf5597d5d65b8
>>>>>
>>>>> I'm just really not sure what else to look at. Everything seems to be fine except for the fact it's not working. Does anybody have SSL working with a self-signed certificate using the Basho-provided binary packages on CentOS 6.3? I'm beginning to think that they might be the problem and I just don't know where to go from here.
>>>>>
>>>>> Any suggestions will be appreciated.
>>>>>
>>>>> _______________________________________________
>>>>> riak-users mailing list
>>>>> riak-users@lists.basho.com
>>>>> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
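An added pre-flight check, not part of the thread, that tests the two things the replies raise before Riak ever touches the files: Chris's question (more than one block in a file, where intermediates belong in cacertfile) and Dave's question (files created as root being unreadable by the riak service user). It also flags the layout visible in the posted files, where a CERTIFICATE block appears under the ssl.key label and a PRIVATE KEY block under the ssl.crt label; the PEM samples are constructed stand-ins with no real key material, and all function names are mine.

```python
import os
import re
import stat

# One PEM block; group(1) is its label, e.g. "CERTIFICATE" or "PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# Constructed samples (not real key material) copying the layout posted in the
# thread: ssl.key held a CERTIFICATE block, ssl.crt held a PRIVATE KEY block.
SWAPPED_CRT = "-----BEGIN PRIVATE KEY-----\nMIIJQw...constructed...\n-----END PRIVATE KEY-----\n"
SWAPPED_KEY = "-----BEGIN CERTIFICATE-----\nMIIF8T...constructed...\n-----END CERTIFICATE-----\n"

def pem_labels(text):
    """Labels of every PEM block in a file's text, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_ssl_files(certfile_text, keyfile_text):
    """Check the certfile/keyfile pair from app.config's ssl section; returns a
    list of problems (empty = layout looks right). Flags swapped files and
    bundles of several blocks where one is expected (intermediates: cacertfile)."""
    problems = []
    cert, key = pem_labels(certfile_text), pem_labels(keyfile_text)
    if not cert:
        problems.append("certfile: no PEM block found")
    elif cert[0] != "CERTIFICATE":
        problems.append(f"certfile: first block is {cert[0]!r}, expected CERTIFICATE")
    if len(cert) > 1:
        problems.append("certfile: several blocks; move intermediates to cacertfile")
    if not key:
        problems.append("keyfile: no PEM block found")
    elif not key[0].endswith("PRIVATE KEY"):
        problems.append(f"keyfile: first block is {key[0]!r}, expected a PRIVATE KEY")
    if len(key) > 1:
        problems.append("keyfile: several blocks; exactly one private key expected")
    if cert and key and cert[0].endswith("PRIVATE KEY") and key[0] == "CERTIFICATE":
        problems.append("certfile and keyfile appear swapped")
    return problems

def readable_by(path, uid, gids):
    """Can a process with this uid/gids open `path` for reading? Classic
    owner/group/other bits only (no ACLs): Dave's check, since files created
    as root are often unreadable by the riak service user."""
    if uid == 0:
        return True  # root bypasses mode bits (capabilities aside)
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)
```

To use it on a live node, read the two paths from the ssl section into strings, pass them to check_ssl_files, and call readable_by with the uid and gids of the riak account (from pwd/grp); a modulus comparison, as in the thread, still needs openssl.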