I gave compiling from source a try, but it did not make a difference. It turns out that for some reason, the method I have always used to generate self-signed certificates doesn't seem to result in certificates that work with riak even though they work for OpenLDAP, nginx, apache, and other stuff.
Here is the way I typically create certificates:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/riak/ssl.key -out /etc/riak/ssl.crt

I like this because it's a simple one-liner. Basho does point you to http://www.akadia.com/services/ssh_test_certificate.html for directions on how to generate a certificate, and if you follow those directions, you do indeed get a certificate that works with riak. If this only affected my self-signed certificates, I would be fine moving on at this point. However, I have tried using certificates that are signed by real SSL cert signing authorities and they have not been working either. I fully admit that I'm not an SSL expert, and have no idea what would be the critical difference between my methodology for creating self-signed certs, the methodology Basho points to, and the way the legit cert I tried was created/signed. Any insight?

On Fri, Jul 13, 2012 at 2:06 PM, Michael Johnson <m...@mediatemple.net> wrote:
> (reposting with the rest of the thread removed... it was too big and
> getting moderated)
>
> Yup, they are:
>
> [root@riak01 riak]# ls -al /etc/riak/ssl.*
> -rw-r--r--. 1 root root 2122 Jul 12 16:49 /etc/riak/ssl.crt
> -rw-r--r--. 1 root root 3272 Jul 12 16:49 /etc/riak/ssl.key
>
> In fact, I straced the beam process to see if that would show anything
> outside of what was showing up in the logs and noticed one thing that was
> somewhat interesting. The process checks to see if the cert and key files
> are writeable (which they are not). On the off chance that that was
> problematic, I changed the owner and group of the cert and key to be 'riak'
> and the check for write access was succeeding, however it didn't change the
> end result. Here is a snip from the strace before changing the owner and
> group:
>
> 31520 stat("/etc/riak/ssl.crt", <unfinished ...>
> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
> 31520 access("/etc/riak/ssl.crt", W_OK) = -1 EACCES (Permission denied)
> ...
> 31520 stat("/etc/riak/ssl.key", <unfinished ...>
> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
> 31520 access("/etc/riak/ssl.key", R_OK) = 0
> 31520 access("/etc/riak/ssl.key", W_OK) = -1 EACCES (Permission denied)
>
> And after:
> 31520 stat("/etc/riak/ssl.crt", <unfinished ...>
> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
> 31520 access("/etc/riak/ssl.crt", W_OK) = 0
> ...
> 31520 stat("/etc/riak/ssl.key", <unfinished ...>
> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
> 31520 access("/etc/riak/ssl.key", R_OK) = 0
> 31520 access("/etc/riak/ssl.key", W_OK) = 0
>
> On Fri, Jul 13, 2012 at 1:34 PM, Dave Parfitt <dparf...@basho.com> wrote:
>
>> Hi Michael -
>>
>> [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
>>
>> I see you are using root to create/verify these certs - are they readable
>> by the riak user?
>>
>>
_______________________________________________ riak-users mailing list riak-users@lists.basho.com http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
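The message above contrasts two ways of producing a self-signed certificate (the `openssl req -x509` one-liner and the key/CSR/`x509 -req` recipe Basho links to) and shows a service probing the files with stat()/access(). The script below is an added example, not code from the thread, from Basho or from Riak: it builds a pair both ways and runs the checks worth doing before blaming the service, namely that the private key really belongs to the certificate, which X.509 version and extensions each recipe produced (the structural fields to diff when one is accepted and the other is not), and that the key's file mode allows the service user to read it and nobody else. The working directory, the CN `riak01.example.test` and the 2048-bit key size are assumptions chosen for a quick offline run.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir instead of /etc/riak
SUBJ="/CN=riak01.example.test"        # assumption: any subject works for the checks

# Recipe 1: the one-liner from the post (key + self-signed cert in one step).
# -subj answers the interactive prompts so this runs unattended.
gen_one_liner() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORKDIR/one.key" -out "$WORKDIR/one.crt" -subj "$SUBJ" 2>/dev/null
}

# Recipe 2: key, then CSR, then self-sign the CSR with `x509 -req`
# (the shape of the three-step recipe the post says does work).
gen_three_step() {
  openssl genrsa -out "$WORKDIR/three.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/three.key" -out "$WORKDIR/three.csr" \
    -subj "$SUBJ" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORKDIR/three.csr" \
    -signkey "$WORKDIR/three.key" -out "$WORKDIR/three.crt" 2>/dev/null
}

# SHA-256 of the SubjectPublicKeyInfo in a key ($1=pkey) or cert ($1=x509) file.
pubkey_fp() {
  if [ "$1" = x509 ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 1: the private key actually belongs to the certificate. A mismatched
# pair is the most common reason a service refuses an otherwise valid cert.
key_matches_cert() {  # $1 = key file, $2 = cert file
  [ "$(pubkey_fp pkey "$1")" = "$(pubkey_fp x509 "$2")" ]
}

# Check 2: X.509 version (1 or 3) and the extensions present. Two recipes can
# yield the same subject and key but different structure here.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}
cert_extensions() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *X509v3 \(.*\):.*/\1/p' \
    | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Check 3: the strace in the post shows stat()/access() on both files; what a
# service needs is R_OK for its own uid. Key 0400, cert 0444, then chown the
# key to the service account (chown needs root, so only the modes are set here).
restrict_perms() { chmod 0400 "$1"; chmod 0444 "$2"; }
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

gen_one_liner
gen_three_step
for name in one three; do
  key="$WORKDIR/$name.key"; crt="$WORKDIR/$name.crt"
  if key_matches_cert "$key" "$crt"; then match=yes; else match=no; fi
  echo "$name: key matches cert=$match version=$(cert_version "$crt")" \
       "extensions=[$(cert_extensions "$crt")]"
  restrict_perms "$key" "$crt"
  echo "$name: key mode=$(file_mode "$key") cert mode=$(file_mode "$crt")"
done
```

Run it as the account that will own the files and compare the two `version=`/`extensions=` lines; whatever differs there is the candidate to test against the service, rather than guessing at the signing method. The W_OK probes seen in the strace are not something to satisfy by loosening permissions: the service only needs to read the key, and a world-readable 0644 private key (the mode shown in the `ls -al` output above) should be tightened to 0400 regardless of what fixes the handshake.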