I'll be filing this as a bug as it doesn't seem to be a configuration problem. Perhaps most people aren't using SSL? While we could potentially get away with network segregation, I would much prefer having the traffic encrypted as well.

On Jul 13, 2012 3:08 PM, "Michael Johnson" <m...@mediatemple.net> wrote:
> I gave compiling from source a try, but it did not make a difference.
>
> It turns out that for some reason, the method I have always used to
> generate self-signed certificates doesn't seem to result in certificates
> that work with riak even though they work for OpenLDAP, nginx, apache, and
> other stuff.
>
> Here is the way I typically create certificates:
>
> openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout
> /etc/riak/ssl.key -out /etc/riak/ssl.crt
>
> I like this because it's a simple one-liner. Basho does point you to
> http://www.akadia.com/services/ssh_test_certificate.html for directions
> on how to generate a certificate, and if you follow those directions, you
> do indeed get a certificate that works with riak.
>
> If this only affected my self-signed certificates, I would be fine moving
> on at this point. However, I have tried using certificates that are signed
> by real ssl cert signing authorities and they have not been working either.
>
> I fully admit that I'm not an ssl expert, and have no idea what would be
> the critical difference between my methodology for creating self-signed
> certs, the methodology basho points to, and the way the legit cert I
> tried was created/signed. Any insight?
>
> On Fri, Jul 13, 2012 at 2:06 PM, Michael Johnson <m...@mediatemple.net> wrote:
>
>> (reposting with the rest of the thread removed... it was too big and
>> getting moderated)
>>
>> Yup, they are:
>>
>> [root@riak01 riak]# ls -al /etc/riak/ssl.*
>> -rw-r--r--. 1 root root 2122 Jul 12 16:49 /etc/riak/ssl.crt
>> -rw-r--r--. 1 root root 3272 Jul 12 16:49 /etc/riak/ssl.key
>>
>> In fact, I straced the beam process to see if that would show anything
>> outside of what was showing up in the logs and noticed one thing that was
>> somewhat interesting. The process checks to see if the cert and key files
>> are writeable (which they are not). On the off chance that that was
>> problematic, I changed the owner and group of the cert and key to be 'riak'
>> and the check for write access was succeeding; however, it didn't change the
>> end result. Here is a snip from the strace before changing the owner and
>> group:
>>
>> 31520 stat("/etc/riak/ssl.crt", <unfinished ...>
>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
>> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
>> 31520 access("/etc/riak/ssl.crt", W_OK) = -1 EACCES (Permission denied)
>> ...
>> 31520 stat("/etc/riak/ssl.key", <unfinished ...>
>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
>> 31520 access("/etc/riak/ssl.key", R_OK) = 0
>> 31520 access("/etc/riak/ssl.key", W_OK) = -1 EACCES (Permission denied)
>>
>> And after:
>>
>> 31520 stat("/etc/riak/ssl.crt", <unfinished ...>
>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
>> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
>> 31520 access("/etc/riak/ssl.crt", W_OK) = 0
>> ...
>> 31520 stat("/etc/riak/ssl.key", <unfinished ...>
>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
>> 31520 access("/etc/riak/ssl.key", R_OK) = 0
>> 31520 access("/etc/riak/ssl.key", W_OK) = 0
>>
>> On Fri, Jul 13, 2012 at 1:34 PM, Dave Parfitt <dparf...@basho.com> wrote:
>>
>>> Hi Michael -
>>>
>>>> [root@riak01 riak]# openssl verify /etc/riak/ssl.crt
>>>
>>> I see you are using root to create/verify these certs - are they
>>> readable by the riak user?
>>>
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
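A check worth running before filing the bug, added here as an example and not taken from the thread or from Basho: the two workflows write the private key with different PEM labels, since `openssl genrsa` (the akadia directions) emits a PKCS#1 "RSA PRIVATE KEY" block while `openssl req -newkey` on OpenSSL 1.0.0 and later emits a PKCS#8 "PRIVATE KEY" block, and some TLS stacks accept only one of the two. Whether that is the difference Riak trips on is an assumption to confirm, not something the thread establishes; the sample PEM bodies below are constructed placeholders, not real keys.

```python
import base64
import re

# One PEM block (RFC 7468); `openssl genrsa -des3` keys also carry RFC 1421
# headers ("Proc-Type:", "DEK-Info:") before the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)

# PEM label -> key encoding (genrsa writes PKCS#1, req -newkey on 1.0.0+ writes PKCS#8)
KEY_LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
              "ENCRYPTED PRIVATE KEY": "PKCS#8 (passphrase-protected)"}

def pem_blocks(text):
    """Return [(label, headers, der)] per block; ValueError on garbage."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        headers, b64 = [], []
        for line in m.group("body").splitlines():
            (headers if ":" in line else b64).append(line.strip())
        der = base64.b64decode("".join(b64), validate=True)
        if not der or der[0] != 0x30:  # certs and keys are ASN.1 SEQUENCEs
            raise ValueError("%s body is not a DER SEQUENCE" % m.group("label"))
        out.append((m.group("label"), headers, der))
    if not out:
        raise ValueError("no PEM block found (DER file, empty, or truncated?)")
    return out

def inspect_key(text):
    """Classify a private-key PEM file as (encoding, is_encrypted)."""
    label, headers, _ = pem_blocks(text)[0]
    if label not in KEY_LABELS:
        raise ValueError("not a private key block: %s" % label)
    encrypted = label.startswith("ENCRYPTED") or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
    return KEY_LABELS[label], encrypted

def inspect_cert(text):
    """Count CERTIFICATE blocks (leaf first, then any chain the CA supplied)."""
    return sum(1 for label, _, _ in pem_blocks(text) if label == "CERTIFICATE")

# Constructed samples: the base64 body is a placeholder SEQUENCE, not a real key.
SAMPLE_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
SAMPLE_DES3 = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMAMCAQA=\n"
               "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
```

Against the real files, `inspect_key(open("/etc/riak/ssl.key").read())` tells you which encoding each workflow produced, and a key still flagged as encrypted means the passphrase-removal step of the akadia directions was skipped.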