riak, self signed certificate, ssl, riak ssl

Quick and Dirty Riak SSL Signed Certificate.txt

## Caveats
1. The CN on the `Generate a Key and CSR for Riak Node` The CN section of the subject must match the FQDN of the server, or the certificate verification will fail. A wildcard (or SANs) may be used to avoid generating different certificates for different nodes (Particularly helpful when behind a load balancer). 
    1. If you are using your local machine to check/test add to /etc/hosts the node name 
2. Note that a Mac machine uses an old version of OpenSSL (could be checked using `openssl version`) it will have problems with the generated certificates
    1. Generated working certificates using Ubuntu with OpenSSL version OpenSSL 1.0.1f 6 Jan 2014.
	2. In Mac, upgrading SSL and changing the symlink to point to the homebrew version works fine. Homebrew installed OpenSSL 1.0.2e 3 Dec 2015 works. 
3. When testing with a browser, you WILL need to confirm the security exception. 
4. Make sure that you disable the listener.http.internal and enable `listener.https.internal` on the Riak config.
5. Please edit accordingly to adhere to security specifications.
6. HTTPS connections will NOT work without certificates (configured in riak.conf) even when security is disabled.
7. Protobuf connections via client will work without certificates ONLY IF security is disabled.
8. Protobuf connections will require certificates/or login creds if security IS enabled.

## Prep the directory
```
cd ~
mkdir certs
cd certs
```
## Generate Root CA and CSR
```
openssl genrsa -out rootCA.key 2048
openssl req -new -key rootCA.key -out rootCA.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=RootCA/emailAddress=aortile@basho.com"
```
## Self Sign Root CA CSR and Generate a Certificate
```
openssl x509 -req -days 365 -in rootCA.csr -signkey rootCA.key -out rootCA.crt
```
## Generate a Key and CSR for Riak Node
Note that you MAY use a wildcard as long as it is resolvable to the Riak node (ie. `*.myserver.com`) or a SAN.
```
openssl genrsa -out riaknode.key 2048
openssl req -new -key riaknode.key -out riaknode.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=<FQDN>/emailAddress=aortile@basho.com"
```
## Sign the CSR with Root CA and Generate Certificate for Riak Node
```
openssl x509 -req -days 365 -in riaknode.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out riaknode.crt
```
## Configure the Certs in Riak Node
```
##Comment out nodename, listener.http.internal and listener.protobuf.internal
listener.https.internal = 0.0.0.0:8098
listener.protobuf.internal = 0.0.0.0:8087
nodename = riak@riak1.myserver.com
ssl.certfile = /path/to/certificate/file/riaknode.crt
ssl.keyfile = /path/to/certificate/file/riaknode.key
ssl.cacertfile = /path/to/certificate/file/rootCA.crt
check_crl = off
```
## If Using Riak Security w/ Cert Authentication, Generate User Keys
### Generate the Keys
```
openssl genrsa -out riakuser.key 2048
openssl req -new -key riakuser.key -out riakuser.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=riakuser/emailAddress=aortile@basho.com"
openssl x509 -req -days 365 -in riakuser.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out riakuser.crt
```
### Create the User
```
riak-admin security add-user riakuser
```
### Add the Souce
```
riak-admin security add-source riakuser 127.0.0.1/32 certificate
```
### Add Grants
```
riak-admin security grant riak_kv.get,riak_kv.put on any to riakuser
```
### Enable Security
```
riak-admin security enable
```
## Notes on check_crl
There is a scenario when authenticating with certificates would fail and put out an error in `console.log` with the following line: 
```
2017-01-04 11:21:55.404 [error] <0.9404.35> gen_fsm <0.9404.35> in state wait_for_tls terminated with reason: {error,{startls_failed,{tls_alert,"certificate unknown"}}}
```

One possible cause is that the CRL checks in riak and the SSL module is failing during `ssl_handshake`. If you dont plan on using CRLs, this can be mitigated by setting `check_crl=off` in `riak.conf`. A better handler and message would be written in the future. 

* https://github.com/erlang/otp/blob/maint-r16b02/lib/ssl/src/ssl_handshake.erl#L341-L389
* https://github.com/basho/riak_api/blob/develop/src/riak_api_ssl.erl#L62

## Testing Your Certificates
Using the `rootCA.crt` file, use it as the `--cacert` value when performing request via `cURL`. Make sure that you are using the resolvable FQDN (used in generating the node certificates) as the URL of the request. 

In the example above, if you have used a wildcard value on the `CN` and you have `riak1` as one of your servers with the FQDN `riak1.myserver.com` you will have to use it in your `cURL` command as follows: 
```
curl https://riak1.myserver.com:8098/ping --cacert /path/to/certificate/file/rootCA.crt
```
## Using the ____ Riak Client

* NodeJS: https://github.com/pogzie/riak-security-tester/blob/master/nodejs/riak_auth.js
* Python: https://github.com/pogzie/riak-security-tester/blob/master/python/riak_auth.py

## References
```
+-------------------+------------------+----------------------+
|                   |  HTTP            |   Protocol Buffer    |
|                   |  Requests        |   Requests           |
+-------------------------------------------------------------+
|     Riak          |  Client needs    |   No certs needed    |
|                   |  rootCA.crt      |                      |
+-------------------------------------------------------------+
|Riak w/ SSL        |  Client needs    |   No certs needed    |
|(No Riak Security) |  rootCA.crt      |                      |
+-------------------------------------------------------------+
|Riak w/ SSL        |  Client needs    |   Client needs       |
|(w/ Riak Security) |  rootCA.crt      |   rootCA.crt         |
|                   |  and auth creds/ |   and auth creds/    |
|                   |    auth keypair  |     auth keypair     |
+-------------------+------------------+----------------------+
```