Last active
September 1, 2022 05:58
-
-
Save pogzie/971373113c3606d8b3bf to your computer and use it in GitHub Desktop.
riak, self signed certificate, ssl, riak ssl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Caveats | |
1. The CN on the `Generate a Key and CSR for Riak Node` The CN section of the subject must match the FQDN of the server, or the certificate verification will fail. A wildcard (or SANs) may be used to avoid generating different certificates for different nodes (Particularly helpful when behind a load balancer). | |
1. If you are using your local machine to check/test add to /etc/hosts the node name | |
2. Note that a Mac machine uses an old version of OpenSSL (could be checked using `openssl version`) it will have problems with the generated certificates | |
1. Generated working certificates using Ubuntu with OpenSSL version OpenSSL 1.0.1f 6 Jan 2014. | |
2. In Mac, upgrading SSL and changing the symlink to point to the homebrew version works fine. Homebrew installed OpenSSL 1.0.2e 3 Dec 2015 works. | |
3. When testing with a browser, you WILL need to confirm the security exception. | |
4. Make sure that you disable the listener.http.internal and enable `listener.https.internal` on the Riak config. | |
5. Please edit accordingly to adhere to security specifications. | |
6. HTTPS connections will NOT work without certificates (configured in riak.conf) even when security is disabled. | |
7. Protobuf connections via client will work without certificates ONLY IF security is disabled. | |
8. Protobuf connections will require certificates/or login creds if security IS enabled. | |
## Prep the directory | |
``` | |
cd ~ | |
mkdir certs | |
cd certs | |
``` | |
## Generate Root CA and CSR | |
``` | |
openssl genrsa -out rootCA.key 2048 | |
openssl req -new -key rootCA.key -out rootCA.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=RootCA/emailAddress=aortile@basho.com" | |
``` | |
## Self Sign Root CA CSR and Generate a Certificate | |
``` | |
openssl x509 -req -days 365 -in rootCA.csr -signkey rootCA.key -out rootCA.crt | |
``` | |
## Generate a Key and CSR for Riak Node | |
Note that you MAY use a wildcard as long as it is resolvable to the Riak node (ie. `*.myserver.com`) or a SAN. | |
``` | |
openssl genrsa -out riaknode.key 2048 | |
openssl req -new -key riaknode.key -out riaknode.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=<FQDN>/emailAddress=aortile@basho.com" | |
``` | |
## Sign the CSR with Root CA and Generate Certificate for Riak Node | |
``` | |
openssl x509 -req -days 365 -in riaknode.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out riaknode.crt | |
``` | |
## Configure the Certs in Riak Node | |
``` | |
##Comment out nodename, listener.http.internal and listener.protobuf.internal | |
listener.https.internal = 0.0.0.0:8098 | |
listener.protobuf.internal = 0.0.0.0:8087 | |
nodename = riak@riak1.myserver.com | |
ssl.certfile = /path/to/certificate/file/riaknode.crt | |
ssl.keyfile = /path/to/certificate/file/riaknode.key | |
ssl.cacertfile = /path/to/certificate/file/rootCA.crt | |
check_crl = off | |
``` | |
## If Using Riak Security w/ Cert Authentication, Generate User Keys | |
### Generate the Keys | |
``` | |
openssl genrsa -out riakuser.key 2048 | |
openssl req -new -key riakuser.key -out riakuser.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=riakuser/emailAddress=aortile@basho.com" | |
openssl x509 -req -days 365 -in riakuser.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out riakuser.crt | |
``` | |
### Create the User | |
``` | |
riak-admin security add-user riakuser | |
``` | |
### Add the Souce | |
``` | |
riak-admin security add-source riakuser 127.0.0.1/32 certificate | |
``` | |
### Add Grants | |
``` | |
riak-admin security grant riak_kv.get,riak_kv.put on any to riakuser | |
``` | |
### Enable Security | |
``` | |
riak-admin security enable | |
``` | |
## Notes on check_crl | |
There is a scenario when authenticating with certificates would fail and put out an error in `console.log` with the following line: | |
``` | |
2017-01-04 11:21:55.404 [error] <0.9404.35> gen_fsm <0.9404.35> in state wait_for_tls terminated with reason: {error,{startls_failed,{tls_alert,"certificate unknown"}}} | |
``` | |
One possible cause is that the CRL checks in riak and the SSL module is failing during `ssl_handshake`. If you dont plan on using CRLs, this can be mitigated by setting `check_crl=off` in `riak.conf`. A better handler and message would be written in the future. | |
* https://github.com/erlang/otp/blob/maint-r16b02/lib/ssl/src/ssl_handshake.erl#L341-L389 | |
* https://github.com/basho/riak_api/blob/develop/src/riak_api_ssl.erl#L62 | |
## Testing Your Certificates | |
Using the `rootCA.crt` file, use it as the `--cacert` value when performing request via `cURL`. Make sure that you are using the resolvable FQDN (used in generating the node certificates) as the URL of the request. | |
In the example above, if you have used a wildcard value on the `CN` and you have `riak1` as one of your servers with the FQDN `riak1.myserver.com` you will have to use it in your `cURL` command as follows: | |
``` | |
curl https://riak1.myserver.com:8098/ping --cacert /path/to/certificate/file/rootCA.crt | |
``` | |
## Using the ____ Riak Client | |
* NodeJS: https://github.com/pogzie/riak-security-tester/blob/master/nodejs/riak_auth.js | |
* Python: https://github.com/pogzie/riak-security-tester/blob/master/python/riak_auth.py | |
## References | |
``` | |
+-------------------+------------------+----------------------+ | |
| | HTTP | Protocol Buffer | | |
| | Requests | Requests | | |
+-------------------------------------------------------------+ | |
| Riak | Client needs | No certs needed | | |
| | rootCA.crt | | | |
+-------------------------------------------------------------+ | |
|Riak w/ SSL | Client needs | No certs needed | | |
|(No Riak Security) | rootCA.crt | | | |
+-------------------------------------------------------------+ | |
|Riak w/ SSL | Client needs | Client needs | | |
|(w/ Riak Security) | rootCA.crt | rootCA.crt | | |
| | and auth creds/ | and auth creds/ | | |
| | auth keypair | auth keypair | | |
+-------------------+------------------+----------------------+ | |
``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment