0

What does arangod.conf look like for running TLS 1.2 on port 8529 with a self-signed certificate at /server.pem? The current documentation lists only the parameters for starting the server, but not the equivalent arangod.conf.

[database]
directory = /var/lib/arangodb3

[server]
endpoint = ssl://0.0.0.0:8529
authentication = true
threads = 0
statistics = true
uid = arangodb

[scheduler]
threads = 0

[javascript]
startup-directory = /usr/share/arangodb3/js
app-path = /var/lib/arangodb3-apps

[log]
level = info
file = /var/log/arangodb3/arangod.log

[cluster]
data-path = /var/lib/arangodb3/cluster
log-path = /var/log/arangodb3/cluster
arangod-path = @SBINDIR@/arangod@PROGRAM_SUFFIX@
dbserver-config = @SYSCONFDIR@/arangod.conf

[ssl]
keyfile = /server.pem
protocol = 5

And when I start, nothing works.

I also tried, attempting to mirror the documentation,

[ssl]
keyfile = /server.pem /tmp/vocbase
protocol = 5

But still no luck.

Nate Gardner

2 Answers

2

The steps I follow to get SSL running on port 8530 on Ubuntu 16.04 are:

  • Modify /etc/arangodb3/arangod.conf: endpoint = ssl://0.0.0.0:8530
  • Generate your self-signed SSL cert; I use openssl
  • You should end up with a server.pem file which contains both your server.crt and server.key
  • Modify your /etc/init.d/arangodb3 file:
    Find the line that looks like this, about line 50:
    $DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --supervisor $@
    Update it to something like this:
    $DAEMON --uid arangodb --gid arangodb --pid-file "$PIDFILE" --temp.path "/var/tmp/arangod" --log.foreground-tty false --ssl.keyfile /etc/arangodb3/server.pem --supervisor $@
  • Restart the arangodb3 service to use the new ssl cert, you should be able to connect via port 8530 now

You could do SSL on port 8529, but I prefer to use port 8530 because then I can block 8529 access to ensure there is only SSL traffic to the server.

If you want to stop your web browser complaining about the untrusted SSL certs when you hit the server on 8530, just manually install the certificate on your client once you browse to the site.

David Thomas
    This should work as described. Instead of modifying the `/etc/init.d/arangodb3` you can also modify the configuration file `/etc/arangodb3/arangod.conf` exactly as you suggest. Put a section `[ssl]` there and in there put `keyfile=`. This is equivalent to changing the command line arguments in `/etc/init.d/arangodb3`. If this does not work it is a bug and should be reported as a github issue with the exact error message. – Max Neunhöffer Oct 30 '16 at 18:26
  • Thanks! I tried putting the `[ssl]` section in the conf file, but it didn't work. – Nate Gardner Oct 31 '16 at 21:36
  • Just confirming, you added your .crt and .key to the server.pem file? e.g. `cat server.crt server.key > server.pem` – David Thomas Nov 02 '16 at 04:46
  • See if you can get SSL working on port 8530 before you move it over to 8529. By just ensuring you can get SSL working first on 8530 will test that your SSL cert generation was correct. Then move the port to 8529. By breaking the problem into two steps helps you isolate SSL issues from port issues. – David Thomas Nov 03 '16 at 03:15
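The two pitfalls raised in this thread (a server.pem that does not hold both the certificate and the key, and a `keyfile = /server.pem /tmp/vocbase` line that the config parser reads as one path containing a space) can be caught before restarting the service. The following is an added example, not ArangoDB's own code; `lint_tls_conf`, the sample conf text and the dummy PEM contents are constructed for illustration.

```python
import configparser
import re

# Constructed sample in the shape of the question's arangod.conf, trimmed to the TLS parts.
GOOD_CONF = """\
[server]
endpoint = ssl://0.0.0.0:8529
authentication = true

[ssl]
keyfile = /server.pem
protocol = 5
"""

# Constructed keyfile contents with dummy bodies (not a real cert or key), standing in
# for the result of `cat server.crt server.key > server.pem`.
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBdummyCert\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIBdummyKey\n-----END PRIVATE KEY-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def lint_tls_conf(conf_text, keyfiles):
    """Return a list of problems with the TLS settings of an arangod.conf.

    keyfiles maps a keyfile path to its contents (None if unreadable), so the
    check runs without touching the filesystem.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []

    endpoint = cp.get("server", "endpoint", fallback="")
    if not endpoint.startswith(("ssl://", "http+ssl://")):
        problems.append(f"[server] endpoint is not an ssl:// endpoint: {endpoint!r}")

    keyfile = cp.get("ssl", "keyfile", fallback="")
    if len(keyfile.split()) != 1:
        # A config value cannot carry a second positional argument; it is one path.
        problems.append(f"[ssl] keyfile must be exactly one path: {keyfile!r}")
    elif keyfiles.get(keyfile) is None:
        problems.append(f"[ssl] keyfile {keyfile} is not readable")
    else:
        kinds = {m.group(1) for m in PEM_BLOCK.finditer(keyfiles[keyfile])}
        if "CERTIFICATE" not in kinds:
            problems.append(f"{keyfile} has no CERTIFICATE block")
        if not any(k.endswith("PRIVATE KEY") for k in kinds):
            problems.append(f"{keyfile} has no PRIVATE KEY block; concatenate cert and key")

    if cp.get("ssl", "protocol", fallback="") != "5":
        problems.append("[ssl] protocol is not 5 (the TLS 1.2 setting used in this thread)")
    return problems
```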
0

You can use files and CLI options at the same time. But keep in mind that CLI options win over options in files, as stated here: https://docs.arangodb.com/3.1/Manual/Administration/Configuration/#configuration-files.

You can configure the ssl endpoint and protocol in a config file and the keyfile in a cli option.

# config.conf
[ssl]
protocol = 5

[server]
endpoint = http+ssl://127.0.0.1:8000

arangod --configuration config.conf --ssl.keyfile /path/to/cert.pem