Hi, I'm configuring Riak KV to be used in SSL mode.
But when I try to do an HTTPS request I get an error that it's not able to connect with the server. It says something about setting up the protocol and using sha512, but I can't find that in the openssl ciphers or in the riak-admin ciphers....
So hopefully somebody can help.
I have done the following steps.
# Generating certificate
## Generate Root CA and CSR
openssl genrsa -out rootCA.key 2048
openssl req -new -key rootCA.key -out rootCA.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=RootCA/emailAddress=dummy@dummy.com"
## Self Sign Root CA CSR and Generate a Certificate
openssl x509 -req -days 365 -in rootCA.csr -signkey rootCA.key -out rootCA-local.crt
## Generate a Key and CSR for Riak Node
openssl genrsa -out riaknode.key 2048
openssl req -new -key riaknode.key -out riaknode-local.csr -subj "/C=PH/ST=PH/L=PH/O=Basho/OU=CliServ/CN=riak/emailAddress=dummy@dummy.com"
## Sign the CSR with Root CA and Generate Certificate for Riak Node
openssl x509 -req -sha256 -days 365 -in riaknode-local.csr -CA rootCA-local.crt -CAkey rootCA.key -CAcreateserial -out riaknode-local.crt
mv rootCA-local.crt /etc/riak/
mv riaknode.key /etc/riak/
mv riaknode-local.crt /etc/riak/
# Configuration riak.conf
listener.https.internal = 0.0.0.0:8098
Curl call
curl https://localhost:8098/ -k -v
* Hostname was NOT found in DNS cache
* Trying ::1...
* connect to ::1 port 8098 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8098 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* Unknown SSL protocol error in connection to localhost:8098
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to localhost:8098
Error Log riak
2016-12-13 17:08:46.086 [error] <0.2026.0> gen_fsm <0.2026.0> in state hello terminated with reason: no function clause matching public_key:sign({digest,<<203,0,93,119,124,75,96,235,210,210,127,214,193,218,169,170,105,117,179,149,137,160,38,...>>}, sha512, undefined) line 402
2016-12-13 17:08:46.086 [error] <0.2026.0> CRASH REPORT Process <0.2026.0> with 0 neighbours exited with reason: no function clause matching public_key:sign({digest,<<203,0,93,119,124,75,96,235,210,210,127,214,193,218,169,170,105,117,179,149,137,160,38,...>>}, sha512, undefined) line 402 in gen_fsm:terminate/7 line 622
2016-12-13 17:08:46.087 [error] <0.94.0> Supervisor ssl_connection_sup had child undefined started with {tls_connection,start_link,undefined} at <0.2026.0> exit with reason no function clause matching public_key:sign({digest,<<203,0,93,119,124,75,96,235,210,210,127,214,193,218,169,170,105,117,179,149,137,160,38,...>>}, sha512, undefined) line 402 in context child_terminated
2016-12-13 17:08:46.088 [error] <0.336.0> application: mochiweb, "Accept failed error", "{'EXIT',\n {{function_clause,\n [{public_key,sign,\n [{digest,\n <<203,0,93,119,124,75,96,235,210,210,127,214,193,218,169,\n 170,105,117,179,149,137,160,38,55,117,175,204,212,231,69,\n 131,51,123,20,141,186,237,133,174,61,99,146,95,35,21,134,\n 153,134,130,138,230,235,232,149,119,107,181,244,53,198,\n 162,193,202,208>>},\n sha512,undefined],\n [{file,\"public_key.erl\"},{line,402}]},\n {ssl_handshake,enc_server_key_exchange,6,\n [{file,\"ssl_handshake.erl\"},{line,660}]},\n {tls_connection,key_exchange,1,\n [{file,\"tls_connection.erl\"},{line,1626}]},\n {tls_connection,server_certify_and_key_exchange,1,\n [{file,\"tls_connection.erl\"},{line,1550}]},\n {tls_connection,new_server_hello,2,\n [{file,\"tls_connection.erl\"},{line,1467}]},\n {tls_connection,next_state,4,\n [{file,\"tls_connection.erl\"},{line,2558}]},\n {gen_fsm,handle_msg,7,[{file,\"gen_fsm.erl\"},{line,505}]},\n {proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,239}]}]},\n {gen_fsm,sync_send_all_state_event,\n [<0.2026.0>,{start,infinity},infinity]}}}"
2016-12-13 17:08:46.089 [error] <0.336.0> CRASH REPORT Process <0.336.0> with 0 neighbours exited with reason: {error,accept_failed} in mochiweb_acceptor:init/3 line 33
2016-12-13 17:08:46.089 [error] <0.335.0> {mochiweb_socket_server,320,{acceptor_error,{error,accept_failed}}}
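
An added example, not part of the original post: in the crash above, the third argument of `public_key:sign/3` is the private key, and it is `undefined`, while the posted riak.conf excerpt shows only the listener line. This sketch reports which of Riak's `ssl.certfile`, `ssl.keyfile` and `ssl.cacertfile` settings a riak.conf leaves unset and checks that a key matches its certificate; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). ssl.certfile, ssl.keyfile and
# ssl.cacertfile are the Riak 2.x riak.conf TLS settings; sample data is constructed.

# Print the value of the last uncommented "key = value" line, or nothing.
conf_value() {  # $1 = conf file, $2 = setting name
    awk -F= -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print the TLS settings that are absent or empty, space-separated.
missing_tls_settings() {  # $1 = conf file
    missing=""
    for k in ssl.certfile ssl.keyfile ssl.cacertfile; do
        [ -n "$(conf_value "$1" "$k")" ] || missing="$missing $k"
    done
    echo "${missing# }"
}

# Succeed only if the certificate's public key is the one derived from the key file.
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed riak.conf holding only the listener line shown in the post.
demo_conf=$(mktemp)
printf '%s\n' 'listener.https.internal = 0.0.0.0:8098' > "$demo_conf"
echo "unset: $(missing_tls_settings "$demo_conf")"
rm -f "$demo_conf"
```

On a node, `missing_tls_settings /etc/riak/riak.conf` lists what still has to be set, and `key_matches_cert /etc/riak/riaknode-local.crt /etc/riak/riaknode.key` confirms the pair moved into `/etc/riak/` belongs together.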