Tags: graph-databases, tls1.2, tls1.1, dgraph

Trouble starting dgraph with TLS


I'm trying to start a dgraph server with TLS enabled. My server config file is defined as follows:

# Folder in which to store exports.
export: export

# Fraction of dirty posting lists to commit every few seconds.
gentlecommit: 0.33

# RAFT ID that this server will use to join RAFT groups.
idx: 1

# Port to run server on. (default 8080)
port: 8080

# GRPC port to run server on. (default 9080)
grpc_port: 9080

# Port used by worker for internal communication.
workerport: 12345

# Estimated memory the process can take. Actual usage would be slightly more
memory_mb: 4096

# The ratio of queries to trace.
trace: 0.33

# Directory to store posting lists.
p: p

# Directory to store raft write-ahead logs.
w: w

# Debug mode for testing.
debugmode: true

# Address of dgraphzero
peer: localhost:8888

# Use TLS connections with clients.
tls.on: true

# CA Certs file path.
#tls.ca_certs: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem

# Include System CA into CA Certs.
tls.use_system_ca: true

# Certificate file path.
tls.cert: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem

# Certificate key file path.
tls.cert_key: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.key

# Certificate key passphrase.
#tls.cert_key_passphrase string

# Enable TLS client authentication
#tls.client_auth string

# TLS max version. (default "TLS12")
#tls.max_version string

# TLS min version. (default "TLS11")
#tls.min_version string

As soon as I start dgraphzero and dgraph, if the configuration option tls.on is set to true, this output is shown:

Setting up listener at: localhost:8888
Setting up listener at: localhost:8889
2017/10/19 16:09:36 main.go:163: Loading configuration from file: development.conf
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["export" = export]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["grpc_port" = 9080]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["workerport" = 12345]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["p" = p]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.ca_certs" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["memory_mb" = 4096]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["peer" = localhost:8888]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["gentlecommit" = 0.33]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["idx" = 1]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["port" = 8080]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["trace" = 0.33]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.on" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.cert" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["w" = w]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["debugmode" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.use_system_ca" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.cert_key" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.key]

Dgraph version   : v0.8.3
Commit SHA-1     : 40175d0
Commit timestamp : 2017-10-18 15:55:02 +1100
Branch           : HEAD

2017/10/19 16:09:36 node.go:234: Found hardstate: {Term:2 Vote:1 Commit:4 XXX_unrecognized:[]}
2017/10/19 16:09:36 node.go:246: Group 0 found 4 entries
2017/10/19 16:09:36 raft.go:292: Restarting node for dgraphzero
2017/10/19 16:09:36 raft.go:567: INFO: 1 became follower at term 2
2017/10/19 16:09:36 raft.go:315: INFO: newRaft 1 [peers: [], term: 2, commit: 4, applied: 0, lastindex: 4, lastterm: 2]
Running Dgraph zero...
2017/10/19 16:09:36 open : no such file or directory

I can't find what is causing the error open : no such file or directory. Has anyone experienced this? I'm using macOS 10.12.3 (16D32) and installed dgraph version v0.8.3 using the command curl https://get.dgraph.io -sSf | bash

Thanks in advance.


Solution

  • I think this is a bug (update: it actually was confirmed as a bug and was fixed). I've tried running it on Ubuntu and I've got the same error with tls.on.

    Next I found the semi-manual test suite for TLS here. Running it confirmed the error; the tests required small adjustments (add --memory_mb 2048), but after that the same failure was reproduced.

    To confirm it I also downloaded the dgraph sources and checked what's going on under the delve debugger:

    1) The config file is parsed and the parameters are saved into global vars

    2) The TLS-related parameters are used to create the tlsCfg. Here we can already see the problem: not all the parameters are passed; for example, tlsKey and tlsKeyPath are missing

    3) If we look deeper, into tls_helper.go, where TLS is actually configured, we can find that the parameters from the config are passed into the parseCertificate method

    4) Here we use config.Key and config.KeyPassphrase, but they are empty

       182: func GenerateTLSConfig(config TLSHelperConfig) (tlsCfg *tls.Config, reloadConfig func(), err error) {
       183:         wrapper := new(wrapperTLSConfig)
       184:         tlsCfg = new(tls.Config)
       185:         wrapper.config = tlsCfg
       186:
    => 187:         cert, err := parseCertificate(config.CertRequired, config.Cert, config.Key, config.KeyPassphrase)
       188:         if err != nil {
       189:                 return nil, nil, err
       190:         }
       191:
       192:         if cert != nil {
    (dlv) p config.CertRequired
    true
    (dlv) p config.Cert
    "/home/seb/web/dgraph-test/test2.crt"
    (dlv) p config.Key
    ""
    (dlv) p config.KeyPassphrase
    

    Then it fails inside parseCertificate when it tries to read the certificate key file.

    I posted the issue on github.
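As an added example (not dgraph's code, and not from the question or the answer above), here is a Go TLS loader that checks the certificate and key paths before anything is opened, so a value that was parsed from the config but never copied into the TLS setup, the failure the answer traces, is reported by flag name rather than as a bare "open : no such file or directory". The names TLSFileConfig, ValidateTLSFiles, LoadServerTLS and WriteSelfSignedPair are hypothetical; the self-signed pair is constructed at runtime only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// TLSFileConfig is a hypothetical struct for the subset of the question's
// tls.* flags used here; it is not dgraph's TLSHelperConfig.
type TLSFileConfig struct {
	On      bool   // tls.on
	Cert    string // tls.cert
	CertKey string // tls.cert_key
}

var ErrEmptyPath = errors.New("tls.on is true but a file path is empty")

// ValidateTLSFiles checks the configured paths before they are opened, so a field
// dropped on the way from the parsed config (the bug the answer describes) is named.
func ValidateTLSFiles(c TLSFileConfig) error {
	if !c.On {
		return nil
	}
	for _, f := range []struct{ name, path string }{{"tls.cert", c.Cert}, {"tls.cert_key", c.CertKey}} {
		if f.path == "" {
			return fmt.Errorf("%w: %s", ErrEmptyPath, f.name)
		}
		if _, err := os.Stat(f.path); err != nil {
			return fmt.Errorf("%s %q: %w", f.name, f.path, err) // the offending path is in the message
		}
	}
	return nil
}

// LoadServerTLS validates, loads the pair, and pins the minimum protocol
// version to TLS 1.2 (the page's flag defaults still allow TLS 1.1).
func LoadServerTLS(c TLSFileConfig) (*tls.Config, error) {
	if err := ValidateTLSFiles(c); err != nil {
		return nil, err
	}
	cert, err := tls.LoadX509KeyPair(c.Cert, c.CertKey)
	if err != nil {
		return nil, fmt.Errorf("loading key pair: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// WriteSelfSignedPair writes a constructed one-hour self-signed cert and its EC key
// (mode 0600) into dir; it stands in for the CA-issued server pair a deployment would use.
func WriteSelfSignedPair(dir string) (certPath, keyPath string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "server.crt"), filepath.Join(dir, "server.key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
	return certPath, keyPath, err
}

func main() {
	dir, _ := os.MkdirTemp("", "tls-example")
	defer os.RemoveAll(dir)
	certPath, keyPath, err := WriteSelfSignedPair(dir)
	if err != nil {
		panic(err)
	}
	// The shape of the bug from the answer: the key path never reaches the TLS config.
	fmt.Println("key dropped:", ValidateTLSFiles(TLSFileConfig{On: true, Cert: certPath}))
	_, err = LoadServerTLS(TLSFileConfig{On: true, Cert: certPath, CertKey: keyPath})
	fmt.Println("complete config error:", err)
}
```

The check only confirms that both files exist and parse as a matching pair; it does not judge what the certificate is. The question's config points tls.cert and tls.cert_key at the root CA's own certificate and key, which this loader would accept just like a server certificate issued by that CA.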