Configuring/Troubleshooting TLS Connection with Ratel

What I want to do

I’m trying to configure TLS on the Dgraph server. However, with the TLS settings in place, I cannot connect from Ratel.

What I did

I’m running alpha and zero on a single-node instance. A Ratel Docker instance is running on a separate CentOS server using the dgraph/ratel:latest image.

I’m trying to follow the steps on this page to set up TLS:

I’ve run the following command to generate all of the certificate files:

dgraph cert -n localhost -c dgraphuser --duration 1825

The files are stored in the ‘tls’ subdirectory of the working directory.

I’m starting alpha and zero using a config.yaml, which looks like:

  compression: zstd:1
  jaeger: http://jaeger:14268
  whitelist: <ip whitelist>
  ca_cert: /data/1/data/dgraph/tls/ca.crt
  client_auth_type: REQUEST
  server_cert: /data/1/data/dgraph/tls/node.crt
  server_key: /data/1/data/dgraph/tls/node.key
  use_system_ca: true
  internal_port: true
  client_cert: /data/1/data/dgraph/tls/client.dgraphuser.crt
  client_key: /data/1/data/dgraph/tls/client.dgraphuser.key

The alpha and zero processes seem to start up fine. I’m using REQUEST at the moment, just to try to keep things simple, but will change that to REQUIREANDVERIFY once I get past these issues.

I added the Dgraph CA certificate to my browser.

I uploaded the ca.crt to the Ratel server. Since it’s CentOS, I ran:

sudo cp ca.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

The update seemed to work; however, I cannot connect to the database using Ratel.

  • If I try to connect to http://:8080, the connection bar will show green halfway, but after the heart icon, it turns yellow.
  • If I try to connect to https://:8080, the whole connection status bar is yellow.

If I remove the TLS settings from the config.yaml and restart zero and alpha, then I can get back in from Ratel and query the database.

I’m not sure what I’ve missed or configured incorrectly. Any insight on how to fix or troubleshoot this would be much appreciated.

Thanks in advance!

Dgraph metadata

dgraph version

Dgraph version : v21.03.1
Dgraph codename : rocket-1
Dgraph SHA-256 : a00b73d583a720aa787171e43b4cb4dbbf75b38e522f66c9943ab2f0263007fe
Commit SHA-1 : ea1cb5f35
Commit timestamp : 2021-06-17 20:38:11 +0530
Branch : HEAD
Go version : go1.16.2
jemalloc enabled : true

I figured this part out. I ran the following commands on the Ratel server, but I needed to perform these on the Dgraph alpha/zero server.

Now on to configuring the REQUIREANDVERIFY.
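
An added check, not part of the original posts or of Dgraph's tooling, for the two things a TLS client validates in this setup: that node.crt chains to ca.crt, and that it names the host the client connects to. The function names, the temp directory and the host name dgraph.example.internal are assumptions, and the demo certificates are constructed throwaways made with openssl rather than dgraph cert.

```shell
#!/bin/sh
# Added example. check_node_cert CA_CERT NODE_CERT HOSTNAME
# Returns 0 if NODE_CERT chains to CA_CERT and covers HOSTNAME,
# 1 on chain failure, 2 on hostname mismatch, 3 on unreadable input.
check_node_cert() {
    ca=$1; cert=$2; host=$3
    if [ ! -r "$ca" ] || [ ! -r "$cert" ]; then
        echo "cannot read $ca or $cert" >&2; return 3
    fi
    # Chain check: is the node certificate signed by the CA the client trusts?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # Name check: does the certificate cover the host name the client dials?
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "OK: $cert chains to $ca and is valid for $host"; return 0
    fi
    echo "FAIL: $cert is not valid for host $host"; return 2
}

# Constructed throwaway CA and node certificate (SAN: localhost) for the demo.
# Made with openssl here, not with `dgraph cert`; file names mirror the page's.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
    printf 'subjectAltName=DNS:localhost\n' > "$d/san.ext"
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/node.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
check_node_cert "$demo/ca.crt" "$demo/node.crt" localhost
# Hypothetical name a remote client might use; not in the SAN, so this fails.
check_node_cert "$demo/ca.crt" "$demo/node.crt" dgraph.example.internal \
    || echo "exit status $?"
rm -rf "$demo"
```

On a real deployment, pass the ca.crt and node.crt from the tls directory and the host name that is entered in Ratel.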