Dgraph + TLS is not working

I love Dgraph, how may I get Dgraph + TLS working please? Self-managed cluster - Deploy

These commands successfully start Dgraph

dgraph zero --my=localhost:5080
dgraph alpha --my=localhost:7080 --lru_mb=2048 --zero=localhost:5080
dgraph-ratel

These commands leave an error in the alpha terminal

dgraph zero --my=localhost:5080
dgraph alpha --my=localhost:7080 --lru_mb=2048 --zero=localhost:5080 --tls_dir tls --tls_client_auth REQUEST
dgraph-ratel

The alpha terminal error is
2020/05/01 13:39:35 http: TLS handshake error from [::1]:51966: remote error: tls: unknown certificate

Here is what my tls folder looks like

Here is what Keychain access looks like

Thank you friends!

Hello. I was curious what dgraph cert ls says.

2 Likes

I appreciate your assistance @joaquin

What client (curl, Ratel etc ?) are you using to connect to the Alpha Instance. And if it is a browser, then which one? Version?

My presumption is that the client does not trust the Dgraph Root CA (ca.crt) and hence this error.
(I see that you have added this to the KeyChain as Trusted Root, but some clients may not use the system Certificate Authorities).

Please also try the troubleshooting steps here.
https://dgraph.io/docs/deploy/#troubleshooting-ratel-s-client-authentication

1 Like

Hello. I noticed that you created a node.crt for a hostname called live. If you do not want to use this as the host, then I would rm tls/node* and recreate the node cert.

I created my certs using this:

dgraph cert
dgraph cert -n $(hostname)
dgraph cert -c user

Let me know if this fixes your setup.

1 Like

I also wanted to proactively add some tips in case you try out dgraph live and run into the problems.

This is what I did to get live loader worker to load the 21million schema.

Run Alpha in Encrypted Mode

You don’t have to use REQUIREANDVERIFY, it was the one I chose for testing this out.

dgraph zero --my="$(hostname):5080" --idx 1
dgraph alpha --my="$(hostname):7080" \
  --zero "$(hostname):5080" \
  --lru_mb 2048 \
  --tls_dir=./tls \
  --tls_client_auth=REQUIREANDVERIFY

Run Live Loader

dgraph live \
  --tls_cacert ./tls/ca.crt \
  --tls_cert ./tls/client.user.crt \
  --tls_key ./tls/client.user.key \
  --tls_server_name "$(hostname)" \
  -s 21million.schema \
  -f 21million.rdf.gz

For the schema, this is that big 21 million record movie database used in tutorials, you can get these from: benchmarks/data at master · dgraph-io/benchmarks · GitHub.

2 Likes

Thank you for assisting me @Paras & @joaquin I appreciate you both! Dgraph Dream Team!

  1. ATM I’m using the Brave browser w/ the fetch api Version 1.7.98 Chromium: 81.0.4044.113 (Official Build) (64-bit)
  2. My goal client is to call my https dgraph database deployed @ High Frequency Compute - 3+ GHz cloud compute with NVMe storage - Vultr.com w/ https://cloudflareworkers.com/ as the client, sending requests via the fetch api. Last time I checked, the officially supported dgraph clients throw errors in Cloudflare Workers which is why I’m thinking fetch api.

Thank you for this link!

I’ll be honest with you @joaquin I don’t know if I’m using live loader b/c I’m confused about what it is but I don’t think I’m using this. I love your help about the HOSTS thank you, I updated my host to localhost, and I know the IP address of my Vultr cloud database but when I add that as a host I get the error

Chriss-MacBook-Pro-2:database cc$ dgraph cert -n x.30.193.y
[Decoder]: Using assembly version of decoder
Error: x509: cannot validate certificate for x.30.193.y because it doesn't contain any IP SANs

And now I’m a bit confused, do I do the keychain access thing again with these new keys and if so when I go into Keychain access what do I do please?!

Thank you brothers

If you are running the dgraph alpha service on the Vultr system, then you would use that as the node:

dgraph cert -n $HOST_ADDRESS

Where host address is the dgraph alpha service. If you build a server for example and give it a DNS FQDN of dgraph.mycompany.com, you would then do this:

dgraph cert -n dgraph.mycompany.com

Until then, it looks like you are running the server on MacBook, and a client on MacBook, so you have to use localhost as the host address in this case for local MacBook development.

As for the Brave (Chromium) browser, you need to import the client certificate, so that it will trust the Dgraph CA root.

1 Like

To clarify,

  • You need to import the Dgraph Root CA as trusted “Root Authority” so that it will trust the Alpha server’s certificate sent on TLS Handshake.
  • Further, you may need to import the Dgraph client certificate in the Client/Your/Personal Certificates section if the alpha server has turned on Client-Authentication.
1 Like
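The three failures discussed above (a node certificate whose SAN does not match what the client dialled, a client that never imported ca.crt as a trusted root, and a client that sends no certificate while the Alpha runs with --tls_client_auth=REQUIREANDVERIFY) can be reproduced without Dgraph, Ratel or a browser. The Go program below is an added example, not Dgraph's code and not something posted in the thread: instead of dgraph cert it builds a throwaway PKI in memory (a constructed root CA, a node certificate for localhost, and a client certificate named "user"), then checks what a TLS client and a TLS server conclude from those certificates. The mapping of tls.RequestClientCert and tls.RequireAndVerifyClientCert onto the REQUEST and REQUIREANDVERIFY values, and the documentation address 203.0.113.10 standing in for the cloud server's a.b.c.d, are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyedCert is a certificate with its key, like node.crt+node.key or client.user.crt+client.user.key in tls/.
type keyedCert struct {
	cert *x509.Certificate
	pair tls.Certificate // DER chain plus private key, in the form a TLS endpoint loads them
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: the constructed in-memory PKI could not be built
	}
	return v
}

// issueCert signs a certificate with parent (self-signed when parent is nil). dnsNames and ips become the
// Subject Alternative Names that a client matches against the name or address it dialled (dgraph cert -n).
func issueCert(cn string, dnsNames []string, ips []net.IP, isCA bool, parent *keyedCert) *keyedCert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		IPAddresses: ips, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the root may sign other certificates
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.pair.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &keyedCert{must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// poolOf is the trust store a client has after importing ca.crt as a trusted root.
func poolOf(ca *keyedCert) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return pool
}

// verifyNodeCert does what a client does with the Alpha's certificate: chain it to the roots it trusts
// (an empty pool models a client that never imported ca.crt), then match the SANs against what it dialled.
func verifyNodeCert(node *keyedCert, roots *x509.CertPool, dialled string) error {
	_, err := node.cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialled})
	return err
}

// handshake runs one TLS handshake over loopback TCP. mode stands for --tls_client_auth (RequestClientCert
// ~ REQUEST, RequireAndVerifyClientCert ~ REQUIREANDVERIFY); client == nil is a client run without --tls_cert
// and --tls_key. The server's verdict wins: in TLS 1.3 the client can finish its half before the server rejects it.
func handshake(node, ca *keyedCert, mode tls.ClientAuthType, client *keyedCert) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{node.pair}, ClientAuth: mode, ClientCAs: poolOf(ca)}
	cliCfg := &tls.Config{RootCAs: poolOf(ca), ServerName: "localhost"} // --tls_cacert and --tls_server_name
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{client.pair}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cliErr == nil {
		defer cli.Close() // keep the socket open until the server has reached its verdict
	}
	if err := <-srvErr; err != nil {
		return err
	}
	return cliErr
}

func main() {
	ca := issueCert("constructed root CA", nil, nil, true, nil)
	node := issueCert("localhost", []string{"localhost"}, nil, false, ca) // the node cert after dgraph cert -n localhost
	fmt.Println("dialled by IP, cert has only a DNS SAN:", verifyNodeCert(node, poolOf(ca), "203.0.113.10"))
	fmt.Println("REQUIREANDVERIFY without a client cert:", handshake(node, ca, tls.RequireAndVerifyClientCert, nil))
}
```

Running it prints the same x509 message that the dgraph cert -n attempt with an IP address produced in the thread, because a certificate issued for the name localhost carries only a DNS SAN and Go refuses to match an IP against it; issuing the node certificate with the IP in its SAN list, or dialling the name the certificate was issued for, is what makes that check pass. With an empty root pool the same certificate fails with an unknown-authority error, which is the server-side "unknown certificate" handshake failure seen from the client's side of the connection. The handshake helper returns the server's error rather than the client's on purpose: under TLS 1.3 a client that sent no certificate has already completed its half of the handshake when the Alpha rejects it, so a browser or fetch() caller only notices the rejection on its first read.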

Thank you @joaquin & @Paras for helping me through this!

I now have Dgraph + TLS working locally! :star_struck:

I love me some Dgraph, it’s a pleasure learning from you both, y’all know how to teach! :pray:

I’m now going to attempt this in the cloud @ Cloudflare Workers + Vultr.

I wish you both get huge raises very soon! :partying_face: Thank you both so much!

1 Like

Glad that it worked now. And thanks for the kind words.

Could you please state what was your issue and how it got fixed so that the rest of the community can benefit in future?

I think my error was the hostname. Updating the node.crt hostname to localhost helped a ton, thank you @joaquin! I made this error copy pasting from the docs where the hostname is live.

This was one of those novice mistakes when we copy / paste all the code provided, it does not work & then we’re like… :sweat_smile: lol Which is why I really appreciate your help @Paras, thank you Sir!

So I purchased a cloud server on vultr, let's say the IP address is a.b.c.d - I ssh’d into the server and ran

curl https://get.dgraph.io -sSf | bash
dgraph :+1:

dgraph zero --my=a.b.c.d:5080
dgraph alpha --my=a.b.c.d:7080 --lru_mb=2048 --zero=a.b.c.d:5080
dgraph-ratel

The terminal response looks great Connected: id:1 addr:"a.b.c.d:7080"

But I’m seeing the same This site can't be reached browser 404 response @
http://localhost:8000
http://a.b.c.d:8000
http://a.b.c.d:8080

Am I missing something to get the pre TLS Dgraph working in the cloud please?!

Since you’ve deployed this to a cloud machine, you’ll need to be on the cloud machine to access localhost. a.b.c.d would need to be publicly accessible to access it from the outside.

Thank you for your assistance @dmai!

How may I validate if the server is publicly accessible and / or make this server publicly accessible please?

I have also tried these commands while SSH’d into the cloud server

dgraph zero --my=localhost:5080
dgraph alpha --my=localhost:7080 --lru_mb=2048 --zero=localhost:5080
dgraph-ratel

Which all seem to work great, with output like

Connected: id:1 addr:"localhost:7080"

But when I access http://a.b.c.d:8000/ > the site can’t be reached… :sweat_smile:

You can check access via your cloud provider. You’d need at least a public IP and configured firewall rules. If you don’t want to set up public access, you can create a private tunnel connection to your server

In Vultr, I found these resources that should help (I haven’t used Vultr myself though):

1 Like
