Dgraph TLS on Azure AKS: client fails to connect

I have used the official Helm chart to deploy Dgraph on Azure AKS. I have used

make_tls_secrets.sh

and was able to create the certificates; then I start Helm with

helm install dgraph --values tls/secrets.yaml --values alpha-tls-config.yaml .

but in the Dgraph Alpha log I see an error like `Unsupported certificate` when I run `dgraph cert ls`.

But when I try to query, it does not connect. Here is the client code:

const fs = require('fs');

const path = require('path');

// Process-wide TLS setting: affects every tls/https/grpc connection made by
// this process, not only the Dgraph stub. "auto" lets Node negotiate the ECDH
// curve; on current Node releases that is already the default, so this line
// is presumably a leftover workaround for an older runtime — confirm before keeping it.
require("tls").DEFAULT_ECDH_CURVE = "auto"

const dgraph = require("dgraph-js");

//const dgraph = require("dgraph-js-http");

// Only referenced by the commented-out https.Agent example inside
// newClientStub(); the gRPC client does not use it.
const https = require("https");

// Create a client stub.

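/**
 * Create a gRPC client stub that talks to Dgraph Alpha over mutual TLS.
 *
 * The server certificate presented by the Alpha must list the host name in
 * `address` (CN or SAN); if it does not, the handshake fails on the client
 * side even though the CA is trusted. The client certificate/key pair is
 * what the Alpha checks when it runs with tls_client_auth = REQUIREANDVERIFY.
 *
 * Certificates are produced with `dgraph cert` (or the chart's
 * make_tls_secrets.sh):
 *     $ dgraph cert
 *     $ dgraph cert -n localhost
 *     $ dgraph cert -c user
 *
 * @param {string} [address] - host:port of the Alpha gRPC endpoint.
 * @param {string} [tlsDir] - directory holding ca.crt and the client cert/key.
 * @returns {dgraph.DgraphClientStub} stub; the caller must close() it.
 * @throws if any of the PEM files cannot be read.
 */
function newClientStub(
    address = "dgraph.test.tech:9080",
    tlsDir = path.join(__dirname, "tls"),
) {
    const readPem = (fileName) => fs.readFileSync(path.join(tlsDir, fileName));

    const rootCaCert = readPem("ca.crt");
    const clientCertKey = readPem("client.visurqadgraph.key");
    const clientCert = readPem("client.visurqadgraph.crt");

    // createSsl takes (rootCerts, privateKey, certChain) in this order.
    const credentials = dgraph.grpc.credentials.createSsl(
        rootCaCert,
        clientCertKey,
        clientCert,
    );

    return new dgraph.DgraphClientStub(address, credentials);
}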

// Create a client.

/**
 * Wrap a client stub in a DgraphClient, the object used to open
 * transactions and to run alter() operations.
 *
 * @param {dgraph.DgraphClientStub} clientStub - stub from newClientStub().
 * @returns {dgraph.DgraphClient}
 */
function newClient(clientStub) {
    const { DgraphClient } = dgraph;
    return new DgraphClient(clientStub);
}

// Drop All - discard all data and start from a clean slate.

/**
 * Discard ALL data in the cluster and start from a clean slate.
 *
 * Destructive and irreversible: setDropAll(true) removes every node and
 * predicate, so only run it against a throw-away instance.
 *
 * @param {dgraph.DgraphClient} dgraphClient - connected client.
 * @returns {Promise<void>}
 */
async function dropAll(dgraphClient) {
    const wipe = new dgraph.Operation();
    wipe.setDropAll(true);
    await dgraphClient.alter(wipe);
}

// Set schema.

/**
 * Install the example schema (types and indexes) on the cluster via alter().
 *
 * @param {dgraph.DgraphClient} dgraphClient - connected client.
 * @returns {Promise<void>}
 */
async function setSchema(dgraphClient) {
    // Schema text is passed verbatim to the server.
    const schema = `

        name: string @index(exact) .

        age: int .

        married: bool .

        loc: geo .

        dob: datetime .

        friend: [uid] @reverse .

    `;

    const buildSchemaOp = (text) => {
        const alterOp = new dgraph.Operation();
        alterOp.setSchema(text);
        return alterOp;
    };

    await dgraphClient.alter(buildSchemaOp(schema));
}

// Create data using JSON.

/**
 * Insert the sample "Alice" graph with a single JSON mutation and print the
 * uids the server assigned.
 *
 * The transaction is always discarded in `finally`; after a successful
 * commit the discard is a no-op, so it is safe to call unconditionally.
 *
 * @param {dgraph.DgraphClient} dgraphClient - connected client.
 * @returns {Promise<void>}
 */
async function createData(dgraphClient) {
    // "_:alice" is a blank-node label; the server reports the uid it
    // assigned to it in the mutation response.
    const buildAlice = () => ({
        uid: "_:alice",
        name: "Alice",
        age: 26,
        married: true,
        loc: {
            type: "Point",
            coordinates: [1.1, 2],
        },
        // Month is 0-indexed: this is 1 Feb 1980 23:00 in the local time zone.
        dob: new Date(1980, 1, 1, 23, 0, 0, 0),
        friend: [
            { name: "Bob", age: 24 },
            { name: "Charlie", age: 29 },
        ],
        school: [{ name: "Crown Public School" }],
    });

    const txn = dgraphClient.newTxn();
    try {
        const mutation = new dgraph.Mutation();
        mutation.setSetJson(buildAlice());
        const response = await txn.mutate(mutation);

        await txn.commit();

        // Response#getUidsMap(): blank-node label -> assigned uid.
        const uids = response.getUidsMap();
        console.log(`Created person named "Alice" with uid = ${uids.get("alice")}\n`);
        console.log("All created nodes (map from blank node names to uids):");
        uids.forEach((uid, key) => console.log(`${key} => ${uid}`));
        console.log();
    } finally {
        // Clean up; calling this after txn.commit() is a no-op.
        await txn.discard();
    }
}

// Query for data.

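/**
 * Fetch every person named "Alice" in a read-only transaction and print them.
 *
 * The query template literal was missing its closing backtick in the
 * original listing, which is a syntax error; it is closed here.
 *
 * @param {dgraph.DgraphClient} dgraphClient - connected client.
 * @returns {Promise<object>} the parsed JSON response ({ all: [...] }).
 */
async function queryData(dgraphClient) {
    // The name is passed as a GraphQL variable rather than interpolated into
    // the query text, so its value cannot alter the query's structure.
    const query = `query all($a: string) {
        all(func: eq(name, $a)) {
            uid
            name
            age
            married
            loc
            dob
            friend {
                name
                age
            }
            school {
                name
            }
        }
    }`;
    const vars = { $a: "Alice" };

    // Read-only transaction: nothing to commit or discard.
    const res = await dgraphClient
        .newTxn({ readOnly: true })
        .queryWithVars(query, vars);
    const ppl = res.getJson();

    // Tolerate a response without an "all" key instead of throwing.
    const people = Array.isArray(ppl.all) ? ppl.all : [];
    console.log(`Number of people named "Alice": ${people.length}`);
    people.forEach((person) => console.log(person));

    return ppl;
}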

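/**
 * Entry point: open a TLS gRPC stub, load the sample data, query it back,
 * and close the stub.
 *
 * The stub is closed in `finally` so that a failure in createData() or
 * queryData() (for example a TLS handshake error) does not leave the gRPC
 * channel open.
 *
 * @returns {Promise<void>}
 */
async function main() {
    const dgraphClientStub = newClientStub();
    const dgraphClient = newClient(dgraphClientStub);

    try {
        // dropAll() is destructive; both steps are left disabled on purpose.
        // await dropAll(dgraphClient);
        // await setSchema(dgraphClient);
        await createData(dgraphClient);
        await queryData(dgraphClient);
    } finally {
        // Close the client stub even when a step above throws.
        dgraphClientStub.close();
    }
}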

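// Run the example. Failures go to stderr and mark the process as failed, so
// a broken TLS connection cannot be mistaken for a successful run.
main()
    .then(() => {
        console.log("\nDONE!");
    })
    .catch((e) => {
        console.error("ERROR: ", e);
        process.exitCode = 1;
    });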

Hello @vikashsingh009,

On one of the alpha pods, could you run these commands and let me know the output:

hostname -f 
dgraph cert ls --dir /dgraph/tls
cat /dgraph/config/config.yaml

Here is the output of the above commands,

and the output of cat /dgraph/config/config.yaml:
tls_client_auth: REQUIREANDVERIFY
tls_use_system_ca: true

TLS configuration (before v20.11.0)

tls_dir: tls

TLS configuration (after v20.11.0)

#tls_cacert: /dgraph/tls/ca.crt
#tls_node_cert: /dgraph/tls/node.crt
#tls_node_key: /dgraph/tls/node.key

lru_mb deprecated after v20.11.0 and is no longer needed

lru_mb: 2048

@joaquin, I have also tried trusting the root certificate on the Windows machine where Helm is building and deploying, but I am not able to connect over TLS at all on gRPC port 9080. I am using an AKS load balancer there. Here is a sample Python test:

@vikashsingh009 As I was looking at the output I spotted an issue. The current node certificate will only work with alpha0 and localhost. Any other hostname used will not be able to connect.

You would also need to configure these:

  • Alpha 1: qadgraph-dgraph-alpha-1.qadgraph-dgraph-alpha-headless.default.svc.cluster.local
  • Alpha 2: qadgraph-dgraph-alpha-2.qadgraph-dgraph-alpha-headless.default.svc.cluster.local
  • Alpha SVC qadgraph-dgraph-alpha-headless.default.svc.cluster.local

Additionally, as you are accessing this through a DNS name, you need to add that name as well, because the client checks that the host name it dials appears in the server certificate's host list:

  • DNS name: qadgraph.visur.tech

Thus for this scenario, here’s a solution to generate the certificates with support for the desired FQDN hostnames, using a Dgraph container (for dgraph, bash, curl, GNU tools):

# Run a throw-away Dgraph container only to get the `dgraph cert` tooling;
# the generated material lands in ./dgraph_tls on the host via the bind mount.
docker run --detach --name dgraph-cert \
  --volume $PWD/dgraph_tls:/dgraph/dgraph_tls \
  dgraph/standalone:v20.11.1

# download script
# NOTE: this fetches the helper script from the chart repo's master branch and
# it is executed with bash below. Pin it to a release tag or commit and read it
# before running, since it produces the certificate material the cluster trusts.
curl -O https://raw.githubusercontent.com/dgraph-io/charts/master/charts/dgraph/scripts/make_tls_secrets.sh

# copy to a dgraph container
docker cp ./make_tls_secrets.sh dgraph-cert:/dgraph

# create certificates with extra FQDN names
# Every name a client will dial (the public DNS name and the headless service)
# must be listed here; a name that is missing fails host-name verification.
docker exec -t dgraph-cert \
  bash /dgraph/make_tls_secrets.sh --release qadgraph --extra qadgraph.visur.tech,qadgraph-dgraph-alpha-headless.default.svc.cluster.local

# verify host names created
# Prints one host per line from the "Hosts:" field of `dgraph cert ls`.
docker exec -t dgraph-cert \
  dgraph cert ls --dir /dgraph/dgraph_tls/alpha | grep -oP '(?<=Hosts: ).*' | tr -s ', ' '\n'

The output should be the following:

qadgraph-dgraph-alpha-0.qadgraph-dgraph-alpha-headless.default.svc.cluster.local
qadgraph-dgraph-alpha-1.qadgraph-dgraph-alpha-headless.default.svc.cluster.local
qadgraph-dgraph-alpha-2.qadgraph-dgraph-alpha-headless.default.svc.cluster.local
qadgraph.visur.tech
qadgraph-dgraph-alpha-headless.default.svc.cluster.local

Thanks @joaquin, that worked for me. I am now able to connect with the JavaScript and Python clients, but I have issues with the C#/.NET client; I will create a separate ticket for that.
