How to set up TLS and connect with a JavaScript client

Hi,

I need help. I am not able to configure TLS on the server and connect to the server with a JavaScript client.
I use self-signed certificates generated with:

openssl genrsa -aes256 -out dgraph_key.pem 4096
openssl req -new -key dgraph_key.pem -out dgraph.csr
cp dgraph_key.pem dgraph_key.pem.org
openssl rsa -in dgraph_key.pem.org -out dgraph_key.pem
openssl x509 -req -days 7300 -in dgraph.csr -signkey dgraph_key.pem -out dgraph.crt

I run Dgraph with docker compose:

version: "3.2"
services:
  zero:
    image: dgraph/dgraph:master
    volumes:
      - type: bind
        source: /data/dgraph/data
        target: /dgraph
    ports:
      - 5080:5080
      - 6080:6080
    restart: on-failure
    command: dgraph zero --my=zero:5080
  server:
    image: dgraph/dgraph:master
    volumes:
      - type: bind
        source: /data/dgraph/data
        target: /dgraph
      - type: bind
        source: /data/dgraph/ssl
        target: /etc/ssl/private
    ports:
      - 8080:8080
      - 9080:9080
    restart: on-failure
    command: dgraph server --my=server:7080 --lru_mb=2048 --zero=zero:5080 --tls_on --tls_cert='/etc/ssl/private/dgraph.crt' --tls_cert_key='/etc/ssl/private/dgraph_key.pem' --tls_client_auth='REQUEST'
  ratel:
    image: dgraph/dgraph:master
    volumes:
      - type: volume
        source: dgraph
        target: /dgraph
        volume:
          nocopy: true
    ports:
      - 8000:8000
    command: dgraph-ratel

volumes:
  dgraph:
    

My configuration for the client is:

const dgraph = require("dgraph-js");
const grpc = require("grpc");
const fs = require("fs");

const clientStub = new dgraph.DgraphClientStub(
  "localhost:9080",
  grpc.credentials.createSsl(fs.readFileSync('/data/dgraph/ssl/dgraph.crt'))
);
const dgraphClient = new dgraph.DgraphClient(clientStub);

When I run a query I get only this error:

Error: 14 UNAVAILABLE: Connect Failed

What am I doing wrong?

Thank you

Have you tried running it without TLS? Because the error it is returning is documented in grpc-go as:

	// Unavailable indicates the service is currently unavailable.
	// This is a most likely a transient condition and may be corrected
	// by retrying with a backoff.
	//
	// See litmus test above for deciding between FailedPrecondition,
	// Aborted, and Unavailable.
	Unavailable Code = 14

In case of TLS misconfiguration, it should return error code 16 - Unauthenticated


Hi @gpahal,

According to the logs, the server is listening:

server_1  | 2018/06/03 14:16:14 groups.go:78: Current Raft Id: 1
server_1  | 2018/06/03 14:16:14 worker.go:89: Worker listening at address: [::]:7080
server_1  | 2018/06/03 14:16:14 pool.go:108: == CONNECT ==> Setting zero:5080
server_1  | 2018/06/03 14:16:14 groups.go:105: Connected to group zero. Assigned group: 0
server_1  | 2018/06/03 14:16:14 draft.go:170: Node ID: 1 with GroupID: 1
server_1  | 2018/06/03 14:16:14 gRPC server started.  Listening on port 9080
server_1  | 2018/06/03 14:16:14 HTTP server started.  Listening on port 8080
server_1  | 2018/06/03 14:16:15 node.go:213: Found Snapshot, Metadata: {ConfState:{Nodes:[1] XXX_unrecognized:[]} Index:992 Term:10 XXX_unrecognized:[]}
server_1  | 2018/06/03 14:16:15 node.go:228: Found hardstate: {Term:29 Vote:1 Commit:4030 XXX_unrecognized:[]}
server_1  | 2018/06/03 14:16:15 node.go:240: Group 1 found 3038 entries
server_1  | 2018/06/03 14:16:15 draft.go:926: Restarting node for group: 1
server_1  | 2018/06/03 14:16:15 raft.go:567: INFO: 1 became follower at term 29
server_1  | 2018/06/03 14:16:15 raft.go:315: INFO: newRaft 1 [peers: [1], term: 29, commit: 4030, applied: 992, lastindex: 4030, lastterm: 29]

And these logs look the same as the logs from the server without TLS.

How can I check if the server is really listening?

@selmeci take a look here: TLS connection - Error: 14 UNAVAILABLE: Connect Failed · Issue #50 · dgraph-io/dgraph-js · GitHub

You can use openssl just to verify connection.
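
A Node-side counterpart to the openssl check suggested above, as an added example that is not part of the original thread or of dgraph-js. It uses Node's built-in `net` and `tls` modules instead of openssl to report whether the port accepts TCP, whether it speaks TLS, and whether the certificate verifies against the given CA file; the function name `probeTls` and the result fields are hypothetical.

```javascript
// Added example (not from the thread): report which layer of a TLS connection fails.
const net = require("net");
const tls = require("tls");
const fs = require("fs");

// Resolves to { tcp, tls, trusted, reason, subject }:
//   tcp     - something accepted the TCP connection on host:port
//   tls     - a TLS handshake completed on that connection
//   trusted - the certificate verified against caPath for this host name
function probeTls(host, port, caPath, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const result = { tcp: false, tls: false, trusted: false, reason: null, subject: null };
    const ca = caPath ? fs.readFileSync(caPath) : undefined; // e.g. the self-signed dgraph.crt
    let secure = null;
    let settled = false;
    const raw = net.connect({ host, port });
    const finish = (reason) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      result.reason = reason;
      if (secure) secure.destroy();
      raw.destroy();
      resolve(result);
    };
    const timer = setTimeout(() => finish("timeout"), timeoutMs);
    const onError = (err) => finish(err.code || err.message);
    raw.on("error", onError); // e.g. ECONNREFUSED when nothing listens on the port
    raw.once("connect", () => {
      result.tcp = true;
      secure = tls.connect({
        socket: raw,
        host,
        servername: net.isIP(host) ? undefined : host, // SNI must be a name, not an IP
        ca,
        // Diagnostic only: let the handshake finish so the verification error
        // can be read from authorizationError. Never set this on a real client.
        rejectUnauthorized: false,
      });
      secure.on("error", onError); // e.g. the peer answers with plaintext
      secure.once("close", () => finish("closed before handshake completed"));
      secure.once("secureConnect", () => {
        result.tls = true;
        result.trusted = secure.authorized;
        result.subject = secure.getPeerCertificate().subject || null;
        finish(secure.authorized ? null : String(secure.authorizationError));
      });
    });
  });
}
// Usage with the thread's values:
// probeTls("localhost", 9080, "/data/dgraph/ssl/dgraph.crt").then(console.log);
```

A result with `tcp: true, tls: false` means the port is open but not answering with TLS, while `tls: true, trusted: false` points at the certificate (for example a host name that does not match) rather than at the listener.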