In the docs there is something regarding certificates…
Using Ratel UI with Client authentication
Does it work with my setup? If so, how does it work with my setup?
Yes, it works. It is the TLS configuration. It is a bit complex, but it is recommended for your case. With TLS, only clients with the certificate are able to communicate with the cluster.
Can you please tell me the steps to configure it?
It helps me a lot.
Just follow the docs https://dgraph.io/docs/deploy/tls-configuration/#sidebar
I would recommend that you watch some video tutorials on YouTube about TLS so you can understand the basics. That’s the type of thing that would require me to write a tutorial on this thread. For example, search on YouTube for “What is TLS”. You will find several videos with deep information about it.
I know about TLS, but I need to know how to configure it… I followed these steps
I am following these steps
My question is where to pass the client authentication options and TLS options, meaning in either Zero or Alpha.
While pointing Ratel to the https:// endpoint of the Alpha server, I am not able to connect.
I would like you to look into this, please.
As you are using K8s, check these steps
About using Ratel with TLS, the docs show how. But you basically need to install the certificate in the system.
I see, well there’s no YAML or something ready prior to this version.
If you follow the docs to the letter, you will succeed. As you can see below, all clients have flags to introduce the certificate and configure the authentication method. Also, the clients dgo, dgraph-js, and so on have their own way to configure the certificates documented on their repos.
➜ ~ dgraph zero -h | grep TLS
--tls_cacert string The CA Cert file used to initiate server certificates. Required for enabling TLS.
--tls_client_auth string Enable TLS client authentication (default "VERIFYIFGIVEN")
--tls_internal_port_enabled (optional) enable inter node TLS encryption between cluster nodes.
➜ ~ dgraph alpha -h | grep TLS
--tls_cacert string The CA Cert file used to initiate server certificates. Required for enabling TLS.
--tls_client_auth string Enable TLS client authentication (default "VERIFYIFGIVEN")
--tls_internal_port_enabled (optional) enable inter node TLS encryption between cluster nodes.
Bulk and live need the certs to be able to communicate with Zero and Alpha.
➜ ~ dgraph bulk -h | grep TLS
--tls_cacert string The CA Cert file used to verify server certificates. Required for enabling TLS.
--tls_internal_port_enabled enable inter node TLS encryption between cluster nodes.
➜ ~ dgraph live -h | grep TLS
--slash_grpc_endpoint string Path to Slash GraphQL GRPC endpoint. If --slash_grpc_endpoint is set, all other TLS options and connection options will be ignored
--tls_cacert string The CA Cert file used to verify server certificates. Required for enabling TLS.
--tls_internal_port_enabled enable inter node TLS encryption between cluster nodes.
I have opened the following tickets related to this question.
It’s really great to see. I appreciate your guidance in resolving all my issues.
Thanks a lot, MichelDiz.
Hello MichelDiz,
I followed these steps for TLS.
$ dgraph cert
$ dgraph cert -n localhost,ip,ip
$ dgraph cert -c user
$ openssl pkcs12 -export \
    -out user.p12 \
    -in tls/client.user.crt \
    -inkey tls/client.user.key
→ Use any password you like for export, it is used to encrypt the p12 file.
$ cp /path/to/ca.crt /usr/local/share/ca-certificates/ca.crt
$ sudo update-ca-certificates
After this
$ dgraph zero --my localhost:5080 --tls_dir /root/tls --tls_client_auth REQUIREANDVERIFY
$ dgraph alpha --lru_mb 5000 --zero localhost:5080 --tls_dir /root/tls --tls_client_auth REQUIREANDVERIFY
When I hit the Alpha IP with https on port 8080 in Ratel, it asks for a client certificate.
Here my issue is that it is taking the client cert which I exported <user.p12> and also another certificate which I have from GoDaddy.
Will you help out with this issue?
Thanks
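A check for the situation in the last post, where two candidate client certificates are offered: this added example (not code from the thread or from Dgraph) uses openssl to tell which .p12 bundle holds a certificate issued by the cluster CA, assuming that REQUIREANDVERIFY accepts only client certificates signed by that CA. The CAs, certificates, directory names, function names and the password `example` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which candidate client certificates chain to the cluster CA?
set -eu

# True only if the PEM certificate $2 validates against the CA certificate $1.
signed_by_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Write the client certificate held in PKCS#12 bundle $1 (password $2) to $3 as PEM.
p12_client_cert() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
    openssl x509 -out "$3"
}

# Constructed test data: throwaway CA with common name $2 in directory $1.
make_ca() {
  mkdir -p "$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=v3ca' \
    '[dn]' "CN=$2" '[v3ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Constructed test data: client cert for user $2 from the CA in $1, exported to $2.p12.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/client.$2.key" -out "$1/client.$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/client.$2.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/client.$2.crt" 2>/dev/null
  openssl pkcs12 -export -out "$1/$2.p12" -in "$1/client.$2.crt" \
    -inkey "$1/client.$2.key" -passout pass:example
}

# "cluster" stands in for the tls directory, "other" for an unrelated public CA.
demo() {
  d=$(mktemp -d)
  make_ca "$d/cluster" "constructed cluster CA"
  make_ca "$d/other" "constructed unrelated CA"
  make_client "$d/cluster" user
  make_client "$d/other" user
  for dir in cluster other; do
    p12_client_cert "$d/$dir/user.p12" example "$d/$dir/from_p12.pem"
    verdict="NOT issued by"
    signed_by_ca "$d/cluster/ca.crt" "$d/$dir/from_p12.pem" && verdict="issued by"
    echo "$dir/user.p12: $verdict the cluster CA"
  done
  rm -rf "$d"
}
demo
```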