My present version is 1.0.15; I need to upgrade it to the latest. Can you help me out?

In the docs there is something regarding Certificate…

Using Ratel UI with Client authentication

Does it work with my setup? If so, how does it work with my setup?

Yes, it works. It is the TLS configuration. It is a bit complex, but it is recommended for your case. With TLS only clients with the certificate are able to communicate with the cluster.

Can you please tell me the steps to configure it?
It helps me a lot.

Just follow the docs https://dgraph.io/docs/deploy/tls-configuration/#sidebar
I would recommend that you watch some video tutorials on YouTube about TLS so you can understand the basics. That’s a type of thing that would require me to write a tutorial on this thread. For example, search on YouTube for “What is TLS”. You will find several videos with deep information about it.

I know about TLS, but I need to know how to configure it… I followed these steps

I am following these steps

  1. Create rootCA and node certificates/keys
    $ dgraph cert -n localhost
    Copy the generated CA to the ca-certificates directory
    $ cp /path/to/ca.crt /usr/local/share/ca-certificates/ca.crt
    Update the CA store
    $ sudo update-ca-certificates
  2. Starting Zero
    $ dgraph zero --my localhost:5080
  3. Running alpha
    $ dgraph alpha --lru_mb 5000 --zero localhost:5080
  4. Running Ratel UI

My question is where to pass the client authentication options and TLS options, meaning either in Zero or Alpha.
While pointing Ratel to the https:// endpoint of the Alpha server, I am not able to connect.

I want you to look into this, please.

As you are using K8s, check these steps

About using Ratel with TLS, the docs show how. But you basically need to install the certificate in the system.


Is it for versions above 20.11?
My version is 20.07.3…
Is there any YAML file? I don’t want Helm.

I see, well there’s no YAML or something ready prior to this version.

If you follow the docs to the letter, you will succeed. As you can see below, all clients have flags to introduce the certificate and configure the authentication method. Also, the clients dgo, dgraph-js, and so on have their own way to configure the certificates documented on their repos.

➜  ~ dgraph zero -h | grep TLS
      --tls_cacert string             The CA Cert file used to initiate server certificates. Required for enabling TLS.
      --tls_client_auth string        Enable TLS client authentication (default "VERIFYIFGIVEN")
      --tls_internal_port_enabled     (optional) enable inter node TLS encryption between cluster nodes.
➜  ~ dgraph alpha -h | grep TLS
      --tls_cacert string                The CA Cert file used to initiate server certificates. Required for enabling TLS.
      --tls_client_auth string           Enable TLS client authentication (default "VERIFYIFGIVEN")
      --tls_internal_port_enabled        (optional) enable inter node TLS encryption between cluster nodes.

Bulk and live need the certs to be able to communicate with Zero and Alpha.

➜  ~ dgraph bulk -h | grep TLS
      --tls_cacert string                The CA Cert file used to verify server certificates. Required for enabling TLS.
      --tls_internal_port_enabled        enable inter node TLS encryption between cluster nodes.
➜  ~ dgraph live -h | grep TLS
      --slash_grpc_endpoint string   Path to Slash GraphQL GRPC endpoint. If --slash_grpc_endpoint is set, all other TLS options and connection options will be ignored
      --tls_cacert string            The CA Cert file used to verify server certificates. Required for enabling TLS.
      --tls_internal_port_enabled    enable inter node TLS encryption between cluster nodes.

I have opened the following tickets related to this question.

It’s really great to see. I appreciate your guidance in resolving all my issues.
Thanks a lot MichelDiz.

Hello MichelDiz,

I followed these steps for TLS.

Create Dgraph Root CA, used to sign all other certificates.

$ dgraph cert

Create node certificate and private key

$ dgraph cert -n localhost,ip,ip

Generate a client certificate

$ dgraph cert -c user

Convert it to a .p12 file:

openssl pkcs12 -export \
    -out user.p12 \
    -in tls/client.user.crt \
    -inkey tls/client.user.key

→ Use any password you like for export, it is used to encrypt the p12 file.

Copy the generated CA to the ca-certificates directory

$ cp /path/to/ca.crt /usr/local/share/ca-certificates/ca.crt

Update the CA store

$ sudo update-ca-certificates

After this

$ dgraph zero --my localhost:5080 --tls_dir /root/tls --tls_client_auth REQUIREANDVERIFY

$ dgraph alpha --lru_mb 5000 --zero localhost:5080 --tls_dir /root/tls --tls_client_auth REQUIREANDVERIFY

When I hit the Alpha IP with https on port 8080 in Ratel, it asks for a client certificate.
My issue here is that it is taking the client cert which I exported (user.p12) and also another certificate which I have from GoDaddy.
Will you help me out with this issue?

Thanks