Ratel mTLS connection through ingress-nginx to Alpha

pcjun97 · September 25, 2020, 7:34am

Hi,

I’ve set up Alpha in a Kubernetes Cluster accessible through an Ingress (ingress-nginx). On the Ingress, I’ve enabled client certificate authentication with the following configuration:

nginx.ingress.kubernetes.io/auth-tls-verify-client: 'on'
nginx.ingress.kubernetes.io/auth-tls-secret: 'dgraph/alpha-cert'

Let’s assume the alpha is hosted at https://alpha.example.com:
Browsing https://alpha.example.com would prompt me for my client certificate

After submitting it, the page loads with the message “Dgraph browser is available for running separately using the dgraph-ratel binary”
Failure to submit an authorized cert would result in NGINX 400 Bad Request - No required SSL certificate was sent

However, when I attempt to connect to the Alpha through Ratel (both play.dgraph.io and locally hosted), the connection will simply fail without any prompt for client certificate. A bunch of 400 errors can be observed in the browser’s console, and further inspections would reveal that it’s the same 400 Bad Request error.

Is there any way to resolve this issue without setting up mTLS using Alpha itself?

joaquin · September 30, 2020, 12:59am

Do you want to use mTLS with client auth, or just simply HTTPS?

For TLS w/o client auth (i.e. w/o the mutual part), you can use cert-manager where the ingress (such as ingress-nginx) would terminate the certificate.

If you use cloud provider’s solution:

AWS allows you to create public trusted wild-card certs with ACM, as long as you can read/write DNS, such as Route53, for the verification process.
Google Cloud has Google-Managed Certificates which can be automated using their ManagedCertificate CRD. This one is not wild-card cert, but rather a SAN cert.

For mTLS w/ client auth, I have only tried this out with dgraph cert. Even with this, we found that it did not work with Firefox browsers, but seem to work with Chrome (linux/windows/mac) and Safari (mac). You have to install both root CA cert and client cert into local store. We recently updated the docs in this area:

https://dgraph.io/docs/master/deploy/tls-configuration/.

For mTLS w/ client auth outside of dgraph alpha, I would need to follow up on this, as I have yet tried this scenario yet.

Topic		Replies	Views
Support TLS client-cert authentication for Alphas configured with TLS cert Ratel kind:enhancement , ratel	5	456	July 11, 2020
Ratel UI not connecting to Alpha using TLS Ratel kind:question	4	822	October 27, 2020
Better practice... Google TLS ingress to non-encrypted backend vs. TLS to Dgraph Users discussion	3	848	October 2, 2020
Securing Ratel Server Connection Ratel	16	1593	September 5, 2020
Configuring/Troubleshooting TLS Connection with Ratel Dgraph	1	369	August 24, 2021

Ratel mTLS connection through ingress-nginx to Alpha

Related topics