Ratel mTLS connection through ingress-nginx to Alpha


I’ve set up Alpha in a Kubernetes Cluster accessible through an Ingress (ingress-nginx). On the Ingress, I’ve enabled client certificate authentication with the following configuration:

nginx.ingress.kubernetes.io/auth-tls-verify-client: 'on'
nginx.ingress.kubernetes.io/auth-tls-secret: 'dgraph/alpha-cert'

Let’s assume the alpha is hosted at https://alpha.example.com:
Browsing https://alpha.example.com would prompt me for my client certificate:

  • After submitting it, the page loads with the message “Dgraph browser is available for running separately using the dgraph-ratel binary”
  • Failure to submit an authorized cert would result in NGINX 400 Bad Request - No required SSL certificate was sent

However, when I attempt to connect to the Alpha through Ratel (both play.dgraph.io and locally hosted), the connection will simply fail without any prompt for client certificate. A bunch of 400 errors can be observed in the browser’s console, and further inspections would reveal that it’s the same 400 Bad Request error.

Is there any way to resolve this issue without setting up mTLS using Alpha itself?

Do you want to use mTLS with client auth, or just simply HTTPS?

For TLS w/o client auth (i.e. w/o the mutual part), you can use cert-manager where the ingress (such as ingress-nginx) would terminate the certificate.

If you use a cloud provider’s solution:

  • AWS allows you to create public trusted wild-card certs with ACM, as long as you can read/write DNS, such as Route53, for the verification process.
  • Google Cloud has Google-Managed Certificates which can be automated using their ManagedCertificate CRD. This one is not wild-card cert, but rather a SAN cert.

For mTLS w/ client auth, I have only tried this out with dgraph cert. Even with this, we found that it did not work with Firefox browsers, but it seems to work with Chrome (linux/windows/mac) and Safari (mac). You have to install both the root CA cert and the client cert into the local store. We recently updated the docs in this area:

For mTLS w/ client auth outside of dgraph alpha, I would need to follow up on this, as I have not yet tried this scenario.
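
An added example, not part of either post and not Dgraph or ingress-nginx project code: ingress-nginx validates client certificates against the `ca.crt` key of the secret named in `auth-tls-secret`, and browsers import a client identity as a PKCS#12 bundle. The script below uses constructed throwaway CAs and certificates (all names and the export password are placeholders) to show the offline chain check and the bundle step with `openssl`.

```shell
#!/bin/sh
# Added example: every CA, certificate, name and password below is constructed.
# For a real check, take the CA from the secret named on the page, e.g.
#   kubectl -n dgraph get secret alpha-cert -o jsonpath='{.data.ca\.crt}' | base64 -d
set -eu

make_ca() {      # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_client() {  # $1 = CA prefix, $2 = client prefix, $3 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Succeeds only if the client cert ($2) chains to the CA bundle ($1),
# which is the condition the ingress enforces with verify-client 'on'.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Bundle key + cert + issuing CA as PKCS#12 for import into a browser/OS store.
make_p12() {     # $1 = client prefix, $2 = CA cert, $3 = export password
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2" \
    -passout "pass:$3" -out "$1.p12" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_ca "$work/ca" "constructed ingress client CA"
  make_ca "$work/other" "constructed unrelated CA"
  make_client "$work/ca" "$work/good" "constructed-ratel-user"
  make_client "$work/other" "$work/bad" "constructed-ratel-user"
  chains_to "$work/ca.crt" "$work/good.crt" && good=accepted || good=rejected
  chains_to "$work/ca.crt" "$work/bad.crt" && bad=accepted || bad=rejected
  make_p12 "$work/good" "$work/ca.crt" "constructed-password"
  # Re-open the bundle with the same password to confirm it is importable.
  openssl pkcs12 -in "$work/good.p12" -passin pass:constructed-password \
    -nokeys -noout 2>/dev/null && p12=readable || p12=unreadable
  rm -rf "$work"
  echo "trusted-ca=$good other-ca=$bad p12=$p12"
}

demo
```

A certificate that fails `chains_to` against the secret's `ca.crt` is one the ingress will not accept, whichever browser presents it.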