Ratel UI not connecting to Alpha using TLS

Hi guys,

I’m trying to run Dgraph in a docker network (Alpha, Zero and Ratel).
The network spins up fine and everything looks good until I try and connect to the Alpha via Ratel.

I followed this page https://dgraph.io/docs/deploy/tls-configuration/ but can’t get the connection to work with TLS.
My Alpha docker container is telling me no TLS cert was provided:

TLS handshake error from X.X.X.X: remote error: tls: unknown certificate

and also

TLS handshake error from X.X.X.X: tls: client didn't provide a certificate

I have the generated .p12 cert in my Mac keychain as per the above documentation, but nothing seems to work.

Any help would be much appreciated.

Can you share the actual steps/commands used?

As you are using keychain, I deduce you are using Chrome for this. And as you are using the .p12 cert, I assume you want to use Mutual TLS, where the Alpha authenticates the client (Chrome) using the client cert/key in .p12 format?

Can you get this to work without Mutual Authentication, just TLS without client authentication? Then afterwards we can verify Mutual Authentication works.

How is alpha configured (command line and any applicable DGRAPH_ALPHA env vars if they were used)? Did you create the certificate using localhost as the server name? What is the output of dgraph cert ls?

Sure!
Here’s the docker-compose file I’m using:

version: '3.6'

services:

  zero:
    image: dgraph/dgraph:latest
    container_name: test_dgraph_zero
    ports:
      - 5080:5080
      - 6080:6080
    restart: on-failure
    command: dgraph zero --my=zero:5080

  alpha:
    image: dgraph/dgraph:latest
    container_name: test_dgraph_alpha
    ports:
      - 8082:8080
      - 9080:9080
    restart: on-failure
    command:
      - bash
      - "-c"
      - |
        dgraph cert --dir /tls -n 'localhost'
        dgraph cert --dir /tls -c 'testing'
        chmod a+r /tls/client.testing.key
        dgraph alpha --tls_dir /tls --whitelist=0.0.0.0/0 --tls_client_auth REQUIREANDVERIFY --zero=zero:5080

  ratel:
    image: dgraph/dgraph:latest
    container_name: test_dgraph_ratel
    ports:
      - 8100:8000
    command: dgraph-ratel

After I run this, the network spins up and I can connect to the Ratel UI on my browser, but cannot connect to the Alpha.
I can make the connection to the Alpha when TLS is off.

That’s right, I’m using Chrome and want the browser to authenticate using the client cert/key. (I’ve also tried in Firefox with no success either)

The Alpha is set up in a docker-compose file as follows:

alpha:
  image: dgraph/dgraph:latest
  container_name: test_dgraph_alpha
  ports:
    - 8082:8080
    - 9080:9080
  restart: on-failure
  command:
    - bash
    - "-c"
    - |
      dgraph cert --dir /tls -n 'localhost'
      dgraph cert --dir /tls -c 'testing'
      chmod a+r /tls/client.testing.key
      dgraph alpha --tls_dir /tls --whitelist=0.0.0.0/0 --tls_client_auth --zero=zero:5080

Yes, localhost was used as the server name.
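
The difference between server-only TLS and mutual TLS discussed in this thread, as an added example that is not part of the original posts or of Dgraph's code: a Go test server that requires and verifies client certificates (assumed here to be what REQUIREANDVERIFY corresponds to, Go's `tls.RequireAndVerifyClientCert`) is contacted first without and then with a client certificate. The CA, the `localhost` server certificate and the `testing` client certificate are throwaway values constructed in memory, and `issue` and `connect` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue makes a throwaway cert for cn (constructed test data); a nil ca self-signs a CA.
func issue(cn string, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: ca == nil,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil {
		ca = &tls.Certificate{Leaf: t, PrivateKey: key} // the CA signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca.Leaf, pub, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect sends one HTTPS request to a server enforcing verified client certs; nil = accepted.
func connect(ca, srv tls.Certificate, cli ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ts := httptest.NewUnstartedServer(http.NotFoundHandler())
	ts.TLS = &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	ts.StartTLS()
	defer ts.Close() // waits for the server side of the connection to finish
	tr := &http.Transport{TLSClientConfig: &tls.Config{ServerName: "localhost", RootCAs: pool, Certificates: cli}}
	resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	ca := issue("ca.test", nil)
	srv, cli := issue("localhost", &ca), issue("testing", &ca)
	fmt.Println("no client cert:", connect(ca, srv), "| CA-signed cert:", connect(ca, srv, cli))
}
```

Run stand-alone, the request without a certificate also makes Go's HTTP server log `http: TLS handshake error from 127.0.0.1:<port>: tls: client didn't provide a certificate` on stderr, the second message quoted in the thread.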