diggy
(Dgraph Bot)
February 15, 2019, 5:40pm
1
Moved from GitHub dgraph-js/50
Posted by mkucharz :
I’m trying to set up a secure gRPC connection. What have I done so far:
generate certs using dgraph cert
verify fingerprints and certs using openssl (openssl verify -verbose -CAfile ca.crt node.crt)
check the connection and certs crescents with openssl s_client -connect 176.9.122.98:9080 -CAfile ca.crt
set up connection:
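const fs = require('fs')
const path = require('path')
const grpc = require('grpc')
const dgraph = require('dgraph-js')
// Only the root CA is passed here; no client key or certificate
const rootCert = fs.readFileSync(path.join(__dirname, 'certs', 'ca.crt'))
const clientData = new dgraph.DgraphClientStub(
  '<my_external_machine_IP_address>:9080',
  grpc.credentials.createSsl(rootCert)
)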
try to connect: Error: 14 UNAVAILABLE: Connect Failed
In addition I configured an NGINX gRPC proxy, first without SSL (works fine), then with SSL (same error as above).
Any ideas what else to check and what can be wrong? Has anyone successfully configured dgraph-js to work with TLS?
diggy
(Dgraph Bot)
February 20, 2019, 8:43pm
2
gorjuspixels commented :
It’s working for us (though we’re not using nginx… couldn’t set up gRPC and SSL through it successfully).
But anyways, our grpc credentials look like this:
grpc.credentials.createSsl(caCrt, clientKey, clientCrt)
diggy
(Dgraph Bot)
February 20, 2019, 11:56pm
3
danielmai commented :
@gorjuspixels is right. If the system isn’t configured to trust the root CA generated by dgraph cert then you must provide it along with the client certificate and client certificate key to be properly authenticated.
Also, you shouldn’t set https:// in the address name. The address host and port is sufficient.
diggy
(Dgraph Bot)
February 21, 2019, 10:25pm
4
danielmai commented :
There is now example code for connecting dgraph-js and Dgraph with mutual TLS. Please see the TLS example linked in the README:
Try out the example and feel free to re-open this issue if you’re still having the issue.
diggy
(Dgraph Bot)
February 24, 2019, 10:55pm
5
mkucharz commented :
@danielmai https was left after testing dgraph-js-http… I’ve updated the original question (because I still had a problem even without https).
Anyway, your @gorjuspixels and @danielmai responses were very helpful.
It turned out that the problem was in the common name of the certificate… I forgot to generate it with additional host names, more info here:
https://docs.dgraph.io/deploy#file-naming-conventions
Leaving this message mainly for other people lost in a similar place.