TLS connection - Error: 14 UNAVAILABLE: Connect Failed

Moved from GitHub dgraph-js/50

Posted by mkucharz:

I’m trying to set up a secure gRPC connection. What I have done so far:

  • generate certs using dgraph cert
  • verify fingerprints and certs using openssl (openssl verify -verbose -CAfile ca.crt node.crt)
  • check the connection and certs crescents with openssl s_client -connect 176.9.122.98:9080 -CAfile ca.crt
  • set up connection:
const rootCert = fs.readFileSync(path.join(__dirname, 'certs', 'ca.crt'))
const clientData = new dgraph.DgraphClientStub(
  '<my_external_machine_IP_address>:9080',
  grpc.credentials.createSsl(rootCert)
)
  • try to connect: Error: 14 UNAVAILABLE: Connect Failed

In addition I configured an NGINX gRPC proxy, first without SSL (works fine), then with SSL (same error as above).

Any ideas what else to check and what can be wrong? Has anyone successfully configured dgraph-js to work with TLS?

gorjuspixels commented :

It’s working for us (though we’re not using nginx… couldn’t set up gRPC and SSL through it successfully).

But anyways, our grpc credentials look like this:

grpc.credentials.createSsl(caCrt, clientKey, clientCrt)

danielmai commented :

@gorjuspixels is right. If the system isn’t configured to trust the root CA generated by dgraph cert then you must provide it along with the client certificate and client certificate key to be properly authenticated.

Also, you shouldn’t set https:// in the address name. The address host and port is sufficient.

danielmai commented :

There is now example code for connecting dgraph-js and Dgraph with mutual TLS. Please see the TLS example linked in the README:

Try out the example and feel free to re-open this issue if you’re still having the issue.

mkucharz commented :

@danielmai https was left after testing dgraph-js-http… I’ve updated the original question (because I still had a problem even without https).

Anyway, your @gorjuspixels and @danielmai responses were very helpful.

It turned out that the problem was in the common name of the certificate… I forgot to generate it with additional host names, more info here:
https://docs.dgraph.io/deploy#file-naming-conventions

Leaving this message mainly for other people lost in a similar place 🙂
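
The name mismatch described in the last post, as an added example that is not part of the thread: it uses Node's built-in `tls.checkServerIdentity` to show which dial addresses a certificate's names cover. The certificate objects, the host name `alpha.example.test` and the address `192.0.2.10` are constructed for illustration; gRPC performs its own hostname check during the TLS handshake.

```javascript
const tls = require('tls');

// Constructed certificate summaries in the shape returned by
// tlsSocket.getPeerCertificate(). They stand in for a node certificate
// issued without and with additional host names (assumed values).
const certLocalhostOnly = {
  subject: { CN: 'localhost' },
  subjectaltname: 'DNS:localhost',
};
const certWithExtraNames = {
  subject: { CN: 'localhost' },
  subjectaltname: 'DNS:localhost, DNS:alpha.example.test, IP Address:192.0.2.10',
};

// Strip the port from a "host:port" address (host names and IPv4 only).
function hostOf(address) {
  const i = address.lastIndexOf(':');
  return i === -1 ? address : address.slice(0, i);
}

// Returns null when the certificate covers the address, otherwise the
// reason reported by Node's verifier (code ERR_TLS_CERT_ALTNAME_INVALID).
function nameMismatch(address, cert) {
  const err = tls.checkServerIdentity(hostOf(address), cert);
  return err ? err.message : null;
}

// Report coverage for every address a client might dial.
function coverage(addresses, cert) {
  return addresses.map((a) => ({ address: a, ok: nameMismatch(a, cert) === null }));
}

// Constructed list of addresses a client stub could be pointed at.
const dialed = ['localhost:9080', 'alpha.example.test:9080', '192.0.2.10:9080'];
console.log(coverage(dialed, certLocalhostOnly));
console.log(coverage(dialed, certWithExtraNames));
```

Against a live server, the same comparison can be made on the object returned by `getPeerCertificate()` after a `tls.connect` to the node's address.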