TLS handshake error

Hello
I am trying to use TLS.
I use Windows 10 WSL (Ubuntu 18.04).

[Decoder]: Using assembly version of decoder
I0214 01:23:05.240334 1022 init.go:98]

Dgraph version : v1.2.1
Dgraph SHA-256 : 3f18ff84570b2944f4d75f6f508d55d902715c7ca2310799cc2991064eb046f8
Commit SHA-1 : ddcda9296
Commit timestamp : 2020-02-06 15:31:05 -0800
Branch : HEAD
Go version : go1.13.5

$ ls
Server_output.txt Zero_output.txt badger dgraph dgraph-linux-amd64.tar.gz dgraph-ratel serverS zeroSingle

sudo ./dgraph cert
sudo ./dgraph cert -n localhost,127.0.0.1
sudo ./dgraph cert -c dgraphuser

sudo ./dgraph cert ls
[Decoder]: Using assembly version of decoder
-rw-r--r-- ca.crt - Dgraph Root CA certificate
Issuer: Dgraph Labs, Inc.
S/N: 5ee9be84c8c06852
Expiration: 11 Feb 30 23:03 UTC
SHA-256 Digest: C0F0BE6B 22B6EE6B 6DABD310 A20ECBDD 6CCECDF8 0460F7B5 0BE48BB9 581270A4

-r-------- ca.key - Dgraph Root CA key
Algorithm: RSA 2048 bits (PKCS#1)
SHA-256 Digest: C0F0BE6B 22B6EE6B 6DABD310 A20ECBDD 6CCECDF8 0460F7B5 0BE48BB9 581270A4

-rw-r--r-- client.dgraphuser.crt - Dgraph client certificate: dgraphuser
Issuer: Dgraph Labs, Inc.
CA Verify: PASSED
S/N: 6f43912b27790848
Expiration: 12 Feb 25 23:03 UTC
SHA-256 Digest: CA3E8607 87751E13 1EB5E2EA 305CCC82 50BC1E67 9AEA5E90 41EDCD47 29085718

-rw------- client.dgraphuser.key - Dgraph Client key
Algorithm: RSA 2048 bits (PKCS#1)
SHA-256 Digest: CA3E8607 87751E13 1EB5E2EA 305CCC82 50BC1E67 9AEA5E90 41EDCD47 29085718

-rw-r--r-- node.crt - Dgraph Node certificate
Issuer: Dgraph Labs, Inc.
CA Verify: PASSED
S/N: 6fd83332a9bee348
Expiration: 12 Feb 25 23:03 UTC
Hosts: 127.0.0.1, localhost
SHA-256 Digest: B492519E 2F379630 1734352E 2E6AA84E 1AA185D7 75F6266F D795799B 13B8B170

-rw------- node.key - Dgraph Node key
Algorithm: RSA 2048 bits (PKCS#1)
SHA-256 Digest: B492519E 2F379630 1734352E 2E6AA84E 1AA185D7 75F6266F D795799B 13B8B170

It’s OK:
sudo ./dgraph zero --my=localhost:5080 -w zeroSingle |& tee -a Zero_output.txt

Then I try to start alpha:
sudo ./dgraph alpha --tls_client_auth VERIFYIFGIVEN --my=localhost:8080 --lru_mb=3512 --zero=localhost:5080 --tls_dir tls -p serverS/p -w serverS/w -o 0 |& tee -a Server_output.txt

OR

dgraph alpha --tls_dir tls

2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43101: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43102: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43103: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43104: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43105: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43106: tls: first record does not look like a TLS handshake

Could you tell me what I’m doing wrong here?

Do the error messages appear when you start Dgraph or when you try to connect to it via Ratel or some client?

I googled the error message, and most of the pages that mention it say that it is thrown when you try to connect to a secure endpoint using HTTP (or some other protocol that does not understand TLS).

Example: SSL https weird message: first record does not look like a tls handshake [SOLVED] - Getting Help - Go Forum

First I run Dgraph Zero without TLS:
sudo ./dgraph zero --my=localhost:5080 -w zeroSingle |& tee -a Zero_output.txt

Secondly, I run Dgraph Alpha with TLS:
sudo ./dgraph alpha --tls_client_auth VERIFYIFGIVEN --my=localhost:8080 --lru_mb=3512 --zero=localhost:5080 --tls_dir tls -p serverS/p -w serverS/w -o 0 |& tee -a Server_output.txt

And I saw errors at runtime:
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43101: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43102: tls: first record does not look like a TLS handshake
2020/02/14 02:07:52 http: TLS handshake error from 127.0.0.1:43103: tls: first record does not look like a TLS handshake

The commands look alright to me. My question was whether you were doing something with the cluster at the time the errors appeared in the log. Are you running some process that connects to the alphas (e.g. running Ratel or some tests that connect to Dgraph)?

The TLS options are used to connect between the alphas and the clients and from what I can find this message appears when a client that does not understand TLS tries to connect to a server that requires TLS. The TLS options don’t affect communication between alphas and zeros so if there weren’t any clients connecting to the cluster I don’t think this error would be showing.
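The diagnosis above (a client that does not speak TLS hitting a TLS listener) can be confirmed by looking at the first bytes the listener reads. This Go example is added here and is not part of the thread or of Dgraph; it classifies those bytes the way a server-side sniffer would, requiring both the TLS handshake content type 0x16 and major version byte 0x03 (stricter than the content-type-only check behind the "first record does not look like a TLS handshake" message), and treats the HTTP/2 client preface as plaintext gRPC/h2c, which is an assumption about what a non-TLS peer on the wrong port would send.

```go
package main

import (
	"bytes"
	"fmt"
)

// Kind says what a server saw in the first bytes of a new connection.
type Kind string

const (
	KindTLSHandshake   Kind = "tls-handshake"   // TLS record of type handshake (a ClientHello)
	KindPlaintextHTTP1 Kind = "plaintext-http1" // curl http://..., a browser on http://
	KindPlaintextHTTP2 Kind = "plaintext-http2" // h2c preface, i.e. plaintext gRPC (assumption)
	KindUnknown        Kind = "unknown"
)

// h2Preface is the fixed HTTP/2 client connection preface (RFC 7540, section 3.5).
var h2Preface = []byte("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")

// Classify inspects the first bytes read from a connection. A TLS record header is
// 5 bytes (content type, 2-byte version, 2-byte length); a handshake record has content
// type 0x16 and version major byte 0x03. Anything else is what a TLS server rejects
// with "first record does not look like a TLS handshake".
func Classify(first []byte) Kind {
	if len(first) >= 5 && first[0] == 0x16 && first[1] == 0x03 {
		return KindTLSHandshake
	}
	if bytes.HasPrefix(first, []byte("PRI * HTTP/2.0")) {
		return KindPlaintextHTTP2
	}
	for _, m := range []string{"GET ", "POST ", "PUT ", "HEAD ", "DELETE ", "OPTIONS ", "PATCH "} {
		if bytes.HasPrefix(first, []byte(m)) {
			return KindPlaintextHTTP1
		}
	}
	return KindUnknown
}

func main() {
	// Constructed samples: a ClientHello record header, a plaintext request line, the h2c preface.
	for _, s := range [][]byte{
		{0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00, 0xc0},
		[]byte("GET /health HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"),
		h2Preface,
	} {
		fmt.Printf("%-16s %q\n", Classify(s), s[:min(len(s), 16)])
	}
}
```

In practice the same bytes can be captured with a packet capture on the TLS port; a leading 0x16 0x03 is a real handshake, anything starting with an ASCII method or "PRI *" is a plaintext client to fix.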

Here is a video of my actions.

Hello.
Can you fix this bug?

Hello.
I tried to start Dgraph on CentOS (http://mirror.yandex.ru/centos/8.1.1911/isos/x86_64/CentOS-8.1.1911-x86_64-boot.torrent).

I got the errors mentioned above again.

Do you have Ratel open or a client (application) code running? I think that something is running in the background that is trying to connect to Alpha over an insecure connection, causing this log.

Hello.
These are my actions, step by step.

gigihont@ubn:~$ sudo netstat -plnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      641/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      766/sshd
tcp6       0      0 :::6080                 :::*                    LISTEN      1379/dgraph
tcp6       0      0 :::7080                 :::*                    LISTEN      1498/dgraph
tcp6       0      0 :::8080                 :::*                    LISTEN      1498/dgraph
tcp6       0      0 :::22                   :::*                    LISTEN      766/sshd
tcp6       0      0 :::9080                 :::*                    LISTEN      1498/dgraph
tcp6       0      0 :::5080                 :::*                    LISTEN      1379/dgraph

Thank you for the information, I am able to reproduce the issue. Let me figure out what is going on.

Your alpha command is incorrect. You need to use port 7080 instead of 8080, for example --my=<IP>:7080. Let me know if you still face problems.


I tried to fix the port and again got the same error.
These are my commands:

dgraph zero --my=192.168.1.38:5080 -w zeroSingle |& tee -a Zero_output.txt

dgraph alpha --tls_client_auth VERIFYIFGIVEN --my=192.168.1.38:7080 --lru_mb=3512 --zero=192.168.1.38:5080 --tls_dir tls -p serverS/p -w serverS/w -o 0 |& tee -a Server_output.txt

Could you delete the z,w & zw directories and try from scratch? I am assuming that you don’t have any useful data in the cluster.


gigihont@ubn:~/dgraph$ rm -rf *

dgraph cert
dgraph cert -n 192.168.1.38
dgraph cert -c dgraphuser
dgraph cert ls
gigihont@ubn:~/dgraph$ ls -la tls
total 32
drwx------ 2 gigihont gigihont 4096 Feb 18 07:28 .
drwxrwxr-x 3 gigihont gigihont 4096 Feb 18 07:28 ..
-rw-rw-r-- 1 gigihont gigihont 1172 Feb 18 07:28 ca.crt
-r-------- 1 gigihont gigihont 1675 Feb 18 07:28 ca.key
-rw-rw-r-- 1 gigihont gigihont 1168 Feb 18 07:28 client.dgraphuser.crt
-rw------- 1 gigihont gigihont 1675 Feb 18 07:28 client.dgraphuser.key
-rw-rw-r-- 1 gigihont gigihont 1204 Feb 18 07:28 node.crt
-rw------- 1 gigihont gigihont 1675 Feb 18 07:28 node.key

dgraph zero --my=192.168.1.38:5080 -w zeroSingle |& tee -a Zero_output.txt

dgraph alpha --tls_client_auth VERIFYIFGIVEN --my=192.168.1.38:7080 --lru_mb=3512 --zero=192.168.1.38:5080 --tls_dir tls -p serverS/p -w serverS/w -o 0 |& tee -a Server_output.txt

Thank you, it works perfectly.

When I start Alpha, for security, must I put only the node.crt certificate in the tls folder?

Perfect, it was hard to notice the wrong port until I tried it on my PC. Providing detailed steps really helps. Alpha needs everything except the client keys, because it needs to verify all the communication, from clients and from other alphas.
