Using CA generated PEM files for Dgraph tls

I’m trying to use LetsEncrypt-generated certificate/keyfile artifacts to allow a web app to query graphql. I tried placing the ‘fullchain.pem’ and ‘privkey.pem’ in the tls directory… Insomnia is OK with it but Chrome errors with ERR_CERT_AUTHORITY_INVALID.

dgraph cert ls yields

[Decoder]: Using assembly version of decoder
-rw-r--r-- ca.crt - <redacted-domain>.com certificate
        Issuer: Let's Encrypt
           S/N: 044d084b401XXXXde1b6ec6a8d4bc7bfd5e
    Expiration: 14 Feb 21 18:41 UTC
SHA-256 Digest: XXXXXXX 2BC75D05 139FAB42 F30E316F F2936468 C45380CF DB716D5B 6F9616D2

ca.key: error: Unknown PEM type: PRIVATE KEY


I tried converting the privkey.pem to a DER formatted key via

sudo openssl rsa -outform der -in privkey.pem -out tls/ca.key

But dgraph cert ls balks at that too

ca.key: error: Failed to read key block

Maybe someone has used CA generated PEMs before?

An update for anyone searching for how to do this… the correct command to change the PEM to an RSA key format that dgraph likes:

openssl rsa -in privkey.pem -out tls/ca.key

That made dgraph cert ls happy, but not Chrome. I then tried copying ca.crt to node.crt and ca.key to node.key and voila: Chrome is happy to connect to dgraph via SSL now.

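Added example, not part of the original post and not Dgraph's own code: `Unknown PEM type: PRIVATE KEY` is the label of a PKCS#8 key block, and the `openssl rsa -in privkey.pem -out tls/ca.key` step that fixed it re-encodes the key as PKCS#1 (`RSA PRIVATE KEY`). This Go sketch does the same re-encoding and rejects DER input and non-RSA keys; the function name `toPKCS1` and the stdin/stdout usage are assumptions of the example.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"log"
	"os"
)

// toPKCS1 re-encodes a PEM private key (PKCS#8 or PKCS#1) as PKCS#1 "RSA PRIVATE KEY".
func toPKCS1(in []byte) ([]byte, error) {
	block, _ := pem.Decode(in)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found (DER input?)")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // already PKCS#1: validate, then pass through
		if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(block), nil
	case "PRIVATE KEY": // PKCS#8 wrapper, the type dgraph cert ls rejected above
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok { // e.g. an ECDSA key, which has no PKCS#1 form
			return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", key)
		}
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)}), nil
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

func main() { // usage: go run pkcs1.go < privkey.pem > ca.key
	in, err := io.ReadAll(os.Stdin)
	if err != nil {
		log.Fatal(err)
	}
	out, err := toPKCS1(in)
	if err != nil {
		log.Fatal(err)
	}
	os.Stdout.Write(out)
}
```

On OpenSSL 3.x, `openssl rsa` writes PKCS#8 unless `-traditional` is passed, so check the first line of the output file for `BEGIN RSA PRIVATE KEY`. Restrict the resulting key file to its owner (for example mode 0600), since the redirect creates it with the shell's default umask.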