TLS connection - Error: 14 UNAVAILABLE: Connect Failed
mkucharz opened this issue · 4 comments
I'm trying to set up a secure gRPC connection. What I have done so far:
- generate certs using dgraph cert
- verify fingerprints and certs using OpenSSL (openssl verify -verbose -CAfile ca.crt node.crt)
- check the connection and certs crescents with openssl s_client -connect 176.9.122.98:9080 -CAfile ca.crt
- set up connection:
  const rootCert = fs.readFileSync(path.join(__dirname, 'certs', 'ca.crt'))
  const clientData = new dgraph.DgraphClientStub(
    '<my_external_machine_IP_address>:9080',
    grpc.credentials.createSsl(rootCert)
  )
- try to connect:
  Error: 14 UNAVAILABLE: Connect Failed

In addition I configured NGINX grpc proxy, first without SSL (works fine), then with SSL (same error as above).
Any ideas what else to check and what can be wrong? Did anyone successfully configure dgraph-js to work with TLS?

It's working for us (though we're not using nginx... couldn't set up gRPC and SSL through it successfully).
But anyways, our grpc credentials look like this:
  grpc.credentials.createSsl(caCrt, clientKey, clientCrt)

@gorjuspixels is right. If the system isn't configured to trust the root CA generated by dgraph cert, then you must provide it along with the client certificate and client certificate key to be properly authenticated.
Also, you shouldn't set https:// in the address name. The address host and port is sufficient.
There is now example code for connecting dgraph-js and Dgraph with mutual TLS. Please see the TLS example linked in the README:
https://github.com/dgraph-io/dgraph-js#examples
https://github.com/dgraph-io/dgraph-js/tree/master/examples/tls
Try out the example, and feel free to re-open this issue if you're still having the issue.

@danielmai https was left after testing dgraph-js-http... I've updated the original question (because I still had a problem even without https).
Anyway, your responses, @gorjuspixels and @danielmai, were very helpful.
It turned out that the problem was in the common name of the certificate... I forgot to generate it with additional host names, more info here:
https://docs.dgraph.io/deploy#file-naming-conventions
Leaving this message mainly for other people lost in a similar place :)
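
An added example, not part of the thread and not dgraph-js code: a pre-flight check for the two causes named above, a scheme prefix in the address and a node certificate that does not list the host being dialed. The function name checkDialTarget, the sample certificates and the address 203.0.113.10 are constructed for illustration, and Node's tls.checkServerIdentity is assumed here as a stand-in for the name check the gRPC TLS stack performs.

```javascript
const tls = require('tls');

// `address` is the string that would be passed to DgraphClientStub.
// `cert` has the shape returned by tlsSocket.getPeerCertificate():
// { subject: { CN }, subjectaltname: 'DNS:..., IP Address:...' }.
function checkDialTarget(address, cert) {
  // Advice from the thread: pass host:port only, no https:// prefix.
  if (/^https?:\/\//i.test(address)) {
    return { ok: false, reason: 'address must be host:port without a scheme' };
  }
  const idx = address.lastIndexOf(':');
  if (idx <= 0) {
    return { ok: false, reason: 'address has no port' };
  }
  const host = address.slice(0, idx);
  // Returns undefined when the name matches, an Error object otherwise.
  const err = tls.checkServerIdentity(host, cert);
  return err
    ? { ok: false, reason: err.message }
    : { ok: true, reason: 'name matches certificate' };
}

// Constructed sample certificates (not taken from the thread).
// First: a node certificate issued for localhost only.
const localhostOnly = { subject: { CN: 'node' }, subjectaltname: 'DNS:localhost' };
// Second: the same certificate reissued with the external address included.
const withExternalIp = {
  subject: { CN: 'node' },
  subjectaltname: 'DNS:localhost, IP Address:203.0.113.10',
};

function demo() {
  return [
    ['203.0.113.10:9080', localhostOnly],         // name mismatch
    ['203.0.113.10:9080', withExternalIp],        // matches
    ['https://203.0.113.10:9080', withExternalIp], // scheme prefix
    ['localhost:9080', localhostOnly],            // matches
  ].map(([address, cert]) => ({ address, ...checkDialTarget(address, cert) }));
}

for (const r of demo()) {
  console.log(`${r.address} -> ${r.ok ? 'OK' : 'FAIL'}: ${r.reason}`);
}
```

Against a live server, the same object can be obtained from getPeerCertificate() on a tls.connect socket and passed in unchanged.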