ssl support?

Michael Johnson mj at mediatemple.net
Fri Aug 3 13:36:44 EDT 2012


Just in case anyone else is running into this same problem, it turns out
that the root cause is a failing in the way erlang R14B04.  This is the
version of erlang bundled in the basho provided riak 1.1.4 packages as well
as the version provided by centos 5 and centos 6.

This problem is resolved in the current version of erlang (R15B01).  Basho
currently does not plan on releasing new packages of riak 1.1.4 as riak 1.2
is about to be released and will be bundled with erlang R15B01 resolving
this problem.

If you need to resolve this problem with riak or any other erlang
application, you can build and install the current version of erlang and
then build the application against the newly installed erlang.

On Mon, Jul 16, 2012 at 8:48 AM, Michael Johnson <mj at mediatemple.net> wrote:

> I'll be filing this as a bug as it doesn't seem to be a configuration
> problem.  Perhaps most people aren't using SSL?  While we could potentially
> get away with network segregation, I would much prefer having the traffic
> encrypted as well.
> On Jul 13, 2012 3:08 PM, "Michael Johnson" <mj at mediatemple.net> wrote:
>
>> I gave compiling from source a try, but it did not make a difference.
>>
>> It turns out that for some reason, the method I have always used to
>> generate self-signed certificates doesn't seem to result in certificates
>> that work with riak even though they work for OpenLDAP, nginx, apache, and
>> other stuff.
>>
>> Here is the way I typically create certificates:
>>
>> openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout
>> /etc/riak/ssl.key -out /etc/riak/ssl.crt
>>
>> I like this because it's a simple one-liner.  Basho does point you to
>> http://www.akadia.com/services/ssh_test_certificate.html for directions
>> on how to generate a certificate, and if you follow those directions, you
>> do indeed get a certificate that works with riak.
>>
>> If this only affected my self-signed certificates, I would be fine moving
>> on at this point.  However, I have tried using certificates that are signed
>> by real ssl cert signing authorities and they have not been working either.
>>
>> I fully admit that I'm not an ssl expert, and have no idea what would be
>> the critical difference between my methodology for creating self-signed
>> certs, the methodology basho points to, and the way the legit cert I
>> tried was created/signed.  Any insight?
>>
>> On Fri, Jul 13, 2012 at 2:06 PM, Michael Johnson <mj at mediatemple.net> wrote:
>>
>>> (reposting with the rest of the thread removed... it was too big and
>>> getting moderated)
>>>
>>> Yup, they are:
>>>
>>> [root at riak01 riak]# ls -al /etc/riak/ssl.*
>>> -rw-r--r--. 1 root root 2122 Jul 12 16:49 /etc/riak/ssl.crt
>>> -rw-r--r--. 1 root root 3272 Jul 12 16:49 /etc/riak/ssl.key
>>>
>>> In fact, I straced the beam process to see if that would show anything
>>> outside of what was showing up in the logs and noticed one thing that was
>>> somewhat interesting.  The process checks to see if the cert and key files
>>> are writeable (which they are not).  On the off chance that that was
>>> problematic, I changed the owner and group of the cert and key to be 'riak'
>>> and the check for write access was succeeding, however it didn't change the
>>> end result.  Here is a snip from the strace before changing the owner and
>>> group:
>>>
>>> 31520 stat("/etc/riak/ssl.crt",  <unfinished ...>
>>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
>>> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
>>> 31520 access("/etc/riak/ssl.crt", W_OK) = -1 EACCES (Permission denied)
>>> ...
>>> 31520 stat("/etc/riak/ssl.key",  <unfinished ...>
>>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
>>> 31520 access("/etc/riak/ssl.key", R_OK) = 0
>>> 31520 access("/etc/riak/ssl.key", W_OK) = -1 EACCES (Permission denied)
>>>
>>> And after:
>>> 31520 stat("/etc/riak/ssl.crt",  <unfinished ...>
>>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=2122, ...}) = 0
>>> 31520 access("/etc/riak/ssl.crt", R_OK) = 0
>>> 31520 access("/etc/riak/ssl.crt", W_OK) = 0
>>> ...
>>> 31520 stat("/etc/riak/ssl.key",  <unfinished ...>
>>> 31520 <... stat resumed> {st_mode=S_IFREG|0644, st_size=3272, ...}) = 0
>>> 31520 access("/etc/riak/ssl.key", R_OK) = 0
>>> 31520 access("/etc/riak/ssl.key", W_OK) = 0
>>>
>>> On Fri, Jul 13, 2012 at 1:34 PM, Dave Parfitt <dparfitt at basho.com> wrote:
>>>
>>>> Hi Michael -
>>>>
>>>>    [root at riak01 riak]# openssl verify /etc/riak/ssl.crt
>>>>
>>>> I see you are using root to create/verify these certs - are they
>>>> readable by the riak user?
>>>>
>>>>
>>
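
The readability question raised in the thread, and the `-rw-r--r--` mode on /etc/riak/ssl.key in the listing, can be checked with a short script. This is an added example, not part of the original thread or of Basho's tooling; the function names and the ".key suffix means private key" rule are assumptions, and only the classic mode bits are read (no ACLs, SELinux policy, or parent-directory checks).

```python
import grp
import os
import pwd
import stat
import sys

def mode_allows_read(st, uid, gids):
    """Owner/group/other read check for one identity (mode bits only)."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_tls_file(path, uid, gids, is_private_key):
    """Return a list of findings for one certificate or key file."""
    st = os.stat(path)
    findings = []
    if not mode_allows_read(st, uid, gids):
        findings.append("service account cannot read file")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if is_private_key and st.st_mode & stat.S_IROTH:
        findings.append("private key readable by every local user")
    return findings

def identity(username):
    """Resolve a username to (uid, set of gids) from the local databases."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids |= {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids

if __name__ == "__main__":
    # e.g. audit.py riak /etc/riak/ssl.crt /etc/riak/ssl.key
    if len(sys.argv) < 3:
        print("usage: audit.py <service-user> <file>...")
    else:
        uid, gids = identity(sys.argv[1])
        for path in sys.argv[2:]:
            # Assumption: private keys are recognised by a .key suffix.
            found = audit_tls_file(path, uid, gids, path.endswith(".key"))
            print(path, "OK" if not found else "; ".join(found))
```

With the modes shown in the `ls -al` output, the key file would be reported as readable by every local user while the certificate would pass.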