-proto_dist inet_tls

Michael Johnson mj at mediatemple.net
Fri Oct 12 16:56:21 EDT 2012


Well, I have ruled out this being an erlang problem.  I've been able to
follow the erlang documentation to create 2 nodes (each in it's own virtual
machine) and connect successfully from one to the other in the same way
that nodetool tries to.  This means something about the way riak is doing
things does not play nicely when proto_dist is set to inet_tls.

I'm going to be doing some more poking and proding, but maybe someone else
can provide some insight?  Thanks.

On Fri, Oct 12, 2012 at 11:49 AM, Michael Johnson <mj at mediatemple.net>wrote:

> Has anyone successfully configured riak so that the erlang cluster
> communication happens over SSL?  I ask because as near as I can tell it
> simply does not work.  The default vm.args (
> https://github.com/basho/riak/blob/master/rel/files/vm.args) contains the
> following lines:
>
>
> ## To enable SSL encryption of the Erlang intra-cluster communication,
> ## un-comment the three lines below and make certain that the paths
> ## point to correct PEM data files.  See docs TODO for details.
>
> ## -proto_dist inet_ssl
> ## -ssl_dist_opt client_certfile "{{platform_etc_dir}}/erlclient.pem"
> ## -ssl_dist_opt server_certfile "{{platform_etc_dir}}/erlserver.pem"
>
> This information is not correct for current versions of erlang (including
> the one basho bundles in the binary packages).  Instead of '-proto_dist
> inet_ssl' it should be '-proto_dist inet_tls'
>
> Once I correct that problem, the beam process will start, however,
> nodetool cannot talk to the node and thus the initscript fails (while
> leaving a running riak process).  At first I suspected this might be a
> problem with nodetool, but I cannot join the nodes together.
>
> I am starting to think this may be a problem with erlang and thus just not
> going to work.  I'm going to try following the instructions at
> http://www.erlang.org/doc/apps/ssl/ssl_distribution.html to build a
> simple test app that handles the cluster communication over SSL, so then I
> should know if this is a riak problem or if it is an erlang problem.
>
> In the mean time, if anyone has information one way or the other, it would
> be appreciated.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20121012/7f96b2aa/attachment.html>


More information about the riak-users mailing list