Connect with client cert throws NoHostAvailableException


Michael Colussi

Nov 4, 2016, 9:10:44 PM
to DataStax C# Driver for Apache Cassandra User Mailing List
I have a working setup of client certificate auth using Cassandra 3.0.9. I am able to connect using "cqlsh --ssl".

However, when I try to connect with the C# driver (3.0.9) I get:
Cassandra.NoHostAvailableException: None of the hosts tried for query are available (tried: ...)

Am I not loading the cert correctly? All the cert properties seem fine.

using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using Cassandra;

// contactPoint, user and pass are defined elsewhere in the calling code
static ISession ConnectWithClientCert(string contactPoint, string user, string pass)
{
    // Create a collection object and populate it using the PFX file
    var collection = new X509Certificate2Collection();
    collection.Import(@"C:\client.pfx", "PASSWORD", X509KeyStorageFlags.PersistKeySet);
    // prep SSLOptions
    var options = new SSLOptions();
    // assign certs
    options.SetCertificateCollection(collection);
    // skip validation of remote cert (SSL): this callback accepts any server certificate
    options.SetRemoteCertValidationCallback((a1, a2, a3, a4) => true);
    var cluster = Cluster.Builder()
            .AddContactPoint(contactPoint)
            .WithCredentials(user, pass)
            .WithSSL(options)
            .Build();
    try {
        var session = cluster.Connect();
        return session;
    } catch (Exception ex) {
        Debug.WriteLine(ex.ToString());
        throw;
    }
}

Thanks,
Mike

Mike

Nov 6, 2016, 8:00:06 PM
to DataStax C# Driver for Apache Cassandra User Mailing List
I turned on .net verbose tracing and got a better error:
System.Net Information: 0 : [10224] SecureChannel#52077944 - We have user-provided certificates. The server has specified 2 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [10224] SecureChannel#52077944 - Left with 0 client certificates to choose from.

Also, it works fine with a self-signed cert. Seems like a .NET intermediate cert problem.

Jorge Bay Gondra

Nov 7, 2016, 3:21:32 AM
to csharp-dr...@lists.datastax.com
Hi Mike,
You can check the SSL policy errors that are causing the client validation to fail using the RemoteCertificateValidationCallback.
A common issue is that the certificate name must match the machine's hostname.

If you want to disable client/server identification within SSL, you can use an SslOptions instance with no client certificate.

Jorge

--
You received this message because you are subscribed to the Google Groups "DataStax C# Driver for Apache Cassandra User Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to csharp-driver-user+unsub...@lists.datastax.com.

משה באשר

Feb 26, 2017, 8:13:03 AM
to DataStax C# Driver for Apache Cassandra User Mailing List
Hey, I have the same problem.
I am currently trying to test the 2-way SSL on my local computer and all certificates are self-signed.
(DataStax) Cassandra 3.9.0, cqlsh 5.0.1, latest C# driver.

I too use client_auth = true and client_encryption = enabled
My code looks almost the same, I just added :

// custom host resolver to resolve server ip to certificate CN
options.SetHostNameResolver((internalIPAddress) =>
{
    return "my-hostname"; // my hostname is also used as alias and as CN name in keytool so it matches 100%
});

(Also, the certificate name matches the server hostname.)

I can't find the cause of the failure, any suggestions?
P.S.: using cqlsh --ssl works!

Jorge Bay Gondra

Feb 27, 2017, 3:37:46 AM
to csharp-dr...@lists.datastax.com
Hi,
You should set a remote certificate validation handler:

options.SetRemoteCertValidationCallback(handler);

Thanks,
Jorge

משה באשר

Feb 27, 2017, 6:23:31 AM
to DataStax C# Driver for Apache Cassandra User Mailing List
I did, just like Mike.
I just found out that the problem was the way I generated the user's key (missing a flag).

What I did wrong (works with cqlsh --ssl but not with C#):
keytool -importkeystore -srckeystore c:\keystore -destkeystore c:\userkey.p12 -deststoretype PKCS12

Solution:
keytool -importkeystore -srckeystore c:\keystore -destkeystore c:\userkey.p12 -srcstoretype JKS -deststoretype PKCS12

I don't know why cqlsh doesn't care, but the C# driver does.
Hope it helps others as well!
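An added example (not code from any post in this thread) that puts Jorge's advice and Moshe's finding together: it loads the PFX, prints whether each certificate actually carries a private key (the symptom behind "Left with 0 client certificates to choose from") and whether its chain builds, and replaces the always-true callback with one that reports the SslPolicyErrors and chain status before rejecting the server certificate. The PFX path, password, contact point and credentials are placeholder values.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Cassandra;

static class ClientCertDiagnostics
{
    // Load the PFX and show what .NET will have to offer when the server requests a client cert.
    // A cert without a private key is never offered, giving "Left with 0 client certificates".
    public static X509Certificate2Collection LoadAndInspect(string pfxPath, string password)
    {
        var collection = new X509Certificate2Collection();
        collection.Import(pfxPath, password, X509KeyStorageFlags.PersistKeySet);
        foreach (X509Certificate2 cert in collection)
        {
            Console.WriteLine($"Subject={cert.Subject} Issuer={cert.Issuer} HasPrivateKey={cert.HasPrivateKey}");
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check only
                bool builds = chain.Build(cert);
                Console.WriteLine($"  chain builds={builds}, elements={chain.ChainElements.Count}");
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.WriteLine($"  chain status: {s.Status} {s.StatusInformation}");
            }
        }
        return collection;
    }
    // Server certificate validation that reports the policy errors instead of hiding them.
    public static bool ValidateServerCert(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine($"Server certificate rejected: {errors}"); // e.g. RemoteCertificateNameMismatch
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"  {s.Status}: {s.StatusInformation}");
        return false; // stay strict: fix the cert, the hostname resolver or the trust store instead
    }
    // Placeholder values: PFX path/password, contact point and credentials are assumptions.
    public static ISession Connect()
    {
        var options = new SSLOptions();
        options.SetCertificateCollection(LoadAndInspect(@"C:\client.pfx", "PASSWORD"));
        options.SetRemoteCertValidationCallback(ValidateServerCert);
        return Cluster.Builder()
            .AddContactPoint("127.0.0.1").WithCredentials("cassandra", "cassandra")
            .WithSSL(options).Build()
            .Connect();
    }
}
```

Run LoadAndInspect on the PKCS12 produced by each of the two keytool commands above: the one exported without -srcstoretype JKS is the one whose certificate shows HasPrivateKey=False.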
