Self-Signed Certificate in AKS


Cristiano Rodrigues

Apr 8, 2021, 9:59:01 AM
to RavenDB - an awesome database
Hello guys! I created a docker image with version 4.2.1 of RavenDB using a self-signed certificate and everything was working on my Kubernetes cluster. I decided to recreate the image with version 5.1.5 using the same self-signed certificate, but I can't add the nodes, because I get this error. 
--- 
System.InvalidOperationException: An exception was thrown while trying to connect to 'https://prod02.ravendb.XXXXXX.azure': Raven.Client.Exceptions.RavenException: An exception occurred while contacting https://prod02.ravendb.XXXXXX.azure/info/tcp?tag=Test-Connection. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Raven.Client.Http.RequestExecutor.SendAsync[TResult](ServerNode chosenNode, RavenCommand`1 command, SessionInfo sessionInfo, HttpRequestMessage request, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1075
   at Raven.Client.Http.RequestExecutor.SendRequestToServer[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, HttpRequestMessage request, String url, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1037.
The server at https://prod02.ravendb.XXXXXX.azure/info/tcp?tag=Test-Connection responded with status code: ServiceUnavailable. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Raven.Client.Http.RequestExecutor.SendAsync[TResult](ServerNode chosenNode, RavenCommand`1 command, SessionInfo sessionInfo, HttpRequestMessage request, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1075
   at Raven.Client.Http.RequestExecutor.SendRequestToServer[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, HttpRequestMessage request, String url, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1037
   --- End of inner exception stack trace ---
   at Raven.Client.Http.RequestExecutor.ThrowFailedToContactAllNodes[TResult](RavenCommand`1 command, HttpRequestMessage request) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1150
   at Raven.Client.Http.RequestExecutor.SendRequestToServer[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, HttpRequestMessage request, String url, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 1037
   at Raven.Client.Http.RequestExecutor.ExecuteAsync[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Client\Http\RequestExecutor.cs:line 901
   at Raven.Server.Utils.ReplicationUtils.GetTcpInfoAsync(String url, String databaseName, String databaseId, Int64 etag, String tag, X509Certificate2 certificate, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\Utils\ReplicationUtils.cs:line 44
   at Raven.Server.Utils.ReplicationUtils.GetTcpInfoAsync(String url, String databaseName, String tag, X509Certificate2 certificate, CancellationToken token) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\Utils\ReplicationUtils.cs:line 29
   at Raven.Server.ServerWide.ServerStore.TestConnectionToRemote(String url, String database) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\ServerWide\ServerStore.cs:line 3048
   at Raven.Server.Documents.Handlers.Admin.RachisAdminHandler.AddNode() in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\Documents\Handlers\Admin\RachisAdminHandler.cs:line 336
   at Raven.Server.Routing.RequestRouter.HandlePath(RequestHandlerContext reqCtx) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\Routing\RequestRouter.cs:line 351
   at Raven.Server.RavenServerStartup.RequestHandler(HttpContext context) in C:\Builds\RavenDB-Stable-5.1\51018\src\Raven.Server\RavenServerStartup.cs:line 242
--- 
I have already deleted the entire cluster, including the PVCs.
Thank you for your help!

Oren Eini (Ayende Rahien)

Apr 9, 2021, 3:53:11 AM
to ravendb
When using self-signed certificates, you have to trust the certificate signer, so you need to add it to the machine's trusted store.


Cristiano Rodrigues

Apr 9, 2021, 9:07:46 AM
to RavenDB - an awesome database

Oren Eini, 

I'll explain further ... I followed the tutorial in the RavenDB documentation for installing on an AKS cluster and created my own image using my self-signed certificate, exactly as described in the documentation.
This image worked very well with version 4.2 in my two environments. However, after upgrading to 5.1.5 in just one of the environments, the error above appears and the nodes cannot be added to the cluster. The other cluster is working very well. Here is my Dockerfile:
--- Dockerfile ---
FROM ravendb/ravendb:5.1-ubuntu-latest
ADD ./Certificate/XXXXXX.azure.crt /usr/local/share/ca-certificates/XXXXXX.azure.crt
RUN update-ca-certificates
---

This is the basis of my image, which works on one AKS cluster and doesn't work on another AKS cluster. The only thing I changed was the version of the RavenDB image; previously I was using 4.2-ubuntu-latest.

My big question is why it stopped working just by changing the version tag and why the new image works in one cluster and does not work in another, since it is the same image.

Thanks,
Cristiano Rodrigues
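The Dockerfile above relies on two things going right: the file must land in /usr/local/share/ca-certificates with a `.crt` extension (update-ca-certificates ignores any other extension), and the resulting system store must actually validate the node certificate, since the "rejected by the provided RemoteCertificateValidationCallback" error means the node's own HTTP client did not trust the peer. The script below is an added example, not code from the thread or from RavenDB: it generates a throwaway self-signed certificate (a constructed sample standing in for XXXXXX.azure.crt) and exposes the checks as functions that can be run inside the built image against the real certificate path. It assumes the `openssl` CLI is present in the container.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the trust-store approach
# used in the Dockerfile. Assumes the openssl CLI is available in the image.
# The real certificate in the thread lives at
# /usr/local/share/ca-certificates/XXXXXX.azure.crt; here a throwaway one is
# generated so the script runs offline.

# Create a constructed self-signed test certificate and key in directory $1.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ravendb.example.test" \
    -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
}

# Self-signed means subject and issuer are identical; such a certificate is its
# own signer, so the trust store must contain this exact certificate, not some
# upstream CA. Exit status 0 when self-signed.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# update-ca-certificates only picks up files under /usr/local/share/ca-certificates
# whose name ends in .crt; anything else is silently skipped.
has_crt_extension() {
  case "$1" in
    *.crt) return 0 ;;
    *)     return 1 ;;
  esac
}

# Chain validation as seen by a client that has CAFILE ($2) in its trust store.
verify_with_cafile() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Chain validation against the system store only; this is what fails until
# update-ca-certificates has installed the certificate.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Usage inside the image: sh check_cert.sh /usr/local/share/ca-certificates/XXXXXX.azure.crt
if [ "$#" -ge 1 ]; then
  cert=$1
  has_crt_extension "$cert" || echo "WARN: $cert lacks a .crt extension; update-ca-certificates will ignore it"
  is_self_signed "$cert" && echo "INFO: certificate is self-signed (subject == issuer)"
  if verify_with_system_store "$cert"; then
    echo "OK: system trust store accepts $cert"
  else
    echo "FAIL: system trust store rejects $cert; check that update-ca-certificates ran in this image"
  fi
fi
```

Run with no arguments it only defines the functions; pass the certificate path to get a verdict. A FAIL from `verify_with_system_store` on a node whose Dockerfile matches the one above points at the build step (wrong extension, wrong directory, or update-ca-certificates not run) rather than at RavenDB.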

Oren Eini (Ayende Rahien)

Apr 14, 2021, 8:26:25 AM
to ravendb
Can we setup a call to look into this?
