"A security error occurred" communicating with server


Mark Warpool
Jan 10, 2018, 5:42:41 PM
to RavenDB - 2nd generation document database

I'm working on a new project and wanting to use Raven 4, I've set up a document store and provided the client certificate I generated using the studio.  The DocumentStore initializes fine, but as soon as I try to open a session I get an error that the replication topology couldn't be retrieved.  Examining the exception deeper, there's an inner exception of type WinHttpException - "A security error occurred ...".  This is presumably because the SSL certificate presented by the database has a SN of "a.xxxxx.dbs.local.ravendb.net", which is quite different than the URL I'm using to access it (I'm using the IP address).

Am I missing something obvious, or do I need to put another gateway in front of my server to present an SSL certificate that matches up with the URLs I would use to access it? Unless I fake out the DNS using the hosts file on every single machine I deploy to (which I don't think is even possible for my situation), how would the certificate generated by the setup ever match the accessible URL?

Oren Eini (Ayende Rahien)
Jan 10, 2018, 5:47:31 PM
to ravendb
Mark,
When you set up the server using the wizard, you provided the IP to bind to this machine, right?
Try hitting that URL in the browser. We have updated the _global_ DNS setting with the IP you specified for this URL.

In other words, you should be able to just use that URL and everything Just Works.

See this video for a demo:

And this for the gory details:

Hibernating Rhinos Ltd
Oren Eini | CEO | Mobile: +972-52-548-6969
Office: +972-4-622-7811 | Fax: +972-153-4-622-7811

Mark Warpool
Jan 10, 2018, 6:19:20 PM
to RavenDB - 2nd generation document database
Thanks for the quick reply Oren.  Yes, it works fine from the host machine(s), but those host machines are located on an isolated network behind a gateway/firewall.  So the IP/DNS that I use will be quite different.  I fear I'm going to have to do all kinds of magic to make this work.

Mark Warpool
Jan 10, 2018, 7:41:45 PM
to RavenDB - 2nd generation document database
So in digging through the client code, I found that I could attach a 'ServerCertificateCustomValidationCallback' to the RequestExecutor. So I wrote a little code to check the certificate against an "acceptable" list of certificate subject names (just to make sure it's not just an open door). But then I get a new error stating that it was unable to communicate with any of the cluster nodes. It appears that the DocumentStore.Urls are only used to retrieve the topology, but then the actual sessions/commands use the DNS name registered to each individual node.

So, as far as I can tell, unless your application is on the same subnet (or is able to route directly to the subnet) that the cluster/nodes are on, you can never use RavenDB? So I guess it would never be possible to set up a virtual machine in Azure and develop locally (which is actually what I'm doing). This seems awfully limiting.

Oren Eini (Ayende Rahien)
Jan 11, 2018, 8:08:26 AM
to ravendb
Mark,
The setup wizard is intended for a common scenario, in particular where you can access the server and you are on a flat network.
If you have a more constrained situation, you'll need to configure things manually.

In this case, there are a few settings you need to pay attention to:

ServerUrl - determines where the server will listen. On the cloud, that is usually the internal server IP.
PublicServerUrl - determines the URL that the _clients_ are going to use to talk to the server. On the cloud, usually the external IP or a hostname mapped to it.
Security.Certificate.Path - the path to the pfx for securing the communication. It can be from Let's Encrypt or can be self-signed. If it is self-signed, you need to use ServerCertificateCustomValidationCallback to ensure that it is trusted on the client.


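As an added example (not code from this thread or from RavenDB itself), a validation callback that pins the server certificate by thumbprint instead of trusting any certificate whose subject name is on an allow list, which is all the subject-name check Mark describes would do; it also covers the self-signed case Oren mentions. The `RequestExecutor.ServerCertificateCustomValidationCallback` wiring and delegate signature, the thumbprint value and the database name are assumptions or placeholders; check them against the client version you use.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Raven.Client.Documents;
using Raven.Client.Http;

public static class PinnedServerCertificate
{
    // Thumbprints of the server certificates this client may talk to, copied from
    // the Studio or read from the server's pfx. Placeholder value, not a real one.
    private static readonly HashSet<string> AllowedThumbprints = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "0000000000000000000000000000000000000000" };

    // Same shape as HttpClientHandler.ServerCertificateCustomValidationCallback;
    // the RavenDB client is assumed to accept this delegate on RequestExecutor.
    public static bool Validate(HttpRequestMessage request, X509Certificate2 cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Standard validation succeeded (e.g. a Let's Encrypt certificate reached
        // through the hostname it was issued for): nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // No certificate at all is never acceptable.
        if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Pinning bypasses the chain check, so at least enforce the validity period.
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;

        // Pin the certificate itself, not its subject name: anyone who can generate
        // a certificate can put "a.xxxxx.dbs.local.ravendb.net" into it.
        return AllowedThumbprints.Contains(cert.Thumbprint);
    }

    public static IDocumentStore CreateStore(string url, string clientPfxPath, string clientPfxPassword)
    {
        RequestExecutor.ServerCertificateCustomValidationCallback += Validate; // assumed hook
        var store = new DocumentStore
        {
            Urls = new[] { url },                       // the address clients can actually reach
            Certificate = new X509Certificate2(clientPfxPath, clientPfxPassword),
            Database = "ExampleDb"                      // constructed name
        };
        return store.Initialize();
    }
}
```

This does not change Mark's second error: once the topology is fetched, the client talks to each node at the address the node advertises, so PublicServerUrl must point at something reachable from the client's network.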