SSL doesn't work on linux.


Василий Александрович

May 22, 2017, 10:07:13 AM
to Event Store
Hello.

I've created a self-signed cert.

httpcfg -list
Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

In the config file I have:

CertificateFile: eventstore.crt
SslValidateServer: False
CertificateThumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

But when I start eventstore:

Starting Normal TCP listening on TCP endpoint: xxx.xxx.xx.xx:1113.
 [24864,13,13:53:30.032] Starting HTTP server on [http://xxx.xxx.xx.xx:2113/]...
[24864,13,13:53:30.036] HTTP server is up and listening on [http://xxx.xxx.xx.xx:2113/]

The idea is to configure all possible SSL (http, tcp and so on).
At least http SSL has to work. But I can't reach port 443. At the same time http://xxx.xxx.xx.xx:2113/web/index.html#/ works fine :)

I also tried:
IntHttpPort: 443
ExtHttpPort: 443
Doesn't work.

Does the port in httpcfg have to be the same as in the config file? (443=443 or 2113=2113)

Could somebody point me in the right direction?

Thank you.

Greg Young

May 22, 2017, 10:16:11 AM
to event...@googlegroups.com
There is a set of options around secure tcp/http that can be found
with --help. As an example:

Interface Options
--int-secure-tcp-port Internal Secure TCP Port.
--int-secure-tcp-port-advertise-as Advertise Secure Internal Tcp Port As.
-IntSecureTcpPortAdvertiseAs
--use-internal-ssl Whether to use secure internal
communication.
-UseInternalSsl
> --
> You received this message because you are subscribed to the Google Groups
> "Event Store" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to event-store...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Studying for the Turing test

Василий Александрович

May 22, 2017, 10:23:36 AM
to Event Store
CONFIG:                   /etc/eventstore/eventstore.yaml (Command Line)
DB:                       /opt/eventstore/db (Config File)
INT IP:                   xxx.xxx.xx.xx (Config File)
EXT IP:                   xxx.xxx.xx.xx (Config File)
EXT SECURE TCP PORT:      2113 (Config File)
INT SECURE TCP PORT:      2114 (Config File)
CERTIFICATE FILE:         /etc/eventstore/ssl/eventstore.crt (Config File)
SSL VALIDATE SERVER:      False (Config File)
CERTIFICATE THUMBPRINT:   9B7C475FB829F3F6D14681942E56C9942BFEF0D9 (Config File)

Exit reason: HTTP async server failed to start listening at [http://xxx.xxx.xx.xx:2113/].

Василий Александрович

May 22, 2017, 10:26:38 AM
to Event Store
Port: 2113 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 2114 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

On Monday, 22 May 2017 at 16:23:36 UTC+2, Василий Александрович wrote:

Greg Young

May 22, 2017, 10:26:38 AM
to event...@googlegroups.com
Without testing, try different ports; it seems you are assigning the
same ports as the defaults, which would have a problem opening.

Василий Александрович

May 22, 2017, 10:44:22 AM
to Event Store
CONFIG:                   /etc/eventstore/eventstore.yaml (Command Line)
DB:                       /opt/eventstore/db (Config File)
INT IP:                   xxx.xxx.xx.xx (Config File)
EXT IP:                   xxx.xxx.xx.xx (Config File)

EXT HTTP PORT:            443 (Config File)
EXT HTTP PREFIXES:        https://xxx.xxx.xx.xx/ (Config File)
EXT SECURE TCP PORT:      5113 (Config File)
INT SECURE TCP PORT:      5114 (Config File)

CERTIFICATE FILE:         /etc/eventstore/ssl/eventstore.crt (Config File)
SSL VALIDATE SERVER:      False (Config File)
CERTIFICATE THUMBPRINT:   9B7C475FB829F3F6D14681942E56C9942BFEF0D9 (Config File)

ENABLE TRUSTED AUTH:      True (Config File)

httpcfg -list
Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 5113 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 5114 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

When I try to load the eventstore page in a browser:

[ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: Remote prematurely closed connection.
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00015] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00080] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x0003c] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (Mono.Net.Security.AsyncOperation operation) [0x00024] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00057] in <443b64479cca4b0cb2d2b62eaf14a230>:0
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00078] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.HttpConnection.Init () [0x0001a] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00090] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00046] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x0000e] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.Sockets.Socket+<>c.<.cctor>b__306_0 (System.IAsyncResult ares) [0x00092] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Net.Sockets.SocketAsyncResult+<>c__DisplayClass27_0.<Complete>b__0 (System.Object _) [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00008] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00074] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0


Greg Young

May 22, 2017, 10:45:43 AM
to event...@googlegroups.com
Load which port and with which protocol?

Василий Александрович

May 22, 2017, 10:52:28 AM
to Event Store
On Monday, 22 May 2017 at 16:45:43 UTC+2, Greg Young wrote:
load which port and with which protocol?

port 443
protocol https

Василий Александрович

May 22, 2017, 11:07:00 AM
to Event Store
I have just tried a later ES with mono statically linked.
ES VERSION:               4.0.1.0 (HEAD/5f53330a4cc31fc6eb8b337cc630038b40a4f47a, Wed, 12 Apr 2017 15:28:32 +0200)
And I get a less verbose error:
The authentication or decryption has failed.
[26987,08,15:04:45.614] Global Unhandled Exception occurred.
The authentication or decryption has failed.

Yorick Laupa

May 22, 2017, 11:49:41 AM
to event...@googlegroups.com
As I use eventstore with ssl on linux, I can assure you it works. The documentation is lagging though. The java-8 client gives good instruction on how to do it:



Василий Александрович

May 23, 2017, 3:22:14 AM
to Event Store
Thank you. Will try.
Using this approach it is possible to encrypt node communication in a cluster, right?
But what about HTTP encryption?
And why don't we use httpcfg?

On Monday, 22 May 2017 at 17:49:41 UTC+2, Yorick Laupa wrote:

Greg Young

May 23, 2017, 3:29:39 AM
to event...@googlegroups.com
Yes, to encrypt internal communications set up the int-sec network and
enable secure internal communications. The only communication in the
cluster itself that will not be encrypted then is the http gossip
traffic. There is currently an open issue to also support encrypting
this traffic, but it has not been worked on as of now, I believe.

Василий Александрович

May 23, 2017, 4:36:24 AM
to Event Store
Thank you.


On Monday, 22 May 2017 at 17:49:41 UTC+2, Yorick Laupa wrote:
As I use eventstore with ssl on linux, I can assure you it works. The documentation is lagging though. The java-8 client gives good instruction on how to do it:


It works for a single ES node!!!
Now I am going to test node encryption in a cluster.

Василий Александрович

May 23, 2017, 5:36:41 AM
to Event Store
Looks like this is not comprehensive info.
First: besides "int-sec network and enable secure internal communications", we need SslTargetHost as well.
But it doesn't matter, because:
[29643,16,09:31:24.098] Internal TCP connection accepted: [Secure, xxx.xxx.xx.xx:57312, Lxxx.xxx.xx.xx:5111, {1c5a95d1-032e-42a7-b678-f508fd1851a1}].
[29643,21,09:31:24.101] [Sxxx.xxx.xx.xx:57312, Lxxx.xxx.xx.xx:5111]: Exception on EndAuthenticateAsServer.

The authentication or decryption has failed.

The configuration is as follows:
IntTcpPort: 0
ExtTcpPort: 0
ExtSecureTcpPort: 5113
IntSecureTcpPort: 5111
UseInternalSsl: True
CertificateFile: /opt/eventstore/ssl/es.p12
SslTargetHost: "eventstore.foo.com"
SslValidateServer: False
IntHttpPort: 2113
ExtHttpPort: 2114
ClusterSize: 3
ClusterDns: "eventstore.foo.com"
ClusterGossipPort: 2113
ExtHttpPrefixes: "http://eventstore.foo.com:2113/"

On Tuesday, 23 May 2017 at 9:29:39 UTC+2, Greg Young wrote:

Василий Александрович

May 25, 2017, 6:44:14 AM
to Event Store
Why is there such a big difference between the SSL configuration here https://github.com/msemys/esjc and here https://github.com/EventStore/EventStore/wiki/Setting-Up-SSL-In-Linux?
Completely different approaches. And how is it possible that a third-party manual works (partially) while the official manual doesn't? :)

Pieter Germishuys

May 25, 2017, 6:51:38 AM
to Event Store
The documentation from the github repo for esjc refers to SSL configuration on linux. The wiki you pointed to is no longer in use and says that the documentation has moved. The documentation that is there shows how to set up SSL on Windows (http://docs.geteventstore.com/server/4.0.0/setting_up_ssl/). Someone is working on the documentation on how to set up SSL on linux and that should be up shortly.

Василий Александрович

May 25, 2017, 7:08:39 AM
to Event Store


On Thursday, 25 May 2017 at 12:51:38 UTC+2, Pieter Germishuys wrote:
The documentation from the github repo for esjc refers to SSL configuration on linux. The wiki you pointed to is no longer in use and says that the documentation has moved. The documentation that is there shows how to set up SSL on Windows (http://docs.geteventstore.com/server/4.0.0/setting_up_ssl/). Someone is working on the documentation on how to set up SSL on linux and that should be up shortly.

This documentation describes client -> eventstore encryption. Third-party documentation for this type of encryption on Linux exists: https://github.com/msemys/esjc
What about internal (cluster nodes) encryption and HTTP encryption?

https://groups.google.com/forum/#!searchin/event-store/$20The$20authentication$20or$20decryption$20has$20failed%7Csort:relevance/event-store/V__RYzskdew/xGZUp_PMBAAJ
> Just put a note in internal list that we should solve this with a doc
> that goes through step by step. It will be up in a day or two.
Let's look at the date: 08.11.15 :)

Hayley-Jean Campbell

May 31, 2017, 3:07:54 AM
to Event Store
We've added a new page to the docs for setting up SSL on Ubuntu 16.04, you can find it here

If you have any feedback or improvements for that page, please open an issue in the docs repo or open a PR.

Василий Александрович

Jun 1, 2017, 5:37:22 AM
to Event Store


On Wednesday, 31 May 2017 at 9:07:54 UTC+2, Hayley-Jean Campbell wrote:
We've added a new page to the docs for setting up SSL on Ubuntu 16.04, you can find it here
Thank you.

If you have any feedback or improvements for that page, please open an issue in the docs repo or open a PR.
For everybody who will read this thread:
1. Confirm: it works.
2. If you use CentOS: instead of /usr/local/share/ca-certificates/, copy to /etc/pki/tls/certs. Instead of update-ca-certificates, use update-ca-trust.
3. For UseInternalSsl: True you also need to add the following:
   CertificateFile:
   ExtSecureTcpPort: xxxx
   IntSecureTcpPort: xxxx
   UseInternalSsl: True
   SslTargetHost: "bla-bla.com"

How to check that internal SSL works:
1. netstat -alnp | grep eventstore
tcp        0      0 0.0.0.0:2113            0.0.0.0:*               LISTEN      30507/eventstored  
tcp        0      0 0.0.0.0:2114            0.0.0.0:*               LISTEN      30507/eventstored  
tcp        0      0 192.168.3.194:35247    0.0.0.0:*               LISTEN      30507/eventstored  
tcp        0      0 192.168.3.194:1115     0.0.0.0:*               LISTEN      30507/eventstored  
tcp        0      0 192.168.3.194:1116     0.0.0.0:*               LISTEN      30507/eventstored  
tcp        0      0 192.168.3.194:1116     192.168.3.130:46312    ESTABLISHED 30507/eventstored  
tcp        0      0 192.168.3.194:2114     192.168.3.130:52828    ESTABLISHED 30507/eventstored  
tcp        0      0 192.168.3.194:52228    192.168.3.130:2114     ESTABLISHED 30507/eventstored  
tcp        0      0 192.168.3.194:2114     192.168.3.130:52782    ESTABLISHED 30507/eventstored  
tcp        0      0 192.168.3.194:52230    192.168.3.130:2114     ESTABLISHED 30507/eventstored

Port 1116 is for internal SSL.
2. Log:
PID:31425:006 2017.06.01 09:09:24.524 INFO  TcpConnectionSsl    ] [S192.168.5.194:1116, L192.168.5.130:46312]
[PID:31425:006 2017.06.01 09:09:24.525 INFO  TcpConnectionSsl    ] Cipher: Aes256 strength 256
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.529 INFO  TcpConnectionSsl    ] Is authenticated: True as server? False
[PID:31425:006 2017.06.01 09:09:24.534 INFO  TcpConnectionSsl    ] IsSigned: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO  TcpConnectionSsl    ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO  TcpConnectionSsl    ] Can read: True, write True
[PID:31425:006 2017.06.01 09:09:24.535 INFO  TcpConnectionSsl    ] Can timeout: True
[PID:31425:006 2017.06.01 09:09:24.535 INFO  TcpConnectionSsl    ] Certificate revocation list checked: False
[PID:31425:006 2017.06.01 09:09:24.535 INFO  TcpConnectionSsl    ] Local certificate is null.
[PID:31425:006 2017.06.01 09:09:24.541 INFO  TcpConnectionSsl    ] Remote certificate was issued to CN=bla-bla.com and is valid from 5/31/2017 12:49:22 PM until 5/31/2018 12:49:22 PM.

Hope I didn't miss anything.


And now, the last question: how to configure HTTP encryption without a reverse proxy?
httpcfg -list
Port: 5114 Thumbprint: E4A68B65AE4A5788C056E18438199B31BD21B560
Port 5114 is configured, but https doesn't work. :(
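The two checks above (netstat for the internal secure port, then the TcpConnectionSsl lines in the log) can be turned into a small script. This is an added example and not code from the thread or from Event Store: it runs over constructed netstat and log samples modelled on the ones posted (addresses and PID are made up), confirms the port is listening with established peers, and flags what a reviewer of that log would want flagged, namely `Protocol: Tls` (in .NET's SslProtocols naming, plain `Tls` is TLS 1.0), a SHA-1 MAC, and a certificate close to expiry. The field names come from the posted log; the port number 1116, the 30-day expiry threshold and the reference date are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample input for this example, modelled on the netstat and
# TcpConnectionSsl log excerpts posted in the thread (addresses and PID are made up).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:2113            0.0.0.0:*               LISTEN      30507/eventstored
tcp        0      0 192.168.3.194:1116     0.0.0.0:*               LISTEN      30507/eventstored
tcp        0      0 192.168.3.194:1116     192.168.3.130:46312    ESTABLISHED 30507/eventstored
tcp        0      0 192.168.3.194:2114     192.168.3.130:52828    ESTABLISHED 30507/eventstored
"""

LOG_SAMPLE = """\
[PID:31425:006 2017.06.01 09:09:24.525 INFO  TcpConnectionSsl    ] Cipher: Aes256 strength 256
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO  TcpConnectionSsl    ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.534 INFO  TcpConnectionSsl    ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.541 INFO  TcpConnectionSsl    ] Remote certificate was issued to CN=bla-bla.com and is valid from 5/31/2017 12:49:22 PM until 5/31/2018 12:49:22 PM.
"""

# netstat -alnp line: proto recv-q send-q local:port remote:port state pid/program
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)\s+(\d+)/(\S+)")
# The handshake parameters Event Store logs after a secure TCP connection is accepted
SSL_FIELD_RE = re.compile(
    r"TcpConnectionSsl\s*\]\s*(Cipher|Hash|Key exchange|Protocol|Is Encrypted): (\S+)")
CERT_RE = re.compile(r"issued to (CN=\S+) and is valid from (.+?) until (.+?)\.$")
CERT_DATE_FMT = "%m/%d/%Y %I:%M:%S %p"


def secure_port_state(netstat_text, port, process="eventstored"):
    """Return (listening, established_peers) for one local port owned by the process."""
    listening, peers = False, []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(7) != process or int(m.group(2)) != port:
            continue
        if m.group(5) == "LISTEN":
            listening = True
        elif m.group(5) == "ESTABLISHED":
            peers.append(f"{m.group(3)}:{m.group(4)}")
    return listening, peers


def parse_ssl_log(log_text):
    """Collect the negotiated parameters and certificate validity from the log."""
    info = {}
    for line in log_text.splitlines():
        m = SSL_FIELD_RE.search(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = CERT_RE.search(line)
        if m:
            info["Subject"] = m.group(1)
            info["NotBefore"] = datetime.strptime(m.group(2), CERT_DATE_FMT)
            info["NotAfter"] = datetime.strptime(m.group(3), CERT_DATE_FMT)
    return info


def assess(netstat_text, log_text, port, now):
    """Confirm the internal TLS port is in use and flag weak negotiated parameters.

    Protocol names follow .NET's SslProtocols enum, where plain "Tls" is TLS 1.0.
    """
    findings = []
    listening, peers = secure_port_state(netstat_text, port)
    if not listening:
        findings.append(f"port {port}: not listening")
    if not peers:
        findings.append(f"port {port}: no established peer connections")
    info = parse_ssl_log(log_text)
    if info.get("Is Encrypted") != "True":
        findings.append("connection not encrypted")
    if info.get("Protocol") not in ("Tls12", "Tls13"):
        findings.append(f"legacy protocol negotiated: {info.get('Protocol')}")
    if info.get("Hash") in ("Md5", "Sha1"):
        findings.append(f"weak MAC hash: {info['Hash']}")
    if "NotAfter" in info:
        days_left = (info["NotAfter"] - now).days
        if days_left < 0:
            findings.append(f"certificate {info['Subject']} expired")
        elif days_left < 30:  # assumed renewal threshold for this example
            findings.append(f"certificate {info['Subject']} expires in {days_left} days")
    return {"listening": listening, "peers": peers, "tls": info, "findings": findings}


def sample_report(now_iso="2017-06-01"):
    """Run the check over the constructed samples at a fixed reference date."""
    return assess(NETSTAT_SAMPLE, LOG_SAMPLE, 1116, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    report = sample_report()
    print("listening:", report["listening"], "peers:", report["peers"])
    for finding in report["findings"]:
        print("WARN:", finding)
```

On the posted sample this reports the port as listening with one established peer and two warnings: the connection negotiated TLS 1.0 and a SHA-1 MAC, which matches the sonarr thread's remark, quoted later in this discussion, about mono's TLS implementation being out of date. Feed it real `netstat -alnp` output and the node's log to repeat the check on a live cluster.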

Greg Young

Jun 1, 2017, 5:45:16 AM
to event...@googlegroups.com
Will wait for Hayley or Pieter, but you most likely need to set up an
appropriate http prefix.

Василий Александрович

Jun 1, 2017, 5:50:31 AM
to Event Store


On Thursday, 1 June 2017 at 11:45:16 UTC+2, Greg Young wrote:
Will wait for Hayley or Pieter, but you most likely need to set up an
appropriate http prefix.

Will wait.
While I was testing HTTP encryption I added the following to the config file:
AddInterfacePrefixes: False
ExtHttpPort: 5114
ExtHttpPrefixes: "https://*:5114/"

netstat shows the port opened.
telnet can connect to this port, but the browser gives an error "This site can't be reached".

Василий Александрович

Jun 1, 2017, 8:41:14 AM
to Event Store
So, some progress with HTTPS.
First you need to execute httpcfg as the eventstore user.
But:

[PID:00512:013 2017.06.01 12:37:25.510 DEBUG ElectionsService    ] ELECTIONS: (V=200) VIEWCHANGE FROM [192.168.5.194:2114, {e7f53c10-dcdc-4dc7-8481-fae868ebabb0}].
[PID:00512:006 2017.06.01 12:37:26.464 FATAL GLOBAL-LOGGER       ] Global Unhandled Exception occurred.
System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The client stopped the handshake.
  at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (System.IAsyncResult asyncResult) [0x000b9] in <1d0bb82c94e7435eb09324cf5ef20e36>:0
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <1d0bb82c94e7435eb09324cf5ef20e36>:0
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00057] in <1d0bb82c94e7435eb09324cf5ef20e36>:0
  at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00011] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
  at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000e] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0

Eventstore crashes :(

Василий Александрович

Jun 1, 2017, 9:59:43 AM
to Event Store
I don't know, but it seems to me I've found something interesting.
Actually the browser receives HTML:
<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=1024"><meta http-equiv=X-UA-Compatible content="IE=edge,chrome=1"><title>Event Store - {{ $state.current.data.title }}</title><link rel=stylesheet href=css/main.min.css><link rel=apple-touch-icon href=apple-touch-icon.png><link rel=icon type=image/png href=favicon.png><meta name=msapplication-TileImage content=es-tile.png><meta name=msapplication-TileColor content=#6BA300></head><body><div ui-view></div><script data-main=js/app.min.js src=js/requirejs.min.js></script></body></html>

Here is the title tag.

And this: https://forums.sonarr.tv/t/cannot-connect-webif-via-https/13612/4

At this time you're probably better off using a reverse proxy for SSL since mono's implementation is out of date and is rejected by Chrome as being too insecure.

Василий Александрович

Jun 1, 2017, 10:03:45 AM
to Event Store
I just tried the console browser lynx.
Eventstore hasn't crashed this time.
In the log file:
[PID:01104:018 2017.06.01 13:52:07.664 INFO  IOStreams           ] Error while closing stream : This SslStream is already authenticated
And it shows only the title without the HTML BODY :(


On Thursday, 1 June 2017 at 15:59:43 UTC+2, Василий Александрович wrote:

Василий Александрович

Jun 8, 2017, 5:40:04 AM
to Event Store
Any update?
Is the info here https://forums.sonarr.tv/t/cannot-connect-webif-via-https/13612/4 true or false?

On Monday, 22 May 2017 at 16:07:13 UTC+2, Василий Александрович wrote:

Hayley-Jean Campbell

Jun 9, 2017, 4:21:26 AM
to Event Store
We are currently investigating a few issues with HTTPS on mono. You can see some more information about it in this github issue.
We will also have a look into the certificate issue you have linked at the same time, thank you for bringing it to our attention.

Currently the easiest way to get https working on mono would likely be to use a proxy.