external replication and connection string setup - AuthorizationException


Wallace Turner

Apr 30, 2019, 12:15:27 AM
to RavenDB - 2nd generation document database
I'm attempting to set up external replication but getting stuck setting up the connection between the two servers.

To give some background, I have a simple two-server setup; names have been changed but let's call them server-A and server-B.

Both servers are using self-signed certificates and both machines can access each other via Chrome. The certs are working correctly via the browser.

When I add a connection string on Server-A connecting to Server-B and 'Test Url Connection' I get the error below.

From the error it looks like it's trying to provide Server-A's certificate instead of Server-B's ??

I don't really know where to go from here. It doesn't make sense that I should have to do anything more to get this working as it's working via the browser and there is nothing in the docs about specifying a certificate when setting up external replication.

Please help

UPDATE:
I've managed to get past this error by adding Server-A's pfx to Server-B's certificates (Manage Server -> Certificates -> Client certificate ->  Upload client certificate)

It might be nice to mention this in the docs if that's always required (i.e. if no option to provide it from the calling server)

Also as a general comment can you show your errors a bit more gracefully? i.e. instead of showing the callstack perhaps you can catch the (known) exceptions and format them without the stacktrace and add some more useful information.


Connection test failed!
An exception was thrown while trying to connect to 'https://server-B.com:8080':
 Raven.Client.Exceptions.Security.AuthorizationException: Forbidden access to @https://server-B.com:8080, ravendb-server-TBUEK does not have permission to access it or is unknown. Method: GET, Request: https://server-B.com:8080/databases/TestDb/info/tcp?tag=Test-Connection
 {"Type":"InvalidAuth","Message":"The supplied client certificate 'O=ravendb., CN=server-A.com(Thumbprint: 03A525C81BC23E1DE56F0CD6BEF4C7245D231267)' is unknown to the server. In order to register your certificate please contact your system administrator."}
 at Raven.Client.Http.RequestExecutor.HandleUnsuccessfulResponse[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, HttpRequestMessage request, HttpResponseMessage response, String url, SessionInfo sessionInfo, Boolean shouldRetry, CancellationToken token) in C:\Builds\RavenDB-Stable-4.1\41013\src\Raven.Client\Http\RequestExecutor.cs:line 1061
 at Raven.Client.Http.RequestExecutor.ExecuteAsync[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, CancellationToken token) in C:\Builds\RavenDB-Stable-4.1\41013\src\Raven.Client\Http\RequestExecutor.cs:line 788
 at Raven.Client.Http.RequestExecutor.ExecuteAsync[TResult](ServerNode chosenNode, Nullable`1 nodeIndex, JsonOperationContext context, RavenCommand`1 command, Boolean shouldRetry, SessionInfo sessionInfo, CancellationToken token) in C:\Builds\RavenDB-Stable-4.1\41013\src\Raven.Client\Http\RequestExecutor.cs:line 828
 at Raven.Server.Utils.ReplicationUtils.GetTcpInfoAsync(String url, String databaseName, String tag, X509Certificate2 certificate, CancellationToken token) in C:\Builds\RavenDB-Stable-4.1\41013\src\Raven.Server\Utils\ReplicationUtils.cs:line 29
 at Raven.Server.ServerWide.ServerStore.TestConnectionToRemote(String url, String database) in C:\Builds\RavenDB-Stable-4.1\41013\src\Raven.Server\ServerWide\ServerStore.cs:line 2351

Egor Shamanaev

Apr 30, 2019, 5:00:13 AM
to rav...@googlegroups.com
Hello,
Thanks for your feedback. I have opened a ticket to add this to our docs; you are welcome to track the progress here:

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.
To post to this group, send email to rav...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ravendb/9d2bb2d9-9504-4554-92bb-561deadc71f8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Andrej Krivulčík

Aug 23, 2019, 9:20:54 AM
to RavenDB - 2nd generation document database
It is worth noting that after adding the certificate, the target server needs to be restarted. The connection didn't work for me when I only added the certificate. It started working after target server restart.

I'm not sure if this is intended behavior, I certainly didn't expect that. I could see that the certificate with the correct thumbprint was added to the target server and the source server kept failing because of the certificate not being present there.

Also, an option to choose which certificate should be used for connecting to the target would be good. Currently, the target cluster needs to have access to the certificate of the whole source cluster which might not be always desirable. Also, the cluster certificate gets renewed quite often (when provided by letsencrypt) so it needs to be refreshed on the target server after renewal.

Oren Eini (Ayende Rahien)

Aug 28, 2019, 10:23:25 AM
to ravendb
There should be no reason for the target server to be restarted. All the data is already fetched directly from the same place.

Might be related to connection pooling, though. 

--
Oren Eini
CEO   /   Hibernating Rhinos LTD
Skype:  ayenderahien
Support:  sup...@ravendb.net
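
Added example (not part of the thread and not RavenDB code): a Python triage helper that reads the rejection posted in the first message, identifies which certificate the source server presented, and checks it against the thumbprints registered on the target, which also catches a renewed source certificate whose new thumbprint was never uploaded. The function names and the `registered` set are assumptions made for illustration.

```python
import hashlib
import re

# JSON body of the failed connection test, as posted in the thread.
ERROR = """{"Type":"InvalidAuth","Message":"The supplied client certificate 'O=ravendb., CN=server-A.com(Thumbprint: 03A525C81BC23E1DE56F0CD6BEF4C7245D231267)' is unknown to the server. In order to register your certificate please contact your system administrator."}"""

REJECTED = re.compile(
    r"client certificate '(?P<subject>[^'(]+)\(Thumbprint: (?P<thumb>[0-9A-Fa-f]{40})\)'"
    r" is unknown to the server")


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, upper-case hex (.NET Thumbprint form)."""
    return hashlib.sha1(der).hexdigest().upper()


def rejected_certificate(error_text: str):
    """Return (subject, thumbprint) of the certificate the target refused, or None."""
    m = REJECTED.search(error_text)
    if m is None:
        return None
    return m.group("subject").strip(), m.group("thumb").upper()


def diagnose(error_text: str, source_host: str, registered: set) -> str:
    """Explain a failed connection test; `registered` holds the target's thumbprints."""
    found = rejected_certificate(error_text)
    if found is None:
        return "not a client-certificate rejection"
    subject, thumb = found
    # Simple DN split; assumes no commas inside attribute values.
    parts = dict(p.strip().split("=", 1) for p in subject.split(",") if "=" in p)
    cn = parts.get("CN", "")
    if cn.lower() != source_host.lower():
        return f"unexpected certificate presented: {subject}"
    if thumb in {t.upper() for t in registered}:
        return f"{thumb} is already registered on the target"
    return f"register {thumb} ({cn}) as a client certificate on the target"


if __name__ == "__main__":
    # The source server's own certificate is presented and the target does not know it.
    print(diagnose(ERROR, "server-A.com", registered=set()))
```

`thumbprint()` lets the thumbprint of an exported DER certificate be compared with the value in the error before and after a renewal.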