Issue with certificate on Ubuntu 16.04


Sonny TADJER

Sep 28, 2017, 1:10:07 PM
to RavenDB - 2nd generation document database
Hi,

Recently installed RavenDB 4
This is behind VPN in a close infrastructure but I have the message 

Running in a potentially unsafe mode
Server certificate information has not been set up and the server address is not configured within allowed unsecured access address range.
Please find the RavenDB settings file settings.json in the server directory and fill in your certificate information under either:
Security.Certificate.Path
The path to .pfx certificate file. If specified, RavenDB will use HTTPS/SSL for all network activities. You can use the '~/' prefix to refer to RavenDB's base directory.
or
Security.Certificate.Exec
A command or executable providing a .pfx certificate file. If specified, RavenDB will use HTTPS/SSL for all network activities.
If you would rather like to keep your server unsecured, please relax the Security.UnsecuredAccessAllowed configuration setting to match the ServerUrl setting value, which can be a combination of the following flags: None | Local | PrivateNetwork | PublicNetwork.

So I generated a certificate and exported it to get a .pfx:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/ravendb.key -out /etc/ssl/certs/ravendb.crt
openssl pkcs12 -export -out ravendb.pfx \
    -inkey /etc/ssl/private/ravendb.key -in /etc/ssl/certs/ravendb.crt


I added it to settings.json, but when I run the server I get the following error:

System.InvalidOperationException: Unable to start the server due to invalid certificate configuration! Admin assistance required. ---> System.InvalidOperationException: Could not load certificate file /etc/ssl/certs/ravendb.pfx ---> Org.BouncyCastle.Security.EncryptionException: Server certificate from /etc/ssl/certs/ravendb.pfx must be defined with the following 'Enhanced Key Usages': Client Authentication (Oid 1.3.6.1.5.5.7.3.2) & Server Authentication (Oid 1.3.6.1.5.5.7.3.1)


Thanks for your help


Oren Eini (Ayende Rahien)

Sep 29, 2017, 10:05:35 AM
to ravendb
The issue here is that RavenDB doesn't know that it is running in a closed environment. As you are listening to the network, we must assume that you are listening to the public network and we want to avoid unauthorized access to the db by all and sundry.

The certificate you generated is not good for us because it is missing the EKU settings indicated.

You can use the script here to define it:

You need to run the generate-server-cert.sh script and note that you probably will want the open ssl cnf files as well.

After you have generated the server certificate and started the server, you'll need a client certificate to access it.
To generate the client certificate you need to ask the server for it using the server's own certificate.
This is done here:



Another thing to note is that since you'll be using self signed certs, you'll need to register the CA as trusted in your browser.

Hibernating Rhinos Ltd
Oren Eini | CEO | Mobile: +972-52-548-6969
Office: +972-4-622-7811 | Fax: +972-153-4-622-7811


--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
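The EKU requirement quoted in the error above, as an added example (this is not code from the thread and not RavenDB's own generate-server-cert.sh): it generates a self-signed certificate that carries both serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2), exports it as a .pfx, checks the EKUs before the file is handed to the server, and writes a settings.json that points Security.Certificate.Path at it. The hostname ravendb.example.internal, the empty .pfx password and the switch of ServerUrl to https are assumptions of the example. It uses a config section with -extensions rather than -addext, so it runs on the OpenSSL 1.0.2 shipped with Ubuntu 16.04 as well as on current releases.

```shell
#!/bin/sh
# Added example, not code from the original thread or from RavenDB.
# Builds a self-signed server certificate with the two EKUs RavenDB
# demands (serverAuth + clientAuth), exports a .pfx, verifies the EKUs,
# and writes a settings.json that references the .pfx.
# Assumptions: hostname ravendb.example.internal, empty .pfx password.
set -eu

# OpenSSL config adding the EKUs as X.509v3 extensions. The -extensions
# section form works on OpenSSL 1.0.2 (Ubuntu 16.04), which has no -addext.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = ravendb.example.internal

[ ravendb_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ravendb.example.internal
EOF
}

# gen_server_cert DIR: writes DIR/ravendb.key, DIR/ravendb.crt, DIR/ravendb.pfx
gen_server_cert() {
    dir="$1"
    write_openssl_cnf "$dir/ravendb.cnf"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$dir/ravendb.cnf" -extensions ravendb_ext \
        -keyout "$dir/ravendb.key" -out "$dir/ravendb.crt" 2>/dev/null
    openssl pkcs12 -export -out "$dir/ravendb.pfx" \
        -inkey "$dir/ravendb.key" -in "$dir/ravendb.crt" -passout pass:
}

# eku_line CERT.pem: prints the Extended Key Usage line of a PEM certificate
# (empty when the certificate has no EKU extension at all).
eku_line() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# has_required_eku CERT.pem: succeeds only if both EKUs are present
has_required_eku() {
    eku=$(eku_line "$1")
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pfx_has_required_eku FILE.pfx: the same check on the exported bundle,
# i.e. on exactly what RavenDB will load.
pfx_has_required_eku() {
    pem=$(mktemp)
    openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$pem"
    if has_required_eku "$pem"; then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}

# write_settings_json DIR PFX: settings.json pointing RavenDB at the .pfx.
# Assumption: ServerUrl switches to https, since the server uses TLS for
# all network activity once a certificate is configured.
write_settings_json() {
    cat > "$1/settings.json" <<EOF
{
  "ServerUrl": "https://0.0.0.0:8080",
  "RunInMemory": false,
  "Security.Certificate.Path": "$2"
}
EOF
}

# Usage: sh make-ravendb-cert.sh /path/to/outdir
if [ $# -ge 1 ]; then
    gen_server_cert "$1"
    has_required_eku "$1/ravendb.crt" || { echo "EKU check failed" >&2; exit 1; }
    write_settings_json "$1" "$1/ravendb.pfx"
    echo "wrote $1/ravendb.pfx and $1/settings.json"
fi
```

The check is worth running on the .pfx rather than only on the .crt, because the bundle is what the server parses; a certificate produced the way the original post did (plain `openssl req -x509` with no extensions section) fails `has_required_eku`, which is the same condition the BouncyCastle error reports. Since this is a self-signed certificate, clients still have to trust it explicitly, as Oren notes below.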

Sonny TADJER

Oct 2, 2017, 4:57:47 AM
to RavenDB - 2nd generation document database
Thank you Oren.

One question: how do you configure the allowed unsecured access address range on Ubuntu 16.04?

Cheers

Oren Eini (Ayende Rahien)

Oct 2, 2017, 5:13:16 AM
to ravendb
Security.UnsecuredAccessAllowed=PublicNetwork or Security.UnsecuredAccessAllowed=PrivateNetwork


Where PrivateNetwork is: 10.0.0.0, 192.168.0.0, 172.16.0.0 - 172.31.0.0 for IPv4, and for IPv6 as defined here: https://en.wikipedia.org/wiki/Unique_local_address

Oren Eini (Ayende Rahien)

Oct 2, 2017, 5:13:48 AM
to ravendb
Please note that Docker will typically use the 10.x.x.x range and then expose _that_ to the outside world, so you need to be aware of who can directly or indirectly access the data.

Sonny TADJER

Oct 2, 2017, 7:28:08 AM
to RavenDB - 2nd generation document database
Thanks. Does that go in the settings.json?

{
  "ServerUrl": "http://0.0.0.0:8080",
  "RunInMemory": false,
  "Security.UnsecuredAccessAllowed": "PublicNetwork"
}

Oren Eini (Ayende Rahien)

Oct 2, 2017, 8:34:29 AM
to ravendb
Yes