ssl issues on k8s


Siva Balusu

Jan 31, 2023, 3:54:17 PM1/31/23
to vernemq-users
Hi,

I have deployed to a k8s cluster using the helm chart. The pod started fine, and the conf looks like this:
########## Start ##########
allow_register_during_netsplit = on
allow_unsubscribe_during_netsplit = on
accept_eula = yes
allow_publish_during_netsplit = on
listener.ssl.default = 0.0.0.0:8883
listener.ssl.keyfile = /etc/ssl/vernemq/tls.key
listener.ssl.cafile = /etc/ssl/vernemq/ca.crt
listener.tcp.localhost = 127.0.0.1:1883
allow_anonymous = on
listener.ssl.certfile = /etc/ssl/vernemq/tls.crt
allow_subscribe_during_netsplit = on
listener.tcp.default = 10.105.0.86:1883
listener.ws.default = 10.105.0.86:8080
listener.vmq.clustering = 10.105.0.86:44053
listener.http.metrics = 10.105.0.86:8888
########## End ##########



but the pod logs show this error:

20:13:35.558 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[sect571r1,sect571k1,secp521r1,brainpoolP512r1,sect409k1,sect409r1,brainpoolP384r1,secp384r1,sect283k1,sect283r1,brainpoolP256r1,secp256k1,secp256r1,sect239k1,sect233k1,sect233r1,secp224k1,secp224r1,sect193r1,sect193r2,secp192k1,secp192r1,sect163k1,sect163r1,sect163r2,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.461.0>}


I tried using `openssl s_client -connect :8883 -key tls.key.pem -cert tls.cert.pem` and got back the info below.

CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1670975815
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)


Can someone help, please?

Thanks,
Siva


André Fatton

Jan 31, 2023, 4:35:40 PM1/31/23
to Siva Balusu, vernemq-users

Hi Siva,

We somehow have too many listener definitions here. Can you try and disable all listeners in the values.yaml file?

Actually, just set the default one to false: https://github.com/vernemq/docker-vernemq/blob/master/helm/vernemq/values.yaml#L34

If this doesn't work, can you scan the full vernemq.conf file and check all listener definitions (tcp and ssl)?

Kind regards,

André
-- 
"Forward!", said the engineer. - Jules Verne, The Mysterious Island
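The reply above asks for a scan of every listener definition in vernemq.conf. The script below is an added example for doing that scan; it is not part of the thread, of VerneMQ or of the Helm chart. It relies on VerneMQ's documented key shape `listener.<type>.<name> = <ip>:<port>` (one listener per such line; other `listener.*` keys are options, not sockets) and on the Linux bind rule that a wildcard bind (`0.0.0.0` or `::`) and a specific address on the same port cannot both be listening. The `{already_started, <pid>}` in the pod log names an mqtts listener on `127.0.0.1:1883`, which the posted file does not contain, so the constructed `INJECTED_CONF` adds a hypothetical `listener.ssl.localhost` line to stand in for a listener that arrived from elsewhere (for instance the chart's default listener or a `DOCKER_VERNEMQ_LISTENER__*` environment variable); that line name is an assumption, not something the thread shows.

```python
"""Find VerneMQ listener definitions that would collide on the same socket.

Added example, not VerneMQ or Helm chart code.  VerneMQ starts one listener
per `listener.<type>.<name> = <ip>:<port>` line in vernemq.conf; a second
listener that needs a socket an earlier one already owns cannot come up.
"""
import ipaddress
import re
from collections import defaultdict

# Only socket-defining lines match: exactly two dotted components after
# "listener." and an ip:port value.  Per-type options such as
# listener.ssl.keyfile (path value) or listener.tcp.max_connections
# (integer value) do not look like ip:port and are skipped.
LISTENER_RE = re.compile(
    r"^\s*listener\.(?P<type>[a-z]+)\.(?P<name>\w+)\s*=\s*"
    r"(?P<ip>[0-9A-Fa-f.:\[\]]+):(?P<port>\d+)\s*$"
)


def parse_listeners(conf_text):
    """Return [(type, name, ip, port)] for each listener socket in conf_text."""
    found = []
    for line in conf_text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            found.append((m["type"], m["name"], m["ip"].strip("[]"), int(m["port"])))
    return found


def binds_overlap(ip_a, ip_b):
    """True if two binds on the same port cannot coexist on Linux: identical
    address, or a wildcard (0.0.0.0 / ::) next to any address of its family."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    return a == b or a.is_unspecified or b.is_unspecified


def find_conflicts(listeners):
    """Return [(listener_a, listener_b)] for every pair that collides."""
    by_port = defaultdict(list)
    for lst in listeners:
        by_port[lst[3]].append(lst)
    conflicts = []
    for group in by_port.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if binds_overlap(a[2], b[2]):
                    conflicts.append((a, b))
    return conflicts


def report(conf_text):
    """One readable line per collision.  An empty list means the file itself
    is consistent, so the colliding listener must be injected from elsewhere."""
    return [
        f"listener.{a[0]}.{a[1]} and listener.{b[0]}.{b[1]} both bind "
        f"{a[2]}:{a[3]} / {b[2]}:{b[3]}"
        for a, b in find_conflicts(parse_listeners(conf_text))
    ]


# The listener lines from the vernemq.conf posted in this thread.
POSTED_CONF = """\
listener.ssl.default=0.0.0.0:8883
listener.ssl.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.cafile=/etc/ssl/vernemq/ca.crt
listener.tcp.localhost=127.0.0.1:1883
allow_anonymous=on
listener.ssl.certfile=/etc/ssl/vernemq/tls.crt
listener.tcp.default = 10.105.0.86:1883
listener.ws.default = 10.105.0.86:8080
listener.vmq.clustering = 10.105.0.86:44053
listener.http.metrics = 10.105.0.86:8888
"""

# Constructed: a hypothetical SSL listener on 127.0.0.1:1883, standing in for
# the mqtts listener the pod log says was requested on that socket.
INJECTED_CONF = POSTED_CONF + "listener.ssl.localhost = 127.0.0.1:1883\n"

if __name__ == "__main__":
    for label, conf in (("posted file", POSTED_CONF),
                        ("with injected listener", INJECTED_CONF)):
        print(f"{label}: {report(conf) or ['no collisions']}")
```

Run it against the real file with `report(open("/etc/vernemq/vernemq.conf").read())` inside the pod; an empty result for the file while the log still reports `already_started` points at listeners defined outside the file, which is what the values.yaml suggestion above targets. Two caveats on the rest of the thread: the posted config has `allow_anonymous = on`, and the logged listener options show `require_certificate,false`, so once the 8883 listener does start, anything that can reach the Service connects with neither credentials nor a client certificate; confirm that is intended. And the `Verify return code: 0 (ok)` in the `openssl s_client` output does not mean a certificate was validated: the line above it says no peer certificate was received at all, and `write:errno=54` is ECONNRESET on macOS/BSD, so the connection was reset before any TLS record came back.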