Enabling mtls create issue with https web service #1771

Open
lorepas opened this issue Aug 17, 2023 · 4 comments
Labels
bug Something isn't working

Comments

lorepas commented Aug 17, 2023

What happened
Hello, I tried to enable mtls on immudb but I encountered some issues. In particular, I've executed the script ./generate.sh example.com testpsw present in the immudb repo. In immudb.toml I've set:

certificate = '/etc/immudb/certs/example.com.cert.pem'
clientcas = '/etc/immudb/certs/ca-chain.cert.pem'
pkey = '/etc/immudb/certs/example.com.key.pem'
mtls = true

In particular, the certificate and the key are the ones present in the folder /mtls/3_application.

Then, by checking the connection with immuadmin with the complete string as follows:

./immuadmin login immudb --certificate /etc/immudb/client_cert/example.com.cert.pem --clientcas /etc/immudb/certs/ca-chain.cert.pem --mtls --pkey /etc/immudb/client_cert/example.com.key.pem --servername example.com

I'm able to connect correctly. The certificate and key used now are the ones in /mtls/4_clients.
I also tried the following curl from my shell:

 curl -v https://example.com:8080 --cert client-cert.pem --key client-key.pem --cacert ca-cert-immudb.pem

And the response has been positive.

At this point, I have to connect to the web server over HTTPS. I've imported the certificate into my browser in p12 format by executing the following command in /mtls/4_clients:

openssl pkcs12 -export -out immudb-client-localhost.p12 -in certs/example.com.cert.pem -inkey private/example.com.key.pem

I've also imported the CA chain certificate. However, if I try to log in over HTTPS (https://example.com:8080) I encounter the following error:
[image]

And from the logs I've checked the following error:

2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58789: EOF
2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58785: EOF
2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58786: EOF

The IP shown is the one of my client, so it is exactly the HTTPS connection.

What you expected to happen
I expect that HTTPS works fine after I've imported the client certificate.

How to reproduce it (as minimally and precisely as possible)
Some steps to follow are present in the description of the issue.

Environment

  • OS: Ubuntu 20.04
  • ImmuDB: v1.5.0

Additional info (any other context about the problem)

@lorepas lorepas added the bug Something isn't working label Aug 17, 2023
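
As an added example (not code from immudb or from this thread), the Go program below stands up an HTTPS listener that requires client certificates with `tls.RequireAndVerifyClientCert` and returns what a client with and without a certificate sees, together with the `http: TLS handshake error` line the server logs. It assumes immudb's `mtls = true` behaves like this standard-library setting; `Probe` and the self-signed `demo-client` certificate are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe runs an mTLS-only HTTPS listener (assumed stand-in, not immudb code) and returns its log plus each client's result.
func Probe() (serverLog string, withCert, withoutCert error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // constructed self-signed client cert, trusted as its own CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	var buf bytes.Buffer
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.Config.ErrorLog = log.New(&buf, "", 0) // capture the server's handshake error lines
	srv.StartTLS()
	get := func(certs ...tls.Certificate) error {
		tr := srv.Client().Transport.(*http.Transport).Clone() // trusts the test server's cert
		tr.TLSClientConfig.Certificates = certs
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	withCert = get(tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf})
	withoutCert = get()
	srv.Close() // waits for connection goroutines, so buf is complete
	return buf.String(), withCert, withoutCert
}

func main() { log.Println(Probe()) }
```

The captured log shows the reason after the peer address, which is the part to compare with the `EOF` in the lines above.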
lorepas commented Oct 3, 2023

Hello @jeroiraz ! Any news about this issue?

jeroiraz commented Oct 3, 2023

> Hello @jeroiraz ! Any news about this issue?

Hello @lorepas, we didn't have the time to work on it yet.

Because either we need to enable mtls for certain users or provide a way to provision certificates to the webconsole...

lorepas commented Oct 11, 2023

> > Hello @jeroiraz ! Any news about this issue?
>
> Hello @lorepas, we didn't have the time to work on it yet.
>
> Because either we need to enable mtls for certain users or provide a way to provision certificates to the webconsole...

Thank you for the reply @jeroiraz ! FYI as a workaround I exposed the UI under an NGINX (in this way I'm able to access with HTTPS) and the connection with the postgres protocol under the pgbouncer (in this way I'm able to connect with postgres in TLS).

lorepas commented Feb 15, 2024

Hi @jeroiraz, do you think that in version 2.x there will be the possibility to access over mTLS both the Web UI and the ImmuDB database with the immuadmin and immuclient command line clients?
