Trouble starting dgraph with TLS
I am trying to start a dgraph server with TLS enabled; my server config file is defined as follows:
# Folder in which to store exports.
export: export
# Fraction of dirty posting lists to commit every few seconds.
gentlecommit: 0.33
# RAFT ID that this server will use to join RAFT groups.
idx: 1
# Port to run server on. (default 8080)
port: 8080
# GRPC port to run server on. (default 9080)
grpc_port: 9080
# Port used by worker for internal communication.
workerport: 12345
# Estimated memory the process can take. Actual usage would be slightly more
memory_mb: 4096
# The ratio of queries to trace.
trace: 0.33
# Directory to store posting lists.
p: p
# Directory to store raft write-ahead logs.
w: w
# Debug mode for testing.
debugmode: true
# Address of dgraphzero
peer: localhost:8888
# Use TLS connections with clients.
tls.on: true
# CA Certs file path.
#tls.ca_certs: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem
# Include System CA into CA Certs.
tls.use_system_ca: true
# Certificate file path.
tls.cert: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem
# Certificate key file path.
tls.cert_key: /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.key
# Certificate key passphrase.
#tls.cert_key_passphrase string
# Enable TLS client authentication
#tls.client_auth string
# TLS max version. (default "TLS12")
#tls.max_version string
# TLS min version. (default "TLS11")
#tls.min_version string
Once I start dgraphzero and dgraph with tls.on set to true in the config, this output is shown:
Setting up listener at: localhost:8888
Setting up listener at: localhost:8889
2017/10/19 16:09:36 main.go:163: Loading configuration from file: development.conf
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["export" = export]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["grpc_port" = 9080]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["workerport" = 12345]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["p" = p]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.ca_certs" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["memory_mb" = 4096]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["peer" = localhost:8888]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["gentlecommit" = 0.33]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["idx" = 1]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["port" = 8080]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["trace" = 0.33]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.on" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.cert" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.pem]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["w" = w]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["debugmode" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.use_system_ca" = true]
2017/10/19 16:09:36 init.go:74: Picked flag from config: ["tls.cert_key" = /Users/pauloferreira/Workspace/RagnarTech/Node/base_backend_njs/certificates/development/development-server-root-CA.key]
Dgraph version : v0.8.3
Commit SHA-1 : 40175d0
Commit timestamp : 2017-10-18 15:55:02 +1100
Branch : HEAD
2017/10/19 16:09:36 node.go:234: Found hardstate: {Term:2 Vote:1 Commit:4 XXX_unrecognized:[]}
2017/10/19 16:09:36 node.go:246: Group 0 found 4 entries
2017/10/19 16:09:36 raft.go:292: Restarting node for dgraphzero
2017/10/19 16:09:36 raft.go:567: INFO: 1 became follower at term 2
2017/10/19 16:09:36 raft.go:315: INFO: newRaft 1 [peers: [], term: 2, commit: 4, applied: 0, lastindex: 4, lastterm: 2]
Running Dgraph zero...
2017/10/19 16:09:36 open : no such file or directory
I can't find what is causing the error "open : no such file or directory". Has anyone run into this? I am on MacOS 10.12.3 (16D32) and installed dgraph version v0.8.3 with the command curl https://get.dgraph.io -sSf | bash
Thanks in advance.
I think this is a bug (update: it has since been confirmed as a bug and is fixed).
I tried running it on Ubuntu, but I hit the same error with tls.on.
Next I found the semi-manual test suite for tls here.
Running it confirmed the bug; the tests needed a small tweak (adding --memory_mb 2048), but after that the same error was reproduced.
To confirm this I also downloaded the dgraph source and checked what happens under the delve debugger:
1) The config file is parsed and the parameters are saved into global vars
2) The TLS-related parameters are used to create the tlsCfg
- here we can already see the problem: not all of the parameters are passed through, e.g. tlsKey and tlsKeyPath are both missing
3) If we look deeper into tls_helper.go, where TLS is actually configured, we can see that the parameters from the config are passed into the parseCertificate method
4) Here config.Key and config.KeyPassphrase are used, but they are empty
182: func GenerateTLSConfig(config TLSHelperConfig) (tlsCfg *tls.Config, reloadConfig func(), err error) {
183: wrapper := new(wrapperTLSConfig)
184: tlsCfg = new(tls.Config)
185: wrapper.config = tlsCfg
186:
=> 187: cert, err := parseCertificate(config.CertRequired, config.Cert, config.Key, config.KeyPassphrase)
188: if err != nil {
189: return nil, nil, err
190: }
191:
192: if cert != nil {
(dlv) p config.CertRequired
true
(dlv) p config.Cert
"/home/seb/web/dgraph-test/test2.crt"
(dlv) p config.Key
""
(dlv) p config.KeyPassphrase
parseCertificate then fails when it tries to read the file at the certificate key path.
I have posted an issue on github.