TLS Configuration 'data_channel' strange error
raulk89
Hi
Vertica 11.1.1
I am trying to set TLS for data_channel, and get the following error.
dbadmin=> ALTER TLS CONFIGURATION data_channel CERTIFICATE imported_cert ADD CA CERTIFICATES imported_ca TLSMODE 'VERIFY_CA';
WARNING 10430: Verify error: unable to get local issuer certificate
ROLLBACK 10426: TLS Configuration 'data_channel' being used for data channel encryption must have a certificate chain that ends in a self signed CA certificate
I have used the same certificates for server as well.
     name     |  owner  |  certificate  | ca_certificate | cipher_suites |  mode
--------------+---------+---------------+----------------+---------------+--------
 server       | dbadmin | imported_cert | imported_ca    |               | ENABLE
I have other environments where I used the same certificates for server and data_channel. Both were signed with the company CA, although these were configured with Vertica version 11.0.x.
What does this error tell me exactly?
Regards
Raul
Comments
You can get more detail on SSL/TLS configuration by running:
SELECT SECURITY_CONFIG_CHECK('ALL');
This might show any difference in configuration. Let us know whether this gives more info.
This is the only difference.
The left one is the one where I created a new cluster with version 11.1.1
(the right one was created before, on 11.0.x etc.).
Both are using the same CA, key, and cert.
Regards
Raul
That only tells us that ALTER TLS CONFIGURATION isn't working on the new cluster. Is it possible that another certificate was imported on the existing cluster? Please check the following tables:
-- do NOT share this table. Let us know if any significant differences.
dbadmin=> select * from tls_configurations;
-- do NOT share this table. Use a tool like diff to compare fields/contents. Order by name may not produce same result on both clusters.
dbadmin=> select * from certificates order by name;
You may wish to open a support case to review configuration details.
Problem is only with the data_channel TLS configuration.
On the previous cluster, where it is working, I only have 2 certs.
I tried with the same certs on the new 11.1.1 installation; "server" I was able to ENABLE, but "data_channel" not.
The tls_configurations table does not have any secrets. This is the difference. The left one is the one where I have the problem at the moment. I cannot enable "data_channel".
Regards
Raul
Here is something that creates a self-signed CA:
https://www.vertica.com/docs/11.1.x/HTML/Content/Authoring/Security/TLS/DataChannelTLS.htm
Does it mean I cannot use the company CA for data_channel?
Seems strange.
Regards
Raul
You should be able to use the exact same certificates, CAs, and commands in different 11.x versions.
Did you check vertica.log after running ALTER TLS CONFIGURATION on data_channel? There is likely more detailed logging and hopefully a more informative error in the log. Check on the node where you connect to run the ALTER TLS CONFIG statement for the detail log.
The vertica.log file did not have anything in addition.
I noticed that Vertica does not like a certificate chain where there is an intermediate as well:
At first I imported the intermediate CA as the CA and the certificate as the cert. Then I got the error that I mentioned in the first post.
But now what I did: I imported the root CA instead of the intermediate CA as the CA certificate, and then concatenated "intermediateCA+certificate" into a separate file and used this file as the certificate.
Also, this third command gave me a warning:
But then the data_channel TLS was enabled successfully
Glad you sorted it out. I raised an enhancement request for our documentation to better clarify how to configure certs with intermediate CAs.
Thanks for that. :)
Regards
Raul