TLS Configuration 'data_channel' strange error

raulk89raulk89 Community Edition User
edited June 2022 in General Discussion

Hi

Vertica 11.1.1

I am trying to set TLS for data_channel, and get the following error.

dbadmin=> ALTER TLS CONFIGURATION data_channel CERTIFICATE imported_cert ADD CA CERTIFICATES imported_ca TLSMODE 'VERIFY_CA';
WARNING 10430: Verify error: unable to get local issuer certificate
ROLLBACK 10426: TLS Configuration 'data_channel' being used for data channel encryption must have a certificate chain that ends in a self signed CA certificate

I have used the same certificates for server as well.

     name     |  owner  |  certificate  | ca_certificate | cipher_suites |  mode
--------------+---------+---------------+----------------+---------------+---------
server       | dbadmin | imported_cert | imported_ca    |               | ENABLE

I have another environments, where I used same certificates for server and data_channel. Both were signed with company CA. Although these were configured with vertica version 11.0.x

What does this error tell me exactly..?

Regards
Raul

Comments

  • Bryan_HBryan_H Vertica Employee Administrator

    You can get more detail on SSL/TLS configuration by running:
    SELECT SECURITY_CONFIG_CHECK('ALL');
    This might show any difference in configuration. Let us know whether this gives more info.

  • raulk89raulk89 Community Edition User

    This is the only difference.
    Left one is the one where I created new cluster with version 11.1.1
    (right one was created before, 11.0.x etc..)
    Both using same CA, key, and sert.

    Regards
    Raul

  • Bryan_HBryan_H Vertica Employee Administrator

    That only tells us that ALTER TLS CONFIGURATION isn't working on the new cluster. Is it possible that another certificate was imported on the existing cluster? Please check the following tables:
    -- do NOT share this table. Let us know if any significant differences.
    dbadmin=> select * from tls_configurations;
    -- do NOT share this table. Use a tool like diff to compare fields/contents. Order by name may not produce same result on both clusters.
    dbadmin=> select * from certificates order by name;
    You may wish to open a support case to review configuration details.

  • raulk89raulk89 Community Edition User
    edited June 2022

    Problem is only with the data_channel TLS configuration.

    On previous cluster, where it is working, I only have 2 certs.

    dbadmin=> select name, epoch, start_date, expiration_date from v_catalog.certificates;
         name      | epoch |       start_date       |    expiration_date
    ---------------+-------+------------------------+------------------------
     imported_ca   |       | 2015-04-23 01:23:31+03 | 2030-04-23 01:33:27+03
     imported_cert |       | 2021-05-25 08:52:52+03 | 2024-05-24 08:52:52+03
    (2 rows)
    

    Tried with the same certs on new 11.1.1 installation, "server" I was able to ENABLE, but "data_channel" not.

    tls_configurations table does not have any secrets. This is the difference. Left one is the one where I have problem at the moment. I can not enable "data_channel".

    Regards
    Raul

  • raulk89raulk89 Community Edition User

    Here is something that it creates self signed CA:
    https://www.vertica.com/docs/11.1.x/HTML/Content/Authoring/Security/TLS/DataChannelTLS.htm

    Does it mean, I cannot use company CA for data_channel..?
    Seems strange.

    Regards
    Raul

  • Bryan_HBryan_H Vertica Employee Administrator

    You should be able to use the exact same certificates, CA's, commands in different 11.x versions.
    Did you check vertica.log after running ALTER TLS CONFIGURATION on data_channel? There is likely more detailed logging and hopefully a more informative error in the log. Check on the node where you connect to run the ALTER TLS CONFIG statement for the detail log.

  • raulk89raulk89 Community Edition User
    edited June 2022

    vertica.log file did not have anything in addition.

    I noticed that vertica does not like certificate chain where there is intermediate as well:

    "rootCA -> intermediateCA -> certificate"

    At first I imported intermediateCA as a CA and certificate as cert. Then I got this error that I mentioned in first post.

    But now what I did, I imported rootCA instead of intermediateCA as CA certificate and then concated "intermiediateCA+certificate" to sperate file and used this file as a certificate.

    echo "CREATE CA CERTIFICATE imported_ca_root AS '$(cat /etc/pki/tls/certs/RootCA.crt)';" | vsql
    echo "CREATE KEY imported_key TYPE 'RSA' AS '$(cat /etc/pki/tls/private2/vertica-rsa.key)';" | vsql
    echo "CREATE CERTIFICATE imported_cert AS '$(cat /home/dbadmin/fullchain.crt)' SIGNED BY imported_ca_root KEY imported_key;" | vsql
    

    Also, this third command gave me a warning:

    $ echo "CREATE CERTIFICATE imported_cert AS '$(cat /home/dbadmin/fullchain.crt)' SIGNED BY imported_ca_root KEY imported_key;" | vsql
    WARNING 9552: A chain of certificates and SIGNED BY was given. Using the chain of certs as the signer

    But then the data_channel TLS was enabled successfully

    dbadmin=> ALTER TLS CONFIGURATION data_channel CERTIFICATE imported_cert;
    ALTER TLS CONFIGURATION
    
  • SergeBSergeB - Select Field - Employee

    Glad you sorted it out. I raised an enhancement request for our documentation to better clarify how to configure certs with intermediate CAs.

  • raulk89raulk89 Community Edition User

    Thanks for that..:)

    Regards
    Raul

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file