Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.7.0
- Security Level: Public
- None
- CBG Sprint 35, CBG Sprint 36
- 3
- Critical
Description
SG 2.7.0 is not able to connect to CBS with x509 cert auth. The connection works fine with password-based auth.
Environment:
SG 2.7.0-137
CBS 6.5.0-4821
CBL (iOS) - 2.7.0-91
Steps to Reproduce:
- Install CBS and use gen_keystore.sh to generate and install certs for x509-based auth. Example command: ./gen_keystore.sh 172.16.1.205 travel-sample
- Install SG and use the sync_gateway.json below:
{
  "adminInterface": "0.0.0.0:4985",
  "compressResponses": false,
  "databases": {
    "db": {
      "allow_conflicts": false,
      "bucket": "travel-sample",
      "cacertpath": "/home/sync_gateway/certs/ca.pem",
      "certpath": "/home/sync_gateway/certs/chain.pem",
      "enable_shared_bucket_access": true,
      "import_docs": "continuous",
      "keypath": "/home/sync_gateway/certs/pkey.key",
      "server": "couchbases://172.16.1.205:",
      "use_views": true
    }
  },
  "interface": ":4984",
  "logging": {
    "debug": {
      "enabled": true
    }
  },
  "maxFileDescriptors": 90000,
  "maxIncomingConnections": 0
}
- Run the command: service sync_gateway start
Actual Result:
SG fails to start and throws the error below:
2019-11-20T12:40:27.746+05:30 ==== Couchbase Sync Gateway/2.7.0(137;05d5126) EE ====
2019-11-20T12:40:27.865+05:30 [ERR] cbgt index creation failed: manager_api: failed to connect to or retrieve information from source, sourceType: couchbase, sourceName: travel-sample, sourceUUID: e56f6f4890b825fcabafdf1c1c2d0f4c, err: gocouchbase_helper: CouchbaseBucket connection failed, server: https://172.16.1.205:18091, poolName: default, bucketName: travel-sample, sourceParams: "{\"includeXAttrs\":true}", err: HTTP error 401 Unauthorized getting "https://172.16.1.205:18091/pools": , please check that your authUser and authPassword are correct and that your couchbase cluster ("https://172.16.1.205:18091") is available -- base.(*CbgtContext).StartManager() at dcp_sharded.go:286
2019-11-20T12:40:27.865+05:30 [ERR] Error opening database db: manager_api: failed to connect to or retrieve information from source, sourceType: couchbase, sourceName: travel-sample, sourceUUID: e56f6f4890b825fcabafdf1c1c2d0f4c, err: gocouchbase_helper: CouchbaseBucket connection failed, server: https://172.16.1.205:18091, poolName: default, bucketName: travel-sample, sourceParams: "{\"includeXAttrs\":true}", err: HTTP error 401 Unauthorized getting "https://172.16.1.205:18091/pools": , please check that your authUser and authPassword are correct and that your couchbase cluster ("https://172.16.1.205:18091") is available -- rest.RunServer() at config.go:1020
Expected Result:
SG should be able to connect to CBS with x509 cert without any error
Logs:
Available in the attachment fields
Steps to generate certs and install them in CBS:
1. Download all the files available here - https://github.com/couchbaselabs/mobile-testkit/tree/master/resources/x509_cert_gen
2. Add the CBS IP on the last line of openssl-san.cnf:
(venv) LFC:certs lfc$ cat openssl-san.cnf
[req]
x509_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:true
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.16.1.205
3. Create a user "travel-sample" in CBS with "Full Admin" access
4. Run the command ./gen_keystore.sh <CBS_IP> <CBS_USERNAME> <CBS_HOST_SSH_PASSWORD>, for example:
./gen_keystore.sh 172.16.1.205 travel-sample couchbase
Adam Fraser and Sridevi Saragadam,
So here are my findings -
Tests are passing with CBS 6.0.3 with and without x509. However, with 6.5.0, tests are passing only when indexing is through views; for GSI, SG is not able to connect to CBS.
Logs for SG and CBS 6.5.0 cluster - CBS_6.5.0-2783_SSL_2.7.0_145.zip