Details
-
Bug
-
Resolution: Fixed
-
Major
-
2.7.0
-
Security Level: Public
-
None
-
CBG Sprint 35, CBG Sprint 36
-
3
-
Critical
Description
SG 2.7.0 is not able to connect to CBS with x509 cert auth. Connection is working fine with password base auth.
Environment:
SG 2.7.0-137
CBS 6.5.0-4821
CBL (iOS) - 2.7.0-91
Steps to Reproduce:
- Install CBS and use gen_keystore.sh to install and generate certs for x509 based auth.Example command: ./gen_keystore.sh 172.16.1.205 travel-sample
- Install SG and use below sync_gateway.json
{"adminInterface": "0.0.0.0:4985","compressResponses": false,"databases": {"db": {"allow_conflicts": false,"bucket": "travel-sample","cacertpath": "/home/sync_gateway/certs/ca.pem","certpath": "/home/sync_gateway/certs/chain.pem","enable_shared_bucket_access": true,"import_docs": "continuous","keypath": "/home/sync_gateway/certs/pkey.key","server": "couchbases://172.16.1.205:","use_views": true}},"interface": ":4984","logging": {"debug": {"enabled": true}},"maxFileDescriptors": 90000,"maxIncomingConnections": 0}} - Run command service sync_gateway start
Actual Result:
SG fails to start and throws below error -
2019-11-20T12:40:27.746+05:30 ==== Couchbase Sync Gateway/2.7.0(137;05d5126) EE ====
|
2019-11-20T12:40:27.746+05:30 ==== Couchbase Sync Gateway/2.7.0(137;05d5126) EE ====
|
2019-11-20T12:40:27.865+05:30 [ERR] cbgt index creation failed: manager_api: failed to connect to or retrieve information from source, sourceType: couchbase, sourceName: travel-sample, sourceUUID: e56f6f4890b825fcabafdf1c1c2d0f4c, err: gocouchbase_helper: CouchbaseBucket connection failed, server: https://172.16.1.205:18091, poolName: default, bucketName: travel-sample, sourceParams: "{\"includeXAttrs\":true}", err: HTTP error 401 Unauthorized getting "https://172.16.1.205:18091/pools": , please check that your authUser and authPassword are correct and that your couchbase cluster ("https://172.16.1.205:18091") is available -- base.(*CbgtContext).StartManager() at dcp_sharded.go:286
|
2019-11-20T12:40:27.865+05:30 [ERR] Error opening database db: manager_api: failed to connect to or retrieve information from source, sourceType: couchbase, sourceName: travel-sample, sourceUUID: e56f6f4890b825fcabafdf1c1c2d0f4c, err: gocouchbase_helper: CouchbaseBucket connection failed, server: https://172.16.1.205:18091, poolName: default, bucketName: travel-sample, sourceParams: "{\"includeXAttrs\":true}", err: HTTP error 401 Unauthorized getting "https://172.16.1.205:18091/pools": , please check that your authUser and authPassword are correct and that your couchbase cluster ("https://172.16.1.205:18091") is available -- rest.RunServer() at config.go:1020
|
Expected Result:
SG should be able to connect to CBS with x509 cert without any error
Logs :
Available in attachment fields
Steps to generate Certs and installed in CBS:
1. Download all the files available here - https://github.com/couchbaselabs/mobile-testkit/tree/master/resources/x509_cert_gen
2. Add CBS IP at the last line of openssl-san.cnf
(venv) LFC:certs lfc$ cat openssl-san.cnf
|
[req]
|
x509_extensions = v3_req
|
distinguished_name = req_distinguished_name
|
|
|
|
|
[req_distinguished_name]
|
|
|
|
|
[ v3_req ]
|
|
|
|
|
# Extensions to add to a certificate request
|
|
|
|
|
basicConstraints = CA:true
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
subjectAltName = @alt_names
|
|
|
|
|
[alt_names]
|
IP.1 = 172.16.1.205
|
3. Create a user "travel-sample" in CBS with "Full Admin" access
4. run command ./gen_keystore.sh <CBS_IP> <CBS_USERNAME> <CBS_HOST_SSH_PASSWORD>
./gen_keystore.sh 172.16.1.205 travel-sample couchbase
|
