Details
- Bug
- Resolution: Incomplete
- Critical
- None
- None
- 1
Description
Repro:
Set up a single-node cluster, explicitly specifying the hostname as the node's IP address (if the hostname is left blank the node is registered as 127.0.0.1, and that case works).
OR
Set up a multi-node cluster, where the host IPs become the node hostnames by default.
Also enable encryption.
Because of the hostname setup, the TLS certificate covers the actual host addresses, not the loopback address 127.0.0.1.
Connect with gocbcore using the connection string couchbases://127.0.0.1 with HTTP bootstrap
and UseTLS=true.
The connection fails with:
_time=2021-04-15T18:08:45.621-07:00 _level=INFO _msg=(GOCBCORE) SDK Version: gocbcore/v9.1.3
_time=2021-04-15T18:08:45.622-07:00 _level=INFO _msg=(GOCBCORE) Creating new agent: {MemdAddrs:[] HTTPAddrs:[<sd>127.0.0.1:18091<sd>] BucketName:<md>default<md> UserAgent:default UseTLS:true NetworkType: Auth:0x3c0a550 TLSRootCAProvider:0x1fa29d0 UseMutationTokens:false UseCompression:false UseDurations:false DisableDecompression:false UseOutOfOrderResponses:false DisableXErrors:false DisableJSONHello:false DisableSyncReplicationHello:false UseCollections:true CompressionMinSize:0 CompressionMinRatio:0 HTTPRedialPeriod:0s HTTPRetryDelay:0s HTTPMaxWait:0s CccpMaxWait:0s CccpPollPeriod:0s ConnectTimeout:10s KVConnectTimeout:7s KvPoolSize:8 MaxQueueSize:32768 HTTPMaxIdleConns:0 HTTPMaxIdleConnsPerHost:0 HTTPIdleConnectionTimeout:0s Tracer:<nil> NoRootTraceSpans:false DefaultRetryStrategy:0xc0000e2330 CircuitBreakerConfig:{Enabled:false VolumeThreshold:0 ErrorThresholdPercentage:0 SleepWindow:0s RollingWindow:0s CompletionCallback:<nil> CanaryTimeout:0s} UseZombieLogger:false ZombieLoggerInterval:0s ZombieLoggerSampleSize:0 AuthMechanisms:[]}
_time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) CCCP Looper starting.
_time=2021-04-15T18:08:45.622-07:00 _level=INFO _msg=(GOCBCORE) CCCPPOLL: No nodes available to poll, return upstream
_time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) HTTP Looper starting.
_time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) Http Picked: https://127.0.0.1:18091.
_time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) HTTP Hostname: 127.0.0.1.
_time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) Requesting config from: https://127.0.0.1:18091//pools/default/bs/default.
_time=2021-04-15T18:08:45.622-07:00 _level=TRACE _msg=(GOCBCORE) Writing HTTP request to https://127.0.0.1:18091/pools/default/bs/default ID=42a7ae90-530e-4d52-a48b-dc404a2d6e1f
_time=2021-04-15T18:08:45.628-07:00 _level=TRACE _msg=(GOCBCORE) Received HTTP Response for ID=42a7ae90-530e-4d52-a48b-dc404a2d6e1f, errored
_time=2021-04-15T18:08:45.628-07:00 _level=WARN _msg=(GOCBCORE) Failed to connect to host. Get https://127.0.0.1:18091/pools/default/bs/default: x509: certificate is valid for 172.23.97.79, not 127.0.0.1
_time=2021-04-15T18:08:45.628-07:00 _level=DEBUG _msg=(GOCBCORE) Pick Failed.
_time=2021-04-15T18:08:45.628-07:00 _level=DEBUG _msg=(GOCBCORE) Looper waiting...
_time=2021-04-15T18:08:48.806-07:00 _level=DEBUG _msg= Credentials for user <ud>@prometheus</ud>
Server components (N1QL, FTS) only know the local address http://127.0.0.1:8091, and that is what we can pass to gocbcore. gocbcore should fetch the cluster config, derive the actual hostnames of the nodes from it, and connect to those (using SSL when UseTLS is set).
The nodeServices endpoint returns the actual hostname even when queried on localhost:
curl -u Administrator:password http://localhost:8091/pools/default/nodeServices
{"rev":44,"nodesExt":[{"services":{"capi":8092,"capiSSL":18092,"indexAdmin":9100,"indexHttp":9102,"indexHttps":19102,"indexScan":9101,"indexStreamCatchup":9104,"indexStreamInit":9103,"indexStreamMaint":9105,"kv":11210,"kvSSL":11207,"mgmt":8091,"mgmtSSL":18091,"n1ql":8093,"n1qlSSL":18093,"projector":9999},"thisNode":true,"hostname":"172.23.97.79"}],"clusterCapabilitiesVer":[1,0],"clusterCapabilities":{"n1ql":["enhancedPreparedStatements"]}}
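The derivation step proposed above, as an added example (not gocbcore's own code or the reporter's): parse the nodeServices reply quoted above and build the TLS service addresses from the hostname the cluster advertises, so that the x509 name check matches the certificate. The fallback to the bootstrap host when a node entry omits "hostname" is an assumption, not behaviour documented on this page.

```go
package main

import (
	"encoding/json"
	"net"
	"strconv"
)

// sampleNodeServices is the /pools/default/nodeServices reply quoted above (from the page).
const sampleNodeServices = `{"rev":44,"nodesExt":[{"services":{"capi":8092,"capiSSL":18092,"indexAdmin":9100,"indexHttp":9102,"indexHttps":19102,"indexScan":9101,"indexStreamCatchup":9104,"indexStreamInit":9103,"indexStreamMaint":9105,"kv":11210,"kvSSL":11207,"mgmt":8091,"mgmtSSL":18091,"n1ql":8093,"n1qlSSL":18093,"projector":9999},"thisNode":true,"hostname":"172.23.97.79"}],"clusterCapabilitiesVer":[1,0],"clusterCapabilities":{"n1ql":["enhancedPreparedStatements"]}}`

// nodeServices mirrors only the parts of the nodeServices document used here.
type nodeServices struct {
	NodesExt []struct {
		Services map[string]int `json:"services"`
		ThisNode bool           `json:"thisNode"`
		Hostname string         `json:"hostname"`
	} `json:"nodesExt"`
}

// Endpoint is a service name and the host:port a TLS client should dial for it.
type Endpoint struct {
	Service string
	Addr    string
}

// DeriveTLSEndpoints returns the *SSL service addresses built from the hostname
// the cluster advertises, so the certificate name check matches. bootstrapHost
// is used when a node entry omits "hostname" (an assumed fallback, not on the page).
func DeriveTLSEndpoints(doc []byte, bootstrapHost string) ([]Endpoint, error) {
	var ns nodeServices
	if err := json.Unmarshal(doc, &ns); err != nil {
		return nil, err
	}
	var out []Endpoint
	for _, n := range ns.NodesExt {
		host := n.Hostname
		if host == "" {
			host = bootstrapHost // assumption: no advertised name means the node we bootstrapped from
		}
		for _, svc := range []string{"mgmtSSL", "kvSSL", "n1qlSSL"} {
			if port, ok := n.Services[svc]; ok { // skip services this node does not run
				out = append(out, Endpoint{svc, net.JoinHostPort(host, strconv.Itoa(port))})
			}
		}
	}
	return out, nil
}
```

Dialling 172.23.97.79:18091 instead of 127.0.0.1:18091 is what makes the certificate in the log above validate; the plain-HTTP localhost fetch is only needed to obtain this document.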
I have checked with Abhi Dangeti; they never set useTLS on the config. Without that, TLS is never used.
NOTE: If I am right, at present only remote nodes are encrypted, not local nodes (this allows the config to be received faster over non-SSL). There is no option to pass that info to gocbcore.
Attachments
Issue Links
- is triggered by
  - MB-45700 [TXN] Transaction fetch error on cluster with node to node encryption (Closed)
- relates to
  - GOCBC-1090 SDK should allow localhost nodes to use non-TLS when TLS is otherwise enabled. (Resolved)