Couchbase Go SDK: GOCBC-1084

Multi-node cluster not able to use TLS when localhost is specified


Details

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Critical
    • Component: library

    Description

      Repro:

      Set up a single-node cluster, explicitly specifying the hostname as an IP address (if left blank it picks 127.0.0.1, which works).
      OR
      Set up a multi-node cluster, in which the host IPs become the hostnames by default.

      Also enable encryption.

      Because a hostname is set, the TLS config has the actual hosts, not the loopback address 127.0.0.1.

      Connect gocbcore using the connection string couchbases://127.0.0.1 with HTTP bootstrap
      and UseTLS=true.
      The connection fails with:

      _time=2021-04-15T18:08:45.621-07:00 _level=INFO _msg=(GOCBCORE) SDK Version: gocbcore/v9.1.3
      _time=2021-04-15T18:08:45.622-07:00 _level=INFO _msg=(GOCBCORE) Creating new agent: {MemdAddrs:[] HTTPAddrs:[<sd>127.0.0.1:18091<sd>] BucketName:<md>default<md> UserAgent:default UseTLS:true NetworkType: Auth:0x3c0a550 TLSRootCAProvider:0x1fa29d0 UseMutationTokens:false UseCompression:false UseDurations:false DisableDecompression:false UseOutOfOrderResponses:false DisableXErrors:false DisableJSONHello:false DisableSyncReplicationHello:false UseCollections:true CompressionMinSize:0 CompressionMinRatio:0 HTTPRedialPeriod:0s HTTPRetryDelay:0s HTTPMaxWait:0s CccpMaxWait:0s CccpPollPeriod:0s ConnectTimeout:10s KVConnectTimeout:7s KvPoolSize:8 MaxQueueSize:32768 HTTPMaxIdleConns:0 HTTPMaxIdleConnsPerHost:0 HTTPIdleConnectionTimeout:0s Tracer:<nil> NoRootTraceSpans:false DefaultRetryStrategy:0xc0000e2330 CircuitBreakerConfig:{Enabled:false VolumeThreshold:0 ErrorThresholdPercentage:0 SleepWindow:0s RollingWindow:0s CompletionCallback:<nil> CanaryTimeout:0s} UseZombieLogger:false ZombieLoggerInterval:0s ZombieLoggerSampleSize:0 AuthMechanisms:[]}
      _time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) CCCP Looper starting.
      _time=2021-04-15T18:08:45.622-07:00 _level=INFO _msg=(GOCBCORE) CCCPPOLL: No nodes available to poll, return upstream
      _time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) HTTP Looper starting.
      _time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) Http Picked: https://127.0.0.1:18091.
      _time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) HTTP Hostname: 127.0.0.1.
      _time=2021-04-15T18:08:45.622-07:00 _level=DEBUG _msg=(GOCBCORE) Requesting config from: https://127.0.0.1:18091//pools/default/bs/default.
      _time=2021-04-15T18:08:45.622-07:00 _level=TRACE _msg=(GOCBCORE) Writing HTTP request to https://127.0.0.1:18091/pools/default/bs/default ID=42a7ae90-530e-4d52-a48b-dc404a2d6e1f
      _time=2021-04-15T18:08:45.628-07:00 _level=TRACE _msg=(GOCBCORE) Received HTTP Response for ID=42a7ae90-530e-4d52-a48b-dc404a2d6e1f, errored
      _time=2021-04-15T18:08:45.628-07:00 _level=WARN _msg=(GOCBCORE) Failed to connect to host. Get https://127.0.0.1:18091/pools/default/bs/default: x509: certificate is valid for 172.23.97.79, not 127.0.0.1
      _time=2021-04-15T18:08:45.628-07:00 _level=DEBUG _msg=(GOCBCORE) Pick Failed.
      _time=2021-04-15T18:08:45.628-07:00 _level=DEBUG _msg=(GOCBCORE) Looper waiting...
      _time=2021-04-15T18:08:48.806-07:00 _level=DEBUG _msg= Credentials for user <ud>@prometheus</ud>
      

      Server components (N1QL, FTS) only know the local address http://127.0.0.1:8091; we can pass that to gocbcore. gocbcore should get the cluster config, derive the actual hosts of the nodes from it, and connect to those (using SSL if UseTLS is set).

      nodeServices gives the actual hostname even when run on localhost:

      curl -u Administrator:password http://localhost:8091/pools/default/nodeServices
      {"rev":44,"nodesExt":[{"services":{"capi":8092,"capiSSL":18092,"indexAdmin":9100,"indexHttp":9102,"indexHttps":19102,"indexScan":9101,"indexStreamCatchup":9104,"indexStreamInit":9103,"indexStreamMaint":9105,"kv":11210,"kvSSL":11207,"mgmt":8091,"mgmtSSL":18091,"n1ql":8093,"n1qlSSL":18093,"projector":9999},"thisNode":true,"hostname":"172.23.97.79"}],"clusterCapabilitiesVer":[1,0],"clusterCapabilities":{"n1ql":["enhancedPreparedStatements"]}}
      

      I have checked with Abhi Dangeti; they never set UseTLS on the config. Without that, TLS is never used.

      NOTE: If I am right, at present only remote nodes are encrypted, not local nodes (this allows the config to be received faster over non-SSL). There is no option to pass that info to gocbcore.
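The behaviour asked for in the report, as an added example that is not gocbcore's own code and not the reporter's: read the nodeServices response, take each node's advertised hostname (not the 127.0.0.1 bootstrap address) as both the dial target and the name to verify the certificate against, and show why dialling 127.0.0.1 fails verification. The JSON is a trimmed copy of the response quoted above (constructed sample); the rule that an entry with no "hostname" falls back to the bootstrap host is an assumption about the SDK's convention; the self-signed certificate with a single IP SAN stands in for the node certificate; the function names tlsEndpoints, selfSignedFor and hostnameMatches are hypothetical. The secure fix is to point tls.Config.ServerName at the advertised host, never to set InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed sample: the nodeServices response quoted in the report,
// trimmed to the fields this example reads.
const sampleNodeServices = `{"rev":44,"nodesExt":[{"services":{"kv":11210,"kvSSL":11207,"mgmt":8091,"mgmtSSL":18091},"thisNode":true,"hostname":"172.23.97.79"}]}`

// nodeServices mirrors the subset of /pools/default/nodeServices used here.
type nodeServices struct {
	NodesExt []struct {
		Services map[string]int `json:"services"`
		ThisNode bool           `json:"thisNode"`
		Hostname string         `json:"hostname"`
	} `json:"nodesExt"`
}

// Endpoint is a host:port the client should dial plus the name it must
// verify the server certificate against (tls.Config.ServerName).
type Endpoint struct {
	Service    string // "mgmtSSL" or "kvSSL"
	Addr       string // host:port to dial
	ServerName string // name the certificate must be valid for
}

// tlsEndpoints derives TLS endpoints from a nodeServices body. The host is the
// node's advertised hostname, not the bootstrap address: the node certificate
// is issued for the advertised name, so dialling 127.0.0.1 fails exactly as
// the log in the report shows. An entry with no hostname is assumed to be the
// bootstrap node itself (assumption; the usual SDK convention).
func tlsEndpoints(bootstrapHost string, body []byte) ([]Endpoint, error) {
	var cfg nodeServices
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, fmt.Errorf("parse nodeServices: %w", err)
	}
	var eps []Endpoint
	for _, n := range cfg.NodesExt {
		host := n.Hostname
		if host == "" {
			host = bootstrapHost
		}
		for _, svc := range []string{"mgmtSSL", "kvSSL"} {
			port, ok := n.Services[svc]
			if !ok {
				continue // this node does not expose the service over TLS
			}
			eps = append(eps, Endpoint{Service: svc, Addr: net.JoinHostPort(host, fmt.Sprint(port)), ServerName: host})
		}
	}
	if len(eps) == 0 {
		return nil, fmt.Errorf("no TLS endpoints advertised; cluster encryption may be off")
	}
	return eps, nil
}

// selfSignedFor issues a throwaway self-signed certificate whose only SAN is
// the given IP, standing in for the cluster's node certificate.
func selfSignedFor(ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "couchbase-node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches is the SAN check crypto/tls runs against ServerName; it is
// the step that produced "certificate is valid for 172.23.97.79, not
// 127.0.0.1" in the report. A nil error means the name is covered.
func hostnameMatches(cert *x509.Certificate, serverName string) error {
	return cert.VerifyHostname(serverName)
}

func main() {
	eps, err := tlsEndpoints("127.0.0.1", []byte(sampleNodeServices))
	if err != nil {
		panic(err)
	}
	cert, err := selfSignedFor("172.23.97.79")
	if err != nil {
		panic(err)
	}
	fmt.Println("verify as bootstrap name 127.0.0.1:", hostnameMatches(cert, "127.0.0.1"))
	for _, ep := range eps {
		fmt.Printf("%s -> dial %s, verify as %q: %v\n", ep.Service, ep.Addr, ep.ServerName, hostnameMatches(cert, ep.ServerName))
	}
}
```

Running it prints a HostnameError for 127.0.0.1 and nil for both advertised endpoints. The same split applies to a real connection: bootstrap over the loopback address to fetch the config if that is all the caller knows, then open the TLS sessions to the names the config advertises so certificate verification stays on.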


            People

              brett19 Brett Lawson
              Sitaram.Vemulapalli Sitaram Vemulapalli