Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-28665

[XDCR] x509: "Request doesn't have a client certificate" when client cert is passed in mandatory mode

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 5.5.0
    • 5.5.0
    • cbauth, ns_server
    • Untriaged
    • No

    Description

      Build
      5.5.0-2126

      Please note that neither of the following work in client-cert mandatory mode.

      $ curl -v --cacert /tmp/newcerts77/root.crt --cert-type PEM --cert /tmp/newcerts77/172.23.108.222.pem --key-type PEM --key /tmp/newcerts77/172.23.108.222.key -d name=C2 -d hostname=172.23.106.176:8091 -d username=Administrator -d password=password -d demandEncryption=1 --data-urlencode "certificate=$(cat cert.pem)" -X POST https://172.23.106.139:18091/pools/default/remoteClusters
       
      * About to connect() to 172.23.106.139 port 18091 (#0)
      *   Trying 172.23.106.139...
      * Connected to 172.23.106.139 (172.23.106.139) port 18091 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      *   CAfile: /tmp/newcerts77/root.crt
        CApath: none
      * NSS: client certificate from file
      * 	subject: CN=www.cb-cbadminbucket.com,O=My Company,L=Mountain View,ST=California,C=UA
      * 	start date: Mar 14 05:12:48 2018 GMT
      * 	expire date: Mar 14 05:12:48 2019 GMT
      * 	common name: www.cb-cbadminbucket.com
      * 	issuer: CN=My Company Intermediate CA,O=My Company,C=UA
      * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      * Server certificate:
      * 	subject: CN=www.cb-cbadminbucket.com,O=My Company,L=Mountain View,ST=California,C=UA
      * 	start date: Mar 14 05:12:48 2018 GMT
      * 	expire date: Jan 08 05:12:48 2019 GMT
      * 	common name: www.cb-cbadminbucket.com
      * 	issuer: CN=My Company Intermediate CA,O=My Company,C=UA
      > POST /pools/default/remoteClusters HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: 172.23.106.139:18091
      > Accept: */*
      > Content-Length: 1027
      > Content-Type: application/x-www-form-urlencoded
      > Expect: 100-continue
      > 
      < HTTP/1.1 100 Continue
      < HTTP/1.1 500 Internal Server Error
      < X-XSS-Protection: 1; mode=block
      < X-Permitted-Cross-Domain-Policies: none
      < X-Frame-Options: DENY
      < X-Content-Type-Options: nosniff
      < Server: Couchbase Server
      < Pragma: no-cache
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Date: Wed, 14 Mar 2018 06:07:42 GMT
      < Content-Type: text/plain; charset=utf-8
      < Content-Length: 42
      < Connection: close
      < Cache-Control: no-cache,no-store,must-revalidate
      < 
      Request doesn't have a client certificate
      
      

      curl -v -X POST --cacert /tmp/newcerts77/root.crt --cert /tmp/newcerts77/172.23.108.222.pem --key /tmp/newcerts77/172.23.108.222.key -d name=C2 -d hostname=172.23.106.176:8091 -d username=Administrator -d password=password -d demandEncryption=1 --data-urlencode "certificate=$(cat cert.pem)"  https://Administrator:password@172.23.106.139:18091/pools/default/remoteClusters
      * About to connect() to 172.23.106.139 port 18091 (#0)
      *   Trying 172.23.106.139...
      * Connected to 172.23.106.139 (172.23.106.139) port 18091 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      *   CAfile: /tmp/newcerts77/root.crt
        CApath: none
      * NSS: client certificate from file
      * 	subject: CN=www.cb-cbadminbucket.com,O=My Company,L=Mountain View,ST=California,C=UA
      * 	start date: Mar 14 05:12:48 2018 GMT
      * 	expire date: Mar 14 05:12:48 2019 GMT
      * 	common name: www.cb-cbadminbucket.com
      * 	issuer: CN=My Company Intermediate CA,O=My Company,C=UA
      * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      * Server certificate:
      * 	subject: CN=www.cb-cbadminbucket.com,O=My Company,L=Mountain View,ST=California,C=UA
      * 	start date: Mar 14 05:12:48 2018 GMT
      * 	expire date: Jan 08 05:12:48 2019 GMT
      * 	common name: www.cb-cbadminbucket.com
      * 	issuer: CN=My Company Intermediate CA,O=My Company,C=UA
      * Server auth using Basic with user 'Administrator'
      > POST /pools/default/remoteClusters HTTP/1.1
      > Authorization: Basic QWRtaW5pc3RyYXRvcjpwYXNzd29yZA==
      > User-Agent: curl/7.29.0
      > Host: 172.23.106.139:18091
      > Accept: */*
      > Content-Length: 1027
      > Content-Type: application/x-www-form-urlencoded
      > Expect: 100-continue
      > 
      < HTTP/1.1 100 Continue
      < HTTP/1.1 500 Internal Server Error
      < X-XSS-Protection: 1; mode=block
      < X-Permitted-Cross-Domain-Policies: none
      < X-Frame-Options: DENY
      < X-Content-Type-Options: nosniff
      < Server: Couchbase Server
      < Pragma: no-cache
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Date: Wed, 14 Mar 2018 06:04:46 GMT
      < Content-Type: text/plain; charset=utf-8
      < Content-Length: 42
      < Connection: close
      < Cache-Control: no-cache,no-store,must-revalidate
      < 
      Request doesn't have a client certificate
      * Closing connection 0
      
      

      However in disable mode, I'm able to create the remote cluster reference.

      Source cluster - https://s3.amazonaws.com/cb-engineering/Aruna/collectinfo-2018-03-14T065055-ns_1%40127.0.0.1.zip
      Target cluster - https://s3.amazonaws.com/cb-engineering/Aruna/collectinfo-2018-03-14T065114-ns_1%40127.0.0.1.zip

      Attachments

        Activity

          People

            ajit.yagaty Ajit Yagaty [X] (Inactive)
            apiravi Aruna Piravi (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              PagerDuty