Couchbase Server / MB-48016

[BP 7.0.2] - XDCR - remoteClusterRef sanInCertificate not being set for full encryption



    Description

      Pre-7.0, when contacting a remote cluster whose version is > 4.0, the sanInCertificate variable for the remote cluster reference is set to true.

      This is evident from the following log message:

      2021-08-18T10:33:58.988-07:00 INFO GOXDCR.RemClusterSvc: Set hostName=127.0.0.1:9001, httpsHostName=127.0.0.1:19001, SANInCertificate=true HttpAuthMech=Https for remote cluster reference remoteCluster/LvKr93CauVrLkxVJ2ljxtMpoixEBWDrEGPpkh2r_zuc=

      Since all supported clusters are now > 4.0, there was no longer any need to check against that version. The check was removed as part of the changeset for MB-44823.
      Specifically, in http://review.couchbase.org/c/goxdcr/+/152288/3/utils/utils.go#b2682, the sanInCertificate value that should have been set to true was mistakenly not returned as such.

      This leads to messages like the following once a full-encryption secure reference is created (note that SANInCertificate now differs from the < 7.0 output):

      2021-08-18T10:14:52.263-07:00 INFO GOXDCR.RemClusterSvc: Set hostName=127.0.0.1:9001, httpsHostName=127.0.0.1:19001, SANInCertificate=false HttpAuthMech=Https for remote cluster reference remoteCluster/irMfuRAJh98VHg9Qz6dC94Eu7T8XBaplccOVfgDxc8U=

      Without SANInCertificate being set to true, there can be situations where REST commands come back with errors such as:

      certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0, statusCode=0
      

      The hint is that the error message asks to "use SANs"; pre-7.0, SANInCertificate was set to true, so this error would not have shown up.

      The workaround is to add the environment variable GODEBUG=x509ignoreCN=0, which is why this is not marked as a blocker.
      Regardless, this needs to be fixed and backported to 7.0.2.
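The legacy Common Name failure quoted above, reproduced in isolation as an added Go example (this is not goxdcr code): it mints two constructed self-signed certificates for a hypothetical host, one carrying only a CN and one carrying a matching SAN, and runs Go's own hostname match on each. The hostname, the certificates and the helper names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate (constructed test
// data, not a real cluster certificate); with no sans it has no SAN extension.
func selfSignedCert(cn string, sans []string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// hostnameCheck applies Go's TLS hostname match and flags the legacy Common Name case.
func hostnameCheck(cert *x509.Certificate, host string) (ok, legacyCN bool) {
	err := cert.VerifyHostname(host)
	return err == nil, err != nil && strings.Contains(err.Error(), "Common Name")
}

func main() {
	host := "xdcr.example.internal" // hypothetical remote cluster hostname
	fmt.Println(hostnameCheck(selfSignedCert(host, nil), host))            // CN only
	fmt.Println(hostnameCheck(selfSignedCert(host, []string{host}), host)) // with SAN
}
```

The CN-only certificate is rejected with the "relies on legacy Common Name field" error regardless of SANInCertificate; only a certificate whose SAN list names the host passes, which is why the ticket's GODEBUG workaround is temporary and re-issuing certificates with SANs is the durable fix.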


          Activity

            build-team Couchbase Build Team added a comment:
            Build couchbase-server-7.0.2-6544 contains goxdcr commit 142dfd2 with commit message:
            MB-48016 - https protocol should ensure sanInCertificate is set

            amarantha.kulkarni Amarantha Kulkarni (Inactive) added a comment:
            PR for review: https://github.com/couchbase/docs-server/pull/2157/files

            Description for release notes:

            Summary: XDCR with full encryption may fail, with the message `certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0, statusCode=0`.

            Workaround: Temporarily enable Common Name matching, by adding the following environment variable: `GODEBUG=x509ignoreCN=0`.

            pavithra.mahamani Pavithra Mahamani added a comment:
            Verified on 7.0.2-6671.
            ./goxdcr.log:2021-09-14T14:20:46.326-07:00 INFO GOXDCR.RemClusterSvc: Set hostName=172.23.106.119:8091, httpsHostName=172.23.106.119:18091, SANInCertificate=true HttpAuthMech=Https for remote cluster reference remoteCluster/38FFquRvThBYj2H1PgCDNVibQL_aCh-7yNFUQTp72V0=

            People

              pavithra.mahamani Pavithra Mahamani
              neil.huang Neil Huang