Description
When "Require Client Certification" is set to "enable", ns_server compiled with erlang26 returns an error when curl doesn't specify a client certificate:

$ curl -u Administrator:asdasd -v https://localhost:19000/pools/default -k
* Trying [::1]:19000...
* Connected to localhost (::1) port 19000
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=Couchbase Server Node (127.0.0.1)
* start date: Feb 22 02:48:44 2024 GMT
* expire date: May 27 02:48:44 2026 GMT
* issuer: CN=Couchbase Server 71d7e566
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'Administrator'
> GET /pools/default HTTP/1.1
> Host: localhost:19000
> Authorization: Basic QWRtaW5pc3RyYXRvcjphc2Rhc2Q=
> User-Agent: curl/8.4.0
> Accept: */*
>
* LibreSSL SSL_read: LibreSSL/3.3.6: error:1404C45C:SSL routines:ST_OK:reason(1116), errno 0
* Closing connection
curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:1404C45C:SSL routines:ST_OK:reason(1116), errno 0

The cluster_test authn_test also fails:

$ ./run.py --tests AuthnTests -c 127.0.0.1:9000 -u Administrator -p asdasd

Starting testset[1/1]: AuthnTests/edition=Enterprise...
AuthnTests.client_cert_optional_auth_test... failed [0.88s]
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=19000): Max retries exceeded with url: /pools/default (Caused by SSLError(SSLError(1, '[SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)')))
================== AuthnTests.client_cert_optional_auth_test output begin =================
Generated cert:
Generated key:

sending POST http://127.0.0.1:9000/diag/eval {'data': 'path_config:component_path(data).', 'timeout': 60} (expected code 200)
result: 200
sending POST http://127.0.0.1:9000/node/controller/loadTrustedCAs {'timeout': 60} (expected code 200)
result: 200
====> ca_id is 1 <<<<
sending POST http://127.0.0.1:9000/settings/clientCertAuth {'json': {'prefixes': [{'delimiter': '@', 'path': 'san.email', 'prefix': ''}], 'state': 'enable'}, 'timeout': 60} (expected code None)
result: 202
>>> user: vorn59yl
>>> node: 127.0.0.1:9000
>>> cluster: Cluster#0(127.0.0.1:9000,127.0.0.1:9001,127.0.0.1:9002)
>>> endpoint: /pools/default
>>> creds: ('7mzk3gfw', '7hm5dv42')
>>> cert_file: /var/folders/76/kntts3f930z73d7k9v3yv13m0000gq/T/tmp2sh6j8f3
sending POST http://127.0.0.1:9000/diag/eval {'data': 'service_ports:get_port(ssl_rest_port).', 'timeout': 60} (expected code 200)
result: 200
sending GET https://127.0.0.1:19000/pools/default {'auth': ('7mzk3gfw', '7hm5dv42'), 'timeout': 60} (expected code 200)
sending DELETE http://127.0.0.1:9000/pools/default/trustedCAs/1 {'timeout': 60} (expected code None)
result: 204
sending POST http://127.0.0.1:9000/settings/clientCertAuth {'json': {'prefixes': [{'delimiter': '', 'path': 'subject.cn', 'prefix': ''}], 'state': 'disable'}, 'timeout': 60} (expected code None)
result: 202
=================== AuthnTests.client_cert_optional_auth_test output end ==================

Traceback with variables (most recent call last):
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testlib/testlib.py", line 190, in safe_test_function_call
res = apply_with_seed(testset, testfunction, args, seed)
testset = <testsets.authn_tests.AuthnTests object at 0x10d31b2e0>
testfunction = 'client_cert_optional_auth_test'
args = []
testiter = 0
verbose = True
intercept_output = True
seed = b'\xeb\x9ae\xd9\x90t\xa8\xf9\xa2\x88\xa5\xf6W\xac\n)'
dry_run = False
res = None
error = None
testname = 'AuthnTests.client_cert_optional_auth_test'
report_call = <contextlib._GeneratorContextManager object at 0x10d31bd60>
e = SSLError(MaxRetryError("HTTPSConnectionPool(host='127.0.0.1', port=19000): Max retries exceeded with url: /pools/default (Caused by SSLError(SSLError(1, '[SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)')))"))
cscheme = None
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testlib/testlib.py", line 203, in apply_with_seed
return getattr(obj, func)(*args)
obj = <testsets.authn_tests.AuthnTests object at 0x10d31b2e0>
func = 'client_cert_optional_auth_test'
args = []
seed = b'\xeb\x9ae\xd9\x90t\xa8\xf9\xa2\x88\xa5\xf6W\xac\n)'
rand_state = (3, (2147483648, 4130021285, 1344326035, 464273931, 2691385266, 2588328825, 2732298433, 1527149977, 2954443247, 1091678932, 807973114, 3925468277, 1574972460, 2282995440, 3279061862, 3060754177, 2416484401, 3852688122, 3165348227, 1286815716, 3724937724, 129691379, 4234597163, 3444129174, 981759962, 2096481210, 301847942, 4015551184, 3247459398, 783188307, 705099470, 1723253377, 2593896212, 1336550897, 3613640974, 3149071686, 425136596, 3140522703, 268961865, 1977062540, 1310243153, 3479575604, 3613632589, 835844572, 3415924863, 3655494789, 3425585320, 1651608657, 4153375932, 1521441191, 3819317218, 2460727111, 948323329, 2115654890, 688470395, 3919081565, 2308673621, 1948846737, 1777708226, 2598597264, 666302305, 1195703557, 4179863856, 1045972629, 831707185, 1943653386, 4233210914, 2486741071, 4141072623, 2212750679, 1135028693, 1415266633, 4189328434, 3753215766, 3873416615, 211440637, 2095092533, 2999936482, 3072762512, 3718774646, 1407626864, 1327002299, 3176119454, 934299710, 328...
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testsets/authn_tests.py", line 183, in client_cert_optional_auth_test
self.client_cert_auth_test_base(mandatory=False)
self = <testsets.authn_tests.AuthnTests object at 0x10d31b2e0>
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testsets/authn_tests.py", line 175, in client_cert_auth_test_base
testlib.get_succ(self.cluster, self.testEndpoint, https=True,
self = <testsets.authn_tests.AuthnTests object at 0x10d31b2e0>
mandatory = False
user = 'vorn59yl'
node = {'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}
client_cert_file = '/var/folders/76/kntts3f930z73d7k9v3yv13m0000gq/T/tmp2sh6j8f3'
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testlib/testlib.py", line 408, in get_succ
return request('GET', cluster_or_node, path, expected_code, **kwargs)
cluster_or_node = {'_nodes': [{'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}, {'url': 'http://127.0.0.1:9001', 'hostname_cached': '127.0.0.1:9001', 'host': '127.0.0.1', 'port': 9001, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': None, 'tls_port_cache': None, 'services_cached': None}, {'url': 'http://127.0.0.1:9002', 'hostname_cached': '127.0.0.1:9002', 'host': '127.0.0.1', 'port': 9002, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': None, 'tls_port_cache': None, 'services_cached': None}], 'connected_nodes': [{'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}, {'u...
path = '/pools/default'
expected_code = 200
kwargs = {'https': True, 'auth': ('7mzk3gfw', '7hm5dv42')}
File "/Users/steve.watanabe/morpheus3/ns_server/cluster_tests/testlib/testlib.py", line 371, in request
res = requests.request(method, url, **kwargs_with_auth)
method = 'GET'
cluster_or_node = {'_nodes': [{'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}, {'url': 'http://127.0.0.1:9001', 'hostname_cached': '127.0.0.1:9001', 'host': '127.0.0.1', 'port': 9001, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': None, 'tls_port_cache': None, 'services_cached': None}, {'url': 'http://127.0.0.1:9002', 'hostname_cached': '127.0.0.1:9002', 'host': '127.0.0.1', 'port': 9002, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': None, 'tls_port_cache': None, 'services_cached': None}], 'connected_nodes': [{'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}, {'u...
path = '/pools/default'
expected_code = 200
https = True
verbose = True
kwargs = {'auth': ('7mzk3gfw', '7hm5dv42'), 'timeout': 60}
kwargs_with_auth = {'auth': ('7mzk3gfw', '7hm5dv42'), 'timeout': 60, 'verify': '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem'}
node = {'url': 'http://127.0.0.1:9000', 'hostname_cached': '127.0.0.1:9000', 'host': '127.0.0.1', 'port': 9000, 'auth': ('Administrator', 'asdasd'), 'data_path_cache': '/Users/steve.watanabe/morpheus/ns_server/data/n_0', 'tls_port_cache': 19000, 'services_cached': None}
url = 'https://127.0.0.1:19000/pools/default'
server_ca_file = '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem'
File "/Users/steve.watanabe/.pyenv/versions/3.10.13/lib/python3.10/site-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
method = 'GET'
url = 'https://127.0.0.1:19000/pools/default'
kwargs = {'auth': ('7mzk3gfw', '7hm5dv42'), 'timeout': 60, 'verify': '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem'}
session = <requests.sessions.Session object at 0x10d31bdf0>
File "/Users/steve.watanabe/.pyenv/versions/3.10.13/lib/python3.10/site-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
self = <requests.sessions.Session object at 0x10d31bdf0>
method = 'GET'
url = 'https://127.0.0.1:19000/pools/default'
params = None
data = None
headers = None
cookies = None
files = None
auth = ('7mzk3gfw', '7hm5dv42')
timeout = 60
allow_redirects = True
proxies = {}
hooks = None
stream = None
verify = '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem'
cert = None
json = None
req = <Request [GET]>
prep = <PreparedRequest [GET]>
settings = {'proxies': OrderedDict(), 'stream': False, 'verify': '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem', 'cert': None}
send_kwargs = {'timeout': 60, 'allow_redirects': True, 'proxies': OrderedDict(), 'stream': False, 'verify': '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem', 'cert': None}
File "/Users/steve.watanabe/.pyenv/versions/3.10.13/lib/python3.10/site-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
self = <requests.sessions.Session object at 0x10d31bdf0>
request = <PreparedRequest [GET]>
kwargs = {'timeout': 60, 'proxies': OrderedDict(), 'stream': False, 'verify': '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem', 'cert': None}
allow_redirects = True
stream = False
hooks = {'response': []}
adapter = <requests.adapters.HTTPAdapter object at 0x10d31b790>
start = 1708631898.1298292
File "/Users/steve.watanabe/.pyenv/versions/3.10.13/lib/python3.10/site-packages/requests/adapters.py", line 517, in send
raise SSLError(e, request=request)
self = <requests.adapters.HTTPAdapter object at 0x10d31b790>
request = <PreparedRequest [GET]>
stream = False
timeout = Timeout(connect=60, read=60, total=None)
verify = '/Users/steve.watanabe/morpheus/ns_server/data/n_0/config/certs/ca.pem'
cert = None
proxies = OrderedDict()
conn = <urllib3.connectionpool.HTTPSConnectionPool object at 0x10d31bee0>
url = '/pools/default'
chunked = False
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=19000): Max retries exceeded with url: /pools/default (Caused by SSLError(SSLError(1, '[SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)')))

================================================================================
Tests finished (1 executed, 1 error)
Total time: 0m1.5s
Total clusters prep time: 0m0.0s
Test time (no prep): 0m1.5s
Avg. test time: 0m1.5s
Avg. test time (no prep): 0m1.5s

Seed: k56jqjy8wr3ulkwz

In AuthnTests/edition=Enterprise:
AuthnTests.client_cert_optional_auth_test failed: HTTPSConnectionPool(host='127.0.0.1', port=19000): Max retries exceeded with url: /pools/default (Caused by SSLError(SSLError(1, '[SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2578)')))

Tests finished with errors
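
A triage helper for the two error strings in this report, added here as an example (it is not part of the original report or of ns_server): it decodes the packed LibreSSL error code from the curl output and the alert name from the Python ssl error, and shows that both are TLS alert 116, certificate_required. The function names are hypothetical, and the error-code layout assumed is the one used by LibreSSL and by OpenSSL before 3.0.

```python
import re

# TLS alert numbers relevant to certificate handling (RFC 8446, section 6).
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",
}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL/LibreSSL: reason = 1000 + alert number
ERR_LIB_SSL = 20             # library number for "SSL routines"

# Error lines copied from the curl and requests output in this report.
CURL_LINE = ("curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: "
             "error:1404C45C:SSL routines:ST_OK:reason(1116), errno 0")
PY_LINE = ("[SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] "
           "tlsv13 alert certificate required (_ssl.c:2578)")


def unpack_legacy_error(code_hex):
    """Split a pre-3.0 OpenSSL/LibreSSL packed error into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_cert_alert(line):
    """Return (alert_number, name) if the line reports a certificate alert."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if m:
        lib, _func, reason = unpack_legacy_error(m.group(1))
        alert = reason - SSL_AD_REASON_OFFSET
        if lib == ERR_LIB_SSL and alert in CERT_ALERTS:
            return alert, CERT_ALERTS[alert]
    m = re.search(r"\[SSL: (?:TLSV1\d?|SSLV3)_ALERT_([A-Z_]+)\]", line)
    if m:
        name = m.group(1).lower()
        for alert, known in CERT_ALERTS.items():
            if known == name:
                return alert, known
    return None


if __name__ == "__main__":
    for line in (CURL_LINE, PY_LINE):
        print(peer_cert_alert(line))
```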