Couchbase Server

MB-62308: Unable to support n2n encryption with client cert auth


Details

    • Bug
    • Resolution: Cannot Reproduce
    • Critical
    • 7.6.4
    • 7.2.5, 7.6.2
    • fts
    • None
    • Untriaged
    • 0
    • Unknown

    Description

      While investigating MB-62181, I came across the following cascading failure when enabling n2n encryption with the "all" setting and setting TLS certificate requirements to "mandatory".


      2024-06-10T15:36:37.995+05:30 [WARN] (GOCBCORE) 0x14007141340 memdClient read failure on conn `1af0237dfea2ca93/7757d0b515457cf2` : remote error: tls: certificate required -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742
      2024-06-10T15:36:37.996+05:30 [WARN] (GOCBCORE) Pipeline Client 0x1400a339500 failed to bootstrap: EOF | {"document_key":"{\"a\":\"gocbcore/v10.2.10 fts:stats\",\"i\":\"1af0237dfea2ca93/7757d0b515457cf2\"}","bucket":"bkt1","last_dispatched_to":"127.0.0.1:11990","last_dispatched_from":"127.0.0.1:61334","last_connection_id":"1af0237dfea2ca93/7757d0b515457cf2"} -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742
      2024-06-10T15:36:37.996+05:30 [WARN] (GOCBCORE) Pipeline Client 0x1400a3394a0 failed to bootstrap: bucket not found -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742
      2024-06-10T15:36:38.002+05:30 [WARN] janitor: JanitorOnce, err: janitor: JanitorOnce errors: 1, []string{"#0: janitor: adding feed, err: feed_dcp_gocbcore: StartGocbcoreDCPFeed, could not prepare DCP feed, name: bkt1._default.test3_cc1c1b0282317eb5_4c1c5584, server: http://127.0.0.1:9000, bucketName: bkt1, indexName: bkt1._default.test3, err: newGocbcoreDCPFeed: error in setting up feed's stream options, err: agent setup failed, err: gocbcore_utils: createAgents (1), setup err: agent setup failed, err: EOF | {\"document_key\":\"{\\\"a\\\":\\\"gocbcore/v10.2.10 fts:stats\\\",\\\"i\\\":\\\"1af0237dfea2ca93/7757d0b515457cf2\\\"}\",\"bucket\":\"bkt1\",\"last_dispatched_to\":\"127.0.0.1:11990\",\"last_dispatched_from\":\"127.0.0.1:61334\",\"last_connection_id\":\"1af0237dfea2ca93/7757d0b515457cf2\"}"} -- cbgt.(*Manager).JanitorLoop() at manager_janitor.go:204  

      This resulted in the closing of existing DCP feeds.


      Steps to reproduce:

      1. Create a 2 node cluster with a 2 partitioned index.
      2. Disable auto failover using this Couchbase CLI command -

      curl -X POST http://localhost:9000/settings/autoFailover -u Administrator:asdasd -d enabled=false 

      3. Enable n2n encryption with the following command -

      ./couchbase-cli node-to-node-encryption --cluster localhost:9000 --username Administrator --password asdasd --enable 

      4. In the UI, navigate to Security > Other Settings > Cluster Encryption > "all".
      5. Then, change the certificate requirement: Security > Certificates > Require Client Certificate > "Mandatory".
      6. The FTS logs should show repeated errors.
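      The log excerpt in the description shows three stages of one cascade: the TLS "certificate required" read failure, the gocbcore pipeline bootstrap failures it triggers, and the janitor failing to re-add the DCP feed. The following script is an added example (not Couchbase, cbgt or gocbcore code) that parses cbgt log lines of that shape and reports whether all three stages appear in timestamp order, correlated by the gocbcore connection id. The sample lines are constructed from the report above, the timestamps are assumed to share one timezone so they compare as strings, and the stage patterns are assumptions based only on the messages shown here.

```python
"""Detect the n2n-encryption / mandatory-client-cert cascade in cbgt (FTS) logs.

Added example for this report; not Couchbase code. It matches the three
stages seen in the description and correlates them by connection id.
"""
import re
from collections import defaultdict

# "<timestamp> [LEVEL] <message> -- <func> at <file:line>"; the trailing
# source-location suffix is optional and stripped from the message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] (?P<msg>.*?)(?: -- \S+ at \S+)?\s*$"
)
# gocbcore connection ids look like "<16 hex>/<16 hex>".
CONN_RE = re.compile(r"[0-9a-f]{16}/[0-9a-f]{16}")

# Stage patterns (assumption: taken only from the messages in this report).
STAGES = (
    ("cert_required", re.compile(r"tls: certificate required")),
    ("bootstrap_failed", re.compile(r"failed to bootstrap")),
    ("feed_dropped", re.compile(r"janitor: adding feed, err")),
)

# Constructed sample, abridged from the log lines quoted in the report.
SAMPLE_LOG = [
    r'2024-06-10T15:36:37.990+05:30 [INFO] (GOCBCORE) unrelated housekeeping message -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742',
    r'2024-06-10T15:36:37.995+05:30 [WARN] (GOCBCORE) 0x14007141340 memdClient read failure on conn `1af0237dfea2ca93/7757d0b515457cf2` : remote error: tls: certificate required -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742',
    r'2024-06-10T15:36:37.996+05:30 [WARN] (GOCBCORE) Pipeline Client 0x1400a339500 failed to bootstrap: EOF | {"document_key":"{\"a\":\"gocbcore/v10.2.10 fts:stats\",\"i\":\"1af0237dfea2ca93/7757d0b515457cf2\"}","bucket":"bkt1","last_dispatched_to":"127.0.0.1:11990","last_connection_id":"1af0237dfea2ca93/7757d0b515457cf2"} -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742',
    r'2024-06-10T15:36:37.996+05:30 [WARN] (GOCBCORE) Pipeline Client 0x1400a3394a0 failed to bootstrap: bucket not found -- cbgt.GocbcoreLogger.Log() at gocbcore_utils.go:742',
    r'2024-06-10T15:36:38.002+05:30 [WARN] janitor: JanitorOnce, err: janitor: JanitorOnce errors: 1, []string{"#0: janitor: adding feed, err: feed_dcp_gocbcore: StartGocbcoreDCPFeed, could not prepare DCP feed, name: bkt1._default.test3_cc1c1b0282317eb5_4c1c5584, server: http://127.0.0.1:9000, bucketName: bkt1, indexName: bkt1._default.test3, err: agent setup failed, err: EOF | {\"last_connection_id\":\"1af0237dfea2ca93/7757d0b515457cf2\"}"} -- cbgt.(*Manager).JanitorLoop() at manager_janitor.go:204  ',
    "this line is not a cbgt log line and is skipped",
]


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg")


def classify(message):
    """Map a message to one of the cascade stages, or None if it is unrelated."""
    for name, pat in STAGES:
        if pat.search(message):
            return name
    return None


def analyze(lines):
    """Count stage hits, collect connection ids, and flag a complete cascade.

    'cascade' is True only when every stage appears and their first
    occurrences are in stage order by timestamp.
    """
    stage_counts = defaultdict(int)
    first_seen = {}
    conn_ids = set()
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        stage = classify(msg)
        if stage is None:
            continue
        stage_counts[stage] += 1
        first_seen.setdefault(stage, ts)
        conn_ids.update(CONN_RE.findall(msg))
    order = [name for name, _ in STAGES]
    cascade = all(s in first_seen for s in order) and (
        first_seen[order[0]] <= first_seen[order[1]] <= first_seen[order[2]]
    )
    return {
        "stages": dict(stage_counts),
        "conn_ids": sorted(conn_ids),
        "cascade": cascade,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for stage, count in result["stages"].items():
        print(f"{stage}: {count}")
    print("connection ids:", ", ".join(result["conn_ids"]))
    print("full cascade detected:", result["cascade"])
```

      Run it against a real fts.log by replacing SAMPLE_LOG with the file's lines; a True cascade with one shared connection id is the signature this report describes, and a cert_required count with no feed_dropped hits means the TLS failure was seen but the feeds were not torn down.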


      People

        aditi.ahuja Aditi Ahuja
        Votes: 0
        Watchers: 3


              Gerrit Reviews

                There are no open Gerrit changes