Does EventStoreDb require a client cert?

Hi!

I have set up EventStoreDB in a local Kubernetes cluster running in secure mode, following the guide in the documentation.

After doing this I’m unable to communicate with the server unless I supply a valid client certificate. This is true at least for the C# gRPC client and the web admin UI. Is this expected behavior?

I was confused about this since the server documentation only mentions TLS and the client documentation says nothing about how to use a client certificate.

  • the client libraries either require
    • the root certificate in the trusted store of the user the process the client is running under
    • ignore the TLS validation by adding &tlsVerifyCert=false to the connection string
  • The UI asking for a client cert is a web browser issue (not all of them ask for it), you can just “cancel” on the popup and you should be good to go
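As an added example (not code from this thread or from the EventStoreDB project), the two options in the reply above, side by side in the C# gRPC client: a client that passes the root CA to gRPC explicitly, so the server's certificate chain is verified against that CA without touching the OS trust store, and a client that sets tlsVerifyCert=false, which still encrypts the connection but no longer authenticates the server. The endpoint, CA path, credentials and stream name are placeholders; the CA sanity check uses X509Certificate2.CreateFromPem, which needs .NET 5 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using EventStore.Client;
using Grpc.Core;

// Added example, not part of the original thread. Endpoint, paths and
// credentials are placeholders for a secure-mode single node.
static class EsdbClientFactory
{
    const string Endpoint = "localhost:30004"; // assumed NodePort mapping

    // Preferred: verify the server certificate against the CA that signed it.
    // The CA is read as PEM and handed to gRPC as the only trusted root.
    public static EventStoreClient CreateVerified(string caPemPath)
    {
        var pem = File.ReadAllText(caPemPath);

        // Sanity-check the file before using it as a trust anchor: it must
        // parse as a certificate and actually be a CA (basic constraints cA=true).
        var ca = X509Certificate2.CreateFromPem(pem);
        var isCa = false;
        foreach (var ext in ca.Extensions)
            if (ext is X509BasicConstraintsExtension bc) isCa = bc.CertificateAuthority;
        if (!isCa)
            throw new InvalidOperationException($"{caPemPath} is not a CA certificate");

        var settings = EventStoreClientSettings.Create($"esdb://{Endpoint}?tls=true");
        settings.ChannelCredentials = new SslCredentials(pem);
        settings.DefaultCredentials = new UserCredentials("admin", "changeit"); // placeholder
        return new EventStoreClient(settings);
    }

    // Lab only: TLS still encrypts the traffic, but the server certificate is
    // not checked, so any endpoint presenting any certificate is accepted.
    public static EventStoreClient CreateUnverified()
    {
        var settings = EventStoreClientSettings.Create(
            $"esdb://{Endpoint}?tls=true&tlsVerifyCert=false");
        settings.DefaultCredentials = new UserCredentials("admin", "changeit"); // placeholder
        return new EventStoreClient(settings);
    }

    // Usage: connect with chain verification and write one empty event.
    public static async Task SmokeTestAsync(string caPemPath)
    {
        var client = CreateVerified(caPemPath);
        await client.AppendToStreamAsync("smoke-test", StreamState.Any,
            new[] { new EventData(Uuid.NewUuid(), "Ping", ReadOnlyMemory<byte>.Empty) });
    }
}
```

Passing the CA through SslCredentials pins the client to that one issuer, so a certificate from any other CA (including a public one) is rejected; that is usually what you want for a self-signed cluster CA, and it keeps the unverified mode out of anything but throwaway environments.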

Thanks for the fast reply. Yes you are right I can just click cancel in the web browser.

I can’t get tlsVerifyCert=false to work though. I do the following:

using System;
using System.IO;
using EventStore.Client;
using Grpc.Core;
string ReadCert(string path) => File.ReadAllText(path); // assumed helper: reads the root CA as PEM text
var settings = EventStoreClientSettings.Create("esdb://localhost:30004?tls=true&tlsVerifyCert=false");
settings.ChannelCredentials = new SslCredentials(ReadCert("es-ca/ca.crt")); // without this line the connection fails (see error below)
settings.DefaultCredentials = new UserCredentials("admin", "changeit");
var client = new EventStoreClient(settings);
await client.AppendToStreamAsync("bepa", StreamState.Any, new[] { new EventData(Uuid.NewUuid(), "Apa", new ReadOnlyMemory<byte>(new byte[0])) });

This works but if I omit setting the root cert in ChannelCredentials it doesn’t. (I used to have my client cert there as well but I just realized it was not needed).

The error I get is this:
Unhandled exception. System.InvalidOperationException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1651148226.538325288","description":"Failed to pick subchannel","file":"/var/local/git/grpc/src/core/ext/filters/client_channel/client_channel.cc","file_line":4166,"referenced_errors":[{"created":"@1651148226.538320196","description":"failed to connect to all addresses","file":"/var/local/git/grpc/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":398,"grpc_status":14}]}")
 ---> Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1651148226.538325288","description":"Failed to pick subchannel","file":"/var/local/git/grpc/src/core/ext/filters/client_channel/client_channel.cc","file_line":4166,"referenced_errors":[{"created":"@1651148226.538320196","description":"failed to connect to all addresses","file":"/var/local/git/grpc/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":398,"grpc_status":14}]}")
 --- End of inner exception stack trace ---
   at EventStore.Client.Interceptors.TypedExceptionInterceptor.b__5_0[TRequest,TResponse](Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__274_0(Object obj)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
 --- End of stack trace from previous location where exception was thrown ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)

Is this a cluster you created or a single node?

It is a single node running in Kubernetes on my local machine. Port 30004 is mapped to a service in Kubernetes (NodePort). I run the client from my local machine outside of Kubernetes.