HTTPS/SSL configuration on Windows

Hi group-

Having a devil of a time trying to support HTTPS.

I’m using a self-signed TLS-ready cert in dev. I have a self-signed root cert in my trusted authority that was used to create the SSL cert that is in LocalMachine/My. Private key is associated, Windows shows valid cert path.

I’ve added an HTTP listener in Windows using netsh, to ports 2113, and 443 just in case. I have matching urlacls.

I believe I’ve configured the appropriate target host name and certificate values in my config file:

db: "./data"
log: "./logs"
ext-ip: 10.X.X.X
ssl-Target-Host: "X.Y.Z"
#ssl-Validate-Server: false
certificate-Store-Location: "LocalMachine"
certificate-Store-Name: "My"
certificate-Subject-Name: "CN=X.Y.Z"
certificate-Thumbprint: "955ec9f4c98232e02660a29ff0860e4dbda15213"
certificate-File: "./EventStoreSSLCert.cer"
#http-prefixes:https://*:443/

I’ve tried this with default http-prefixes values (none), as well as just https://*:2113/ and https://*:443/ and tried setting the external port to 443, all without success.

I cannot seem to configure multiple http-prefixes using a YAML array - EventStore seems to like the config file, but startup fails.

I am completely unable to load my endpoints using SSL encryption. My outcomes seem to either be “Turn on TLS 1.0, 1.1, 1.2” in IE, and they’re already enabled, “ERR_SSL_PROTOCOL_ERROR” in Chrome, or 503 Service Unavailable in either.

Am I missing something obvious here?

First question: when the Event Store starts, what does the dump of the effective configuration say?

Thanks,

James

I believe it appropriately reflects everything in the config file. I can grab a dump in a few, but I gotta hop machines.

CONFIG: EsConfig.yml (Command Line)
DB: ./data (Config File)
LOG: ./logs (Config File)
EXT IP: 10.1.2.3 (Config File)
SSL TARGET HOST: A.B.C (Config File)
CERTIFICATE STORE LOCATION: LocalMachine (Config File)
CERTIFICATE STORE NAME: My (Config File)
CERTIFICATE SUBJECT NAME: CN=A.B.C (Config File)
CERTIFICATE THUMBPRINT: 955ec9f4c98232e02660a29ff0860e4dbda15213 (Config File)
CERTIFICATE FILE: ./EventStoreSSLCert.cer (Config File)

DEFAULT OPTIONS:
HELP: False ()
VERSION: False ()
DEFINES: ()
WHAT IF: False ()
DEVELOPMENT MODE: False ()
MONO MIN THREADPOOL SIZE: 10 ()
INT IP: 127.0.0.1 ()
INT HTTP PORT: 2112 ()
EXT HTTP PORT: 2113 ()
INT TCP PORT: 1112 ()
INT SECURE TCP PORT: 0 ()
EXT TCP PORT: 1113 ()
EXT SECURE TCP PORT: 0 ()
INT TCP HEARTBEAT TIMEOUT: 700 ()
EXT TCP HEARTBEAT TIMEOUT: 1000 ()
INT TCP HEARTBEAT INTERVAL: 700 ()
EXT TCP HEARTBEAT INTERVAL: 2000 ()
FORCE: False ()
CLUSTER SIZE: 1 ()
NODE PRIORITY: 0 ()
MIN FLUSH DELAY MS: 2 ()
COMMIT COUNT: -1 ()
PREPARE COUNT: -1 ()
ADMIN ON EXT: True ()
STATS ON EXT: True ()
GOSSIP ON EXT: True ()
DISABLE SCAVENGE MERGING: False ()
DISCOVER VIA DNS: True ()
CLUSTER DNS: fake.dns ()
CLUSTER GOSSIP PORT: 30777 ()
GOSSIP SEED: ()
STATS PERIOD SEC: 30 ()
CACHED CHUNKS: -1 ()
CHUNKS CACHE SIZE: 536871424 ()
MAX MEM TABLE SIZE: 1000000 ()
MEM DB: False ()
SKIP DB VERIFY: False ()
RUN PROJECTIONS: System ()
PROJECTION THREADS: 3 ()
WORKER THREADS: 5 ()
HTTP PREFIXES: ()
ENABLE TRUSTED AUTH: False ()
CERTIFICATE PASSWORD: ()
USE INTERNAL SSL: False ()
SSL VALIDATE SERVER: True ()
AUTHENTICATION TYPE: internal ()
PREPARE TIMEOUT MS: 2000 ()
COMMIT TIMEOUT MS: 2000 ()
UNSAFE DISABLE FLUSH TO DISK: False ()
WRITE THROUGH: False ()
UNBUFFERED: False ()
INDEX CACHE DEPTH: 16 ()
GOSSIP INTERVAL MS: 1000 ()
GOSSIP ALLOWED DIFFERENCE MS: 60000 ()
GOSSIP TIMEOUT MS: 500 ()
ENABLE HISTOGRAMS: False ()

Any help here? The HTTPS/SSL documentation for this product is crap. In spite of that, I think I’ve done everything right. If this is a vendor cop-out where you have to purchase paid support in order to do something simple like SSL over HTTPS, could someone let me know, so I can put this to bed until my client finished approving the paid support purchase?

–ab

What is the result of

Httpcfg.exe query ssl

Also I want to point out this httpcfg stuff is not part of Event Store. This is Windows http.sys you are configuring; once it's configured you just need to bind us to the configured port.

Also have you done this step?

Httpcfg.exe set ssl -i 0.0.0.0:999 -h e81bada10ffddf6fce0628ab491eecf8d2a4d070 -Personal as example?

All the other things you are setting are for SSH over TCP not over http.

As noted in my original post, I used netsh instead of httpcfg.exe - httpcfg.exe has been obsolete since Vista & Server 2008.

A trusted self-signed root cert is installed. Its child self-signed SSL/TLS cert is bound to 0.0.0.0:2113. When I bind the cert and perform no other configuration on EventStore, I get the TLS 1.0/1.1/1.2 error in IE, and the ERR_SSL_PROTOCOL in Chrome, whether I call default port 2113, or explicitly or implicitly call 443.

That example uses port 999 but I assume that’s completely irrelevant to EventStore since it’s not an EventStore-specific HTTP listener configuration example.

All the rest of the stuff in your config doesn't need to be there in
regard to ssl that is for internal/external TCP communications if you
want them over SSL. You probably want to remove it.

Event Store should work the exact same as anything else using Windows SSL (we don't do anything special). I would try the instructions here: https://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx. Also I might try deleting the ones already set up and starting from scratch.

From our perspective we are just an HttpListener in Windows; the mapping is handled by http.sys.

I’ve started from scratch three times already.

I’ve configured hundreds of HTTP listeners in Windows since the mid 2000s. I’ve also verified my steps with multiple current, up-to-date blogs.

EventStore is not serving up HTTPS. Not on its default port, not on 443, and not on 999, which I just tried binding to as well.

EventStore doesn't decide the protocol, http.sys does. Event Store is just a listener bound to a route; this is the whole point of the layer of abstraction in Windows. Personally I think it's a very stupid abstraction but ...

We have internally validated the following steps work. Same as here, roughly: https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx

1. makecert.exe
2. netsh http add sslcert ipport=0.0.0.0:9000 certhash={thumbprint} appid={yourappid}
3. EventStore.ClusterNode.exe --add-interface-prefixes=false --ext-http-prefixes=http://*:9000/

The node is then up and running on port 9000 with SSL.

Greg
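As an added diagnostic (my own script, not Event Store's code and not from this thread), the following PowerShell checks the three http.sys pieces the steps above and the earlier netsh discussion depend on: the certificate is in LocalMachine\My with its private key, the sslcert binding on the port carries that thumbprint, and an https urlacl exists for the port. The thumbprint, port 9000 and the appid GUID are placeholders; a binding that points at a different thumbprint is the condition that leaves a client talking TLS to a port answering in plaintext, which is what ERR_SSL_PROTOCOL_ERROR reports.

```powershell
# Added diagnostic for the http.sys TLS binding; placeholders below must be replaced.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',                  # cert in LocalMachine\My
    [int]$Port = 9000,                                               # port from the steps above
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}'        # placeholder appid GUID
)

$ipport = "0.0.0.0:$Port"

# 1. http.sys serves TLS only from a LocalMachine\My certificate that has its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no associated private key" }
Write-Host "Certificate OK: $($cert.Subject), expires $($cert.NotAfter)"

# 2. Compare the thumbprint actually bound to ip:port with the one we expect.
$binding = netsh http show sslcert "ipport=$ipport" 2>&1 | Out-String
if ($binding -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    $bound = $Matches[1]
    if ($bound -ieq $Thumbprint) {
        Write-Host "Binding OK: $ipport -> $bound"
    } else {
        Write-Warning "$ipport is bound to $bound, not $Thumbprint; delete and re-add:"
        Write-Host "  netsh http delete sslcert ipport=$ipport"
        Write-Host "  netsh http add sslcert ipport=$ipport certhash=$Thumbprint appid=$AppId"
    }
} else {
    Write-Warning "No SSL binding on $ipport; add one:"
    Write-Host "  netsh http add sslcert ipport=$ipport certhash=$Thumbprint appid=$AppId"
}

# 3. The URL reservation the listener registers under should use the https scheme on this port.
$acl = netsh http show urlacl 2>&1 | Out-String
if ($acl -match "https://\S*:$Port/") {
    Write-Host "urlacl OK for https on port $Port"
} else {
    Write-Warning "No https urlacl for port $Port; e.g.: netsh http add urlacl url=https://+:$Port/ user=Everyone"
}
```

Run it from an elevated PowerShell prompt, since netsh needs administrative rights to read and change http.sys bindings.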

Thanks, haven’t done add-interface-prefixes, will try here in a few.

Ah, I see this is new in 3.1.0, which just came out of beta, right?

This was in 3.1.0; 3.0.5 is similar (http-prefix only IIRC). The add-interface-prefixes is a new thing in 3.1.0 that is DISABLING the new functionality.

Is everything ok now with 3.0.5?

We’re actually running 3.0.4. Is that bad?

Spent way too much time on this at this point.

Fortunately we can terminate SSL at LTMs on an edge, and just send HTTP traffic to EventStore. Would have been nice to have a choice however.

3.0.4 is fine too; the only difference from above is that you wouldn't put the add-interface-prefixes=false command line argument. This functionality (add-interfaces-prefixes) is new in 3.1.0; this statement is disabling that functionality. In 3.0.4 you would do everything else the same and just leave off that command line argument.

Many run today with ES + SSL

I did give it a try yesterday with 3.1.0 without success; copied my old config file, added the new option, still couldn’t get it to return HTTPS.