SSL doesn't work on Linux.

Hello.

I’ve created a self-signed cert.

httpcfg -list
Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

In config file I have

CertificateFile: eventstore.crt
SslValidateServer: False
CertificateThumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

But when I start eventstore

Starting Normal TCP listening on TCP endpoint: xxx.xxx.xx.xx:1113.
[24864,13,13:53:30.032] Starting HTTP server on [http://xxx.xxx.xx.xx:2113/]…

[24864,13,13:53:30.036] HTTP server is up and listening on [http://xxx.xxx.xx.xx:2113/]

The idea is to configure all possible SSL (http, tcp and so on).
At least http SSL has to work. But I can’t reach port 443. At the same time http://xxx.xxx.xx.xx:2113/web/index.html#/ works fine :slight_smile:

I also tried :

IntHttpPort: 443
ExtHttpPort: 443
Doesn’t work.

Does the port in httpcfg have to be the same as in the config file? (443=443 or 2113=2113)

Could somebody point me in the right direction?

Thank you.

There is a set of options around secure tcp/http that can be found
with --help. As an example:

   Interface Options
   --int-secure-tcp-port Internal Secure TCP Port.
   --int-secure-tcp-port-advertise-as Advertise Secure Internal Tcp Port As.
     -IntSecureTcpPortAdvertiseAs
   --use-internal-ssl Whether to use secure internal communication.
     -UseInternalSsl

CONFIG: /etc/eventstore/eventstore.yaml (Command Line)
DB: /opt/eventstore/db (Config File)
INT IP: xxx.xxx.xx.xx (Config File)
EXT IP: xxx.xxx.xx.xx (Config File)
EXT SECURE TCP PORT: 2113 (Config File)
INT SECURE TCP PORT: 2114 (Config File)
CERTIFICATE FILE: /etc/eventstore/ssl/eventstore.crt (Config File)
SSL VALIDATE SERVER: False (Config File)
CERTIFICATE THUMBPRINT: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9 (Config File)


Exit reason: HTTP async server failed to start listening at [http://xxx.xxx.xx.xx:2113/].

Without testing: try different ports. It seems you are assigning the
same ports as the defaults, which would have a problem opening.
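The port collision Greg describes is easy to catch before the node is started. The following is an added example, not code from this thread or from EventStore: it parses the flat `Key: value` YAML the thread shows (without PyYAML, so it runs stand-alone), fills in the EventStore 4.x default listener ports as I know them (an assumption, marked in the code), and reports any port bound by more than one listener. The two config samples and the 192.0.2.x addresses are constructed; the first reproduces the poster's second attempt, where `ExtSecureTcpPort: 2113` lands on the default external HTTP port. The prefix check at the end is an added consistency check, on the assumption that an `ExtHttpPrefixes` entry is meant to name the same port as `ExtHttpPort`, since that is the port gossip advertises.

```python
"""Added example (not from the thread or from EventStore): find listener-port
collisions in an EventStore 4.x style flat YAML config before starting the node."""
import re
from urllib.parse import urlsplit

# ASSUMED EventStore 4.x defaults; a port of 0 means "listener disabled".
DEFAULT_PORTS = {
    "IntTcpPort": 1112,
    "ExtTcpPort": 1113,
    "IntSecureTcpPort": 0,
    "ExtSecureTcpPort": 0,
    "IntHttpPort": 2112,
    "ExtHttpPort": 2113,
}

# Constructed sample: secure TCP ports set, HTTP ports left at their defaults,
# so ExtSecureTcpPort and the default ExtHttpPort both want 2113.
SAMPLE_CONFIG_COLLIDING = """\
IntIp: 192.0.2.10
ExtIp: 192.0.2.10
ExtSecureTcpPort: 2113
IntSecureTcpPort: 2114
CertificateFile: /etc/eventstore/ssl/eventstore.crt
SslValidateServer: False
CertificateThumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
"""

# Constructed sample: same config with the secure TCP ports moved off 2113/2114.
SAMPLE_CONFIG_FIXED = """\
IntIp: 192.0.2.10
ExtIp: 192.0.2.10
ExtSecureTcpPort: 5113
IntSecureTcpPort: 5114
CertificateFile: /etc/eventstore/ssl/eventstore.crt
CertificateThumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Parse the flat 'Key: value' lines of the config; comments and blank
    lines are skipped, nested YAML is out of scope for this example."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip("\"'")
    return out


def effective_ports(config):
    """Overlay the configured ports on the assumed defaults; drop disabled (0) ones."""
    ports = {}
    for key, default in DEFAULT_PORTS.items():
        value = config.get(key, default)
        try:
            port = int(value)
        except ValueError:
            raise ValueError(f"{key}: {value!r} is not a port number")
        if port:
            ports[key] = port
    return ports


def find_port_collisions(config_text):
    """Return {port: [option names]} for every port claimed by more than one
    listener. The HTTP listener is the one that loses: it exits with
    'HTTP async server failed to start listening' when its port is taken."""
    by_port = {}
    for key, port in effective_ports(parse_flat_yaml(config_text)).items():
        by_port.setdefault(port, []).append(key)
    return {p: keys for p, keys in by_port.items() if len(keys) > 1}


def prefix_port_mismatches(config):
    """ASSUMED: each ExtHttpPrefixes entry should name the ExtHttpPort the node
    advertises. Returns the prefixes whose (explicit or scheme-default) port differs."""
    http_port = int(config.get("ExtHttpPort", DEFAULT_PORTS["ExtHttpPort"]))
    bad = []
    for prefix in config.get("ExtHttpPrefixes", "").split(","):
        prefix = prefix.strip()
        if not prefix:
            continue
        url = urlsplit(prefix)
        port = url.port or (443 if url.scheme == "https" else 80)
        if port != http_port:
            bad.append(prefix)
    return bad


if __name__ == "__main__":
    for name, text in (("colliding", SAMPLE_CONFIG_COLLIDING), ("fixed", SAMPLE_CONFIG_FIXED)):
        collisions = find_port_collisions(text)
        print(f"{name}: {'OK' if not collisions else collisions}")
```

Run it against the real file with `find_port_collisions(open("/etc/eventstore/eventstore.yaml").read())`; a non-empty result is the collision Greg is pointing at, and the fix is to move the secure TCP ports (as the poster later does with 5113/5114) rather than the HTTP port.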

Port: 2113 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 2114 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

CONFIG: /etc/eventstore/eventstore.yaml (Command Line)
DB: /opt/eventstore/db (Config File)
INT IP: xxx.xxx.xx.xx (Config File)
EXT IP: xxx.xxx.xx.xx (Config File)
EXT SECURE TCP PORT: 2113 (Config File)
INT SECURE TCP PORT: 2114 (Config File)
CERTIFICATE FILE: /etc/eventstore/ssl/eventstore.crt (Config File)
SSL VALIDATE SERVER: False (Config File)
CERTIFICATE THUMBPRINT: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9 (Config File)


Exit reason: HTTP async server failed to start listening at [http://xxx.xxx.xx.xx:2113/].

CONFIG: /etc/eventstore/eventstore.yaml (Command Line)
DB: /opt/eventstore/db (Config File)
INT IP: xxx.xxx.xx.xx (Config File)
EXT IP: xxx.xxx.xx.xx (Config File)
EXT HTTP PORT: 443 (Config File)
EXT HTTP PREFIXES: https://xxx.xxx.xx.xx/ (Config File)
EXT SECURE TCP PORT: 5113 (Config File)
INT SECURE TCP PORT: 5114 (Config File)
CERTIFICATE FILE: /etc/eventstore/ssl/eventstore.crt (Config File)
SSL VALIDATE SERVER: False (Config File)
CERTIFICATE THUMBPRINT: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9 (Config File)
ENABLE TRUSTED AUTH: True (Config File)


httpcfg -list

Port: 443 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 5113 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9
Port: 5114 Thumbprint: 9B7C475FB829F3F6D14681942E56C9942BFEF0D9

When I try to load the eventstore page in the browser:

[ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: Remote prematurely closed connection.
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00015] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00080] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x0003c] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.AsyncProtocolRequest.StartOperation (Mono.Net.Security.AsyncOperation operation) [0x00024] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00057] in <443b64479cca4b0cb2d2b62eaf14a230>:0
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00078] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.HttpConnection.Init () [0x0001a] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00090] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00046] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x0000e] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.Sockets.Socket+<>c.<.cctor>b__306_0 (System.IAsyncResult ares) [0x00092] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Net.Sockets.SocketAsyncResult+<>c__DisplayClass27_0.b__0 (System.Object _) [0x00000] in <443b64479cca4b0cb2d2b62eaf14a230>:0
at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00008] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00074] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <8e4c7b80ba0942cb8aa6c8f9f3e5b12d>:0


Load which port and with which protocol?

port 443
protocol https

https://xxx.xxx.xx.xx/web/index.html

:frowning:

I have just tried a later ES with mono statically linked.

ES VERSION: 4.0.1.0 (HEAD/5f53330a4cc31fc6eb8b337cc630038b40a4f47a, Wed, 12 Apr 2017 15:28:32 +0200)
And I get a less verbose error

As I use eventstore with ssl on linux, I can assure you it works. The documentation is lagging, though. The java-8 client gives good instructions on how to do it:

https://github.com/msemys/esjc

Thank you. Will try.
Using this approach it is possible to encrypt node communication in the cluster. Right?
But what about HTTP encryption?
And why don’t we use httpcfg?

Yes, to encrypt internal communications set up the int-sec network and
enable secure internal communications. The only communication in the
cluster itself that will not be encrypted then is the http gossip
traffic. There is currently an open issue to also support encrypting
this traffic, but it has not been worked on as of now, I believe.

Thank you.

It looks like this is not comprehensive info.
First: besides “int-sec network and enable secure internal communications” we need SslTargetHost as well.
But it doesn’t matter, because:

[29643,16,09:31:24.098] Internal TCP connection accepted: [Secure, xxx.xxx.xx.xx:57312, Lxxx.xxx.xx.xx:5111, {1c5a95d1-032e-42a7-b678-f508fd1851a1}].
[29643,21,09:31:24.101] [Sxxx.xxx.xx.xx:57312, Lxxx.xxx.xx.xx:5111]: Exception on EndAuthenticateAsServer.
The authentication or decryption has failed.

The configuration is the following:

Why is there such a big difference between the SSL configuration here https://github.com/msemys/esjc and here https://github.com/EventStore/EventStore/wiki/Setting-Up-SSL-In-Linux?
Completely different approaches. And how is it possible that the third-party manual works (partially) and the official manual doesn’t? :slight_smile:

The documentation from the github repo for esjc refers to SSL configuration on linux. The wiki you pointed to is no longer in use and says that the documentation has moved. The documentation that is there shows how to setup SSL on Windows (http://docs.geteventstore.com/server/4.0.0/setting_up_ssl/). Someone is working on the documentation on how to setup SSL on linux and that should be up shortly.

This documentation describes client -> eventstore encryption. Third-party documentation for this type of encryption on Linux exists: https://github.com/msemys/esjc
What about internal (cluster node) encryption and http encryption?

https://groups.google.com/forum/#!searchin/event-store/$20The$20authentication$20or$20decryption$20has$20failed|sort:relevance/event-store/V__RYzskdew/xGZUp_PMBAAJ

Just put a note in the internal list that we should solve this with a doc
that goes through it step by step. It will be up in a day or two.

Let’s look at the date: 08.11.15
:slight_smile:

We’ve added a new page to the docs for setting up SSL on Ubuntu 16.04, you can find it here

If you have any feedback or improvements for that page, please open an issue in the docs repo or open a PR.

Thank you.

For everybody who will read this thread.

  1. Confirm: it works.
  2. If you use CentOS, instead of /usr/local/share/ca-certificates/ copy to /etc/pki/tls/certs. Instead of update-ca-certificates use update-ca-trust.
  3. For UseInternalSsl: True you also need to add the following:

CertificateFile:
ExtSecureTcpPort: xxxx
IntSecureTcpPort: xxxx
UseInternalSsl: True
SslTargetHost: "bla-bla.com"
How to check that internal SSL works:

  1. netstat -alnp | grep eventstore

tcp 0 0 0.0.0.0:2113 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 0.0.0.0:2114 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:35247 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1115 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1116 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1116 192.168.3.130:46312 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:2114 192.168.3.130:52828 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:52228 192.168.3.130:2114 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:2114 192.168.3.130:52782 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:52230 192.168.3.130:2114 ESTABLISHED 30507/eventstored

Port 1116 is for internal SSL.

  2. Log

[PID:31425:006 2017.06.01 09:09:24.524 INFO TcpConnectionSsl ] [S192.168.5.194:1116, L192.168.5.130:46312]
[PID:31425:006 2017.06.01 09:09:24.525 INFO TcpConnectionSsl ] Cipher: Aes256 strength 256
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.529 INFO TcpConnectionSsl ] Is authenticated: True as server? False
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] IsSigned: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Can read: True, write True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Can timeout: True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Certificate revocation list checked: False
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Local certificate is null.
[PID:31425:006 2017.06.01 09:09:24.541 INFO TcpConnectionSsl ] Remote certificate was issued to CN=bla-bla.com and is valid from 5/31/2017 12:49:22 PM until 5/31/2018 12:49:22 PM.

Hope I haven’t missed anything.
And now, the last question: how to configure HTTP encryption without a reverse proxy?
httpcfg -list
Port: 5114 Thumbprint: E4A68B65AE4A5788C056E18438199B31BD21B560
Port 5114 is configured, but https doesn’t work. :frowning:
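The post above verifies the internal TLS set-up by eye: netstat for the listener, then the TcpConnectionSsl lines for the negotiated parameters. The following is an added example, not code from this thread or from EventStore, that does the same two checks in code. `audit_tls_log()` parses the handshake lines and flags what a reviewer would flag in the quoted output (Mono reports `Protocol: Tls` for TLS 1.0, an assumption marked in the code; SHA-1 suite; static RSA key exchange without forward secrecy; no revocation check; no local certificate, so only the remote node is authenticated). `thumbprint_from_pem()` and `peer_thumbprint()` compute a certificate's SHA-1 thumbprint in the form `httpcfg -list` and `CertificateThumbprint` use, so the configured value can be compared with what a live secure TCP port actually presents; this assumes the secure TCP port speaks TLS from the first byte, which the `EndAuthenticateAsServer` log lines above suggest. The first log sample is the poster's quoted output, the "OK" sample and the placeholder PEM are constructed.

```python
"""Added example, not code from the thread or from EventStore. Assumptions are
marked ASSUMED in the comments."""
import base64
import hashlib
import re
import ssl

# Constructed sample: the TcpConnectionSsl lines quoted in the post above.
SAMPLE_LOG = """\
[PID:31425:006 2017.06.01 09:09:24.525 INFO TcpConnectionSsl ] Cipher: Aes256 strength 256
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.529 INFO TcpConnectionSsl ] Is authenticated: True as server? False
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Certificate revocation list checked: False
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Local certificate is null.
[PID:31425:006 2017.06.01 09:09:24.541 INFO TcpConnectionSsl ] Remote certificate was issued to CN=bla-bla.com and is valid from 5/31/2017 12:49:22 PM until 5/31/2018 12:49:22 PM.
"""

# Constructed sample of a hardened handshake (ASSUMED: value names follow the
# .NET SslStream enums, e.g. Tls12, Sha256, ECDiffieHellman).
SAMPLE_LOG_OK = """\
[PID:1:001 2017.06.01 09:10:00.000 INFO TcpConnectionSsl ] Hash: Sha256 strength 256
[PID:1:001 2017.06.01 09:10:00.000 INFO TcpConnectionSsl ] Key exchange: ECDiffieHellman strength 256
[PID:1:001 2017.06.01 09:10:00.000 INFO TcpConnectionSsl ] Protocol: Tls12
[PID:1:001 2017.06.01 09:10:00.000 INFO TcpConnectionSsl ] Is Encrypted: True
[PID:1:001 2017.06.01 09:10:00.000 INFO TcpConnectionSsl ] Certificate revocation list checked: True
"""

_FIELD = re.compile(r"TcpConnectionSsl \] ([A-Za-z ]+?): (.*)$")


def parse_tls_log(text):
    """Collect 'Field: value' pairs from TcpConnectionSsl lines; lines without
    such a pair ('Local certificate is null.') are kept under 'notes'."""
    fields = {"notes": []}
    for line in text.splitlines():
        if "TcpConnectionSsl ]" not in line:
            continue
        m = _FIELD.search(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        else:
            fields["notes"].append(line.split("TcpConnectionSsl ] ", 1)[1].strip())
    return fields


def audit_tls_log(text):
    """Findings a reviewer would raise for the logged handshake parameters."""
    f = parse_tls_log(text)
    findings = []
    if f.get("Protocol") == "Tls":  # ASSUMED: SslProtocols.Tls means TLS 1.0
        findings.append("TLS 1.0 negotiated; require Tls12 on both nodes")
    if f.get("Hash", "").startswith("Sha1"):
        findings.append("SHA-1 cipher suite; prefer a SHA-256 suite")
    if f.get("Key exchange", "").startswith("RsaKeyX"):
        findings.append("static RSA key exchange: no forward secrecy; prefer ECDHE")
    if f.get("Certificate revocation list checked") == "False":
        findings.append("revocation not checked (expected for self-signed, but note it)")
    if "Local certificate is null." in f["notes"]:
        findings.append("this side presented no certificate: only the remote node is authenticated")
    if f.get("Is Encrypted") != "True":
        findings.append("channel is not encrypted")
    return findings


def thumbprint_from_pem(pem):
    """SHA-1 of the DER encoding as upper-case hex without colons: the form
    used by httpcfg -list and the CertificateThumbprint option."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def normalize_thumbprint(value):
    """Accept 'AB:CD:..' (openssl x509 -fingerprint -sha1), spaced or bare hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def peer_thumbprint(host, port):
    """Thumbprint of the certificate a live port presents. ASSUMED: the secure
    TCP port speaks TLS from the first byte. No validation here on purpose:
    the goal is to identify the certificate, not to trust it."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


def thumbprint_matches(configured, presented):
    return normalize_thumbprint(configured) == normalize_thumbprint(presented)


# Constructed placeholder so thumbprint_from_pem() runs offline; the body is
# not a real certificate, only base64 that the PEM decoder accepts.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(b"constructed placeholder, not a certificate").decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for finding in audit_tls_log(SAMPLE_LOG):
        print("-", finding)
    print(thumbprint_from_pem(PLACEHOLDER_PEM))
```

To compare a node's configured thumbprint with what it really serves on the internal secure port, call `thumbprint_matches(configured, peer_thumbprint("192.168.3.194", 1116))`; a mismatch means the node is presenting a different certificate than the one the other nodes were told to expect, which is one way to end up with "The authentication or decryption has failed" on EndAuthenticateAsServer.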

Will wait for Hayley or Pieter, but you most likely need to set up an
appropriate http prefix.