What goes in TrustedRootCertificatesPath?

For SSL on my webserver I use a .pfx file with a password. I also have the corresponding .crt and .key files. I think these go in CertificateFile, CertificatePrivateKeyFile, and CertificatePassword. Is that right? And if that’s the case what does TrustedRootCertificatesPath want?

I followed this example https://www.albertocorrales.com/2020/11/setup-eventstoredb-on-aws-ec2-with.html and got things running, but of course the SSL was insecure and curl wouldn’t work.

For SSL on my webserver I only needed to generate set of cryptographic files { pfx, crt, key } , but looks like eventstore needs two sets.

this should help you setting that up

Hi Yves, thanks for your help, but I’m still missing something:

Are CertificateFile and CertificatePrivateKeyFile different for each node, or is it expecting my wildcard .crt and .key files I use to enable SSL on my webserver?

I tried putting { wwd.ai.pem, shop.wwd.ai.pem, *.wwd.ai.pem } into /etc/ssl/certs with the relevant CertificatePassword – eventstore runs but it didn’t like the SSL configuration and gives me browser warning : “this site is not safe”


Db: /var/lib/eventstore
Index: /var/lib/eventstore/index
Log: /var/log/eventstore

Certificates configuration

CertificateFile: /etc/eventstore/certs/node.crt #generated with es-gencert-cli (should it be my wildcard certificate?)
CertificatePrivateKeyFile: /etc/eventstore/certs/node.key #generated with es-gencert-cli (should it be my wildcard certificate?)
TrustedRootCertificatesPath: /etc/ssl/certs
CertificateReservedNodeCommonName: “*.wwd.ai” #surprised quotes are needed here.
CertificatePassword: “mypfxpassword” #quotes? or no quotes? # how does it know what this password applies to ?? This is the password for my wildcard certificate

Network configuration

IntHostAdvertiseAs: shop.wwd.ai
ExtHostAdvertiseAs: shop.wwd.ai
HttpPort: 2113
IntTcpPort: 1112
ExtTcpPort: 1113
EnableExternalTcp: true
EnableAtomPubOverHTTP: true

Projections configuration

RunProjections: All

@patrickinminneapolis Indeed, you can configure a certificate per node. However, as I see, the certs are configured, as you can access the browser page. Is your certificate generated by some public trusted authority? If not, then you need to add them to a trusted local store on the client machine not to see the warning.
See more in https://developers.eventstore.com/server/v20/server/security/configuration.html#certificate-installation-on-a-client-environment

I generated node.crt and node.key with es-gencert-cli, then copied node.crt to /usr/local/share/ca-certificates/ and ran sudo update-ca-certificates. This still results in browser warning.

Then I tried the crt and key i use for my webserver that was generated by a public authority CertificateFile and CertificatePrivateKeyFile, but then eventstore just died silently (nothing in the logs even)

#attempt 1: works but browser warning
CertificateFile: /etc/eventstore/certs/node.crt
CertificatePrivateKeyFile: /etc/eventstore/certs/node.key
TrustedRootCertificatesPath: /usr/local/share/ca-certificates

#attempt2 : just silently fails
CertificateFile: /etc/eventstore/real/wwd.ai.crt
CertificatePrivateKeyFile: /etc/eventstore/certs/real/wwd.ai.key
CertificateReservedNodeCommonName: “*.wwd.ai”
CertificatePassword: “mypassword”

Let me know anything jumps out at you, as I don’t even know what question to ask at this point

Self-signed certificates always give browser warnings because, well, they are self-signed. You need to add the CA certificate to your local trusted CA store and you won’t see the warning again.