  1. MariaDB MaxScale
  2. MXS-3093

Client side certificates for secure REST API fails

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.5.1
    • Fix Version/s: 2.5.3
    • Component/s: REST-API
    • Labels:
      None
    • Environment:
      Linux CentOS 7.7
    • Sprint:
      MXS-SPRINT-113

      Description

      With MariaDB MaxScale configured for TLS for REST like this:

      [maxscale]
      admin_ssl_key=/usr/local/certs/server-key.pem
      admin_ssl_cert=/usr/local/certs/server-cert.pem
      admin_ssl_ca_cert=/usr/local/certs/ca-cert.pem
      

      Then you get odd errors when trying to connect using client keys:

      $ maxctrl --secure --tls-key=/home/anders/src/blogs/maxscalessl/client-key.pem --tls-cert=/home/anders/src/blogs/maxscalessl/client-cert.pem --tls-ca-cert=/home/anders/src/blogs/maxscalessl/ca-cert.pem list servers
      TypeError: Converting circular structure to JSON
          at JSON.stringify (<anonymous>)
          at /snapshot/maxctrl/lib/common.js:0:0
          at process._tickCallback (internal/process/next_tick.js:68:7)
      

      Using --tls-verify-server-cert=false makes this work though. And then only the ca-cert is necessary:

      $ maxctrl --secure  --tls-ca-cert=/home/anders/src/blogs/maxscalessl/ca-cert.pem list servers --tls-verify-server-cert=false
      ┌─────────┬──────────────┬───────┬─────────────┬───────────────────────────────────────────┬────────────┐
      │ Server  │ Address      │ Port  │ Connections │ State                                     │ GTID       │
      ├─────────┼──────────────┼───────┼─────────────┼───────────────────────────────────────────┼────────────┤
      │ server1 │ 192.168.0.11 │ 3306  │ 0           │ Master, Slave of External Server, Running │ 0-1-837377 │
      ├─────────┼──────────────┼───────┼─────────────┼───────────────────────────────────────────┼────────────┤
      │ server2 │ 192.168.0.11 │ 10503 │ 0           │ Down                                      │            │
      └─────────┴──────────────┴───────┴─────────────┴───────────────────────────────────────────┴────────────┘
      

      Including only the client certificate causes yet another strange error message:

      $ maxctrl --secure --tls-cert=/home/anders/src/blogs/maxscalessl/client-cert.pem --tls-ca-cert=/home/anders/src/blogs/maxscalessl/ca-cert.pem list servers
      (node:5318) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'toString' of undefined
          at Request.getNewAgent (/snapshot/maxctrl/node_modules/request/request.js:656:63)
          at Request.init (/snapshot/maxctrl/node_modules/request/request.js:490:37)
          at Request.RP$initInterceptor [as init] (/snapshot/maxctrl/node_modules/request-promise-core/configure/request2.js:45:29)
          at new Request (/snapshot/maxctrl/node_modules/request/request.js:127:8)
          at request (/snapshot/maxctrl/node_modules/request/index.js:53:10)
          at module.exports.simpleRequest (/snapshot/maxctrl/lib/common.js:0:0)
          at module.exports.doAsyncRequest (/snapshot/maxctrl/lib/common.js:0:0)
          at module.exports.getJson (/snapshot/maxctrl/lib/common.js:0:0)
          at /snapshot/maxctrl/lib/list.js:0:0
          at /snapshot/maxctrl/lib/common.js:0:0
      (node:5318) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
      (node:5318) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
      

            People

            Assignee:
            markus makela
            Reporter:
            karlsson Anders Karlsson