Hi Stefan,
Does the combined glusterfs.ca includes client nodes pem? Also this file need to be placed in Client node as well.
--
Aravinda
Kadalu Technologies
---- On Fri, 26 Jan 2024 15:14:39 +0530 Stefan Kania <stefan@xxxxxxxxxxxxxxx> wrote ---
Hi to all,
The system is running Debian 12 with Gluster 10. All systems are using
the same versions.
I try to encrypt the communication between the peers and the clients via
TLS. The encryption between the peers works, but when I try to mount the
volume on the client I always get an error.
What have I done?
1. all hosts and clients can resolve the name of all systems involved.
2. the volume is running and all hosts and clients can mount the volume,
when TLS is not activated.
To activate TLS I did in /usr/lib/ssl on all participating systems with
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=c01.gluster" -out
glusterfs.pem
Keys and certificates created (CN customised)
Then combine all certificates into one and copy them to /usr/lib/ssl/ as
glusterfs.ca to all hosts.
Create the file /var/lib/glusterd/secure-access on the gluster peers.
Gluster volume stopped and glusterd restarted.
Then set the following parameters:
gluster volume set gv1 auth.ssl-allow '*'
gluster volume set gv1 client.ssl on
gluster volume set gv1 server.ssl on
When mounting the volume on the peers, I get the following messages:
-------------------
_64-linux-gnu/libglusterfs.so.0(runner_log+0x100) [0x7ffa11782640] )
0-management: Ran script:
/var/lib/glusterd/hooks/1/start/post/S30samba-start.sh --volname=gv1
--first=yes --version=1 --volume-op=start --gd-workdir=/var/lib/glusterd
0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED
certificate depth is 1 for peer 192.168.57.42:49147
0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED
certificate depth is 1 for peer 192.168.57.43:49147
0-socket.management: SSL support for MGMT is ENABLED IO path is ENABLED
certificate depth is 1 for peer 192.168.57.41:49151
-------------------
Looks good to me
Now trying to mount on the client with:
---------------
mount -t glusterfs c01.gluster:/gv1 /mnt
---------------
Then I get the following messages:
On the gluster node in /var/log/gluster/glusterd
------
[2024-01-26 09:27:34.987837 +0000] I
[socket.c:4288:ssl_setup_connection_params] 0-socket.management: SSL
support for MGMT is ENABLED IO path is ENABLED certificate depth is 1
for peer 192.168.57.51:49151
[2024-01-26 09:27:34.991908 +0000] E [socket.c:224:ssl_dump_error_stack]
0-socket.management: error:0A00010B:SSL routines::wrong version number
------
On the client in /var/log/gluster/mnt.log
-------
[2024-01-26 09:30:06.673990 +0000] I [MSGID: 100030]
[glusterfsd.c:2767:main] 0-/usr/sbin/glusterfs: Started running version
[{arg=/usr/sbin/glusterfs}, {version=10.5},
{cmdlinestr=/usr/sbin/glusterfs --process-name fuse
--volfile-server=c01.gluster --volfile-id=/gv1 /mnt}]
[2024-01-26 09:30:06.677184 +0000] I [glusterfsd.c:2447:daemonize]
0-glusterfs: Pid of current running process is 931
[2024-01-26 09:30:06.685814 +0000] I [MSGID: 101190]
[event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread
with index [{index=1}]
[2024-01-26 09:30:06.686116 +0000] I [MSGID: 101190]
[event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread
with index [{index=0}]
[2024-01-26 09:30:06.690443 +0000] I
[glusterfsd-mgmt.c:2681:mgmt_rpc_notify] 0-glusterfsd-mgmt: disconnected
from remote-host: c01.gluster
[2024-01-26 09:30:06.690512 +0000] I
[glusterfsd-mgmt.c:2720:mgmt_rpc_notify] 0-glusterfsd-mgmt: Exhausted
all volfile servers
[2024-01-26 09:30:06.691618 +0000] W
[glusterfsd.c:1458:cleanup_and_exit]
(-->/lib/x86_64-linux-gnu/libgfrpc.so.0(+0xfa35) [0x7f83ace13a35]
-->/usr/sbin/glusterfs(+0x14769) [0x55650549b769]
-->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x556505492447] ) 0-:
received signum (1), shutting down
[2024-01-26 09:30:06.691699 +0000] I [fuse-bridge.c:7065:fini] 0-fuse:
Unmounting '/mnt'.
[2024-01-26 09:30:06.694246 +0000] I [fuse-bridge.c:7069:fini] 0-fuse:
Closing fuse connection to '/mnt'.
[2024-01-26 09:30:06.694431 +0000] W
[glusterfsd.c:1458:cleanup_and_exit]
(-->/lib/x86_64-linux-gnu/libc.so.6(+0x89044) [0x7f83acc98044]
-->/usr/sbin/glusterfs(glusterfs_sigwaiter+0xc5) [0x556505499e05]
-->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x556505492447] ) 0-:
received signum (15), shutting down
-------
Testing with openssl on the client show:
root@cluster-client:~# openssl s_client -CAfile
/usr/lib/ssl/glusterfs.ca -connect c01.gluster:24007
CONNECTED(00000003)
depth=0 CN = c01.gluster
verify return:1
---
Certificate chain
0 s:CN = c01.gluster
i:CN = c01.gluster
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 26 08:27:12 2024 GMT; NotAfter: Feb 25 08:27:12
2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIULCwcIV9jWFzeZoeO1Xs5TJ9J5rkwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLYzAxLmdsdXN0ZXIwHhcNMjQwMTI2MDgyNzEyWhcNMjQw
MjI1MDgyNzEyWjAWMRQwEgYDVQQDDAtjMDEuZ2x1c3RlcjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANPQ+fSk2V+hAjSOViZJxDWEgkjO1g8r3JH47QmI
D8mhEAVoeUhzDdbDV2gWw26pgU1Z22cCQr72rnZaK9vV1xzvGVjdzbKwQU8NhqhR
XWGJVlHdc5LxcOXfU7FpY6XMDzDLvRuNTMzsc685vJ8hjMxMAZJSLMAXNmLPMPnW
NuaudBE+1f7oc9sdGWhUqmPcWXT6xUeEUEJCDbOrccH8nhUwBMbQFiU7S4pV3smB
bbYNHFtw7Liz9B/vMoX1HckUKAsWcaWqPlWYr1rFHHPneyuG2evVcfRDhGsA1Fmo
v7kamrGtXgEAdgXC6HdENFBJzdSSb77A89d8OSHOYNyEV5UCAwEAAaNTMFEwHQYD
VR0OBBYEFCFjInacsKnR6TuPf+BI30b8qWPtMB8GA1UdIwQYMBaAFCFjInacsKnR
6TuPf+BI30b8qWPtMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AKBZNCRxKO5rv4yezGZRa/SDdpEc/vrGD5jKbHxQjBP+0YX/hToOGt04oh48iNFT
A2vqUVby4JXml9FjPCNktHlRk/NYXIlQiTm//TBeG2D+HrAQRyLR6TXF62/4H3Pb
Yktzr+vNk/znd5AKv3g8kMMpAB0UGxjZ9CtMDTuAYrQPtFCgCy1rf6fvP3cKZwaK
kk/QjJyc9u6zTvL0ptOHdOdQbhrHjZHiQ1D6QvJu6LouMsY3gGlVXfh0rQHUzSvT
7MmDRb/l4jTs2sn/nexh9bpHUv/m3vzDWBbrWcwGzenKXR+lg1hvAZAP3Ds33S/+
W7sfZVptCwBXbYK0bSh+KiU=
-----END CERTIFICATE-----
subject=CN = c01.gluster
issuer=CN = c01.gluster
---
No client certificate CA names sent
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1534 bytes and written 777 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
A9CA3DA57FDA9BF9D9EFBBD0E5CE5D8F7A5DE091C10E54310D52A23DCB7DA95B
Session-ID-ctx:
Resumption PSK:
C7BA79D9FB045352371121AC97F891FBD4C2578AA48A7CD57747A941C6864CCE5163D5AF94BE01D75233148BD75E755E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 6e fd 36 f6 0f 16 dc d0-f1 9f 02 4b 32 20 5e 4b
n.6........K2 ^K
0010 - e4 98 1e 6f 4c 8d b3 71-c8 12 40 ed 75 3f f7 ce
...oL..q..@.u?..
Start Time: 1706261953
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
42BA7A7BFC9B64C030DB99E2D12B060052F53B5A771826199868A6AE913ED245
Session-ID-ctx:
Resumption PSK:
3E66E04230CDFDF569A87764318B3C0C67FEA910742784CBC31E0221C44DB4EB91C2EBCB471AEB31FFFD5AB452C899F3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 79 2a c8 0c 4c c7 2b f1-2d 3c 01 cf dd b3 e0 68
y*..L.+.-<.....h
0010 - 7c 19 e7 e3 96 d9 5d 77-19 a3 e1 a8 9e 6c 3a 37
|.....]w.....l:7
Start Time: 1706261953
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
40D7F609527F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof
while reading:../ssl/record/rec_layer_s3.c:303:
Any help?
Thank's
Stefan
________
Community Meeting Calendar:
Schedule -
Every 2nd and 4th Tuesday at 14:30 IST / 09:00 UTC
Bridge: https://meet.google.com/cpu-eiue-hvk
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
https://lists.gluster.org/mailman/listinfo/gluster-users
________ Community Meeting Calendar: Schedule - Every 2nd and 4th Tuesday at 14:30 IST / 09:00 UTC Bridge: https://meet.google.com/cpu-eiue-hvk Gluster-users mailing list Gluster-users@xxxxxxxxxxx https://lists.gluster.org/mailman/listinfo/gluster-users