ClickHouse / clickhouse-go

Golang driver for ClickHouse
Apache License 2.0

TLS Client Authentication Not Functional in Go with Clickhouse Docs on Client Cert Generation #1300

Open abraithwaite opened 1 month ago

abraithwaite commented 1 month ago

Generate a client certificate according to the docs on clickhouse's docs:

https://clickhouse.com/docs/en/guides/sre/ssl-user-auth

Use the certificate to authenticate directly with the host:

$  cat ./clickhouse-client.yml
user: runreveal
password: 'xxxx'
secure: true
openSSL:
  client:
    caConfig: '/home/ubuntu/ca.pem'
    certificateFile: '/home/ubuntu/client.pem'
    privateKeyFile: '/home/ubuntu/client.key'

$  ./clickhouse client -h X.X.X.X --secure --port 9440
ClickHouse client version 24.5.1.1239 (official build).
Connecting to X.X.X.X:9440 as user runreveal.
Connected to ClickHouse server version 24.2.2.

clickhouse.internal :) Bye.

Go program using this client at the latest version (v2):

https://gist.github.com/abraithwaite/f80a83a88ab75cb31c9b0d39c635215d

The error returned:

$ ./chcertauth -clientKeyFile client.key -clientCertFile client.pem -caCertFile ca.pem
[clickhouse-std][opener] [connect] error connecting to x.x.x.x:9440 on connection 1: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
2024/05/16 22:22:44 Failed to ping ClickHouse: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

CFSSL cert info:

$ ./cfssl certinfo -cert ca.pem

{
  "subject": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "issuer": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "serial_number": "xxxx",
  "not_before": "2024-05-15T18:34:43Z",
  "not_after": "2124-04-21T18:34:43Z",
  "sigalg": "SHA256WithRSA"
}

$ ./cfssl certinfo -cert client.pem

{
  "subject": {
    "common_name": "1.2.3.4",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "1.2.3.4"
    ]
  },
  "issuer": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "serial_number": "xxxxxx",
  "not_before": "2024-05-15T18:41:24Z",
  "not_after": "2124-04-21T18:41:24Z",
  "sigalg": "SHA256WithRSA"
}

I recommend either updating the ClickHouse docs with an example that works in Go, or figuring out a good (and secure!) way to ensure that the client certificates generated per the ClickHouse server documentation also work in the Go client.

jkaflik commented 1 month ago

Thanks @abraithwaite for reporting.

It seems the ClickHouse docs should be extended with a subject alt name provided to the certificate generation command: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
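The failure in the report and the fix proposed in the reply (a certificate whose host name appears only in the Subject CN, versus one that also carries a Subject Alternative Name) can be reproduced without a ClickHouse server. The following is an added example, not the reporter's gist and not clickhouse-go code. It builds a throwaway CA and two leaf certificates in memory (the CA name "root", organization "ASDF" and host "clickhouse.internal" are constructed values, not the reporter's files), runs the same chain and hostname verification that Go's crypto/tls applies to a peer certificate during the handshake, and assembles the tls.Config a mutual-TLS client would use. Go produces the "relies on legacy Common Name field" error only while verifying the certificate presented by the peer, so on the connection shown above it refers to the certificate the server presents for the host passed to the client. That clickhouse-go v2 accepts such a config through clickhouse.Options.TLS is an assumption about the library, not something shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// keyPair is a parsed certificate plus its private key; all generated in memory here.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a key and certificate for cn. A nil parent yields a self-signed CA;
// otherwise the certificate is signed by parent. With withSAN=false the name lives only
// in the Subject CN, as a plain `openssl req` emits it; withSAN=true adds a DNS or IP SAN.
func issue(parent *keyPair, cn string, withSAN bool) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"ASDF"}}, // constructed values
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if withSAN {
		if ip := net.ParseIP(cn); ip != nil {
			tmpl.IPAddresses = []net.IP{ip}
		} else {
			tmpl.DNSNames = []string{cn}
		}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// verifyForHost runs the chain and hostname check that crypto/tls applies to a
// peer certificate during the handshake; it returns "" when the check passes.
func verifyForHost(ca, leaf *keyPair, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

// CompareVerification issues a CN-only and a SAN-bearing certificate for host
// under a fresh CA and returns the verification error text for each.
func CompareVerification(host string) (cnOnly, withSAN string, err error) {
	ca, err := issue(nil, "root", false)
	if err != nil {
		return "", "", err
	}
	legacy, err := issue(ca, host, false)
	if err != nil {
		return "", "", err
	}
	modern, err := issue(ca, host, true)
	if err != nil {
		return "", "", err
	}
	return verifyForHost(ca, legacy, host), verifyForHost(ca, modern, host), nil
}

// ClientTLSConfig assembles what a Go client needs for mutual TLS: the issuing CA as
// the only trust root, the expected server name, and the client certificate and key
// to present. (Assumption: clickhouse-go v2 takes this via clickhouse.Options.TLS.)
func ClientTLSConfig(ca, client *keyPair, serverName string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		RootCAs:      roots,
		ServerName:   serverName,
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}},
	}
}
```

CompareVerification returns the exact "x509: certificate relies on legacy Common Name field, use SANs instead" text for the CN-only certificate and an empty string for the one carrying a SAN, which is the difference the reply above proposes to document. With OpenSSL 1.1.1 or later the SAN can be added at generation time with `-addext "subjectAltName=DNS:host"` (or `IP:a.b.c.d`) on `openssl req`; `openssl x509 -noout -text -in cert.pem | grep -A1 "Subject Alternative Name"` shows whether an existing certificate has one. The ClickHouse server verifies a client certificate by its CN, so the SAN is needed on the certificate presented for the host name or IP the Go client connects to.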