Open knowitall12 opened 6 months ago
I have tried:
Hi @knowitall12, does your certificate file contain empty lines? The error looks similar to the one reported here: https://github.com/EventStore/EventStore/issues/3312
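A small pre-flight check for the empty-line problem mentioned above, written as an added example rather than anything from this thread or from EventStore itself: it parses a PEM file the way a strict Base-64 reader would, reporting blank lines inside a block, bodies that are not valid Base-64, unterminated blocks, and a path that does not resolve from the current directory. The sample PEM strings are constructed, not real certificates.

```python
import base64
import binascii
import os
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def check_pem_text(text):
    """Return problems a strict Base-64 PEM reader would hit (empty list = clean)."""
    problems, label, body, blocks = [], None, [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:
            if label is not None:
                problems.append(f"line {lineno}: BEGIN {begin.group(1)} inside open {label} block")
            label, body = begin.group(1), []
        elif end:
            if end.group(1) != label:
                problems.append(f"line {lineno}: END {end.group(1)} without matching BEGIN")
            else:
                try:  # validate=True rejects any character outside the Base-64 alphabet
                    base64.b64decode("".join(body), validate=True)
                    blocks += 1
                except binascii.Error as exc:
                    problems.append(f"{label} block ending at line {lineno}: not valid Base-64 ({exc})")
            label, body = None, []
        elif label is not None:
            if line == "":  # the empty-line case from the linked issue
                problems.append(f"line {lineno}: empty line inside {label} block")
            else:
                body.append(line)
    if label is not None:
        problems.append(f"{label} block is never closed with an END line")
    if blocks == 0 and not problems:
        problems.append("no PEM blocks found")
    return problems

def check_pem_file(path):
    """Resolve the path as the server would (relative to the cwd), then parse it."""
    if not os.path.isfile(path):
        return [f"{path}: no such file (resolved against {os.getcwd()})"]
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_pem_text(fh.read())

# Constructed samples (not real certificates): clean, blank line in body, bad character.
CLEAN_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcI\nCQoLDA0ODw==\n-----END CERTIFICATE-----\n"
BLANK_LINE_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcI\n\nCQoLDA0ODw==\n-----END CERTIFICATE-----\n"
BAD_CHAR_PEM = "-----BEGIN CERTIFICATE-----\nAAEC$wQFBgcI\nCQoLDA0ODw==\n-----END CERTIFICATE-----\n"
```

Run `check_pem_file("certificate.pem")` from the directory the server starts in; a relative path that resolves elsewhere shows up as the "no such file" result rather than a parse error.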
This happened to me as well, and it started suddenly (two months working fine and then this happened):
```json
{"@t":"2024-07-25T12:13:30.7090903+00:00","@mt":"[S{remoteEndPoint}, L{localEndPoint}]: Authentication exception on AuthenticateAsServerAsync.","@l":"Information","@i":3445664483,"@x":"System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.\n ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.\n ---> Interop+Crypto+OpenSslCryptographicException: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol\n --- End of inner exception stack trace ---\n at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)\n at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)\n --- End of inner exception stack trace ---\n at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)\n at EventStore.Transport.Tcp.TcpConnectionSsl.AuthenticateAsServerAsync(Func`1 serverCertificateSelector, Func`1 intermediatesSelector) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Transport.Tcp/TcpConnectionSsl.cs:line 189","remoteEndPoint":"167.94.146.58:57834","localEndPoint":"10.158.15.245:1112","SourceContext":"EventStore.Transport.Tcp.TcpConnectionSsl","ProcessId":1294,"ThreadId":110}
{"@t":"2024-07-25T12:13:23.3126284+00:00","@mt":"[S{remoteEndPoint}, L{localEndPoint}]: Exception on AuthenticateAsServerAsync.","@l":"Information","@i":990159251,"@x":"System.ArgumentNullException: Value cannot be null. (Parameter 'cert')\n at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(X509Certificate cert)\n at EventStore.Common.Utils.CertificateExtensions.ConvertToCertificate2(X509Certificate certificate, X509Certificate2& certificate2) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Common/Utils/CertificateExtensions.cs:line 192\n at EventStore.Core.ClusterVNode`1.ValidateClientCertificate(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, Func`1 intermediateCertsSelector, Func`1 trustedRootCertsSelector) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/ClusterVNode.cs:line 1781\n at EventStore.Transport.Tcp.TcpConnectionSsl.ValidateClientCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Transport.Tcp/TcpConnectionSsl.cs:line 285\n at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)\n at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)\n at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)\n at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)\n at EventStore.Transport.Tcp.TcpConnectionSsl.AuthenticateAsServerAsync(Func`1 serverCertificateSelector, Func`1 intermediatesSelector) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Transport.Tcp/TcpConnectionSsl.cs:line 189","remoteEndPoint":"167.94.146.58:39064","localEndPoint":"10.158.15.245:1112","SourceContext":"EventStore.Transport.Tcp.TcpConnectionSsl","ProcessId":1294,"ThreadId":183}
```
**Describe the bug**
We are deploying the event store db on docker. It's a single node deployment on an AWS EC2 instance. We are using the certificate file generated for the EC2 instance. We are getting the following error:

```
[ 1, 1,09:57:30.426,FTL] Host terminated unexpectedly. System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
```
**To Reproduce**
Steps to reproduce the behavior:

```shell
sudo docker run --name esdb-node-security -it \
  -p 2113:2113 -p 1113:1113 \
  -v /home/eventStoreDB/eventStore/logs:/var/log/eventstore \
  -v /home/eventStoreDB/eventStore:/var/lib/eventstore \
  -v /etc/pki/tls/:/etc/pki/tls/ \
  -e ASPNETCORE_Kestrel__Certificates__Default__Path="/etc/pki/tls/certs/file_name.pfx" \
  -e ASPNETCORE_Kestrel__Certificates__Default__Password="password_masked" \
  eventstore/eventstore:latest \
  --run-projections=All --enable-external-tcp --enable-atom-pub-over-http \
  --certificate-reserved-node-common-name 10.241.126.84 \
  --trusted-root-certificates-path /etc/pki/tls/certs/ \
  --certificate-file certificate.pem \
  --certificate-private-key-file=/etc/pki/tls/certs/key.pem
```
**Expected behavior**
Docker container should have started.

**Actual behavior**
Docker container is failing.
**Config/Logs/Screenshots**

```
[ 1, 1,09:57:29.854,INF] "ES VERSION:" "23.10.1.0" ("oss-v23.10.1"/"3ce7f59f2", "2024-01-17T12:51:15+00:00")
[ 1, 1,09:57:29.862,INF] "OS ARCHITECTURE:" X64
[ 1, 1,09:57:29.889,INF] "OS:" Linux ("Unix 5.10.209.198")
[ 1, 1,09:57:29.893,INF] "RUNTIME:" ".NET 6.0.27/80de56dad" (64-bit)
[ 1, 1,09:57:29.895,INF] "GC:" "3 GENERATIONS" "IsServerGC: False" "Latency Mode: Interactive"
[ 1, 1,09:57:29.895,INF] "LOGS:" "/var/log/eventstore"
[ 1, 1,09:57:29.959,INF] MODIFIED OPTIONS:
    CERTIFICATE OPTIONS:
         CERTIFICATE RESERVED NODE COMMON NAME: 10.x.x.x (Command Line)
         TRUSTED ROOT CERTIFICATES PATH:        /etc/pki/tls/certs/ (Command Line)

DEFAULT OPTIONS:
    APPLICATION OPTIONS:
         ALLOW ANONYMOUS ENDPOINT ACCESS:              False ()
         ALLOW ANONYMOUS STREAM ACCESS:                False ()
         ALLOW UNKNOWN OPTIONS:                        False ()
         CONFIG:                                       /etc/eventstore/eventstore.conf ()
         DISABLE HTTP CACHING:                         False ()
         ENABLE HISTOGRAMS:                            False ()
         HELP:                                         False ()
         INSECURE:                                     False ()
         LOG FAILED AUTHENTICATION ATTEMPTS:           False ()
         LOG HTTP REQUESTS:                            False ()
         MAX APPEND SIZE:                              1048576 ()
         OVERRIDE ANONYMOUS ENDPOINT ACCESS FOR GOSSIP: True ()
         SKIP INDEX SCAN ON READS:                     False ()
         STATS PERIOD SEC:                             30 ()
         TELEMETRY OPTOUT:                             False ()
         VERSION:                                      False ()
         WHAT IF:                                      False ()
         WORKER THREADS:                               0 ()
[ 1, 1,09:57:29.964,WRN] DEPRECATED
    The Legacy TCP Client Interface has been deprecated as of version 20.6.0. It is recommended to use gRPC instead.
    AtomPub over HTTP Interface has been deprecated as of version 20.6.0. It is recommended to use gRPC instead
[ 1, 1,11:39:10.486,INF] Cannot find plugins path: "/usr/share/eventstore/plugins"
[ 1, 1,11:39:10.780,DBG] MessageHierarchy initialization took 00:00:00.2687165.
[ 1, 1,11:39:10.888,INF] Loading the node's certificate(s) from file: "certificate.pem"
[ 1, 1,11:39:10.978,FTL] Host terminated unexpectedly.
Interop+Crypto+OpenSslCryptographicException: error:10000080:BIO routines::no such file
   at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at EventStore.Core.CertificateUtils.LoadFromFile(String certificatePath, String privateKeyPath, String certificatePassword, String certificatePrivateKeyPassword) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/Certificates/CertificateUtils.cs:line 148
   at EventStore.Core.ClusterVNodeOptionsExtensions.LoadNodeCertificate(ClusterVNodeOptions options) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/ClusterVNodeOptionsExtensions.cs:line 239
   at EventStore.Core.Certificates.OptionsCertificateProvider.LoadCertificates(ClusterVNodeOptions options) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/Certificates/OptionsCertificateProvider.cs:line 17
   at EventStore.Core.ClusterVNode`1.ReloadCertificates(ClusterVNodeOptions options) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/ClusterVNode.cs:line 1862
   at EventStore.Core.ClusterVNode`1..ctor(ClusterVNodeOptions options, ILogFormatAbstractorFactory`1 logFormatAbstractorFactory, AuthenticationProviderFactory authenticationProviderFactory, AuthorizationProviderFactory authorizationProviderFactory, IReadOnlyList`1 additionalPersistentSubscriptionConsumerStrategyFactories, CertificateProvider certificateProvider, MetricsConfiguration metricsConfiguration, IExpiryStrategy expiryStrategy, Nullable`1 instanceId, Int32 debugIndex) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/ClusterVNode.cs:line 249
   at EventStore.Core.ClusterVNode.Create[TStreamId](ClusterVNodeOptions options, ILogFormatAbstractorFactory`1 logFormatAbstractorFactory, AuthenticationProviderFactory authenticationProviderFactory, AuthorizationProviderFactory authorizationProviderFactory, IReadOnlyList`1 factories, CertificateProvider certificateProvider, MetricsConfiguration metricsConfiguration, Nullable`1 instanceId, Int32 debugIndex) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.Core/ClusterVNode.cs:line 85
   at EventStore.ClusterNode.ClusterVNodeHostedService..ctor(ClusterVNodeOptions options, CertificateProvider certificateProvider, MetricsConfiguration metricsConfiguration) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.ClusterNode/ClusterVNodeHostedService.cs:line 105
   at EventStore.ClusterNode.Program.Main(String[] args) in /home/runner/work/TrainStation/TrainStation/build/oss-eventstore/src/EventStore.ClusterNode/Program.cs:line 171
```

**EventStore details**
EventStore server version: v23.10
Operating system: NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/" SUPPORT_END="2025-06-30" Amazon Linux release 2 (Karoo)
EventStore client library and version (if applicable):