codenotary / immudb

immudb - immutable database based on zero trust, SQL/Key-Value/Document model, tamperproof, data change history
https://immudb.io

Enabling mtls creates an issue with the https web service #1771

Open lorepas opened 10 months ago

lorepas commented 10 months ago

What happened Hello, I tried to enable mtls on immudb but I encountered some issues. In particular, I executed the script ./generate.sh example.com testpsw present in the immudb repo. In immudb.toml I set:

certificate = '/etc/immudb/certs/example.com.cert.pem'
clientcas = '/etc/immudb/certs/ca-chain.cert.pem'
pkey = '/etc/immudb/certs/example.com.key.pem'
mtls = true

In particular, the certificate and the key are the ones present in the folder /mtls/3_application.

Then, checking the connection with immuadmin using the complete command string as follows:

./immuadmin login immudb --certificate /etc/immudb/client_cert/example.com.cert.pem --clientcas /etc/immudb/certs/ca-chain.cert.pem --mtls --pkey /etc/immudb/client_cert/example.com.key.pem --servername example.com

I'm able to connect correctly. The certificate and key used here are the ones in /mtls/4_clients. I also tried the following curl from my shell:

curl -v https://example.com:8080 --cert client-cert.pem --key client-key.pem --cacert ca-cert-immudb.pem

And the response was positive.

At this point, I have to connect to the web server over HTTPS. I imported the certificate into my browser in p12 format by executing the following command in /mtls/4_clients:

openssl pkcs12 -export -out immudb-client-localhost.p12 -in certs/example.com.cert.pem -inkey private/example.com.key.pem

I also imported the CA chain certificate. However, if I try to log in over HTTPS (https://example.com:8080) I encounter the following error: [image]

And in the logs I found the following error:

2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58789: EOF
2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58785: EOF
2023/08/17 16:37:40 http: TLS handshake error from 10.0.110.2:58786: EOF

The IP shown is my client's, so it is exactly the HTTPS connection.

What you expected to happen I expect HTTPS to work fine after I have imported the client certificate.

How to reproduce it (as minimally and precisely as possible) The steps to follow are in the description of the issue. Environment

Additional info (any other context about the problem)
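What the server is enforcing once mtls = true and clientcas are set, shown as an added illustration that is not immudb's code: the Go program below builds a throwaway CA, a server certificate for example.com and a client certificate in memory, starts an HTTPS server that requires a CA-signed client certificate, and connects to it twice. The attempt that presents the client certificate succeeds and the handler can read the authenticated identity from the TLS state; the attempt without one fails during the handshake, and the server logs it with the same "http: TLS handshake error from ..." prefix as the lines above (the error text after the prefix depends on why the handshake failed; an EOF there means the client closed the connection before the handshake completed). The whole PKI, the name immudb-client and the server handler are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// template returns a minimal certificate template; every name used here is constructed.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

func check(err error) {
	if err != nil {
		panic(err) // constructed PKI: a failure here is a programming error, not a TLS outcome
	}
}

// issue generates a P-256 key and a certificate for tmpl, self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MTLSDemo starts an HTTPS server that requires a client certificate signed by the
// constructed CA (the counterpart of mtls = true plus clientcas) and connects twice,
// with and without a client certificate. It returns the body the authenticated
// client received and the error of each attempt.
func MTLSDemo() (body string, withCertErr, noCertErr error) {
	caTmpl := template(1, "Constructed Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey := issue(caTmpl, nil, nil)
	srvTmpl := template(2, "example.com")
	srvTmpl.DNSNames = []string{"example.com"} // the name the client verifies (cf. --servername)
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvCert, srvKey := issue(srvTmpl, ca, caKey)
	cliTmpl := template(3, "immudb-client")
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliCert, cliKey := issue(cliTmpl, ca, caKey)
	pool := x509.NewCertPool() // plays the role of ca-chain.cert.pem on both sides
	pool.AddCert(ca)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// With RequireAndVerifyClientCert the handler only runs for a verified client,
		// so the authenticated identity can be read straight from the TLS state.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // mtls = true
	}
	srv.StartTLS() // failed handshakes are logged as "http: TLS handshake error from ..."
	defer srv.Close()

	get := func(certs []tls.Certificate) (string, error) {
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:      pool,
			ServerName:   "example.com", // we dial 127.0.0.1, so name the expected cert explicitly
			Certificates: certs,         // the client certificate, or nil for "none"
		}}}
		resp, err := client.Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		b, err := io.ReadAll(resp.Body)
		return string(b), err
	}
	body, withCertErr = get([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}})
	_, noCertErr = get(nil)
	return body, withCertErr, noCertErr
}

func main() {
	body, okErr, badErr := MTLSDemo()
	fmt.Printf("with client cert: %q err=%v\nwithout client cert: err=%v\n", body, okErr, badErr)
}
```

The second attempt is the browser's situation in the report: the server is configured to refuse any connection that does not carry a certificate chaining to clientcas, so the check that matters is whether the client actually sends a certificate that the server's CA pool accepts, not whether the server certificate is trusted. The server-side log line is the place to confirm which of the two is failing.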

lorepas commented 9 months ago

Hello @jeroiraz ! Any news about this issue?

jeroiraz commented 9 months ago

> Hello @jeroiraz ! Any news about this issue?

Hello @lorepas, we haven't had the time to work on it yet.

Because we need either to enable mtls for certain users or to provide a way to provision certificates to the webconsole...

lorepas commented 9 months ago

> Hello @jeroiraz ! Any news about this issue?
>
> Hello @lorepas, we didn't have the time to work on it yet.
>
> Because either we need to enable mtls for certain users or provide a way to provision certificates to the webconsole...

Thank you for the reply @jeroiraz ! FYI, as a workaround I exposed the UI behind an NGINX (this way I'm able to access it over HTTPS) and the postgres-protocol connection behind pgbouncer (this way I'm able to connect with postgres over TLS).

lorepas commented 4 months ago

Hi @jeroiraz, do you think version 2.x will offer the possibility to access both the Web UI and the ImmuDB database over mTLS, with the immuadmin and immuclient command line clients?