etcd-io / jetcd

etcd java client
Apache License 2.0

Using SSL #55

Closed eho-eho closed 7 years ago

eho-eho commented 8 years ago

Has anyone managed to get a java etcd client to use SSL, and if so, how? I have generated self-signed certificates (ca, server, and client) that work fine with etcdctl (with etcd3) but cannot get it to work with netty-tcnative from java. I always get the following: io.netty.handler.ssl.OpenSslEngine - SSL_read failed: OpenSSL error: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE

eho-eho commented 8 years ago

This was happening with netty-tcnative-boringssl-static 1.1.33.Fork23. Once I switched to netty-tcnative-boringssl-static 1.1.33.Fork19 the problem disappeared.

josselin-c commented 7 years ago

Hello, how did you set up jetcd with SSL? I can't find anything in the javadoc of the project nor in its online documentation. I need to do client auth with TLS certificates. I know how to build a properly configured netty channel but I can't find how to pass it to jetcd. If you have some time to recall how you did it, it would be wonderful!

xiang90 commented 7 years ago

@lburgazzoli do you want to help with this issue?

lburgazzoli commented 7 years ago

As far as I know, as of today jetcd forces plain text in managed channel creation, so to properly support SSL the client builder should allow passing an SslContext.

As an alternative you can use a custom ManagedChannelBuilder.

@eho-eho do you mind sharing the instructions to set up etcd/etcdctl with ssl so I can try to work on it ?

eho-eho commented 7 years ago

It has been a while since I looked at this. Also, I am not working on that project and have no access to the source code, so everything I write here is from memory. Re setting up etcd/etcdctl: For setting up etcd/etcdctl follow instructions on etcd documentation site. Instructions for etcd2 should suffice if there are none for etcd3. Re ssl and jetcd: I have not used jetcd with ssl. I wrote my own client following instructions on grpc's site. The only gotcha was to use the version and the fork of netty-tcnative that the version of grpc I was using is tested with. For that I had to look at the grpc source. That's all I remember. Hope this is helpful.

yangliucheng commented 7 years ago

@eho-eho Hello, have you succeeded in using jetcd with SSL?

davidstack commented 7 years ago

@yangliucheng have you succeeded in using jetcd with SSL?

lurenjia528 commented 6 years ago

etcdctl --cacert /etc/etcd/ssl/etcd-ca.pem --cert /etc/etcd/ssl/etcd.pem --key /etc/etcd/ssl/etcd-key.pem get /hello is ok

only pkcs8 in jetcd-0.0.2

openssl pkcs8 -topk8 -nocrypt -in etcd-key.pem -out pkcs8-key.pem

import com.coreos.jetcd.Client;
import com.coreos.jetcd.KV;
import com.coreos.jetcd.data.ByteSequence;
import com.coreos.jetcd.data.KeyValue;
import com.coreos.jetcd.kv.GetResponse;
import io.grpc.netty.GrpcSslContexts;
import java.io.File;
import java.util.List;
import java.util.concurrent.CompletableFuture;

// The same PEM serves as trust anchor and as the client identity (mutual TLS);
// the private key must be PKCS#8, hence the openssl conversion above.
File cert = new File("E:\\softwarelocation\\code\\IdeaProjects\\etcdstudy\\src\\main\\java\\v3api\\etcd.pem");
File pkcs8Key = new File("E:\\softwarelocation\\code\\IdeaProjects\\etcdstudy\\src\\main\\java\\v3api\\pkcs8-key.pem");
Client client = Client.builder()
        .endpoints("https://192.168.200.222:2379")
        .sslContext(GrpcSslContexts.forClient()
                .trustManager(cert)         // CA used to verify the etcd server certificate
                .keyManager(cert, pkcs8Key) // client certificate + PKCS#8 key for client auth
                .build())
        .build();

KV kvClient = client.getKVClient(); // KV client for get/put
String key = "/hello";               // same key as the etcdctl check above
CompletableFuture<GetResponse> getResponseCompletableFuture = kvClient.get(ByteSequence.fromString(key));
GetResponse getResponse = getResponseCompletableFuture.get();
List<KeyValue> kvs = getResponse.getKvs();
for (KeyValue kv : kvs) {
    System.out.println("key=" + kv.getKey().toStringUtf8());
    System.out.println("value=" + kv.getValue().toStringUtf8());
}

//etcd V3 api
compile group: 'io.netty', name: 'netty-handler', version: '4.1.27.Final'
compile group: 'io.grpc', name: 'grpc-all', version: '1.15.1'
compile group: 'io.netty', name: 'netty-tcnative-boringssl-static', version: '2.0.12.Final'
compile group: 'com.coreos', name: 'jetcd-core', version: '0.0.2'

ae6rt commented 4 years ago

import io.etcd.jetcd.ByteSequence;
import io.etcd.jetcd.Client;
import io.etcd.jetcd.KV;
import io.etcd.jetcd.kv.GetResponse;
import io.grpc.netty.GrpcSslContexts;
import java.io.File;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import javax.net.ssl.SSLException;
import org.junit.Test;

public class AppTest {
    @Test
    public void testThis() throws ExecutionException, InterruptedException, SSLException {
        // Server-authenticated TLS (trust store only) combined with etcd user/password auth
        Client client = Client.builder().endpoints("https://hostn:2379")
                              .user(ByteSequence.from("bob".getBytes()))
                              .password(ByteSequence.from("sekrit".getBytes()))
                              .authority("sp-etcd01") // Must be a SAN in server cert if hostn is not in cert
                              .sslContext(GrpcSslContexts.forClient().trustManager(new File("certs.pem")).build())
                              .build();
        KV kvClient = client.getKVClient();

        ByteSequence key = ByteSequence.from("/com/acme/static/foo".getBytes());
        CompletableFuture<GetResponse> getFuture = kvClient.get(key);
        GetResponse response = getFuture.get();

        System.out.printf("foo=%s\n", new String(response.getKvs().get(0).getValue().getBytes()));
        client.close(); // release the underlying gRPC channel
    }
}

The POM

    <dependencies>
        <dependency>
            <groupId>io.etcd</groupId>
            <artifactId>jetcd-core</artifactId>
            <version>0.5.3</version>
        </dependency>
        <dependency>
            <groupId>io.netty</groupId>
            <artifactId>netty-tcnative-boringssl-static</artifactId>
            <version>2.0.28.Final</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
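The two failure modes this thread circles around, the SSLV3_ALERT_BAD_CERTIFICATE handshake error in the opening comment and the "authority must be a SAN in the server cert" remark in the snippet above, are both cheaper to diagnose before jetcd is involved. The following is an added example, not code from jetcd or from anyone in this thread: a stand-alone pre-flight check using only JDK APIs that loads the CA, client and server PEM files, verifies that each leaf is signed by the CA and currently valid, checks the extendedKeyUsage (etcd, being a Go TLS server, rejects client certificates whose EKU lacks clientAuth), and lists the server's SANs so the value passed to `.authority()` can be confirmed against them. The class name `EtcdCertPreflight`, the method names and the file paths are assumptions; the `/etc/etcd/ssl/...` paths mirror the etcdctl command earlier in the thread and `server.pem` is a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Hypothetical pre-flight check for the PEM files handed to jetcd's SslContext; not part of jetcd. */
public final class EtcdCertPreflight {

    // Extended key usage OIDs; a Go TLS server such as etcd requires clientAuth on client certs.
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Parse the first certificate in a PEM file. */
    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** DNS and IP subject alternative names; empty when the extension is absent. */
    static List<String> sans(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> names = cert.getSubjectAlternativeNames();
        if (names == null) {
            return out;
        }
        for (List<?> entry : names) {
            int type = (Integer) entry.get(0); // GeneralName tag: 2 = dNSName, 7 = iPAddress
            if (type == 2 || type == 7) {
                out.add(String.valueOf(entry.get(1)));
            }
        }
        return out;
    }

    /**
     * Returns the list of problems found; an empty list means the leaf looks usable.
     * authority is the name the client will present/verify and may be null for client certs.
     */
    static List<String> check(X509Certificate ca, X509Certificate leaf, String authority, boolean clientCert)
            throws Exception {
        List<String> problems = new ArrayList<>();
        try {
            leaf.checkValidity(); // notBefore/notAfter against the current clock
        } catch (Exception e) {
            problems.add("certificate not currently valid: " + e.getMessage());
        }
        try {
            leaf.verify(ca.getPublicKey()); // signature chains to the CA we intend to trust
        } catch (Exception e) {
            problems.add("certificate is not signed by the given CA: " + e.getMessage());
        }
        List<String> eku = leaf.getExtendedKeyUsage(); // null when the extension is absent (any use allowed)
        String needed = clientCert ? EKU_CLIENT_AUTH : EKU_SERVER_AUTH;
        if (eku != null && !eku.contains(needed)) {
            problems.add("extendedKeyUsage lacks " + (clientCert ? "clientAuth" : "serverAuth"));
        }
        if (!clientCert && authority != null && !sans(leaf).contains(authority)) {
            problems.add("authority '" + authority + "' is not a SAN; SANs present: " + sans(leaf));
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadPem("/etc/etcd/ssl/etcd-ca.pem");   // paths as used with etcdctl above
        X509Certificate client = loadPem("/etc/etcd/ssl/etcd.pem");
        X509Certificate server = loadPem("/etc/etcd/ssl/server.pem"); // placeholder: the cert etcd serves
        String authority = args.length > 0 ? args[0] : "sp-etcd01";   // value you intend to pass to .authority()

        List<String> clientProblems = check(ca, client, null, true);
        List<String> serverProblems = check(ca, server, authority, false);
        System.out.println("client cert: " + (clientProblems.isEmpty() ? "ok" : clientProblems));
        System.out.println("server cert: " + (serverProblems.isEmpty() ? "ok" : serverProblems));
    }
}
```

Run it against the same files you pass to `trustManager` and `keyManager`; if the client certificate check reports a missing clientAuth EKU or a CA mismatch, the bad certificate alert comes from the server rejecting the client identity, not from netty-tcnative, and if the server check reports the authority is not a SAN, hostname verification will fail regardless of which tcnative fork is on the classpath.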