vesoft-inc / nebula

A distributed, fast open-source graph database featuring horizontal scalability and high availability

Home Page: https://nebula-graph.io


Customized certificate does not work

Ha0124 opened this issue

Introduction

When using plaintext certificates for verification, communication between services can occur. If the certificate is encrypted, communication cannot be completed. Can an interface be provided for this type of scenario?

Contents
If I use customized certificates and paired password keys, can it be compatible with such scenarios?

Related work

@Ha0124 hi, thank you for your feedback. When you mentioned 'customized certificates,' are you referring to self-signed certificates? Or are you saying that these certificates have passwords?

If possible, could you provide any feasible solutions or implementations you have encountered or seen in other products?

When I try to use the SSL encryption function by following https://docs.nebula-graph.io/3.6.0/7.data-security/4.ssl/,
I try to use the provided case from /tests, download it locally,
and then add
--password_path=/xx/xx/xx/test.ca.password
--key_path=/xx/xx/xx//nebula/test.ca.key
--cert_path=/xx/xx/xx/test.ca.pem
--enable_ssl=true
to nebula-graphd.conf, nebula-metad.conf and nebula-storaged.conf,
but it doesn't work.

When I set --enable_ssl=false, the services can be linked.
Does the SSL encryption function have limits?

After you configured the SSL information, did you restart the three services?

After the RSA key pair is generated using openssl genrsa command, we encrypted the RSA key pair using openssl rsa command with AES-256-CBC. The key file encrypted using AES-256-CBC is used to meet security requirements. However, nebula may not be able to parse such a key file.

The password in nebula just encrypts like passout in openssl genrsa, e.g.:

echo "123456" > passphrase.txt
openssl genrsa  -passout file:passphrase.txt -out privkey.pem 2048

# and then password_path should be passphrase.txt

If I do encrypt with the cert, will it be accepted in nebula?
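
Whether a key file is passphrase-protected, and in which PEM container, can be read from its header lines before the file is passed to --key_path. The script below is an added example, not code from this thread or from the Nebula code base; the function names are hypothetical, and `key_opens_with` assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example: classify a PEM private key file by its armor and headers.
# Function names are hypothetical; nothing here is Nebula code.

# Prints one of: pkcs8-encrypted, pkcs8-plaintext,
# traditional-encrypted:<cipher>, traditional-plaintext, not-a-private-key
pem_key_kind() {
    local file="$1" begin cipher
    # First PEM armor line that names a private key.
    begin=$(grep -m1 -E '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$file") \
        || { echo "not-a-private-key"; return 1; }
    case $begin in
        *"BEGIN ENCRYPTED PRIVATE KEY"*)
            echo "pkcs8-encrypted" ;;
        *"BEGIN PRIVATE KEY"*)
            echo "pkcs8-plaintext" ;;
        *)
            # Traditional format (e.g. "RSA PRIVATE KEY"): encryption is
            # signalled by RFC 1421 headers right after the BEGIN line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                cipher=$(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$file" | head -n1)
                echo "traditional-encrypted:${cipher:-unknown}"
            else
                echo "traditional-plaintext"
            fi ;;
    esac
}

# Succeeds if openssl can load the key using the passphrase file.
# An unencrypted key loads regardless of what the passphrase file contains.
key_opens_with() {
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Demo on a constructed sample (header lines only, not a real key).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' > "$tmp"
    pem_key_kind "$tmp"
    rm -f "$tmp"
fi
```

A result of `traditional-plaintext` or `pkcs8-plaintext` means the file carries no passphrase protection, whatever --password_path points to.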