
I know the rethinkdb guide uses a self-signed cert as an example. If I wanted to use a real certificate that I purchased, how can I add the bundle to the server conf? I add the certificate I purchased and key to the config:

driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt

openssl s_client gives me the following:

Verify return code: 21 (unable to verify the first certificate)

With this as the certificate chain:

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
 i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

How can I use this cert properly?

asked Sep 17, 2018 at 14:46

1 Answer

Silly me. There was a --driver-tls-ca option that I was missing. I found it in the rethinkdb manual (man rethinkdb).

TLS options:
 --http-tls-key key_filename        private key to use for web administration console TLS
 --http-tls-cert cert_filename      certificate to use for web administration console TLS
 --driver-tls-key key_filename      private key to use for client driver connection TLS
 --driver-tls-cert cert_filename    certificate to use for client driver connection TLS
 --driver-tls-ca ca_filename        CA certificate bundle used to verify client certificates; TLS client authentication disabled if omitted
 --cluster-tls-key key_filename     private key to use for intra-cluster connection TLS
 --cluster-tls-cert cert_filename   certificate to use for intra-cluster connection TLS
 --cluster-tls-ca ca_filename       CA certificate bundle used to verify cluster peer certificates

I set it in my rethinkdb instance conf file:

# TLS stuff
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
driver-tls-ca=/etc/ssl/star.cert.ca-bundle

And everything works as expected. openssl s_client returns the proper 0 (ok) code.

Edit note: Although with the rethinkdb dump utility it looks like there is no ca option so I can't use a real cert anyway.

answered Sep 18, 2018 at 0:43
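As an added example (not code from the question, the answer or RethinkDB), the check below parses the "Certificate chain" section that openssl s_client prints and reports every issuer that the server did not present and the client does not trust, which is the condition behind verify return code 21; all DNs, excerpts and the trust store are constructed.

```python
import re
from typing import List, Set, Tuple

# Added example, not from the original Q&A; every DN and excerpt below is constructed.
LEAF = "/OU=Domain Control Validated/OU=Wildcard/CN=*.example.test"
INTERMEDIATE = "/C=GB/O=Example CA Limited/CN=Example Domain Validation Server CA"
ROOT = "/C=GB/O=Example CA Limited/CN=Example Root CA"
TRUSTED_ROOTS: Set[str] = {ROOT}  # stands in for the client's local trust store

# Excerpts in the shape of s_client's "Certificate chain" section: the first
# presents only the leaf (as in the question), the second also sends the intermediate.
INCOMPLETE_OUTPUT = f"""Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
"""
COMPLETE_OUTPUT = f"""Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
 1 s:{INTERMEDIATE}
   i:{ROOT}
"""

_SUBJECT = re.compile(r"^\s*\d+ s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in s_client_output.splitlines():
        if m := _SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := _ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_issuers(chain: List[Tuple[str, str]], trusted: Set[str]) -> List[str]:
    """Issuer DNs the server did not present and the client does not trust;
    a non-empty result is what openssl reports as verify return code 21."""
    presented = {subject for subject, _ in chain}
    missing: List[str] = []
    for subject, issuer in chain:
        if issuer == subject:  # self-signed: fine only if it is a trusted root
            if issuer not in trusted:
                missing.append(issuer)
        elif issuer not in presented and issuer not in trusted:
            missing.append(issuer)
    return missing
```

A non-empty result names the intermediate the server must send alongside the leaf (or the client must already trust) before verification can return 0 (ok).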
