
Hot reload ssl cert with different issuer #47734

Closed
spff opened this issue Mar 20, 2023 · 2 comments · Fixed by #61671

Comments

spff commented Mar 20, 2023

Hi! I'm using Ubuntu 20.04.4 LTS, Clickhouse 23.1.3 revision 54461.
I encountered

2023.03.15 08:54:43.412456 [ 67614 ] {} <Error> ServerErrorHandler: Code: 210. DB::NetException: SSL Exception: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE, while reading from socket ([::ffff:xxx.xxx.xxx.xxx]:58520). (NETWORK_ERROR), Stack trace (when copying this message, always include the lines below):

0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0xddb0df5 in /usr/bin/clickhouse
1. ? @ 0x132aff9e in /usr/bin/clickhouse
2. DB::ReadBufferFromPocoSocket::nextImpl() @ 0x132afbbc in /usr/bin/clickhouse
3. DB::HTTPServerRequest::readRequest(DB::ReadBuffer&) @ 0x14696890 in /usr/bin/clickhouse
4. DB::HTTPServerRequest::HTTPServerRequest(std::__1::shared_ptr<DB::IHTTPContext>, DB::HTTPServerResponse&, Poco::Net::HTTPServerSession&) @ 0x14695f9e in /usr/bin/clickhouse
5. DB::HTTPServerConnection::run() @ 0x1469486f in /usr/bin/clickhouse
6. Poco::Net::TCPServerConnection::start() @ 0x1753e2f4 in /usr/bin/clickhouse
7. Poco::Net::TCPServerDispatcher::run() @ 0x1753fc9b in /usr/bin/clickhouse
8. Poco::PooledThread::run() @ 0x176cf0a7 in /usr/bin/clickhouse
9. Poco::ThreadImpl::runnableEntry(void*) @ 0x176ccadd in /usr/bin/clickhouse
10. ? @ 0x7f858ba4c609 in ?
11. __clone @ 0x7f858b971133 in ?
--
2023.03.15 09:14:41.449816 [ 153386 ] {} <Error> ServerErrorHandler: Code: 210. DB::NetException: SSL Exception: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA, while reading from socket ([::ffff:xxx.xxx.xxx.xxx]:50898). (NETWORK_ERROR), Stack trace (when copying this message, always include the lines below):

0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0xddb0df5 in /usr/bin/clickhouse
1. ? @ 0x132aff9e in /usr/bin/clickhouse
2. DB::ReadBufferFromPocoSocket::nextImpl() @ 0x132afbbc in /usr/bin/clickhouse
3. DB::TCPHandler::runImpl() @ 0x14676238 in /usr/bin/clickhouse
4. DB::TCPHandler::run() @ 0x1468b8d9 in /usr/bin/clickhouse
5. Poco::Net::TCPServerConnection::start() @ 0x1753e2f4 in /usr/bin/clickhouse
6. Poco::Net::TCPServerDispatcher::run() @ 0x1753fc9b in /usr/bin/clickhouse
7. Poco::PooledThread::run() @ 0x176cf0a7 in /usr/bin/clickhouse
8. Poco::ThreadImpl::runnableEntry(void*) @ 0x176ccadd in /usr/bin/clickhouse
9. ? @ 0x7f858ba4c609 in ?
10. __clone @ 0x7f858b971133 in ?
 (version 23.1.3.5 (official build))

when all 3 blocks

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

inside the file <certificateFile> changed (instead of signing a cert that'd expire later, we changed the issuer).
I'd need to restart clickhouse to make ports using SSL work again.

relates to #15764

@spff spff added the usability label Mar 20, 2023
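A way to check, after the chain in <certificateFile> has been swapped, whether the server is actually presenting the new chain or is still serving the old one (the symptom reported above). This is an added example, not ClickHouse code; it assumes the openssl CLI is on PATH and compares SHA-256 fingerprints of the PEM blocks on disk with those the server sends.

```python
import base64
import hashlib
import re
import subprocess

# Matches every CERTIFICATE block in a PEM bundle, in file order.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 (hex) of the DER bytes of each CERTIFICATE block, in order."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def served_chain(host, port, timeout=10):
    """Fingerprints of the chain the server presents, via openssl s_client.
    Assumption: the openssl CLI is installed (not part of the issue itself)."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout)
    return pem_fingerprints(out.stdout.decode("utf-8", "replace"))


def compare_chains(on_disk, served):
    """'ok' when the served chain equals the file; otherwise list the
    positions (0 = leaf) that differ or are missing, i.e. a stale chain."""
    if on_disk == served:
        return {"status": "ok", "mismatched": []}
    n = max(len(on_disk), len(served))
    mismatched = [i for i in range(n)
                  if i >= len(on_disk) or i >= len(served)
                  or on_disk[i] != served[i]]
    return {"status": "stale_or_mismatched", "mismatched": mismatched}


def check_reload(cert_path, host, port):
    """Compare the bundle on disk against what the listener actually serves."""
    with open(cert_path) as f:
        return compare_chains(pem_fingerprints(f.read()), served_chain(host, port))


if __name__ == "__main__":
    import sys
    print(check_reload(sys.argv[1], sys.argv[2], int(sys.argv[3])))
```

Run it once before and once after the rotation; a result other than "ok" after the reload means the listener is still holding the previous chain and needs the restart described in this issue.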
@Nyantechnolog
Contributor

I faced the same problem. It's very inconvenient if you are using Let's Encrypt certs.

@joshbartley

@nickitat I just tried this and the certificate chain failed until a server restart.

ClickHouse server version 24.5.1.1763 (official build).
