HostCertificateNotFound exception on ES Cloud hosted instance

[robin-dojo]

I am trying to connect to an ES cloud-based instance but I am getting the HostCertificateNotFound exception, however, I don't think this should happen as there would be nowhere for us to add the certificate to the host.

There are some differences in how we create our settings with C# compared to dart:

var settings = EventStoreClientSettings.Create(eventStoreConfiguration.Endpoint);
settings.DefaultCredentials = new UserCredentials(eventStoreConfiguration.Username, eventStoreConfiguration.Password);
var esClient = new EventStoreClient(settings);

I'm not sure if there is another bit of config I need with dart?!

[robin-dojo]

I have tried adding a ca.crt file to the assets but when giving a path to the publicKeyPath parameter - it's looking in another place. How do I get it to access the assets?

HostCertificateNotFound (HostCertificateNotFound{message: Host certificate file
'/Users/<username>/Library/Containers/com.example.myAppName/Data/certs/ca.crt' not found})

In my pubspec.yaml I have:

flutter:
  assets:
    - lib/images/
    - certs/

[robin-dojo]

Found an issue with running macOS apps in sandbox - solved one issue - run into another!

[kengu]

Hi @robin-dojo, the error indicates that TLS is not configured properly in the client, which ES Cloud demands. This involves supplying a public key to the client in the configuration (the client does not support public key exchange automatically), just as yo have tried to do. Unfortunately, the documentation about secure connections are still lacking , and examples does not include this use case. I'll update the examples list soon. The current version of the client does not support the flag tlsVerifyCert that would disable validation of certificates. I'll add this support asap. In the meantime, the only way to work around this issue is to supply a valid crt-file with the ES cluster public key. I don't think the flag tls=false will work with ES Cloud unfortunately. Note that using tlsVerifyCert=false when supported, raise security concerns, since the client will connect to any tls connection on the other side. So you need to find a way to supply the public key as a file if you want the full security of a tls connection to the cluster.

I will also at an option to pass the public key as bytes if files are not an option for you.

[kengu]

@robin-dojo, see issues #2 and #3

[robin-dojo]

Thanks @kengu!

I tried to create and use a public key created with the online configurator tool but was then getting an unknown grpc error what I was unable to diagnose. I'll look to see if the certificate was incorrect somehow!

[robin-dojo]

According to this (if I understand it correctly) you shouldn't need to set up any certs to connect to the ES Cloud clusters.

[kengu]

Yes, I believe that ES cloud have a public CA with a wildcard certificate that is available (installed) on most client machines (OS-level) already, and is used by Dart to validate TLS connections between the client and ES cloud. I do not have a ES cloud available for testing myself, so I can not confirm it. I will however, do a review of the code again to see if there is something that prevents the use of already installed CAs on the client machine for validation (default trust store).

[kengu]

It would help if you post any stack traces here for me to analyse

I tried to create and use a public key created with the online configurator tool but was then getting an unknown grpc error what I was unable to diagnose. I'll look to see if the certificate was incorrect somehow!

[kengu]

@robin-dojo A new version has been released, 0.3.0 supports now tlsVerifyCert=false and uses default trust store on client machine when publicKeyPath is not given.

If this resolves it, please feel free to close this issue as confirmation.

[robin-dojo]

I'll try this out later today. Thank you for the update!

[robin-dojo]

This is working a charm with my default trust store 👍