This repository has been archived by the owner on Apr 8, 2024. It is now read-only.

Cannot connect with wildcard certificate #288

Closed
barmac opened this issue Jan 24, 2023 · 4 comments

Comments

@barmac
Contributor

barmac commented Jan 24, 2023

Expected Behavior

I should be able to use a wildcard certificate to connect to Zeebe just like I can with zbctl.

Current Behavior

The client does not connect as reported in camunda/camunda-modeler#3326

Steps to Reproduce

Check out the linked issue from Camunda Modeler.

Detailed Description

grpc log
D 2023-01-24T14:47:48.927Z | channel | (1) dns:test.test.localhost:26500 Channel constructed with options {
  "grpc.enable_retries": 1,
  "grpc.initial_reconnect_backoff_ms": 1000,
  "grpc.max_reconnect_backoff_ms": 10000,
  "grpc.min_reconnect_backoff_ms": 5000,
  "grpc.keepalive_time_ms": 180000,
  "grpc.keepalive_timeout_ms": 120000,
  "grpc.http2.min_time_between_pings_ms": 90000,
  "grpc.http2.min_ping_interval_without_data_ms": 90000,
  "grpc.keepalive_permit_without_calls": 1,
  "grpc.http2.max_pings_without_data": 0
}
D 2023-01-24T14:47:48.928Z | channel | (1) dns:test.test.localhost:26500 createCall [0] method="/gateway_protocol.Gateway/Topology", deadline=Infinity
D 2023-01-24T14:47:48.929Z | call_stream | [0] Sending metadata
D 2023-01-24T14:47:48.931Z | channel | (1) dns:test.test.localhost:26500 callRefTimer.ref | configSelectionQueue.length=1 pickQueue.length=0
D 2023-01-24T14:47:48.932Z | call_stream | [0] write() called with message of length 0
D 2023-01-24T14:47:48.932Z | call_stream | [0] end() called
D 2023-01-24T14:47:48.932Z | call_stream | [0] deferring writing data chunk of length 5
D 2023-01-24T14:47:48.940Z | subchannel | (2) 127.0.0.1:26500 Subchannel constructed with options {
  "grpc.enable_retries": 1,
  "grpc.initial_reconnect_backoff_ms": 1000,
  "grpc.max_reconnect_backoff_ms": 10000,
  "grpc.min_reconnect_backoff_ms": 5000,
  "grpc.keepalive_time_ms": 180000,
  "grpc.keepalive_timeout_ms": 120000,
  "grpc.http2.min_time_between_pings_ms": 90000,
  "grpc.http2.min_ping_interval_without_data_ms": 90000,
  "grpc.keepalive_permit_without_calls": 1,
  "grpc.http2.max_pings_without_data": 0
}
D 2023-01-24T14:47:48.941Z | channel | (1) dns:test.test.localhost:26500 callRefTimer.unref | configSelectionQueue.length=1 pickQueue.length=0
D 2023-01-24T14:47:48.941Z | subchannel | (2) 127.0.0.1:26500 IDLE -> CONNECTING
D 2023-01-24T14:47:48.942Z | channel | (1) dns:test.test.localhost:26500 Pick result for call [0]: QUEUE subchannel: null status: undefined undefined
D 2023-01-24T14:47:48.942Z | channel | (1) dns:test.test.localhost:26500 callRefTimer.ref | configSelectionQueue.length=0 pickQueue.length=1
D 2023-01-24T14:47:48.942Z | subchannel | (2) 127.0.0.1:26500 creating HTTP/2 session
D 2023-01-24T14:47:48.959Z | subchannel | (2) 127.0.0.1:26500 connection closed with error unable to verify the first certificate
D 2023-01-24T14:47:48.960Z | subchannel | (2) 127.0.0.1:26500 connection closed
D 2023-01-24T14:47:48.960Z | subchannel | (2) 127.0.0.1:26500 CONNECTING -> TRANSIENT_FAILURE
D 2023-01-24T14:47:48.960Z | channel | (1) dns:test.test.localhost:26500 callRefTimer.unref | configSelectionQueue.length=0 pickQueue.length=0
D 2023-01-24T14:47:48.960Z | channel | (1) dns:test.test.localhost:26500 Pick result for call [0]: TRANSIENT_FAILURE subchannel: null status: 14 No connection established
D 2023-01-24T14:47:48.960Z | call_stream | [0] cancelWithStatus code: 14 details: "No connection established"
D 2023-01-24T14:47:48.960Z | call_stream | [0] ended with status: code=14 details="No connection established"
ERROR app:zeebe-api Failed to connect with config (secrets omitted): {
  endpoint: { type: 'selfHosted', url: 'https://test.test.localhost' }
} Error: 14 UNAVAILABLE: No connection established
    at Object.callErrorFromStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/call.js:31:19)
    at Object.onReceiveStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/client.js:195:52)
    at /Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/call-stream.js:111:35
    at Object.onReceiveStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/zeebe-node/dist/lib/GrpcClient.js:135:36)
    at InterceptingListenerImpl.onReceiveStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/call-stream.js:106:23)
    at Object.onReceiveStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:365:141)
    at Object.onReceiveStatus (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:328:181)
    at /Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/call-stream.js:188:78
    at process.processTicksAndRejections (node:internal/process/task_queues:78:11)
for call at
    at ServiceClientImpl.makeUnaryRequest (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/client.js:163:34)
    at ServiceClientImpl.<anonymous> (/Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/@grpc/grpc-js/build/src/make-client.js:105:19)
    at /Users/maciej/workspace/bpmn-io/camunda-modeler/app/node_modules/zeebe-node/dist/lib/GrpcClient.js:305:47
    at process.processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: 14,
  details: 'No connection established',
  metadata: Metadata { internalRepr: Map(0) {}, options: {} }
}
D 2023-01-24T14:47:49.942Z | subchannel | (2) 127.0.0.1:26500 TRANSIENT_FAILURE -> IDLE

@nikku
Contributor

nikku commented Jan 25, 2023

Potentially related: #290

@jwulf
Member

jwulf commented Jan 29, 2023

Is this an issue with wildcard certificates specifically, or with self-signed certificates in general? Or with self-signed wildcard certificates very specifically?

@barmac
Contributor Author

barmac commented Jan 30, 2023

We closed the linked issue in Camunda Modeler as wontfix because we found out that it's not a problem with zeebe-node but rather too lenient behavior of zbctl. Therefore, this issue can be closed too.

barmac closed this as not planned Jan 30, 2023
@nikku
Contributor

nikku commented Jan 30, 2023

To add to #288 (comment): Node / zeebe-node validates the full chain of trust for certificates, zbctl does not. Could be worth adding that to the documentation. We're doing that for the Camunda Modeler here.

See downstream camunda/camunda-modeler#3366 (comment) for our wontfix rationale.
