[DocDB] FATAL when setting webserver_certificate_file gflag #13349

Closed
es1024 opened this issue Jul 19, 2022 · 1 comment
Assignees
Labels
area/docdb YugabyteDB core features kind/bug This issue is a bug priority/medium Medium priority issue

Comments

@es1024
Contributor

es1024 commented Jul 19, 2022

Jira Link: DB-2981

Description

Reported by @charleswang234

When the webserver_certificate_file gflag is set, we get FATALs such as:

I0715 23:10:01.882122  8523 webserver.cc:183] Webserver: Enabling HTTPS support
I0715 23:10:01.882144  8523 webserver.cc:163] Webserver listen spec is 10.9.77.69:9000s
I0715 23:10:01.882987  8523 webserver.cc:343] Webserver: load_dll: cannot load libssl.so.10
F0715 23:10:01.888303  8523 tablet_server_main.cc:208] Network error (yb/server/webserver.cc:244): Webserver: Could not start on address 10.9.77.69:9000

or

I0718 08:19:42.216615 472376 webserver.cc:186] Webserver: Enabling HTTPS support
I0718 08:19:42.216748 472376 webserver.cc:166] Webserver listen spec is 127.0.0.1:7000s
I0718 08:19:42.216991 472376 webserver.cc:346] Webserver: load_dll: libssl.so: cannot find SSLv23_server_method
W0718 08:19:42.217025 472376 net_util.cc:523] Failed to bind to 0.0.0.0:7000. Trying to use lsof to find any processes listening on the same port:
I0718 08:19:42.217041 472376 net_util.cc:526] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:7000' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:7000' -sTCP:LISTEN | cut -f 2 -dp) ; do  while [ $pid -gt 1 ] ; do    ps h -fp $pid ;    pid=$(sed 's/.* (.*) [^ ] \([0-9]*\).*/\1/g' /proc/$pid/stat);  done ; done
W0718 08:19:42.558524 472376 net_util.cc:533]
F0718 08:19:42.558645 472376 master_main.cc:132] Network error (yb/server/webserver.cc:247): Webserver: Could not start on address 127.0.0.1:7000

This is due to how the version of Squeasel we use handles HTTPS:

  1. Squeasel searches for OpenSSL itself using a hardcoded list of library names, rather than using the one we bundle with thirdparty: https://github.com/yugabyte/squeasel/blob/8ac777a122fccf0358cb8562e900f8e9edd9ed11-yb/squeasel.c#L158,L174
  2. It tries to load SSL functions by itself from OpenSSL, including the SSLv23_... methods, which as of OpenSSL 1.1.0 are no longer symbols in the library but macros for the TLS_... methods.

These both stem from using an old version of Squeasel, and appear to be resolved on master. We should use a more recent version of Squeasel.

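The two failure modes above (library not found, then symbol not found) can be reproduced outside the server with a few lines of ctypes, which does the same dlopen()/dlsym() dance Squeasel's load_dll does. This is an added example, not YugabyteDB or Squeasel code; the candidate library names in SSL_CANDIDATES are an assumed, illustrative list rather than the exact hardcoded list in squeasel.c, and the `probe()` helper is invented for this illustration. Running it on a host with OpenSSL 1.1.0 or newer shows the legacy name failing and the `TLS_server_method` fallback succeeding, which is the difference between the old and the rebased Squeasel.

```python
"""Added example (not YugabyteDB or Squeasel code): reproduce Squeasel's
"load OpenSSL yourself" strategy with ctypes to see which step fails on a host."""
import ctypes

# Assumed, illustrative library names; the real hardcoded list is in squeasel.c.
# A None entry means "the already-loaded process image" (dlopen(NULL)).
SSL_CANDIDATES = ["libssl.so.10", "libssl.so.1.1", "libssl.so.3", "libssl.so"]

# OpenSSL < 1.1.0 exports SSLv23_server_method as a real function; from 1.1.0
# it is only a macro for TLS_server_method, so dlsym() of the old name fails.
METHOD_NAMES = ["SSLv23_server_method", "TLS_server_method"]


def load_first(candidates):
    """dlopen() candidates in order; return (name, handle) of the first hit."""
    for name in candidates:
        try:
            return name, ctypes.CDLL(name)
        except OSError:
            continue
    return None, None


def resolve_first(handle, symbols):
    """dlsym() symbols in order; return (name, function) of the first hit."""
    for sym in symbols:
        try:
            return sym, getattr(handle, sym)
        except AttributeError:
            continue
    return None, None


def probe(candidates=SSL_CANDIDATES, symbols=METHOD_NAMES):
    """Run both steps and describe the outcome the way the issue's log does."""
    lib, handle = load_first(candidates)
    if handle is None:
        return {"library": None, "symbol": None,
                "error": "load_dll: cannot load any of %s"
                         % ", ".join(str(c) for c in candidates)}
    label = lib if lib is not None else "<process>"
    sym, _fn = resolve_first(handle, symbols)
    if sym is None:
        return {"library": label, "symbol": None,
                "error": "load_dll: %s: cannot find %s" % (label, " or ".join(symbols))}
    return {"library": label, "symbol": sym, "error": None}


if __name__ == "__main__":
    # Diagnose this host: with only the legacy name, an OpenSSL >= 1.1.0 box
    # reproduces the "cannot find SSLv23_server_method" failure; adding the
    # TLS_ name shows what a newer loader would pick instead.
    print("legacy lookup :", probe(symbols=METHOD_NAMES[:1]))
    print("with fallback :", probe())
```

Two things worth keeping in mind when reading the output. First, whichever libssl this resolves is whatever the dynamic loader finds first on the search path, not the copy the build bundled and tested against; that is exactly the first problem the issue describes, and it is why the newer Squeasel's `ssl_global_init` flag (letting the embedding program initialise OpenSSL) is the better fix rather than a longer candidate list. Second, `SSLv23_server_method` is a historical name: even on OpenSSL 1.0.x it negotiates the highest protocol version both sides support, so the failure here is a symbol-lookup problem, not an indication that the old build was speaking SSLv2 or SSLv3.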
@es1024 es1024 added kind/bug This issue is a bug area/docdb YugabyteDB core features status/awaiting-triage Issue awaiting triage labels Jul 19, 2022
@es1024 es1024 self-assigned this Jul 19, 2022
@yugabyte-ci yugabyte-ci added the priority/medium Medium priority issue label Jul 19, 2022
@yugabyte-ci yugabyte-ci removed the status/awaiting-triage Issue awaiting triage label Jul 19, 2022
@es1024
Contributor Author

es1024 commented Aug 16, 2022

Resolved with f2702bb

@es1024 es1024 closed this as completed Aug 16, 2022
samiahmedsiddiqui pushed a commit to samiahmedsiddiqui/yugabyte-db that referenced this issue Aug 16, 2022
…crash when enabling SSL

Summary:
This diff fixes a crash when enabling SSL for the webserver, due to an old version
of Squeasel:

1. searching for and loading OpenSSL from the system rather than using the one bundled with
   thirdparty.

2. depending on the dynamic library exposing symbols that have been removed with OpenSSL 1.1.0
   (SSLv23_... methods, which have been replaced with a macro).

This is fixed by rebasing to a newer upstream commit, which does not require those symbols, and
which further presents the ssl_global_init flag to stop Squeasel from loading OpenSSL on its own.

This diff also adds the `webserver_private_key_file` and `webserver_private_key_password` gflags,
corresponding to the `ssl_private_key` and `ssl_private_key_password` options present in newer
versions of Squeasel.

This diff also fixes a crash when pthread_setspecific fails in libcds, by catching the exception
and forcing the worker thread to exit instead of letting it bubble up and kill the whole process.

Also pulling yugabyte/yugabyte-db-thirdparty@fc8dae1 to fix C++ exception handling in Clang-based LTO builds (yugabyte#13064).

Test Plan: `ybd --cxx_test server_webserver-test --gtest_filter WebserverSecureTest.TestIndexPage`

Reviewers: mbautin

Reviewed By: mbautin

Subscribers: cwang, sanketh, ybase, bogdan

Differential Revision: https://phabricator.dev.yugabyte.com/D18419