Reputation: 71
I created my own certificate authority to generate TLSv1.2 certificates for my development environment. My CA has a root cert, an intermediate cert signed by the root and a number of "leaf" certificates signed by the intermediate cert. I use one of these leaf certificates for securely connecting to the arangodb server. The arangod process seems to be running fine because I can successfully access the web interface to interact with the database, after installing the root/intermediate certs in the browser.
Troubles start when I try to connect my nodejs API server to the database using the arangojs javascript driver as explained in https://github.com/arangodb/arangojs#new-database where I found:
If you need to support self-signed HTTPS certificates, you may have to add your certificates to the agentOptions, e.g.:
    agentOptions: {
      ca: [
        fs.readFileSync('.ssl/sub.class1.server.ca.pem'),
        fs.readFileSync('.ssl/ca.pem')
      ]
    }
The agentOption configuration works when using self-signed certificates and:
    agentOptions: {
      ca: [
        fs.readFileSync('db.crt.pem')
      ]
    }
but fails when using my own CA-signed certificate and:
    agentOptions: {
      ca: [
        fs.readFileSync('interm.crt.pem')
      ]
    }
I also tried several other ca settings, like:
1. passing [root, interm] certs buffers
2. passing [interm, root] certs buffers (exchanged order)
3. passing [root+interm] cert buffer (single concatenated file)
4. passing [interm+root] cert buffer (as above, exchanged order)
but none of these seems to work. I always get a very long error message from arangojs in which, quite at the beginning, I see UNABLE_TO_VERIFY_LEAF_SIGNATURE.
By looking it up I found references to the node-ssl-root-cas npm module, but since I'm using my own CA I don't see why I would want to use that (I also tried it and it didn't work either).
My issue seems to be similar to https://github.com/arangodb/arangojs/issues/39 but the solution seems to be 1:1 in sync with the documentation above and it still didn't work.
In the end I think this is just a subtle configuration problem of the agentOptions in arangojs. Can someone point me to the right config?
Upvotes: 1
Views: 292
Reputation: 71
I finally managed to establish a secured TLS connection by using:
    agentOptions: {
      ca: [
        fs.readFileSync('interm_root.crt.pem')
      ]
    }
where interm_root.crt.pem is the concatenation of intermediate and root certificates, that is obtained as:
    cat interm.crt.pem root.crt.pem > interm_root.crt.pem
For some reason I didn't get the concatenation right in the rush of my first round of tests.
Hope this can help other arangojs users anyway
Upvotes: 0
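An added example (not from the original posts or from arangojs): a structural check for a concatenated CA bundle before it is passed to `agentOptions.ca`. One way a `cat` concatenation can go wrong is a first file without a trailing newline, which fuses the END and BEGIN markers onto one line. `splitCaBundle` and `checkBundle` are hypothetical helper names, and the two PEM blocks are constructed placeholders, not real certificates.

```javascript
// Constructed placeholder blocks (NOT real certificates); they only exercise the parser.
const INTERM = '-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----'; // no trailing newline
const ROOT = '-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n';

// Split a PEM bundle into one string per certificate and reject malformed input.
// Structural checks only: no signature or chain validation is performed here.
function splitCaBundle(pemText) {
  const B = '-----BEGIN CERTIFICATE-----', E = '-----END CERTIFICATE-----';
  const certs = [];
  let body = null; // base64 lines of the block being read; null outside a block
  pemText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '') return;
    if (line === B) {
      if (body !== null) throw new Error(`line ${i + 1}: BEGIN inside an open block`);
      body = [];
    } else if (line === E) {
      if (body === null || body.length === 0) throw new Error(`line ${i + 1}: END without content`);
      certs.push([B, ...body, E, ''].join('\n'));
      body = null;
    } else if (line.includes('-----')) {
      // Typical after `cat a b` when a lacks a final newline:
      // "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
      throw new Error(`line ${i + 1}: malformed or fused PEM marker`);
    } else if (body !== null) {
      if (!/^[A-Za-z0-9+/]+={0,2}$/.test(line)) throw new Error(`line ${i + 1}: not base64`);
      body.push(line);
    } // text outside a block (e.g. a human-readable dump) is ignored
  });
  if (body !== null) throw new Error('unterminated certificate block');
  if (certs.length === 0) throw new Error('no certificates found');
  return certs;
}

// Non-throwing wrapper that reports the result as a plain object.
function checkBundle(pemText) {
  try {
    return { ok: true, count: splitCaBundle(pemText).length };
  } catch (err) {
    return { ok: false, count: 0, error: err.message };
  }
}

console.log(checkBundle(INTERM + ROOT));        // fused markers are rejected
console.log(checkBundle(INTERM + '\n' + ROOT)); // two separate certificates
// With the file from the answer, the split result can be passed directly:
//   agentOptions: { ca: splitCaBundle(fs.readFileSync('interm_root.crt.pem', 'utf8')) }
```

Node's `ca` option accepts an array of PEM strings, so passing one certificate per entry avoids depending on how the files were concatenated.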