Reputation: 43
Cassandra is on version 3.11 and runs in Docker.
I have a problem with the following entry in cassandra.yml: require_client_auth: true in the client_encryption_options block.
If I set it to true, I get the following error message in the log when I run cqlsh --ssl:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: null cert chain
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:343) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:336) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1294) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:343) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:911) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:934) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:397) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:302) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_232]
The certificates were generated using this page: https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/configuration/secureSSLCertWithCA.html
In the cqlshrc the following is written:
[authentication]
username = xxx
password = xxx
[connection]
hostname = 127.0.0.1
port = 9042
[ssl]
certfile = /etc/cassandra/xxx.crt
validate = false
I have regenerated and integrated the certificates several times, without success.
Edit:
Okay, now the null cert chain error disappears. When executing cqlsh --ssl the following happens:
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(0, u "Tried connecting to [('127.0.0.1', 9042)]. Last error: unknown error (_ssl.c:2947)")})
I am not sure which file to convert to a PKCS12 file. I have generated the following certificates:
node1.keystore, server-truststore, node1.csr, node1.crt_signed, rootCa.srl, rootCa.key and rootCa.crt
From which of the files should I generate the PKCS12 file?
Sorry I am new to the crypto world.
My .pem file looks like this now:
Bag Attributes
friendlyName: node1
localKeyID: 54 69 6D 65 20 31 35 38 35 30 36 39 35 35 35 37 33 36
subject=/C=US/O=YourCompany/OU=TestCluster/CN=node1
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName: CN=rootCa,OU=TestCluster,O=YourCompany,C=US
subject=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName: rootca
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
With this .pem file I get the null cert chain error.
Upvotes: 1
Views: 690
Reputation: 71
If you use a CA-signed certificate and generate the cert files by following https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/configuration/secureSSLCertWithCA.html, the cert file used in cqlshrc is rootCa.crt.
Here is an example:
[connection]
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = /var/tmp/rootCa.crt
validate = true
userkey = /var/tmp/rootCa.key ;<<<<< optional for 2 way SSL only
usercert = /var/tmp/rootCa.crt ;<<<< optional for 2 way SSL only
Upvotes: 3
Reputation: 57808
You will need to convert your node keystore to the PKCS12 format, and then export the cert (minus the key) into the .pem format.
Convert keystore to PKCS12:
$ keytool -importkeystore -srckeystore node1.keystore -destkeystore p12.keystore \
    -deststoretype PKCS12 -srcstorepass yourKeystorePassword \
    -deststorepass yourKeystorePassword
That should give you a p12.keystore file. Next, export the cert from that file as a .pem file:
$ openssl pkcs12 -in p12.keystore -nokeys -out node1.pem -passin pass:reindeerFlotilla
This will give you a node1.pem file. Now copy it to the .cassandra/ directory (where your .cqlshrc file is) and then reference it from within your .cqlshrc file. Also, don't forget to specify the ssl_transport_factory.
[connection]
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/.cassandra/node1.pem
validate = false
Now you should be able to connect via cqlsh with the --ssl flag.
Upvotes: 2
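An added example, not code from either answer or from Cassandra: a small pre-flight checker for the situation in the question and both answers. It reads a cqlshrc with configparser, inspects the PEM files it points at (using the subject=/issuer= lines that openssl pkcs12 prints, no ASN.1 parsing), and reports why cqlsh --ssl would fail: no ssl_transport_factory, a certfile without the CA cert, validate = false, or a server with require_client_auth: true while cqlshrc has no usercert/userkey (the "null cert chain" case). The PEM contents, the DN prefix and the file paths are constructed placeholders.

```python
import configparser
import re

def pem_block(kind, subject=None, issuer=None):
    """Constructed placeholder PEM block in the layout 'openssl pkcs12' prints (not a real cert/key)."""
    head = f"subject={subject}\nissuer={issuer}\n" if subject else ""
    return f"{head}-----BEGIN {kind}-----\nMIIB...placeholder...\n-----END {kind}-----\n"

DN = "/C=US/O=YourCompany/OU=TestCluster/CN="  # constructed, mirrors the question's DNs
CA_PEM = pem_block("CERTIFICATE", DN + "rootCa", DN + "rootCa")          # self-signed CA
NODE_PEM = pem_block("CERTIFICATE", DN + "node1", DN + "rootCa") + CA_PEM  # node cert + CA
KEY_PEM = pem_block("PRIVATE KEY")                                       # client private key

def parse_pem_bundle(text):
    """Split a PEM bundle into blocks, keeping the subject=/issuer= lines that precede each one."""
    blocks = []
    for chunk in re.split(r"-----END [A-Z ]+-----\n?", text):
        begin = re.search(r"-----BEGIN ([A-Z ]+)-----", chunk)
        if not begin:
            continue
        attrs = chunk[:begin.start()]
        subj = re.search(r"^subject=(.*)$", attrs, re.M)
        iss = re.search(r"^issuer=(.*)$", attrs, re.M)
        blocks.append({"kind": begin.group(1), "subject": subj and subj.group(1),
                       "issuer": iss and iss.group(1)})
    return blocks

def check_cqlshrc(cqlshrc_text, files, require_client_auth):
    """Return the problems a 'cqlsh --ssl' connection would hit. `files` maps the paths named
    in cqlshrc to their PEM text; require_client_auth mirrors the server's cassandra.yaml setting."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";",))  # tolerates ';<<< optional' notes
    cfg.read_string(cqlshrc_text)
    problems = []
    if cfg.get("connection", "factory", fallback="") != "cqlshlib.ssl.ssl_transport_factory":
        problems.append("connection.factory is not cqlshlib.ssl.ssl_transport_factory")
    bundle = parse_pem_bundle(files.get(cfg.get("ssl", "certfile", fallback=""), ""))
    if not any(b["kind"] == "CERTIFICATE" and b["subject"] == b["issuer"] for b in bundle):
        problems.append("ssl.certfile has no self-signed (CA) certificate to validate the server against")
    if not cfg.getboolean("ssl", "validate", fallback=True):
        problems.append("ssl.validate = false: the server certificate is not verified at all")
    if require_client_auth:  # two-way SSL: the client must present its own cert and key
        usercert, userkey = (cfg.get("ssl", k, fallback=None) for k in ("usercert", "userkey"))
        if not (usercert and userkey):
            problems.append("server requires a client certificate but cqlshrc sets no usercert/userkey (expect 'null cert chain')")
        elif not any(b["kind"].endswith("PRIVATE KEY") for b in parse_pem_bundle(files.get(userkey, ""))):
            problems.append("ssl.userkey contains no PRIVATE KEY block")
    return problems
```

Run check_cqlshrc against your own cqlshrc text with a dict of the PEM files it names; an empty list means the client side is consistent with the server's require_client_auth setting.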