Reputation: 4137
I have installed CockroachDB on my Linux (WSL2 Ubuntu 20.04) using the tutorial here.
However, when I try to create the client certificate and key pair for the root user in Step 1.4, I am getting the following error:
W210412 14:47:47.996624 1 security/certificate_loader.go:356 error finding key for certs/node.crt: key file certs/node.key has permissions -rwxrwxrwx, exceeds -rwx------
ERROR: failed to generate client certificate and key: key file certs/node.key has permissions -rwxrwxrwx, exceeds -rwx------
Failed running "cert create-client"
Consequently, I am unable to start the cluster in the next step.
Upvotes: 1
Views: 2081
Reputation: 21145
CockroachDB requires key files to have sane permissions (owner only). However, the Windows Subsystem for Linux has an odd handling of file permissions (see this WSL doc for more details).
You have two options:
The latter is described in the certificates documentation:
Keys (files ending in .key) must not have group or world permissions (maximum permissions are 0700, or rwx------). This check can be disabled by setting the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK=true.
Using this information, we can change step 1.4 of the tutorial.
The default behavior gives the error you encountered:
$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
W210412 15:05:44.419689 1 security/certificate_loader.go:356 error finding key for certs/node.crt: key file certs/node.key has permissions -rwxrwxrwx, exceeds -rwx------
ERROR: failed to generate client certificate and key: key file certs/node.key has permissions -rwxrwxrwx, exceeds -rwx------
Failed running "cert create-client"
Using the COCKROACH_SKIP_KEY_PERMISSION_CHECK=true environment variable, we can get it to ignore the file permissions and proceed:
$ COCKROACH_SKIP_KEY_PERMISSION_CHECK=true cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
If you do use this work-around, you will need to use it to start the cockroach server as well.
Upvotes: 2
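An added example, not part of the answer above or of CockroachDB: a shell audit that applies the documented rule (no group or world bits on `.key` files, maximum 0700) to a certs directory, and probes whether `chmod` takes effect there at all. The function names are hypothetical, and it assumes GNU `stat`, as on Ubuntu under WSL2.

```shell
#!/bin/sh
# Added example: audit *.key files against the "no group/world bits" rule
# quoted from the certificates documentation (maximum 0700).
# Assumption: GNU stat (stat -c). Function names are hypothetical.

# key_mode FILE -> prints the octal permission bits, e.g. 777 or 600
key_mode() {
    stat -c '%a' "$1"
}

# key_perm_ok FILE -> exit 0 if no group/world bits are set
key_perm_ok() {
    mode=$(key_mode "$1") || return 2
    # Leading 0 makes the value octal; AND with 077 isolates group/world bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# chmod_sticks DIR -> exit 0 if chmod 600 on a probe file in DIR takes effect.
# A failure means tightening permissions in this directory will not help.
chmod_sticks() {
    probe="$1/.perm_probe.$$"
    : > "$probe" || return 2
    chmod 600 "$probe" 2>/dev/null || :
    mode=$(key_mode "$probe")
    rm -f "$probe"
    [ "$mode" = "600" ]
}

# audit_keys DIR -> prints one line per offending key, returns their count
audit_keys() {
    bad=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        if ! key_perm_ok "$f"; then
            echo "$f: mode $(key_mode "$f") exceeds 700"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run as: sh audit_keys.sh certs
if [ $# -gt 0 ]; then
    audit_keys "$1"
    chmod_sticks "$1" || echo "$1: chmod has no effect on this filesystem"
fi
```

If `chmod_sticks` fails, the keys cannot be brought under 0700 in place, which is the situation where the permission check trips regardless of what `chmod` is asked to do.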