-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to launch v3.1.0-alpha.1 with full client cert on mac el capitan #6565
Comments
|
I tried the certs that you attached, and am getting same errors in linux + etcd master branch. There was no significant change in grpc and etcd client between alpha.0 and alpha.1, as far as I know. @heyitsanthony Any idea? |
@gyuho w/ golang 1.7? |
@timothysc I tried with Go 1.7.1 |
So I was trying to compare godep versions on deps, but in v3.1.0-alpha.1 and master the Godeps.json has been dropped. What are you using for version tracking your dependencies now? |
We use glide now. |
@smarterclayton does this problem exist on go-1.6? All major grpc deps are the same across 3.0.X & 3.1. |
I was able to reproduce it against Go 1.6.2 |
So just to clarify both in Go 1.6.x and 1.7.x, same certs that work in Can you share how you generate your certs? Thanks. |
https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L474 and https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L493 and https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L544 are the heart of it. I think I only checked on v3.1.0-alpha.0/1 for Go 1.7, and alpha.1 for Go 1.6. No GRPC bump, right? I know that there was logic in both Go and GRPC that changed how client certificates were checked (more flexibility), but as you note the only major change was 7a48ca4. I'll try bisecting between that commit and v3.1.0-alpha.0, since I know alpha.0 with that commit worked. |
@smarterclayton Yes, gRPC bump only happened after Thanks! |
@smarterclayton That's strange... c9e06fa doesn't seem to affect any cert-related code-path. And grpc bump is now related? Thought |
I see the comment about the host name passed to dial in gRPC must match the On Wed, Oct 19, 2016 at 11:24 PM, Gyu-Ho Lee notifications@github.com
|
I will give another try with the certs tomorrow. Thanks for investigating on this! |
@smarterclayton So this is a grpc related issue? |
@smarterclayton Works for me in linux (CoreOS)?
Think it's OSX issue? Have you tried the same certs in linux? I tried with |
Good news, it looks like it is fixed with v3.1.0-rc.0 and OSX. Doing some more testing to be absolutely sure. |
This was fixed in later v3.1.0-rc.0 - thanks! |
Using the latest etcd-v3.1.0-alpha.1 binaries on OS X El Capitan, I am unable to launch a full etcd client cert cluster using the same cert setup that worked throughout 2.x -> 3.0.x (full client and server certs).
When I applied the patch for X onto v3.1.0-alpha.0, I was able to launch with the following config. The certs I am using have both DNS and IP sections for local IPs, so my initial suspicion was that something around SNI name selection or gRPC host -> tls config was changed, or that something around how etcd expects to receive client certs changed.
If I remove
--peer-client-cert-auth --client-cert-auth
then the server starts (so I suspect the wrong cert is being presented). Is this a change to how etcd expects client certs + server certs to be presented?Attached are the certs. The
master.etcd-client.{key,cert}
files are the ones we use for clients to access with.certs.zip
The text was updated successfully, but these errors were encountered: