Enabling peerVerificationRules with self-signed certificate on ocp/k8s

Hi,
I am trying to enable the peerVerificationRules following the doc in the GitHub on operator. One thing that I am trying is to use a self-signed certificate. If I use the self-signed certificate to enable TLS only without the peerVerificationRules, the cluster comes up with TLS, everything seems to work ok. But as soon as I enable the rules, I get an “Unauthorized Error” and I am not sure what needs to be done if I want to use the self-signed certificate. Can anyone help?

It sounds like the system is rejecting the certificate based on the configured rules. Can you share more details about the certificate and verification rules you are using?

Hi John,
Here is the rule I used: peerVerificationRules: "Check.Valid=1"

And here is the openssl x509 output on the meta data on the ca.crt:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a7:e4:ec:81:6f:aa:b9:30:57:38:a1:eb:63:d4:d8:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = cs-ca-certificate
Validity
Not Before: Sep 20 15:33:56 2021 GMT
Not After : Sep 20 15:33:56 2023 GMT
Subject: CN = cs-ca-certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)

And the tls.crt:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:75:ca:63:fd:1b:11:e6:0b:aa:33:9a:73:b9:cb:bd
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = cs-ca-certificate
Validity
Not Before: Dec 19 21:38:47 2021 GMT
Not After : Mar 19 21:38:47 2022 GMT
Subject: CN = fdb-internal-tls-certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)

That may not be supported by the sidecar process’s TLS verification rules. I think it’s the default in FDB, and the behavior it’s describing is the default in the sidecar, so you shouldn’t need to pass it explicitly.

So, you are saying don’t set the rules on the sidecar, only on the main?

If the only rule you have is Check.Valid=1, then you shouldn’t need to set it anywhere.

Well, that’s not the only rule. That one there is just for testing if I can enable the rule at all.
Here is a more realistic rule:
peerVerificationRules: "S.CN=*.somedomain.xyz.test.com"

In general, you should set peer verification rules on both containers if you need to restrict access to both processes. A rule like the one you listed should be accepted by both FoundationDB and the sidecar. I would consider it a bug that the sidecar doesn’t accept Check.Valid=1 as a rule, and if that’s what’s causing the behavior you’re seeing then it suggests the logging and messaging could be clearer as well.
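As an added illustration (not code from FoundationDB or the operator), the evaluator below shows how rule strings like the ones quoted in this thread would match against the subject and issuer fields from the openssl output above. It assumes the documented rule syntax of `|`-separated alternative rules, each a `,`-separated list of `field=value` conditions with `*` allowed only at the start or end of a value, and it is a simplified model rather than FDB's own parser.

```python
from datetime import datetime, timezone

# Constructed peer description shaped after the tls.crt shown in the thread
# (subject CN, issuer CN, expiry). chain_valid stands in for "the certificate
# chains to a trusted CA", which is what Check.Valid tests.
PEER = {
    "S.CN": "fdb-internal-tls-certificate",
    "I.CN": "cs-ca-certificate",
    "chain_valid": True,
    "not_after": datetime(2022, 3, 19, 21, 38, 47, tzinfo=timezone.utc),
}

def parse_rules(spec):
    """'S.CN=*.x.com,I.CN=ca|Check.Valid=0' -> [[(field, value), ...], ...]."""
    rules = []
    for rule in spec.split("|"):
        conds = []
        for cond in rule.split(","):
            cond = cond.strip()
            if not cond:
                continue
            field, sep, value = cond.partition("=")
            if not sep:
                raise ValueError(f"bad condition: {cond!r}")
            conds.append((field.strip(), value.strip()))
        rules.append(conds)
    return rules

def value_matches(actual, pattern):
    """Exact match, or a single leading/trailing '*' wildcard (assumption)."""
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    return actual == pattern

def rule_matches(conds, peer, now):
    check_valid, check_unexpired = True, True   # both checks on by default
    for field, value in conds:
        if field == "Check.Valid":
            check_valid = value == "1"
        elif field == "Check.Unexpired":
            check_unexpired = value == "1"
        elif field not in peer or not value_matches(peer[field], value):
            return False                        # missing field never matches
    if check_valid and not peer["chain_valid"]:
        return False
    if check_unexpired and now > peer["not_after"]:
        return False
    return True

def peer_accepted(spec, peer, now):
    """A peer is accepted when any one rule in the list matches."""
    return any(rule_matches(c, peer, now) for c in parse_rules(spec))
```

With this model the thread's `S.CN=*.somedomain.xyz.test.com` rule rejects the quoted tls.crt, whose subject CN is `fdb-internal-tls-certificate`, which is the kind of mismatch that surfaces as an unauthorized peer.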

Hi John,
At least for the 6.2.29 version, I got rid of the peer rule on the sidecar and the DB comes up with TLS and the peer rule on the main. The question I have is, I also have disable_sidecar_tls_check set to 1; would that be the cause of this issue?