(Solved) Correct setup of TLS for FoundationDB

I’m not super familiar with our TLS configuration options, but I tried playing around with this myself to see what I could find. For my first attempt, I tried the following:

  1. Update the cluster file to add the :tls suffix to each coordinator
  2. Create a certificate and key file (I ran the commands listed in this section)
  3. Add tls_certificate_file, tls_key_file, and tls_verify_peers to the fdbserver section of foundationdb.conf.
tls_certificate_file=/path/to/tls/fdb.pem
tls_key_file=/path/to/tls/private.key
tls_verify_peers=Check.Valid=0
  1. I connected to the cluster using fdbcli, which required me to pass --tls_certificate_file and --tls_key_file. From a client, I think you would either use the corresponding client options or the environment variables.

Notice that I’m turning off peer verification, which allows me to get past the “VerifyError self signed certificate”.

Once I confirmed that worked, I tried turning back on peer verification by removing the tls_verify_peers parameter. I then got it to work by modifying foundationdb.conf to add tls_ca_file=/path/to/tls/cert.crt, which is one of the files generated in step #2 above.

One thing I noticed, though, is that it doesn’t appear that backup agents can accept these TLS parameters, so my backup agent is not able to connect. I suppose it could be made to work using the environment variables, but I’ll raise an issue to support the command line options as well.