We have implemented TLS in our fdb cluster using self-signed certificates. Even the clients are able to connect to the cluster using the TLS certs and are able to write data. By using the below command, we are able to connect to fdbcli using the certs.
It’s trying to tell you that the accepting process doesn’t recognize the certificate that the client is presenting. You’ll need to match that up on the client and server side to understand why that’s the case.
If you add --debug-tls to your fdbcli invocation, it’ll print out the certificates passed in with the rest of the arguments, which can make the process a bit simpler.
Thanks for your prompt reply. We faced a couple of issues with our certs, then finally fixed them.
Issue 1:
While doing the cert validation with the below command, we got the error "verification failed". So we recreated the certs and copied them to the required path.
openssl verify -CAfile /etc/foundationdb/pki/ca.crt /etc/foundationdb/pki/client-server.crt
Issue 2:
Even after changing the certs on the FoundationDB VM, we still noticed a few TLS failure lines in the fdb logs.
In the fdb configuration file, we have multiple sections for the fdb daemons, like [fdbserver], [backup-agent], etc.
In the configuration file, the fdbserver section has the below TLS parameters, but the backup-agent section doesn't have those parameters.
[fdbserver]
tls_certificate_file = /etc/foundationdb/pki/client-server.crt
tls_key_file = /etc/foundationdb/pki/client-server.key
tls_ca_file = /etc/foundationdb/pki/ca.crt
tls_verify_peers = Check.Valid=0
Since the TLS parameters were missing from the backup-agent section, the backup daemon was writing failure logs to the trace files.
After adding the above TLS parameters, I don't see any failures.
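The second issue in this thread (one daemon section carrying the TLS settings while another does not) is easy to catch by auditing the config file before restarting anything. The following is an added example, not code from the thread or from FoundationDB: it parses a constructed foundationdb.conf modelled on the one above, reports every daemon section missing a tls_* key (honouring the `[fdbserver.4500]` style of per-process subsections that inherit from `[fdbserver]`), and also flags `tls_verify_peers = Check.Valid=0`, which turns off validation of the peer's certificate chain. The section names follow the thread's own listing and `DAEMON_SECTIONS` is an assumption to adapt to your file.

```python
import configparser
from typing import Dict, List

# Constructed sample modelled on the thread: [fdbserver] carries TLS settings,
# [backup-agent] does not, so the backup daemon would still fail TLS handshakes.
SAMPLE_CONF = """
[fdbmonitor]
user = foundationdb

[general]
cluster_file = /etc/foundationdb/fdb.cluster

[fdbserver]
tls_certificate_file = /etc/foundationdb/pki/client-server.crt
tls_key_file = /etc/foundationdb/pki/client-server.key
tls_ca_file = /etc/foundationdb/pki/ca.crt
tls_verify_peers = Check.Valid=0

[backup-agent]
command = /usr/lib/foundationdb/backup_agent/backup_agent
"""

TLS_KEYS = ("tls_certificate_file", "tls_key_file", "tls_ca_file")
# Assumed list of sections whose processes talk TLS to the cluster; [fdbmonitor]
# and [general] hold no per-process TLS settings and are skipped.
DAEMON_SECTIONS = ("fdbserver", "backup-agent")


def audit_tls(conf_text: str) -> Dict[str, List[str]]:
    """Map each daemon section to its findings; an empty list means it looks complete."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        base = section.split(".")[0]  # [fdbserver.4500] inherits from [fdbserver]
        if base not in DAEMON_SECTIONS:
            continue
        problems = []
        for key in TLS_KEYS:
            if not cp.has_option(section, key) and not cp.has_option(base, key):
                problems.append(f"missing {key}")
        verify = cp.get(section, "tls_verify_peers",
                        fallback=cp.get(base, "tls_verify_peers", fallback=""))
        if any(part.strip() == "Check.Valid=0" for part in verify.split(",")):
            problems.append("tls_verify_peers disables chain validation (Check.Valid=0)")
        findings[section] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_tls(SAMPLE_CONF).items():
        print(name, "->", problems or "ok")
```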