Cluster WaitUntilReadyAsync Timeout error with servers with Certificate Mismatch

When we upgraded from SDK 3.4.6 to 3.4.7 and started using the WaitUntilReadyAsync method, this error started to happen:

UnambiguousTimeoutException: Timed out after 00:01:00 with 0nodes

Enabling Couchbase SDK Debug logs, it’s showing that the real reason is:

Error encountered bootstrapping cluster; if the cluster is 6.5 or earlier, this can be ignored. System.AggregateException: Bootstrapping has failed! (The remote certificate is invalid according to the validation procedure.)

However, we explicitly created a ClusterOptions object, with KvIgnoreRemoteCertificateNameMismatch / HttpIgnoreRemoteCertificateMismatch set to true (since in our case, the remote certificate should not be validated).

ClusterOptions _clusterConfiguration = new ClusterOptions
{
    NumKvConnections = 12,
    EnableConfigPolling = true,
    ConfigPollInterval = TimeSpan.FromMilliseconds(2500),
    ConfigPollFloorInterval = TimeSpan.FromMilliseconds(50),
    KvTimeout = TimeSpan.FromSeconds(10),
    KvConnectTimeout = TimeSpan.FromSeconds(10),
    IdleKvConnectionTimeout = TimeSpan.FromMinutes(2),
    EnableTcpKeepAlives = true,
    TcpKeepAliveTime = TimeSpan.FromSeconds(55),
    TcpKeepAliveInterval = TimeSpan.FromSeconds(5),
    KvIgnoreRemoteCertificateNameMismatch = true,
    HttpIgnoreRemoteCertificateMismatch = true
};

Checking changes between 3.4.6 and 3.4.7, it looks like the way that this validation happens changed (differences between 3.4.6 and 3.4.7).

Is this a bug? Or should we enable a different ClusterOption for skipping the remote certificate error?

(PS: I compared it to the latest SDK version and the same validation is still there)

Hi @futbolsalas15, there was indeed a change to the validation procedures.

Previously, setting the IgnoreNameMismatch properties cleared both RemoteCertificateNameMismatch and RemoteCertificateChainErrors flags. After this change, it only clears those flags if they were the only errors.

I actually have a change out to add logging to the existing callback methods to put more information in the logs in case of failures.

In the meantime, the easiest way for you to troubleshoot this yourself is to set your own callback on ClusterOptions.KvCertificateCallbackValidation (and Http) and set a breakpoint or do your own logging to see what validation is failing.

In the meantime, I will also try to reproduce your scenario in case WaitUntilReady is somehow not picking up the IgnoreNameMismatch settings properly.
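
The diagnostic callback suggested in the reply above, as an added example (not code from the thread or from the Couchbase SDK): it logs the SslPolicyErrors flags and every chain status element, and still rejects a failing certificate, so validation is not relaxed while troubleshooting. The class name CertDiagnostics, the connection string and the credentials are placeholders chosen for illustration.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Couchbase;

public static class CertDiagnostics   // hypothetical helper, not part of the SDK
{
    // Builds a callback that reports why TLS validation failed on a given channel.
    public static RemoteCertificateValidationCallback For(string channel) =>
        (sender, certificate, chain, sslPolicyErrors) =>
        {
            if (sslPolicyErrors == SslPolicyErrors.None)
                return true;

            // Flags enum: may print e.g. "RemoteCertificateNameMismatch, RemoteCertificateChainErrors".
            Console.Error.WriteLine($"[{channel}] TLS validation failed: {sslPolicyErrors}");
            Console.Error.WriteLine($"[{channel}]   subject={certificate?.Subject}");
            Console.Error.WriteLine($"[{channel}]   issuer={certificate?.Issuer}");

            // Each element explains one chain problem (untrusted root, expired, revocation unknown, ...).
            if (chain != null)
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.Error.WriteLine(
                        $"[{channel}]   chain: {status.Status}: {status.StatusInformation.Trim()}");
            }

            return false; // diagnostic only: keep rejecting the certificate
        };
}

public static class Program
{
    public static async Task Main()
    {
        var options = new ClusterOptions
        {
            UserName = "app-user",            // placeholder
            Password = "app-password",        // placeholder
            KvCertificateCallbackValidation = CertDiagnostics.For("kv"),
            HttpCertificateCallbackValidation = CertDiagnostics.For("http")
        };

        // Placeholder host; the couchbases:// scheme requests TLS.
        var cluster = await Cluster.ConnectAsync("couchbases://cb.example.internal", options);
        await cluster.WaitUntilReadyAsync(TimeSpan.FromMinutes(1));
    }
}
```

If the log shows chain errors in addition to the name mismatch, that matches the behaviour change described in the reply, where the ignore-name-mismatch settings no longer clear the chain-error flag when other errors are present.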
