.Net SDK ssl enabled on docker & K8

Hi All,
I need help to correctly set up the SSL connection between the client (an ASP.NET Core 5 web API) and the Couchbase server (Couchbase Server Enterprise Edition 7.0.2 build 6703).

The server is equipped with a certificate signed by the internal sub-CA of the client. The sub-CA is signed by the internal root CA.

So, I'm expecting to just install the sub-CA and root CA public certificates in the docker container and then the SDK communication runs on SSL.

But looking at the documentation (Managing Connections using the .NET SDK with Couchbase Server | Couchbase Docs), I notice that it's the server certificate that should be installed in the docker container: "… Navigate in the admin UI to Settings > Cluster and copy the input box of the TLS certificate into a file on your machine (which we will refer to as cluster.cert). It looks similar to this: …
It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH or through a similar secure mechanism."

I've tried to save the three certificates as .crt files and to install them on the docker image like this:

# Server certificate plus the internal sub-CA and root CA, added to the system trust store
COPY st-couchbase.crt SAIPEM-SUBCA.crt SAIPEM-ROOTCA.crt /usr/local/share/ca-certificates/
RUN chmod 644 /usr/local/share/ca-certificates/st-couchbase.crt \
               /usr/local/share/ca-certificates/SAIPEM-SUBCA.crt \
               /usr/local/share/ca-certificates/SAIPEM-ROOTCA.crt \
 && update-ca-certificates   # rebuilds /etc/ssl/certs and the ca-certificates.crt bundle

but the cluster doesn't bootstrap. I confirm that I find the three certificates in the /etc/ssl/certs folder.
The error is "Cluster has not yet bootstrapped. Call WaitUntilReadyAsync(…) to wait for it to complete."

My questions are:

  1. Is it correct to install the server certificate on the docker image? If yes, it is obviously the public certificate, is that correct? My doubt is related to the sentence "It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH or through a similar secure mechanism."
  2. Is it mandatory to execute the command dpkg-reconfigure ca-certificates? Once executed, all the content of /etc/ssl/certs disappears and only the three certificates and a few other files remain.
  3. How can I call WaitUntilReadyAsync when using dependency injection?
  4. Must any other settings be made to correctly apply the SSL connection?

Thanks,
Regards

Dario

Hi All,
Any news about my issue?

I'd really appreciate any help or suggestion.

Thanks for the kind collaboration,
Best regards

Dario

Were you able to find out what the solution was? I'm in a similar situation. Any info would be greatly helpful and appreciated.

Not yet, but I’m interested too.

Thanks
Regards

Hi,
we have solved the issue. There were two problems:

  1. We're running with a VPN that blocks IPv6, so we've forced the use of IPv4 using the dedicated Couchbase SDK parameter.
  2. Then, applying the SSL certificate validation, we discovered, probably due to a networking issue related to Docker and host DNS, that the endpoint address is represented as an IP and not as a host name, so the certificate callback failed due to the mismatch. We handled this exception in the callback by translating the IP into the host name and verifying it against the certificate subject.

Regards

Dario
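The following is an added example, not code from Dario's post or from Couchbase, showing how the two fixes above and the WaitUntilReadyAsync question can be wired together with the Couchbase .NET SDK 3.x and the Couchbase.Extensions.DependencyInjection package. It assumes the ClusterOptions members EnableTls, ForceIPv4, KvCertificateCallbackValidation and HttpCertificateCallbackValidation as they exist in the 3.x SDK; the host names, credentials and bucket-free connection string are placeholders. The security point is that a name-mismatch caused by connecting to an IP should not be handled by accepting any certificate (the SDK also has a KvIgnoreRemoteCertificateNameMismatch switch, which is the blunt version of that): the callback below still rejects every chain error, and on a name mismatch it only accepts certificates whose DNS SAN entries contain one of the configured cluster node names. On Linux, .NET validates chains against the bundle that update-ca-certificates builds, so the root and sub-CA are what the trust store needs; the leaf certificate does not have to be installed for chain building.

```csharp
// Added example (not from the original thread). Assumes Couchbase .NET SDK 3.x and
// Couchbase.Extensions.DependencyInjection; host names, user and password are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Couchbase;
using Couchbase.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class CouchbaseTls
{
    // Node names as they appear in the cluster certificate's SAN (assumed values).
    private static readonly HashSet<string> ExpectedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "cb-node1.internal.example", "cb-node2.internal.example" };

    // Strict except for one case: the chain must be valid (built against the CAs installed
    // with update-ca-certificates) and the only allowed error is a name mismatch, which we
    // resolve by requiring a known node name in the certificate instead of trusting the IP.
    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch) return false; // chain/untrusted CA: fatal
        if (certificate == null) return false;
        using var cert = new X509Certificate2(certificate);
        return DnsNames(cert).Any(ExpectedHosts.Contains);
    }

    // DNS names from the Subject Alternative Name extension (OID 2.5.29.17), then the CN as fallback.
    private static IEnumerable<string> DnsNames(X509Certificate2 cert)
    {
        var san = cert.Extensions["2.5.29.17"];
        if (san != null)
        {
            // Format() differs by platform: "DNS Name=host" on Windows, "DNS:host" on Linux/OpenSSL.
            foreach (var raw in san.Format(false).Split(new[] { ',', '\n' }, StringSplitOptions.RemoveEmptyEntries))
            {
                var part = raw.Trim();
                if (part.StartsWith("DNS Name=", StringComparison.OrdinalIgnoreCase)) yield return part.Substring(9);
                else if (part.StartsWith("DNS:", StringComparison.OrdinalIgnoreCase)) yield return part.Substring(4);
            }
        }
        yield return cert.GetNameInfo(X509NameType.SimpleName, false);
    }
}

// Answers the "WaitUntilReadyAsync with DI" question: a hosted service that resolves the
// cluster from the container at startup and waits for bootstrap, so a TLS or network
// problem fails the application start instead of the first request.
public class CouchbaseReadyService : IHostedService
{
    private readonly IClusterProvider _clusterProvider;
    public CouchbaseReadyService(IClusterProvider clusterProvider) => _clusterProvider = clusterProvider;

    public async Task StartAsync(CancellationToken cancellationToken)
    {
        var cluster = await _clusterProvider.GetClusterAsync();
        await cluster.WaitUntilReadyAsync(TimeSpan.FromSeconds(30));
    }

    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
}

public static class CouchbaseRegistration
{
    // Call from Startup.ConfigureServices: services.AddSecureCouchbase();
    public static IServiceCollection AddSecureCouchbase(this IServiceCollection services) =>
        services
            .AddCouchbase(options =>
            {
                options.ConnectionString = "couchbases://cb-node1.internal.example"; // couchbases:// = TLS ports
                options.UserName = "app-user";      // placeholder; read from a secret store in practice
                options.Password = "app-password";  // placeholder
                options.EnableTls = true;
                options.ForceIPv4 = true;           // the VPN in this thread blocks IPv6
                options.KvCertificateCallbackValidation = CouchbaseTls.Validate;
                options.HttpCertificateCallbackValidation = CouchbaseTls.Validate;
            })
            .AddHostedService<CouchbaseReadyService>();
}
```

If the SDK version in use lets you choose whether the IP or the host name is used as the TLS target host, preferring the host name removes the mismatch at the source and the callback above then only ever sees SslPolicyErrors.None or a real failure; check the ClusterOptions of your SDK version before relying on the callback path.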