<div dir="ltr"><div><div>Enrico,<br></div>You might find this helpful if not already used: <a href="https://kshlm.in/post/network-encryption-in-glusterfs/">https://kshlm.in/post/network-encryption-in-glusterfs/</a><br><br><br>--<br></div>Milind<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Nov 25, 2017 at 12:57 AM, Enrico Valsecchi <span dir="ltr">&lt;<a href="mailto:admin@hostyle.it" target="_blank">admin@hostyle.it</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello subscribers,<br>
<br>
I have a very strange question regarding SSL setup on gluster storage.<br>
<br>
I have created a common CA and signed certificates for my gluster nodes, placed the host certificate, key and common CA certificate into /etc/ssl/,<br>
and created a file called secure-access in /var/lib/glusterd/.<br>
<br>
Then I start glusterd on all nodes; the system works fine, and with peer status I see all of my nodes.<br>
<br>
No problem.<br>
<br>
With the Let’s Encrypt authority, I have built signed SSL certs for all nodes via our web site, downloaded and placed them all on the respective nodes with the root CA certificate,<br>
with the correct file names (glusters.pem, glusters.key and glusters.ca) in /etc/ssl/, the same as in the previous scenario.<br>
<br>
Now, when I restart glusterd on all nodes, peer status displays the nodes as disconnected, and in the log I see:<br>
<br>
[2017-11-24 19:16:01.482867] E [socket.c:358:ssl_setup_connection] 0-management: SSL connect error (client: )<br>
[2017-11-24 19:16:01.482945] E [socket.c:202:ssl_dump_error_stack] 0-management:   error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>
[2017-11-24 19:16:01.482981] E [socket.c:2465:socket_poller] 0-management: client setup failed<br>
[2017-11-24 19:16:03.458039] E [socket.c:358:ssl_setup_connection] 0-socket.management: SSL connect error (client: 192.168.100.101:49151)<br>
[2017-11-24 19:16:03.458156] E [socket.c:202:ssl_dump_error_stack] 0-socket.management:   error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
[2017-11-24 19:16:03.458202] E [socket.c:2465:socket_poller] 0-socket.management: server setup failed<br>
<br>
My question is: why does it work fine with my “fake” CA, generated on a local Debian system with OpenSSL, and not with a reliable CA?<br>
<br>
I have deleted all nodes, executed an entire installation of the operating system and created the peers from scratch. Same result.<br>
<br>
How can I solve this problem?<br>
<br>
<br>
Sorry for my english and many thanks!<br>
<br>
Enrico<br>
<br>
<br>
The extracted content of the Let’s Encrypt CA is:<br>
<br>
[root@glusterfs1 ssl]# openssl x509 -in glusterfs.ca -text -noout<br>
Certificate:<br>
    Data:<br>
        Version: 3 (0x2)<br>
        Serial Number:<br>
            0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08<br>
    Signature Algorithm: sha256WithRSAEncryption<br>
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3<br>
        Validity<br>
            Not Before: Mar 17 16:40:46 2016 GMT<br>
            Not After : Mar 17 16:40:46 2021 GMT<br>
        Subject: C=US, O=Let&#39;s Encrypt, CN=Let&#39;s Encrypt Authority X3<br>
        Subject Public Key Info:<br>
            Public Key Algorithm: rsaEncryption<br>
                Public-Key: (2048 bit)<br>
                Modulus:<br>
                    00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:<br>
                    68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:<br>
                    92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:<br>
                    2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:<br>
                    79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:<br>
                    0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:<br>
                    77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:<br>
                    ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:<br>
                    fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:<br>
                    7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:<br>
                    fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:<br>
                    ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:<br>
                    80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:<br>
                    25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:<br>
                    a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:<br>
                    2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:<br>
                    0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:<br>
                    c3:93<br>
                Exponent: 65537 (0x10001)<br>
        X509v3 extensions:<br>
            X509v3 Basic Constraints: critical<br>
                CA:TRUE, pathlen:0<br>
            X509v3 Key Usage: critical<br>
                Digital Signature, Certificate Sign, CRL Sign<br>
            Authority Information Access:<br>
                OCSP - URI:<a href="http://isrg.trustid.ocsp.identrust.com" rel="noreferrer" target="_blank">http://isrg.trustid.ocsp.identrust.com</a><br>
                CA Issuers - URI:<a href="http://apps.identrust.com/roots/dstrootcax3.p7c" rel="noreferrer" target="_blank">http://apps.identrust.com/roots/dstrootcax3.p7c</a><br>
<br>
            X509v3 Authority Key Identifier:<br>
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10<br>
<br>
            X509v3 Certificate Policies:<br>
                Policy: 2.23.140.1.2.1<br>
                Policy: 1.3.6.1.4.1.44947.1.1.1<br>
                  CPS: <a href="http://cps.root-x1.letsencrypt.org" rel="noreferrer" target="_blank">http://cps.root-x1.letsencrypt.org</a><br>
<br>
            X509v3 CRL Distribution Points:<br>
<br>
                Full Name:<br>
                  URI:<a href="http://crl.identrust.com/DSTROOTCAX3CRL.crl" rel="noreferrer" target="_blank">http://crl.identrust.com/DSTROOTCAX3CRL.crl</a><br>
<br>
            X509v3 Subject Key Identifier:<br>
                A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1<br>
    Signature Algorithm: sha256WithRSAEncryption<br>
         dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:<br>
         70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:<br>
         24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:<br>
         cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:<br>
         6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:<br>
         c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:<br>
         e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:<br>
         2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:<br>
         fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:<br>
         5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:<br>
         1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:<br>
         fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:<br>
         4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:<br>
         28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:<br>
         34:5b:b4:42<br>
<br>
<br>
_______________________________________________<br>
Gluster-users mailing list<br>
<a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>
<a href="http://lists.gluster.org/mailman/listinfo/gluster-users" rel="noreferrer" target="_blank">http://lists.gluster.org/mailman/listinfo/gluster-users</a></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Milind<br><br></div></div></div></div>
</div>
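Editor's note on the thread above, with an added example. The glusterfs.ca dumped in the quoted message is the Let's Encrypt intermediate ("Let's Encrypt Authority X3", issuer "DST Root CA X3", CA:TRUE with pathlen:0), not a self-signed root. OpenSSL path validation, unless partial-chain trust is explicitly turned on, requires the chain to end at a self-signed certificate in the trust store, so a CA file that stops at an intermediate cannot validate anything. That fits both log lines: the side that opened the connection logs "certificate verify failed", and the accepting side logs "tlsv1 alert unknown ca", which is the alert the rejecting peer sent back. The locally generated CA worked because it was itself the root. The script below is written for this page; it is not from the thread and not GlusterFS project code. It builds a throwaway root -> intermediate -> leaf PKI with the same shape as the Let's Encrypt chain, shows openssl verify failing against an intermediate-only CA file and passing once the root is appended, and includes a small check that reports whether a PEM bundle contains a self-signed root. All names (Example Root CA, Example Authority X3, glusterfs1.example.test) are made up, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from GlusterFS.
# Builds a throwaway PKI shaped like the Let's Encrypt chain in the thread
# (leaf <- intermediate with pathlen:0 <- self-signed root) and shows why a
# CA file that stops at the intermediate fails path validation.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = Example Lab
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:glusterfs1.example.test
authorityKeyIdentifier = keyid
EOF

# Self-signed root (the "DST Root CA X3" role). Made-up names throughout.
openssl req -new -x509 -config req.cnf -extensions v3_ca -days 2 -sha256 \
  -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/O=Example Lab/CN=Example Root CA" 2>/dev/null

# Intermediate signed by the root (the "Let's Encrypt Authority X3" role).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/O=Example Lab/CN=Example Authority X3" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile req.cnf -extensions v3_int -out int.pem 2>/dev/null

# Leaf for one storage node, signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/O=Example Lab/CN=glusterfs1.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Two candidate trust stores: the mistake from the thread and the fix.
cat int.pem          > ca-intermediate-only.pem   # like the dumped glusterfs.ca
cat int.pem root.pem > ca-full.pem                # intermediate plus root

# Prints "yes" if some certificate in the PEM bundle is self-signed
# (subject == issuer), which is what a trust store must end at when
# partial-chain trust is not enabled; otherwise prints "no".
bundle_has_root() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("split." n ".pem")}' "$1"
  answer=no
  for f in split.*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then answer=yes; fi
  done
  rm -f split.*.pem
  echo "$answer"
}

# Prints "ok" if the first certificate in $2 chains to a root in CA file $1
# under default OpenSSL rules (no -partial_chain), else prints "fail" and
# sends the verifier's own reason to stderr.
verify_status() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo ok
  else
    echo "$out" | grep 'depth lookup' | head -n 1 >&2
    echo fail
  fi
}

echo "intermediate-only bundle has self-signed root: $(bundle_has_root ca-intermediate-only.pem)"
echo "verify leaf against intermediate only:          $(verify_status ca-intermediate-only.pem leaf.pem)"
echo "intermediate+root bundle has self-signed root: $(bundle_has_root ca-full.pem)"
echo "verify leaf against intermediate + root:       $(verify_status ca-full.pem leaf.pem)"

# What each node would install under Gluster's fixed names: the node cert
# followed by its issuer as glusterfs.pem, and intermediate plus root as
# glusterfs.ca (the same files go on every peer, since the handshake is mutual).
cat leaf.pem int.pem > glusterfs.pem
cp ca-full.pem glusterfs.ca
echo "verify glusterfs.pem against glusterfs.ca:      $(verify_status glusterfs.ca glusterfs.pem)"
```

Two caveats for the real cluster. First, openssl verify here only reproduces the trust-store half of the problem; Gluster's socket transport also caps the accepted chain length with the glusterd.vol option transport.socket.ssl-cert-depth, so after fixing glusterfs.ca confirm that setting allows one intermediate between leaf and root. Second, unlike this lab run, the glusterfs.pem/glusterfs.key/glusterfs.ca files must be identical in layout on every peer, and a node that still carries the intermediate-only CA file will keep rejecting the others with exactly the "unknown ca" alert seen in the log.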