[Gluster-devel] gluster SSL support

Zbyszek Żółkiewski zbyszek at onefellow.com
Fri Jan 24 09:47:11 UTC 2014


Hello Jeffrey!

Thanks for the reply. I will explain my environment, as it is quite a bit different than the usual setup. I am using gluster 3.4.
For now I am using gluster to sync 2 servers - both have bricks attached - so I can say that they are both servers and clients (let's say a master-master config) - I need this setup to ensure that when one node goes offline, files are still intact - I have that setup on other environments with more nodes and it works great (thus on them gluster works via VPN).
To be exact: on both servers there is a local “brick” and it is mounted by:

mount -t glusterfs host-X:/gv0 /mnt/gv0 

so even when the last replica goes offline, files are still there for the last running server.

Answering your question: yes, certs are properly installed - I have tried various combinations - but now I am not sure if my config does not cause confusion for glusterfs.

What do you think?

Thanks!

__
Zbyszek Żółkiewski

On 24 Jan 2014, at 05:30, Jeffrey Darcy <jdarcy at redhat.com> wrote:

>> I am trying to enable SSL support for gluster (I have read this post:
>> http://nongnu.13855.n7.nabble.com/Glusterfs-SSL-capability-td168156.html
>> too, and went through the sources) but I am lost with the settings. I have
>> enabled both options on the volume:
>> 
>> volume set gv0 client.ssl on
>> volume set gv0 server.ssl on
>> 
>> Also I have put all the certs in /etc/ssl/ (I have generated my own CA +
>> client certificates for both servers mx1 and mx2) - all seems correct but I
>> am still getting:
>> 
>> [2014-01-23 14:23:46.332041] E [socket.c:2258:socket_poller] 0-gv0-client-1:
>> client setup failed
>> [2014-01-23 14:23:46.732281] E [socket.c:304:ssl_setup_connection]
>> 0-gv0-client-0: SSL connect error
>> [2014-01-23 14:23:46.732319] E [socket.c:174:ssl_dump_error_stack]
>> 0-gv0-client-0:   error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> 
>> I really tried all possible cert configurations and I think I am hitting a wall
>> here. Any tips?
> 
> Are you sure that you have all three files - cert, key, CA - installed on both
> servers *and clients*?  It's not clear from what you've described whether the
> client that's failing is one of the servers or a separate machine.  In all
> cases, the servers' certs need to be in the clients' CA file, and vice versa.
> You could also try looking at tests/bugs/bug-873367.t in any GlusterFS source
> tree, which might shed some light on how these files are generated in testing.
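
The trust relationship described in the quoted reply (each side's certificate present in the other side's CA file) can be checked offline with openssl before touching the volume. This is an added example, not code from either poster or from the GlusterFS source tree; it assumes self-signed per-node certificates, and the temporary directory and file names are made up for the lab (only the node names mx1 and mx2 come from the thread).

```bash
#!/usr/bin/env bash
# Constructed lab: node names mx1/mx2 come from the thread; the directory
# layout and file names are assumptions, not GlusterFS's own paths.
set -eu

make_node_cert() {            # $1 = directory, $2 = node name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

key_matches_cert() {          # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

peer_cert_trusted() {         # $1 = CA bundle, $2 = peer certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print every problem found for one node; return non-zero if there was any.
audit_node() {                # $1 = key, $2 = cert, $3 = CA bundle, $4.. = peer certs
  key=$1; cert=$2; ca=$3; shift 3; rc=0
  key_matches_cert "$key" "$cert" || { echo "key does not match $cert"; rc=1; }
  for peer in "$cert" "$@"; do
    peer_cert_trusted "$ca" "$peer" || { echo "$peer not trusted by $ca"; rc=1; }
  done
  return $rc
}

lab=$(mktemp -d)
make_node_cert "$lab" mx1
make_node_cert "$lab" mx2

# Misconfiguration: the node's CA file holds only its own certificate.
cp "$lab/mx1.pem" "$lab/mx1-only.ca"
# Corrected: one bundle containing both nodes' certificates, used on both.
cat "$lab/mx1.pem" "$lab/mx2.pem" > "$lab/both.ca"

audit_node "$lab/mx1.key" "$lab/mx1.pem" "$lab/mx1-only.ca" "$lab/mx2.pem" || true
audit_node "$lab/mx1.key" "$lab/mx1.pem" "$lab/both.ca" "$lab/mx2.pem" && echo "mx1 OK"
audit_node "$lab/mx2.key" "$lab/mx2.pem" "$lab/both.ca" "$lab/mx1.pem" && echo "mx2 OK"
```

A peer certificate that fails this check is rejected the same way during the TLS handshake, which is what the `certificate verify failed` line in the log reports.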
