[ https://issues.apache.org/jira/browse/IGNITE-25931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Artem Egorov updated IGNITE-25931:
----------------------------------
Description:
Prerequisites: Enable SSL for Rest

You may encounter the following issues:
* Specifying a http URL instead of https (with {{"httpToHttpsRedirection" : false}}) may lead to "{{unexpected end of stream on..}}" error:
{code:java}
# cluster topology physical --url http://example.cluster.local:10400
unexpected end of stream on http://example.cluster.local:10400/...
{code}
* The common SSL error message is too broad:
{code:java}
# cluster topology physical --url https://example.cluster.local:10400
SSL error
Could not connect to node with URL example.cluster.local:10400. Check SSL configuration
{code}
This message applies to the following situations:
## Cluster URL and certificate SAN mismatch
*** e.g. when trying to access the node via [https://localhost:10400|https://localhost:10400/] (kinda expected)
*** the certificate is issued for a different domain name (the SAN property in the certificate does not include the requested DNS name)
## Broken chain of trust (untrusted root/intermediate CA)
*** e.g. using self-signed certs
## Inconsistent SSL node configuration in a multi-node cluster
*** e.g. if the first node in the cluster has the correct configuration, the second does not (e.g. missing cert). In this case, you need to remove the second node from the topology to make sure there are no SSL errors for the first one anymore
## Certificate expiration

I don't want to say that all cases should be covered, but improvements in messaging could improve the experience of SSL configuration and debugging

was:
Prerequisites: Enable SSL for Rest

You may encounter the following issues:
#
## Specifying a http URL instead of https (with {{"httpToHttpsRedirection" : false}}) may lead to "{{unexpected end of stream on..}}" error:
{code:java}
# cluster topology physical --url http://example.cluster.local:10400
unexpected end of stream on http://example.cluster.local:10400/...
{code}
## The common SSL error message is too broad:
{code:java}
# cluster topology physical --url https://example.cluster.local:10400
SSL error
Could not connect to node with URL example.cluster.local:10400. Check SSL configuration
{code}
This message applies to the following situations:
### Cluster URL and certificate SAN mismatch
**** e.g. when trying to access the node via [https://localhost:10400|https://localhost:10400/] (kinda expected)
**** the certificate is issued for a different domain name (the SAN property in the certificate does not include the requested DNS name)
### Broken chain of trust (untrusted root/intermediate CA)
**** e.g. using self-signed certs
### Inconsistent SSL node configuration in a multi-node cluster
**** e.g. if the first node in the cluster has the correct configuration, the second does not (e.g. missing cert). In this case, you need to remove the second node from the topology to make sure there are no SSL errors for the first one anymore
### Certificate expiration

I don't want to say that all cases should be covered, but improvements in messaging could improve the experience of SSL configuration and debugging

> Improve SSL errors messaging
> ----------------------------
>
> Key: IGNITE-25931
> URL: https://issues.apache.org/jira/browse/IGNITE-25931
> Project: Ignite
> Issue Type: Improvement
> Components: cli ai3
> Reporter: Artem Egorov
> Priority: Major
> Labels: ignite-3
>
> Prerequisites: Enable SSL for Rest
> You may encounter the following issues:
> * Specifying a http URL instead of https (with {{"httpToHttpsRedirection" : false}}) may lead to "{{unexpected end of stream on..}}" error:
> {code:java}
> # cluster topology physical --url http://example.cluster.local:10400
> unexpected end of stream on http://example.cluster.local:10400/...
> {code}
> * The common SSL error message is too broad:
> {code:java}
> # cluster topology physical --url https://example.cluster.local:10400
> SSL error
> Could not connect to node with URL example.cluster.local:10400. Check SSL configuration
> {code}
> This message applies to the following situations:
> ## Cluster URL and certificate SAN mismatch
> *** e.g. when trying to access the node via [https://localhost:10400|https://localhost:10400/] (kinda expected)
> *** the certificate is issued for a different domain name (the SAN property in the certificate does not include the requested DNS name)
> ## Broken chain of trust (untrusted root/intermediate CA)
> *** e.g. using self-signed certs
> ## Inconsistent SSL node configuration in a multi-node cluster
> *** e.g. if the first node in the cluster has the correct configuration, the second does not (e.g. missing cert). In this case, you need to remove the second node from the topology to make sure there are no SSL errors for the first one anymore
> ## Certificate expiration
> I don't want to say that all cases should be covered, but improvements in messaging could improve the experience of SSL configuration and debugging

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
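
An added example, not part of the original message and not Ignite CLI code: one way a Java client could tell apart the cases listed in the description by walking the exception cause chain. The class name `TlsFailureHint` and the hint wording are hypothetical; the matched message prefixes are those of the JDK's default hostname check and are an implementation detail.

```java
import java.io.IOException;
import java.net.URI;
import java.security.cert.*;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;

/** Hypothetical helper (not Ignite code): maps a connection failure to a specific hint. */
public final class TlsFailureHint {
    public static String describe(URI url, Throwable error) {
        boolean expired = false, nameMismatch = false, untrusted = false, tls = false;
        // The specific reason is usually nested under a generic SSLException,
        // so inspect every cause instead of only the top-level exception.
        for (Throwable t = error; t != null; t = t.getCause()) {
            String msg = String.valueOf(t.getMessage());
            if (t instanceof CertificateExpiredException || t instanceof CertificateNotYetValidException) {
                expired = true;
            } else if (t instanceof SSLPeerUnverifiedException
                    || (t instanceof CertificateException
                        // Message prefixes used by the JDK hostname check (implementation detail).
                        && (msg.startsWith("No subject alternative") || msg.startsWith("No name matching")))) {
                nameMismatch = true;
            } else if (t instanceof CertPathBuilderException || t instanceof CertPathValidatorException) {
                untrusted = true;
            }
            tls |= t instanceof SSLException;
        }
        String host = url.getHost();
        // Expiry is reported first: it arrives wrapped in a CertPathValidatorException.
        if (expired) return "Certificate presented by " + host + " is expired or not yet valid";
        if (nameMismatch) return "Certificate SAN does not include " + host;
        if (untrusted) return "Certificate chain of " + host + " is not trusted (unknown root/intermediate CA)";
        if (tls) return "SSL error while connecting to " + host + ". Check SSL configuration";
        if (error instanceof IOException && "http".equals(url.getScheme()))
            return "Plain HTTP request to " + url + " failed; the node may accept only https";
        return String.valueOf(error.getMessage());
    }

    public static void main(String[] args) {
        URI https = URI.create("https://example.cluster.local:10400");
        // Constructed exceptions that mimic the nesting seen in handshake failures.
        Throwable[] samples = {
            new SSLException("handshake", new CertificateException("No subject alternative DNS name matching example.cluster.local found.")),
            new SSLException("handshake", new CertPathBuilderException("unable to find valid certification path to requested target")),
            new SSLException("handshake", new CertPathValidatorException("validity check failed", new CertificateExpiredException("NotAfter"))),
        };
        for (Throwable s : samples) System.out.println(describe(https, s));
        System.out.println(describe(URI.create("http://example.cluster.local:10400"), new IOException("unexpected end of stream")));
    }
}
```

The multi-node case from the description cannot be recognised from the exception alone; reporting it would additionally require naming the node whose handshake failed.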