[ https://issues.apache.org/jira/browse/ZOOKEEPER-4403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17436368#comment-17436368 ]
Andor Molnar edited comment on ZOOKEEPER-4403 at 10/30/21, 10:04 PM: --------------------------------------------------------------------- Thanks for the detailed report [~m.richter] I don't understand one thing: ZK should verify both the hostname and the host address. In ZKTrustManager.java, first: {noformat} hostAddress = inetAddress.getHostAddress(); hostnameVerifier.verify(hostAddress, certificate);{noformat} If that fails we make a second attempt: {noformat} hostName = inetAddress.getHostName(); hostnameVerifier.verify(hostName, certificate); {noformat} If it fails too, we report two error message detailing both attempts. However I can only see a single errol message in your logs. Would you attach your full ZK logfile? I'd also like to see the entire stack trace of the error message. was (Author: andorm): Thanks for the detailed report [~m.richter] I don't understand one thing: ZK should verify both the hostname and the host address. In ZKTrustManager.java, first: {noformat} hostAddress = inetAddress.getHostAddress(); hostnameVerifier.verify(hostAddress, certificate);{noformat} If that fails we make a second attempt: {noformat} hostName = inetAddress.getHostName(); hostnameVerifier.verify(hostName, certificate); {noformat} If it fails too, we report two error message detailing both attempts. However I can only see a single errol message in your logs. Would you attach your full ZK logfile? I'd also like to see the entire stack trace of the error message. > Quorum TLS certificate validation uses wrong name > ------------------------------------------------- > > Key: ZOOKEEPER-4403 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4403 > Project: ZooKeeper > Issue Type: Bug > Components: quorum, security > Affects Versions: 3.5.9 > Reporter: Marc Richter > Priority: Major > Labels: quorum, ssl, tls > > When using SSL certificates for public IPv6 DNS endpoints as received from > some public Service like "Let's Encrypt" for Quorum Encryption, Zookeeper > validates the SNAs of that certificate for the IP Address instead of the DNS > name, as configured. > As a Result, these certificates can't be used, since no certificates for IPv6 > IPs issued. > This has been observed with Zookeeper Version 3.5.9, which is the one bundled > in the most recent release of Kafka (2.8.1). > In the affected environment, there is a 3-node-Zookeeper-Cluster, which is > configured as this in {{zookeeper.properties}} (mind the DNS name!): > {code} > server.1=zookeeper1.ourdomain.cloud:2888:3888 > server.2=zookeeper2.ourdomain.cloud:2888:3888 > server.3=zookeeper3.ourdomain.cloud:2888:3888 > {code} > All these records do have a public IPv6 entry only. > The SSL certificates from Let's Encrypt are requested and added to the > Quorum-Keystores like this: > # Using https://github.com/acmesh-official/acme.sh > # Requesting the cert from Let's Encrypt using: > {code}./acme.sh --issue --dns dns_nsupdate -d > zookeeper1.ourdomain.cloud{code} > for each system. > # Merge fullchain- and certificate-file to a single PKCS12 file using: > {code}openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out > <pkcs12_file> -name zookeeper1.ourdomain.cloud \ > -CAfile <fullchainfile> -password <JKS_password>{code} > # Adding the resulting PKCS12 file to the Quorum Keystore: > {code}keytool -importkeystore -deststorepass <JKS_password> -destkeypass > <JKS_password> -deststoretype pkcs12 \ > -srckeystore <pkcs12_file> -srcstoretype PKCS12 -srcstorepass > <JKS_password> -destkeystore <quorum_jks> \ > -alias zookeeper1.ourdomain.cloud{code} > When any of the systems tries to initiate the quorum-connect, their logs > state that the remote's Certificates could not be verified, since the > SNA-List does not contain the IPv6 address. > For example: This is the log from {{zookeeper2.ourdomain.cloud}} when > connecting {{zookeeper3.ourdomain.cloud}}: > {code} > [2021-10-13 15:13:49,960] INFO Received connection request from > /2a01:--CUT--:750:47566 (org.apache.zookeeper.server.quorum.QuorumCnxManager) > [2021-10-13 15:13:50,094] ERROR Failed to verify host address: > 2a01:--CUT--:750 (org.apache.zookeeper.common.ZKTrustManager) > javax.net.ssl.SSLPeerUnverifiedException: Certificate for <2a01:--CUT--:750> > doesn't match any of the subject alternative names: > [zookeeper3.ourdomain.cloud] > {code} > I think the log lines cited clearly show: > # Zookeeper is picking up the correct certificate from the quorum Keystore, > since it states that the request does not match any SNA and lists > {{zookeeper3.ourdomain.cloud}} only, which it can only know from the > certificate itself. > # Zookeeper is validating the wrong thing here: Even though the config > clearly states to use a DNS name, the certificates SNAs alre validated > against the IPv6 address that record belongs to instead of the DNS name > configured ({{ERROR Failed to verify host address: 2a01:--CUT--:750}}) -- This message was sent by Atlassian Jira (v8.3.4#803005)