Hi Marc,
I need to take a closer look. Would you please share how you have requested the certificates from Let's Encrypt? Is this an IPv6-only environment? Do those hostnames resolve only to IPv6 addresses?

Regards,
Andor

On Wed, 2021-10-13 at 15:47 +0200, Marc Richter wrote:
> Hi everyone,
>
> for some days now, I am trying to wrap my head around TLS encryption for the quorum-traffic. The hosts running Zookeeper do have a publicly available DNS name and I am using those to issue SSL certificates from Let's Encrypt.
> This seems to work - but it seems like Zookeeper decides to validate the SSL certificates against the IP(v6) of the connecting nodes instead of their hostnames.
>
> In the `zookeeper.properties` of all my 3 nodes, I have set the servers by their DNS names like this:
>
> ```
> server.1=zookeeper1.ourdomain.cloud:2888:3888
> server.2=zookeeper2.ourdomain.cloud:2888:3888
> server.3=zookeeper3.ourdomain.cloud:2888:3888
> ```
>
> I requested SSL certificates from Let's Encrypt for these DNS names and added the certificate/key pairs to the Keystores of the nodes.
>
> In the logs of the `zookeeper2` node, I now see something like this when the `zookeeper3` node tries to connect:
>
> ```
> [2021-10-13 15:13:49,960] INFO Received connection request from /2a01:--CUT--:750:47566 (org.apache.zookeeper.server.quorum.QuorumCnxManager)
> [2021-10-13 15:13:50,094] ERROR Failed to verify host address: 2a01:--CUT--:750 (org.apache.zookeeper.common.ZKTrustManager)
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <2a01:--CUT--:750> doesn't match any of the subject alternative names: [zookeeper3.ourdomain.cloud]
> ```
>
> Zookeeper seems to ignore the hostnames and complains that the IPv6 is not listed in the SAN of the presented certificate. Since most open CAs do not sign IP addresses (Let's Encrypt does not do that at all, ZeroSSL only for http auth, etc.), this behaviour forces me to have an internal CA and work with self-signed certificates; including all the negative things that come with it and a lot of extra effort.
>
> How can I make Zookeeper resolve this correctly?
>
> Best regards,
> Marc
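A small diagnostic in the spirit of Andor's questions, added here as an example and not code from the thread or from the ZooKeeper project: it assumes (my reading of ZKTrustManager, not something the thread confirms) that the peer's address literal is checked against the certificate's SANs first and its reverse-resolved hostname second, so a missing or mismatching PTR record for the IPv6 address leaves only the address check, which a DNS-name-only certificate can never pass. The peer address and the resolver are constructed so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Constructed sample: the SAN list from the thread plus a placeholder peer address
# from the IPv6 documentation range (the real address was cut from the post).
PEER_ADDRESS = "2001:db8::750"
CERT_SANS = ["zookeeper3.ourdomain.cloud"]

def san_matches(name: str, sans: Iterable[str]) -> bool:
    """DNS names: case-insensitive, '*.' covers one label; IP literals: parsed compare."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    name = name.lower().rstrip(".")
    for san in sans:
        if addr is not None:  # an IP literal only matches an iPAddress SAN entry
            try:
                if ipaddress.ip_address(san) == addr:
                    return True
            except ValueError:
                pass
            continue
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # e.g. ".ourdomain.cloud"
            if name.endswith(suffix) and "." not in name[: -len(suffix)]:
                return True
        elif san == name:
            return True
    return False

def reverse_lookup(address: str) -> Optional[str]:
    """PTR lookup; None when the address has no reverse record (herror/gaierror)."""
    try:
        return socket.gethostbyaddr(address)[0]
    except OSError:
        return None

def check_peer(address: str, sans: Iterable[str],
               resolver: Callable[[str], Optional[str]] = reverse_lookup) -> dict:
    """Assumed order: the address literal first, then the reverse-resolved name."""
    sans, ptr = list(sans), resolver(address)
    report = {"address": address, "ptr_name": ptr,
              "address_matches": san_matches(address, sans),
              "ptr_matches": ptr is not None and san_matches(ptr, sans)}
    report["accepted"] = report["address_matches"] or report["ptr_matches"]
    return report
```

Running `check_peer` against each quorum member's real address with the default resolver shows which of the two checks (if any) a node's certificate can satisfy, and whether the fix lies in the PTR records or in the SAN list.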
