[jira] [Updated] (MESOS-4665) Reverse DNS for cert validation ?
[ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] pawan updated MESOS-4665: - Description: I have three mesos master nodes configured to use SSL and with cert validation enabled. All the machines are failing cert-validation and hence the peering with the following error: I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 } I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected -- >From my understanding and looking at the source, during cert validation, mesos >uses getnameinfo call to get the hostname of the connecting peer using the IP >address on the socket connection. Everything worked when I added host-ip >mappings of all peers to /etc/hosts on each host. Does mesos inherently expect reverse DNS (PTR records) to be provisioned ? If so, this is very challenging and unrealistic expectation. Even worse if you are deploying mesos in a firewalled/NAT-ed environment. Is my understanding right ? Am I missing anything here ? How would you recommend me to proceed ? Also, I use --hostname to set hostname of all mesos nodes and see the right [ip, hostname] info in zookeeper node. Looks like mesos is not using it during cert validation. was: I have three mesos master nodes configured to use SSL and with cert validation enabled. All the machines are failing cert-validation and hence the peering with the following error: I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 } I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected >From my understanding and looking at the source, during cert validation, mesos >uses getnameinfo call to get the hostname of the connecting peer using the IP >address on the socket
[jira] [Updated] (MESOS-4665) Reverse DNS for cert validation ?
[ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] pawan updated MESOS-4665: - Description: I have three mesos master nodes configured to use SSL and with cert validation enabled. All the machines are failing cert-validation and hence the peering with the following error: I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 } I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected -- >From my understanding and looking at the source, during cert validation, mesos >uses getnameinfo call to get the hostname of the connecting peer using the IP >address on the socket connection. And this call would return the IP as a >string which is resulting in failures as our cert has a CN of only the peer >hostname. But, everything worked when I added host-ip mappings of all peers to >/etc/hosts on each host. Does mesos inherently expect reverse DNS (PTR records) to be provisioned ? If so, this is very challenging and unrealistic expectation. Even worse if you are deploying mesos in a firewalled/NAT-ed environment. Is my understanding right ? Am I missing anything here ? How would you recommend me to proceed ? Also, I use --hostname to set hostname of all mesos nodes and see the right [ip, hostname] info in zookeeper node. Looks like mesos is not using it during cert validation. was: I have three mesos master nodes configured to use SSL and with cert validation enabled. All the machines are failing cert-validation and hence the peering with the following error: I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 } I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16 E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27 E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected