[jira] [Updated] (MESOS-4665) Reverse DNS for cert validation ?

2016-02-12 Thread pawan (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

pawan updated MESOS-4665:
-
Description: 
I have three mesos master nodes configured to use SSL with cert validation enabled. All the machines are failing cert validation, and hence the peering, with the following error:

I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 }
I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected
I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected
--

From my understanding and looking at the source, during cert validation mesos uses a getnameinfo call to get the hostname of the connecting peer from the IP address on the socket connection. Everything worked when I added host-ip mappings of all peers to /etc/hosts on each host.

Does mesos inherently expect reverse DNS (PTR records) to be provisioned? If so, this is a very challenging and unrealistic expectation. It is even worse if you are deploying mesos in a firewalled/NAT-ed environment.

Is my understanding right? Am I missing anything here? How would you recommend I proceed?

Also, I use --hostname to set the hostname of all mesos nodes and see the right [ip, hostname] info in the zookeeper node. It looks like mesos is not using it during cert validation.


[jira] [Updated] (MESOS-4665) Reverse DNS for cert validation ?

2016-02-12 Thread pawan (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

pawan updated MESOS-4665:
-
Description: 
I have three mesos master nodes configured to use SSL with cert validation enabled. All the machines are failing cert validation, and hence the peering, with the following error:

I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 }
I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected
I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected
--

From my understanding and looking at the source, during cert validation mesos uses a getnameinfo call to get the hostname of the connecting peer from the IP address on the socket connection. This call would return the IP as a string, which is resulting in failures, as our cert has a CN of only the peer hostname. But everything worked when I added host-ip mappings of all peers to /etc/hosts on each host.

Does mesos inherently expect reverse DNS (PTR records) to be provisioned? If so, this is a very challenging and unrealistic expectation. It is even worse if you are deploying mesos in a firewalled/NAT-ed environment.

Is my understanding right? Am I missing anything here? How would you recommend I proceed?

Also, I use --hostname to set the hostname of all mesos nodes and see the right [ip, hostname] info in the zookeeper node. It looks like mesos is not using it during cert validation.

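The peer-hostname check the reporter describes, as an added example that is not part of this issue or of Mesos itself: it reverse-resolves each master's IP the way a getnameinfo call would (a name when a PTR record or /etc/hosts entry exists, the numeric address otherwise) and compares the result with the name the certificate presents, so an operator can verify reverse mappings for the whole ZooKeeper group before turning on verification. The three-peer table and the mesos03 name are constructed, and the plain string comparison is a simplification of real TLS hostname verification.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample: the three masters from the ZooKeeper group PIDs in the
# log, paired with the name each master's certificate presents. The third name
# is a placeholder; the report only shows certificates for mesos01 and mesos02.
PEERS: Dict[str, str] = {
    "192.168.1.16": "mesos01.p.qa.a.com",
    "192.168.1.27": "mesos02.p.qa.a.com",
    "192.168.1.30": "mesos03.p.qa.a.com",  # placeholder name
}

def system_reverse_lookup(ip: str) -> str:
    """Reverse-resolve like the getnameinfo() use the report describes: a PTR
    record or /etc/hosts entry yields a name, otherwise the IP comes back."""
    host, _ = socket.getnameinfo((ip, 0), 0)  # flags=0: numeric fallback
    return host

def hosts_resolver(hosts: Dict[str, str]) -> Callable[[str], str]:
    """Offline resolver backed by an /etc/hosts-style ip -> name table (the
    reporter's workaround). Unknown IPs stay numeric, like getnameinfo()."""
    return lambda ip: hosts.get(ip, ip)

def check_peer(ip: str, presented: str, resolve: Callable[[str], str]) -> str:
    """The check from the log for one peer: the certificate's presented name
    must equal the hostname derived from the peer IP. "" means it matches."""
    peer_hostname = resolve(ip)
    if presented.rstrip(".").lower() == peer_hostname.rstrip(".").lower():
        return ""
    try:
        ipaddress.ip_address(peer_hostname)  # still numeric: nothing resolved
        return f"{ip}: no PTR record or hosts entry, peer hostname stays numeric"
    except ValueError:
        return f"{ip}: reverse lookup gives {peer_hostname!r}, certificate presents {presented!r}"

def check_group(peers: Dict[str, str], resolve: Callable[[str], str]) -> List[str]:
    """Check every peer in the group; an empty list means all would verify."""
    errors = []
    for ip, presented in peers.items():
        msg = check_peer(ip, presented, resolve)
        if msg:
            errors.append(msg)
    return errors

if __name__ == "__main__":
    print("no mappings:", check_group(PEERS, hosts_resolver({})))      # 3 failures
    print("hosts entries:", check_group(PEERS, hosts_resolver(PEERS)))  # []
    print("system resolver:", check_group(PEERS, system_reverse_lookup))
```

The last line queries the local resolver, so it reports whether the host you run it on actually has the PTR records or hosts entries the masters would need.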