I got back to SSL and made some progress, SSL is enabled now (I think I needed to export the variables in /etc/default/mesos) but I got 2 new problems (described in more detail in https://gist.github.com/carlossg/64c9f8050d637f51c77c )
#1 slaves can't connect to master over SSL, master refuses connection with: Error (26): unsupported certificate purpose but slave cert has what I believe are correct certificate purposes, are they ? openssl x509 -in /etc/mesos/tiger.crt -noout -purpose Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : No S/MIME signing CA : No S/MIME encryption : No S/MIME encryption CA : No CRL signing : No CRL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No Time Stamp signing : No Time Stamp signing CA : No #2 can't connect to master if cert validation is enabled with SSL_VALIDATE_CERT=true or SSL_REQUIRE_CERT=true Tried enabling all protocols and no luck, also set the hostname correctly to ensure ssl works fine (is name matching actually required for the mesos slaves?) If SSL_VALIDATE_CERT=false and SSL_REQUIRE_CERT=false and I don't provide cert in the curl call it connects fine, so server certificate seems to be correct Master running with /usr/sbin/mesos-master --zk=zk://zk:[email protected]:2181/mesos --port=5050 --log_dir=/var/log/mesos --authenticate=true --authenticate_slaves=true --credentials=/etc/mesos/credentials --hostname=tiger-jdoe-controller-1.tiger.acme.net --quorum=1 --work_dir=/var/lib/mesos Tried with curl curl -v --cacert /etc/mesos/rootCA.pem --key /home/ubuntu/tiger-client.key.pem --cert /home/ubuntu/tiger-client.cert.pem https://tiger-jdoe-controller-1.tiger.acme.net:5050/master/state.json ubuntu 14.04.3 curl 7.35.0 * Hostname was NOT found in DNS cache * Trying 127.0.0.1... * Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port 5050 (#0) * successfully set certificate verify locations: * CAfile: /etc/mesos/rootCA.pem CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Request CERT (13): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS handshake, CERT verify (15): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using AES128-SHA * Server certificate: * subject: C=US; O=acme; OU=Tiger; CN=tiger-jdoe-controller-1.tiger.acme.net * start date: 2015-09-16 18:28:30 GMT * expire date: 2025-09-13 18:28:30 GMT * common name: tiger-jdoe-controller-1.tiger.acme.net (matched) * issuer: C=US; ST=CA; O=acme; OU=Tiger * SSL certificate verify ok. > GET /master/state.json HTTP/1.1 > User-Agent: curl/7.35.0 > Host: tiger-jdoe-controller-1.tiger.acme.net:5050 > Accept: */* > * Empty reply from server * Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact curl: (52) Empty reply from server Seems there is an issue with curl debug log in older curl versions so I tried with newer ones ubuntu:wily curl 7.43.0 ends in a similar way * Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port 5050 (#0) * found 1 certificates in /etc/mesos/rootCA.pem * found 748 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1 * server certificate verification OK * server certificate status verification SKIPPED * common name: tiger-jdoe-controller-1.tiger.acme.net (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,O=acme,OU=Tiger,CN=tiger-jdoe-controller-1.tiger.acme.net * start date: Wed, 16 Sep 2015 18:28:30 GMT * expire date: Sat, 13 Sep 2025 18:28:30 GMT * issuer: C=US,ST=CA,O=acme,OU=Tiger * compression: NULL * ALPN, server did not agree to a protocol > GET /master/state.json HTTP/1.1 > Host: tiger-jdoe-controller-1.tiger.acme.net:5050 > User-Agent: curl/7.43.0 > Accept: */* > * GnuTLS recv error (-110): The TLS connection was non-properly terminated. * Closing connection 0 curl: (56) GnuTLS recv error (-110): The TLS connection was non-properly terminated. curl 7.42.1 from appropriate/curl same thing * Empty reply from server * Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact curl: (52) Empty reply from server The detailed logs are at https://gist.github.com/carlossg/64c9f8050d637f51c77c Thanks in advance On Wed, Aug 26, 2015 at 3:25 AM, Joris Van Remoortere <[email protected]> wrote: > @Carlos > Mesosphere currently doesn't build packages with ssl enabled. > > On Tue, Aug 25, 2015 at 3:12 PM, Carlos Sanchez <[email protected]> wrote: >> >> Hi Joris, >> >> I did build from sources, following instructions in >> http://mesos.apache.org/gettingstarted/ >> >> Is the mesosphere binary compiled with libevent and ssl enabled as >> mentioned previously? would make debugging easier if I don't have to rebuild >> >> >> >> On Tue, Aug 25, 2015 at 8:52 PM, Joris Van Remoortere >> <[email protected]> wrote: >>> >>> @carlos >>> Are you building 0.23.0 from source? >>> Just so we don't miss anything: Can you make sure to run ./bootstrap, and >>> build in a clean directory with your configuration similar to this: >>> >>> ../configure --enable-libevent --enable-ssl >>> >>> Here is the document I am using as a reference >>> >>> When you start up a master, if you just specify SSL_ENABLED=true it >>> should error out and notify you that other required flags such as >>> SSL_KEY_FILE are not provided. Can you verify this? If that is not >>> happening, then the 2 options are: >>> 1. Your environment variables are not making it to the binary: See Jeff >>> Schroeder's comments >>> 2. The binary is not actually the one you expect. Double check the >>> checksum with the binary you built after configuring with SSL. >>> >>> >>> >>> On Fri, Aug 14, 2015 at 12:55 PM, Carlos Sanchez <[email protected]> >>> wrote: >>>> >>>> looking forward to it, thanks! >>>> running out of ideas here on what am I doing wrong >>>> >>>> On Fri, Aug 14, 2015 at 6:53 PM, Marco Massenzio <[email protected]> >>>> wrote: >>>> > FYI - Joris is out this week, he'll be probably able to get back to >>>> > you >>>> > early next (modulo MesosCon craziness :) >>>> > >>>> > Marco Massenzio >>>> > Distributed Systems Engineer >>>> > >>>> > On Fri, Aug 14, 2015 at 9:14 AM, Carlos Sanchez <[email protected]> >>>> > wrote: >>>> >> >>>> >> no suggestions? >>>> >> >>>> >> On Tue, Aug 11, 2015 at 6:47 PM, Vinod Kone <[email protected]> >>>> >> wrote: >>>> >> > @joris, can you help out here? >>>> >> > >>>> >> > On Tue, Aug 11, 2015 at 9:43 AM, Carlos Sanchez <[email protected]> >>>> >> > wrote: >>>> >> >> >>>> >> >> I have tried to enable SSL with no success, even compiling from >>>> >> >> source >>>> >> >> with the ssl flags --enable-libevent --enable-ssl >>>> >> >> >>>> >> >> export SSL_ENABLED=true >>>> >> >> export SSL_SUPPORT_DOWNGRADE=false >>>> >> >> export SSL_REQUIRE_CERT=true >>>> >> >> export SSL_CERT_FILE=/etc/mesos/... >>>> >> >> export SSL_KEY_FILE=/etc/mesos/... >>>> >> >> export SSL_CA_FILE=/etc/mesos/... >>>> >> >> >>>> >> >> >>>> >> >> /home/ubuntu/mesos-deb-packaging/mesos-repo/build/src/mesos-master >>>> >> >> --work_dir="/var/lib/mesos" >>>> >> >> >>>> >> >> Port 5050 is still served as plain http, no SSL >>>> >> >> >>>> >> >> Nothing about ssl shows up in the logs, any ideas? >>>> >> >> >>>> >> >> Thanks >>>> >> >> >>>> >> >> >>>> >> >> > >>>> >> >> > From: Dharmit Shah <[email protected]> >>>> >> >> > To: [email protected] >>>> >> >> > Cc: >>>> >> >> > Date: Mon, 10 Aug 2015 14:13:04 +0530 >>>> >> >> > Subject: Re: SSL in Mesos 0.23 >>>> >> >> > Hi Jeff, >>>> >> >> > >>>> >> >> > Thanks for the suggestion. >>>> >> >> > >>>> >> >> > I modified the systemd service file to use >>>> >> >> > `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` >>>> >> >> > as >>>> >> >> > environment files for master and slave services respectively. In >>>> >> >> > these >>>> >> >> > files, I specified the environment variables that I used to >>>> >> >> > specify >>>> >> >> > on >>>> >> >> > the command line. >>>> >> >> > >>>> >> >> > Now if I check `strings /proc/<pid>/environ | grep SSL` for pids >>>> >> >> > of >>>> >> >> > master and slave services, I see the environment variables that >>>> >> >> > I set >>>> >> >> > in the /etc/sysconfig/<environment-file>. >>>> >> >> > >>>> >> >> > Now that it looks like I have started the master and slave >>>> >> >> > services >>>> >> >> > with SSL enabled, how do I really confirm that communication >>>> >> >> > between >>>> >> >> > master and slaves is really happening over SSL? >>>> >> >> > >>>> >> >> > Also, how do I enable SSL communication for a framework like >>>> >> >> > Marathon? >>>> >> >> > >>>> >> >> > Regards, >>>> >> >> > Dharmit. >>>> >> >> > >>>> >> >> > On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder >>>> >> >> > <[email protected]> wrote: >>>> >> >> > > The sudo command defaults to envreset (look for that in the >>>> >> >> > > man >>>> >> >> > > page) >>>> >> >> > > which >>>> >> >> > > strips all env variables sans a select few. I'd almost bet >>>> >> >> > > that >>>> >> >> > > your >>>> >> >> > > SSL_* >>>> >> >> > > variables are not present and were not passed to the slave. >>>> >> >> > > Just >>>> >> >> > > sudo >>>> >> >> > > -i and >>>> >> >> > > start the slaves *as root* without sudo. There is no benefit >>>> >> >> > > to >>>> >> >> > > starting >>>> >> >> > > them with sudo. You can verify what I'm saying with something >>>> >> >> > > along >>>> >> >> > > the >>>> >> >> > > lines of: >>>> >> >> > > >>>> >> >> > > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_ >>>> >> >> > > >>>> >> >> > > >>>> >> >> > > On Friday, August 7, 2015, Dharmit Shah >>>> >> >> > > <[email protected]> >>>> >> >> > > wrote: >>>> >> >> > >> >>>> >> >> > >> Hello again, >>>> >> >> > >> >>>> >> >> > >> Thanks for your responses. I will share what I tried after >>>> >> >> > >> your >>>> >> >> > >> suggestions. >>>> >> >> > >> >>>> >> >> > >> 1. `ldd /usr/sbin/mesos-master` and `ldd >>>> >> >> > >> /usr/sbin/mesos-slave` >>>> >> >> > >> returned similar output as one suggested by Craig. So, I >>>> >> >> > >> guess, >>>> >> >> > >> the >>>> >> >> > >> Mesosphere repo binaries have SSL enabled. Right? >>>> >> >> > >> >>>> >> >> > >> 2. I created SSL private key and cert on one system in my >>>> >> >> > >> cluster >>>> >> >> > >> by >>>> >> >> > >> referring this guide on DO [1]. Admittedly, my knowledge of >>>> >> >> > >> SSL is >>>> >> >> > >> limited. >>>> >> >> > >> >>>> >> >> > >> 3. Next, I copied the key and cert to all three mesos-master >>>> >> >> > >> nodes >>>> >> >> > >> and >>>> >> >> > >> four mesos-slave nodes. Shouldn't slave nodes be provided >>>> >> >> > >> only >>>> >> >> > >> with >>>> >> >> > >> the cert and not the private key? Whereas all master nodes >>>> >> >> > >> may >>>> >> >> > >> have >>>> >> >> > >> the private key and cert both. Or am I understanding SSL >>>> >> >> > >> incorrectly >>>> >> >> > >> here? >>>> >> >> > >> >>>> >> >> > >> 4. After copying the cert and key, I started the mesos-master >>>> >> >> > >> service >>>> >> >> > >> on master nodes with below command: >>>> >> >> > >> >>>> >> >> > >> $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key >>>> >> >> > >> SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> --zk=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos >>>> >> >> > >> --port=5050 --log_dir=/var/log/mesos >>>> >> >> > >> --acls=file:///root/acls.json >>>> >> >> > >> --credentials=/home/isys/mesos --quorum=2 >>>> >> >> > >> --work_dir=/var/lib/mesos >>>> >> >> > >> >>>> >> >> > >> I check web UI and things look good. I am not completely sure >>>> >> >> > >> if >>>> >> >> > >> "https" should have worked for mesos web UI but, it didn't. >>>> >> >> > >> >>>> >> >> > >> 5. Next, I start slave nodes with below command: >>>> >> >> > >> >>>> >> >> > >> $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt >>>> >> >> > >> SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> --master=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos >>>> >> >> > >> --log_dir=/var/log/mesos --containerizers=docker,mesos >>>> >> >> > >> --executor_registration_timeout=15mins >>>> >> >> > >> >>>> >> >> > >> Mesos web UI reported four mesos-slave nodes in "Activated" >>>> >> >> > >> mode. >>>> >> >> > >> So >>>> >> >> > >> far so good. I am still wondering how I should verify if >>>> >> >> > >> communication >>>> >> >> > >> is happening over SSL. >>>> >> >> > >> >>>> >> >> > >> 6. To check if SSL is indeed working, I stopped one slave >>>> >> >> > >> node and >>>> >> >> > >> started it without SSL using `systemctl start mesos-slave`. I >>>> >> >> > >> was >>>> >> >> > >> expecting it to not get into "Activated" state on Mesos web >>>> >> >> > >> UI but >>>> >> >> > >> it >>>> >> >> > >> did. So, I think SSL is not configured properly by me. >>>> >> >> > >> >>>> >> >> > >> I am attaching logs from the master nodes. These logs were >>>> >> >> > >> generated >>>> >> >> > >> after starting masters with command specified in point 4. >>>> >> >> > >> >>>> >> >> > >> Let me know if I am doing something wrong or if you need more >>>> >> >> > >> logs >>>> >> >> > >> or >>>> >> >> > >> need me to execute some specific commands. >>>> >> >> > >> >>>> >> >> > >> [1] >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> >>>> >> >> > >> https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs >>>> >> >> > >> >>>> >> >> > >> Regards, >>>> >> >> > >> Dharmit. >>>> >> >> > >> >>>> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park >>>> >> >> > >> <[email protected]> >>>> >> >> > >> wrote: >>>> >> >> > >> > Hi Dharmit, >>>> >> >> > >> > >>>> >> >> > >> > I'm not certain whether the Mesosphere deb packages have >>>> >> >> > >> > SSL >>>> >> >> > >> > enabled or >>>> >> >> > >> > not, >>>> >> >> > >> > although based on Craig's observation it looks like it is. >>>> >> >> > >> > >>>> >> >> > >> > I think the correct way to enable SSL is to set the >>>> >> >> > >> > SSL_ENABLED >>>> >> >> > >> > environment >>>> >> >> > >> > variable, rather than /etc/mesos-master/ssl_enabled. Of >>>> >> >> > >> > course, >>>> >> >> > >> > along >>>> >> >> > >> > with >>>> >> >> > >> > the rest of the SSL_ environment variables. >>>> >> >> > >> > >>>> >> >> > >> > e.g. SSL_ENABLED=true >>>> >> >> > >> > SSL_KEY_FILE=<path-to-your-private-key> >>>> >> >> > >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master >>>> >> >> > >> > <master-flags> >>>> >> >> > >> > >>>> >> >> > >> > MPark. >>>> >> >> > >> > >>>> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w >>>> >> >> > >> > <[email protected]> >>>> >> >> > >> > wrote: >>>> >> >> > >> >> >>>> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 using >>>> >> >> > >> >> mesos >>>> >> >> > >> >> 0.23 >>>> >> >> > >> >> from >>>> >> >> > >> >> mesosphere repo) and I see "libssl.3.so" and >>>> >> >> > >> >> "libssl.so.10" >>>> >> >> > >> >> >>>> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder >>>> >> >> > >> >> <[email protected]> wrote: >>>> >> >> > >> >>> >>>> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave >>>> >> >> > >> >>> binaries? I >>>> >> >> > >> >>> believe >>>> >> >> > >> >>> you *should* see openssl libraries in the output if those >>>> >> >> > >> >>> packages are >>>> >> >> > >> >>> configured using --enable-ssl. >>>> >> >> > >> >>> >>>> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah >>>> >> >> > >> >>> <[email protected]> >>>> >> >> > >> >>> wrote: >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> Hello, >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> I followed Mesos cluster setup guide on the Mesosphere >>>> >> >> > >> >>>> website >>>> >> >> > >> >>>> [1]. I >>>> >> >> > >> >>>> set it up on a CentOS 7 system. For installation of >>>> >> >> > >> >>>> packages, >>>> >> >> > >> >>>> I >>>> >> >> > >> >>>> went >>>> >> >> > >> >>>> with Mesosphere provided repositories. >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL >>>> >> >> > >> >>>> capabilities, >>>> >> >> > >> >>>> I >>>> >> >> > >> >>>> believe >>>> >> >> > >> >>>> it is possible to have communication between the master, >>>> >> >> > >> >>>> slaves >>>> >> >> > >> >>>> and >>>> >> >> > >> >>>> frameworks be secured by SSL. Am I right? >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> I would like to set it up in my environment. I am using >>>> >> >> > >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`. >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> The official Mesos documentation on the topic [2] >>>> >> >> > >> >>>> illustrates >>>> >> >> > >> >>>> how >>>> >> >> > >> >>>> things can be setup when building Mesos from source. >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> I would like to know if Mesos package shipped by >>>> >> >> > >> >>>> Mesosphere >>>> >> >> > >> >>>> repo >>>> >> >> > >> >>>> has >>>> >> >> > >> >>>> this feature or not yet? I tried setting >>>> >> >> > >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master >>>> >> >> > >> >>>> nodes. >>>> >> >> > >> >>>> But >>>> >> >> > >> >>>> restarting `mesos-master` service failed stating that >>>> >> >> > >> >>>> option >>>> >> >> > >> >>>> `ssl_enabled` is unknown. >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> Thanks for your help! >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> [1] >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> http://open.mesosphere.com/getting-started/datacenter/install/ >>>> >> >> > >> >>>> [2] >>>> >> >> > >> >>>> http://mesos.apache.org/documentation/latest/mesos-ssl/ >>>> >> >> > >> >>>> >>>> >> >> > >> >>>> Regards, >>>> >> >> > >> >>>> Dharmit. >>>> >> >> > >> >>> >>>> >> >> > >> >>> >>>> >> >> > >> >>> >>>> >> >> > >> >>> >>>> >> >> > >> >>> -- >>>> >> >> > >> >>> Jeff Schroeder >>>> >> >> > >> >>> >>>> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't mix. >>>> >> >> > >> >>> http://www.digitalprognosis.com >>>> >> >> > >> >> >>>> >> >> > >> >> >>>> >> >> > >> >> >>>> >> >> > >> >> >>>> >> >> > >> >> -- >>>> >> >> > >> >> >>>> >> >> > >> >> https://github.com/mindscratch >>>> >> >> > >> >> https://www.google.com/+CraigWickesser >>>> >> >> > >> >> https://twitter.com/mind_scratch >>>> >> >> > >> >> https://twitter.com/craig_links >>>> >> >> > > >>>> >> >> > > >>>> >> >> > > >>>> >> >> > > -- >>>> >> >> > > Text by Jeff, typos by iPhone >>>> >> >> > >>>> >> >> > >>>> >> > >>>> >> > >>>> > >>>> > >>> >>> >> >
