Posted to issues@mesos.apache.org by "pawan (JIRA)" <ji...@apache.org> on 2016/02/12 15:50:18 UTC

[jira] [Updated] (MESOS-4665) Reverse DNS for cert validation ?

     [ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

pawan updated MESOS-4665:
-------------------------
    Description: 
I have three mesos master nodes configured to use SSL and with cert validation enabled. All the machines are failing cert-validation and hence the peering with the following error:

----------------------------
I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, log-replica(1)@192.168.1.30:5050 }
I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname name: 192.168.1.16
E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with fd 27: Transport endpoint is not connected
I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, verification error: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname name: 192.168.1.27
E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with fd 28: Transport endpoint is not connected
----------------------------------

From my understanding and looking at the source, during cert validation, mesos uses the getnameinfo call to get the hostname of the connecting peer using the IP address on the socket connection. Everything worked when I added host-ip mappings of all peers to /etc/hosts on each host.

Does mesos inherently expect reverse DNS (PTR records) to be provisioned? If so, this is a very challenging and unrealistic expectation. Even worse if you are deploying mesos in a firewalled/NAT-ed environment.

Is my understanding right? Am I missing anything here? How would you recommend me to proceed?

Also, I use --hostname to set the hostname of all mesos nodes and see the right [ip, hostname] info in the zookeeper node. Looks like mesos is not using it during cert validation.


> Reverse DNS for cert validation ?
> ---------------------------------
>
>                 Key: MESOS-4665
>                 URL: https://issues.apache.org/jira/browse/MESOS-4665
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.26.0
>            Reporter: pawan
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
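The verification scheme the report describes, reduced to its two moving parts as an added illustration (this is not Mesos or libprocess code): the peer's IP is turned into a name through a reverse lookup, and the certificate's name must equal that string. Without a PTR record (or an /etc/hosts entry) getnameinfo hands back the numeric address, which is exactly the "does not match peer hostname name: 192.168.1.16" failure in the log. The block also shows the contrasting check a verifier can do without trusting the resolver at all: compare the certificate against an identity it already expects (the configured hostname, as with --hostname) or against an IP address SAN. Reverse DNS is worth treating as a hint rather than an identity, since the reverse zone for an address is controlled by whoever owns the address range, and behind NAT the observed peer IP is not the host's own. All helper names, the PTR table and the hosts-file lines are constructed for the example; mesos03 is an assumed name for the third master at 192.168.1.30, which the log does not name.

```python
"""Reverse-DNS-based vs. expected-identity certificate name checks (added example)."""
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed PTR table standing in for the resolver.  Only the third master has a
# reverse record, so the other two reproduce the failure seen in the log.
SAMPLE_PTR: Dict[str, str] = {
    "192.168.1.30": "mesos03.p.qa.a.com",   # assumed name for the unnamed third master
}

# Constructed /etc/hosts content, modelling the reporter's workaround.
SAMPLE_HOSTS_FILE = """\
127.0.0.1   localhost
192.168.1.16 mesos01.p.qa.a.com mesos01
192.168.1.27 mesos02.p.qa.a.com mesos02
192.168.1.30 mesos03.p.qa.a.com mesos03   # assumed name
"""


def reverse_lookup(ip: str, ptr_table: Dict[str, str] = SAMPLE_PTR) -> str:
    """Model of getnameinfo() without NI_NAMEREQD: the PTR name if one exists,
    otherwise the numeric address rendered as a string."""
    return ptr_table.get(ip, ip)


def hosts_file_resolver(hosts_text: str) -> Callable[[str], str]:
    """Build a reverse resolver from hosts-file lines (first name wins, like
    the system resolver consulting /etc/hosts before DNS)."""
    table: Dict[str, str] = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if names and addr not in table:
            table[addr] = names[0]
    return lambda ip: table.get(ip, ip)


def hostname_matches(cert_name: str, peer_name: str) -> bool:
    """Exact, case-insensitive DNS name comparison (no wildcard handling)."""
    return cert_name.rstrip(".").lower() == peer_name.rstrip(".").lower()


def verify_by_reverse_dns(cert_names: Iterable[str], peer_ip: str,
                          lookup: Callable[[str], str] = reverse_lookup
                          ) -> Tuple[bool, Optional[str]]:
    """The scheme the reporter observed: derive the peer's name from its IP and
    require one of the presented certificate names to equal it."""
    cert_names = list(cert_names)
    peer_name = lookup(peer_ip)
    if any(hostname_matches(n, peer_name) for n in cert_names):
        return True, None
    return False, (f"Presented Certificate Name: {cert_names[0]} does not match "
                   f"peer hostname name: {peer_name}")


def verify_against_expected(cert_dns_names: Iterable[str], cert_ip_sans: Iterable[str],
                            peer_ip: str, expected_hostname: Optional[str] = None
                            ) -> Tuple[bool, Optional[str]]:
    """Resolver-independent check: match the certificate against a name the
    verifier already expects, or against an IP SAN equal to the peer address."""
    if expected_hostname and any(hostname_matches(n, expected_hostname)
                                 for n in cert_dns_names):
        return True, None
    addr = ipaddress.ip_address(peer_ip)
    if any(ipaddress.ip_address(s) == addr for s in cert_ip_sans):
        return True, None
    return False, "no DNS name or IP SAN matches the expected peer identity"


def check_cluster(peers: Dict[str, str],
                  lookup: Callable[[str], str] = reverse_lookup) -> Dict[str, Optional[str]]:
    """Run the reverse-DNS check for every (cert name -> IP) pair; None means accepted."""
    return {name: verify_by_reverse_dns([name], ip, lookup)[1] for name, ip in peers.items()}


if __name__ == "__main__":
    peers = {"mesos01.p.qa.a.com": "192.168.1.16",
             "mesos02.p.qa.a.com": "192.168.1.27",
             "mesos03.p.qa.a.com": "192.168.1.30"}
    print("PTR only:  ", check_cluster(peers))
    print("with hosts:", check_cluster(peers, hosts_file_resolver(SAMPLE_HOSTS_FILE)))
```

Running the block prints one failure per master lacking a reverse record, then all-accepted once the hosts-file resolver is substituted, which is the behaviour the report describes; verify_against_expected accepts the same certificates with no resolver involved.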