SSL doesn't work on linux.

We’ve added a new page to the docs for setting up SSL on Ubuntu 16.04, you can find it here

Thank you.

If you have any feedback or improvements for that page, please open an issue in the docs repo or open a PR.

For everybody who will read this thread.

  1. Confirm - it works.
  2. If you use CentOS: instead of /usr/local/share/ca-certificates/ copy to /etc/pki/tls/certs. Instead of `update-ca-certificates` use `update-ca-trust`.
  3. For UseInternalSsl: True you also need to add the following:

```
CertificateFile:
ExtSecureTcpPort: xxxx
IntSecureTcpPort: xxxx
UseInternalSsl: True
SslTargetHost: "bla-bla.com"
```

How to check that internal SSL works.

  1. `netstat -alnp | grep eventstore`

```
tcp 0 0 0.0.0.0:2113 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 0.0.0.0:2114 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:35247 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1115 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1116 0.0.0.0:* LISTEN 30507/eventstored
tcp 0 0 192.168.3.194:1116 192.168.3.130:46312 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:2114 192.168.3.130:52828 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:52228 192.168.3.130:2114 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:2114 192.168.3.130:52782 ESTABLISHED 30507/eventstored
tcp 0 0 192.168.3.194:52230 192.168.3.130:2114 ESTABLISHED 30507/eventstored
```

port 1116 is for internal SSL.
  2. Log

```
[PID:31425:006 2017.06.01 09:09:24.524 INFO TcpConnectionSsl ] [S192.168.5.194:1116, L192.168.5.130:46312]
[PID:31425:006 2017.06.01 09:09:24.525 INFO TcpConnectionSsl ] Cipher: Aes256 strength 256
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.529 INFO TcpConnectionSsl ] Is authenticated: True as server? False
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] IsSigned: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Can read: True, write True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Can timeout: True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Certificate revocation list checked: False
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Local certificate is null.
[PID:31425:006 2017.06.01 09:09:24.541 INFO TcpConnectionSsl ] Remote certificate was issued to CN=bla-bla.com and is valid from 5/31/2017 12:49:22 PM until 5/31/2018 12:49:22 PM.
```

Hope I didn’t miss anything.

And now, the last question: how to configure HTTP encryption without a reverse proxy?

```
httpcfg -list
Port: 5114 Thumbprint: E4A68B65AE4A5788C056E18438199B31BD21B560
```

Port 5114 is configured, but https doesn’t work. :frowning:
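
As an added example (not part of the original posts and not Event Store code), the sketch below parses `TcpConnectionSsl` lines like those in the log above and reports which negotiated parameters fall short of an assumed baseline. `parse_session`, `audit` and the thresholds are hypothetical; the code assumes `Protocol` and `Hash` are printed as .NET enum names, where `Tls` means TLS 1.0.

```python
import re

# Sample lines copied from the log in the post above (subset of fields).
SAMPLE_LOG = """\
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Hash: Sha1 strength 160
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Key exchange: RsaKeyX strength 2048
[PID:31425:006 2017.06.01 09:09:24.527 INFO TcpConnectionSsl ] Protocol: Tls
[PID:31425:006 2017.06.01 09:09:24.529 INFO TcpConnectionSsl ] Is authenticated: True as server? False
[PID:31425:006 2017.06.01 09:09:24.534 INFO TcpConnectionSsl ] Is Encrypted: True
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Certificate revocation list checked: False
[PID:31425:006 2017.06.01 09:09:24.535 INFO TcpConnectionSsl ] Local certificate is null.
"""

# Matches "[PID:... date time INFO TcpConnectionSsl ] message"; leading "[" is optional.
LINE = re.compile(r"^\[?PID:\S+ \S+ \S+ INFO\s+TcpConnectionSsl\s*\]\s*(.*)$")

def parse_session(text):
    """Collect 'Key: value' fields from TcpConnectionSsl log lines."""
    fields = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Local certificate is null"):
            fields["Local certificate"] = "null"
        elif ": " in msg:
            key, value = msg.split(": ", 1)
            fields[key] = value.strip()
    return fields

def audit(fields):
    """Return findings under an assumed baseline (this example's policy, not Event Store's)."""
    findings = []
    if fields.get("Is Encrypted") != "True":
        findings.append("connection not encrypted")
    if fields.get("Protocol") in ("Ssl2", "Ssl3", "Tls", "Tls11"):
        findings.append("protocol older than TLS 1.2")
    if fields.get("Hash", "").startswith(("Md5", "Sha1")):
        findings.append("legacy MAC hash")
    kx = re.search(r"strength (\d+)", fields.get("Key exchange", ""))
    if kx and int(kx.group(1)) < 2048:
        findings.append("key exchange below 2048 bits")
    if fields.get("Certificate revocation list checked") == "False":
        findings.append("revocation not checked")
    if fields.get("Local certificate") == "null":
        findings.append("no local certificate presented")
    return findings
```

Calling `audit(parse_session(SAMPLE_LOG))` on the lines above returns four findings: the protocol version, the MAC hash, the unchecked revocation list and the missing local certificate.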