Summary
This article describes how to import an internal CA and a public/private key pair generated with OpenSSL into the keystore.
Applies to
- DataStax Enterprise (DSE) 5.0
- DSE 6.0
Symptoms
After configuring node-to-node (internode) encryption, the following errors occur:
ERROR [ACCEPT-/<IP>]:19:59,143 MessagingService.java:1077 - SSL handshake error for inbound connection from 4419b69a[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<IP>,port=<port>,localport=7001]]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
...
ERROR [MessagingService-Outgoing-/<IP>-Gossip]:19:59,655 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 3b522b8f[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<IP>,port=7001,localport=<port>]]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Cause
The certificates are not recognised because the keystore is misconfigured.
Solution
Prerequisites:
- An internal CA root certificate, a private key and a public key are provided: rootCA.cer, privatekey.pem, publickey.cer (optional: intermediateCA.cer)
- Run the following command to confirm the files are PEM (ASCII) and not DER (binary certificate format):
head privatekey.pem publickey.cer rootCA.cer intermediateCA.cer
What to do in that scenario:
- Back up or rename the existing keystore
- Create a new keystore and remove the key that is generated with it:
keytool -genkey -keyalg RSA -alias dse -keystore keystore.jks
keytool -delete -alias dse -keystore keystore.jks
- Import the root CA into the keystore created above:
keytool -import -keystore keystore.jks -trustcacerts -alias rootca -file rootCA.cer
- Repeat the step above for intermediate CA certificates if necessary:
keytool -import -keystore keystore.jks -trustcacerts -alias intermediateca -file intermediateCA.cer
- Merge the certificate and the private key. Warning: this assumes they are PEM files as per the prerequisites, not DER files (binary format):
cat publickey.cer privatekey.pem > keypair.pem
- Import the set into your keystore:
keytool -importcert -alias dse -file keypair.pem -keystore keystore.jks
- Check the keystore content:
keytool -list -v -keystore keystore.jks > ~/CertsList.txt
- From here, follow the standard documentation to make use of the certificates:
https://docs.datastax.com/en/dse/5.1/dse-admin/datastax_enterprise/security/secInternodeSsl.html
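As an added example that is not part of this article, the following POSIX shell checks cover the prerequisite step (confirming each file is PEM rather than DER) and the merge step (confirming keypair.pem holds exactly one certificate and one private key block). The function names are assumptions of this example; it needs only grep, sed, od and tr, and runs the chain check only when openssl is installed.

```shell
#!/bin/sh
# Sanity checks on rootCA.cer, publickey.cer and privatekey.pem before the
# keytool steps. Needs only POSIX sh, grep, sed, od and tr; openssl optional.

# Report PEM, DER or UNKNOWN for one file. The merge step and keytool expect
# PEM (ASCII "-----BEGIN ...-----" armour); a DER file is raw ASN.1 and its
# first byte is the SEQUENCE tag 0x30.
cert_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Print the label of every PEM block in a file, one per line
# (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if a merged keypair.pem holds exactly one certificate and one
# private key block, which is what "cat publickey.cer privatekey.pem" should
# produce; anything else means a file was duplicated, missing or not PEM.
keypair_ok() {
    certs=$(pem_labels "$1" | grep -c '^CERTIFICATE$' || true)
    keys=$(pem_labels "$1" | grep -c 'PRIVATE KEY$' || true)
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ]
}

# When openssl is available, confirm the node certificate chains to the CA
# that will be imported under the "rootca" alias; a chain that does not
# match the trust store is one source of "No trusted certificate found".
chain_ok() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed, skipping chain check"; return 0
    fi
    openssl verify -CAfile "$1" "$2"
}

# Usage with the file names from the prerequisites:
#   for f in rootCA.cer publickey.cer privatekey.pem; do
#       echo "$f: $(cert_format "$f")"
#   done
#   cat publickey.cer privatekey.pem > keypair.pem
#   keypair_ok keypair.pem && echo "keypair.pem: 1 certificate + 1 key"
#   chain_ok rootCA.cer publickey.cer
```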