
TLS Client Authentication Not Functional in Go with Clickhouse Docs on Client Cert Generation #1300

Open
abraithwaite opened this issue May 16, 2024 · 1 comment

Comments

@abraithwaite

abraithwaite commented May 16, 2024

Generate a client certificate according to ClickHouse's docs:

https://clickhouse.com/docs/en/guides/sre/ssl-user-auth

Use the certificate to authenticate directly with the host:

$  cat ./clickhouse-client.yml
user: runreveal
password: 'xxxx'
secure: true
openSSL:
  client:
    caConfig: '/home/ubuntu/ca.pem'
    certificateFile: '/home/ubuntu/client.pem'
    privateKeyFile: '/home/ubuntu/client.key'
    
$  ./clickhouse client -h X.X.X.X --secure --port 9440
ClickHouse client version 24.5.1.1239 (official build).
Connecting to X.X.X.X:9440 as user runreveal.
Connected to ClickHouse server version 24.2.2.

clickhouse.internal :) Bye.

Go program using this client at the latest version (v2):

https://gist.github.com/abraithwaite/f80a83a88ab75cb31c9b0d39c635215d

The error returned:

$ ./chcertauth -clientKeyFile client.key -clientCertFile client.pem -caCertFile ca.pem
[clickhouse-std][opener] [connect] error connecting to x.x.x.x:9440 on connection 1: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
2024/05/16 22:22:44 Failed to ping ClickHouse: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead

CFSSL cert info:

$ ./cfssl certinfo -cert ca.pem

{
  "subject": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "issuer": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "serial_number": "xxxx",
  "not_before": "2024-05-15T18:34:43Z",
  "not_after": "2124-04-21T18:34:43Z",
  "sigalg": "SHA256WithRSA"
}

$ ./cfssl certinfo -cert client.pem

{
  "subject": {
    "common_name": "1.2.3.4",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "1.2.3.4"
    ]
  },
  "issuer": {
    "common_name": "root",
    "country": "CA",
    "organization": "ASDF",
    "province": "BC",
    "names": [
      "CA",
      "BC",
      "ASDF",
      "root"
    ]
  },
  "serial_number": "xxxxxx",
  "not_before": "2024-05-15T18:41:24Z",
  "not_after": "2124-04-21T18:41:24Z",
  "sigalg": "SHA256WithRSA"
}

I recommend either updating the ClickHouse docs with an example that works in Go, or figuring out a good (and secure!) way to ensure that the client certificates generated per the ClickHouse server documentation work in the Go client as well.

@jkaflik
Contributor

jkaflik commented May 27, 2024

Thanks @abraithwaite for reporting.

It seems the ClickHouse docs should be extended with a subject alt name provided for the certificate generate command: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
