Error when trying to enable encryption in transit & start the Yugabyte on the 1st node

Hi @vineet2k1, enabling the secure flag forces TLS as well as password authentication.
We don’t recommend using TLS without authentication. Can you tell us a bit about your use case and the requirement to use TLS without authentication?

If you want to use this method, you’ll need to use the insecure flag while explicitly setting the correct gFlags for the master and tserver processes. Here is the doc link explaining the security-related gFlags for master and tserver: Enable encryption in transit | YugabyteDB Docs

Config file:

    {
        "master_rpc_port": 9092,
        "tserver_rpc_port": 9093,
        "master_webserver_port": 9094,
        "tserver_webserver_port": 9095,
        "ysql_port": 9090,
        "ycql_port": 9091,
        "ysql_metric_port": 9096,
        "ycql_metric_port": 12000,
        "cloud_provider": "aws",
        "cloud_region": "us-west-2",
        "cloud_zone": "us-west-2a",
        "insecure": false,
        "dns_enabled": true,
        "master_flags": "certs_dir=/home/gargsans/server_certs,allow_insecure_connections=false,use_node_to_node_encryption=true",
        "tserver_flags": "certs_dir=/home/gargsans/server_certs,allow_insecure_connections=false,use_node_to_node_encryption=true,use_client_to_server_encryption=true,ysql_hba_conf_csv={hostssl all all all trust clientcert=verify-full}"
    }

ysql_hba_conf_csv is not a flag of yugabyted; you’ll need to set it inside the tserver_flags. Any CSV-valued flag needs to be enclosed inside curly braces: yugabyted reference | YugabyteDB Docs

Start the node:

./yugabyted start --base_dir ~/yb-cluster/node1 --config ~/ybd.conf --advertise_address dev-server-sgarg.us-west1-b.c.yugabyte.internal

Since the hba_conf was set to clientcert=verify-full, you’ll need to use a set of client certificates with ysqlsh.

./ysqlsh -h dev-server-sgarg.us-west1-b.c.yugabyte.internal -U yugabyte "sslcert=/home/gargsans/client_certs/client_yugabyte.crt sslkey=/home/gargsans/client_certs/client_yugabyte.key sslrootcert=/home/gargsans/client_certs/ca.crt" -p 9090

ysqlsh (15.2-YB-2.25.0.0-b0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

yugabyte=#

The client certs need to be created using the same root CA that was used to create the server certs, with the CN set to the username used by ysqlsh. In the provided example, the client certs were created using CN yugabyte.
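A config check, added here as an example that is not from the original thread or the YugabyteDB project: it parses the `master_flags`/`tserver_flags` strings (treating `{...}` as a single value, as the post requires for CSV-valued flags) and reports settings that would leave node-to-node or client-to-server TLS off, a misplaced `ysql_hba_conf_csv`, or an hba rule that does not verify client certificates. The sample config is constructed from the one above.

```python
import json

# Constructed yugabyted config, modelled on the fragment in the post above.
CONFIG_JSON = """{
    "insecure": false,
    "master_flags": "certs_dir=/home/gargsans/server_certs,allow_insecure_connections=false,use_node_to_node_encryption=true",
    "tserver_flags": "certs_dir=/home/gargsans/server_certs,allow_insecure_connections=false,use_node_to_node_encryption=true,use_client_to_server_encryption=true,ysql_hba_conf_csv={hostssl all all all trust clientcert=verify-full}"
}"""

# Flags that must hold for TLS to be enforced on each process type.
REQUIRED_MASTER = {"use_node_to_node_encryption": "true", "allow_insecure_connections": "false"}
REQUIRED_TSERVER = dict(REQUIRED_MASTER, use_client_to_server_encryption="true")


def split_flags(flags: str) -> dict:
    """Split a *_flags string into {name: value}. Commas inside {...} belong
    to a CSV-valued flag (e.g. ysql_hba_conf_csv) and must not split it."""
    out, buf, depth = {}, [], 0
    for ch in flags + ",":            # trailing comma flushes the last item
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            item = "".join(buf).strip()
            if item:
                name, _, value = item.partition("=")
                out[name.strip()] = value.strip()
            buf = []
        else:
            buf.append(ch)
    return out


def check_config(config_text: str) -> list:
    """Return findings for a yugabyted config that is meant to enforce TLS."""
    cfg = json.loads(config_text)
    findings = []
    if "ysql_hba_conf_csv" in cfg:   # top-level key is silently ignored by yugabyted
        findings.append("ysql_hba_conf_csv is not a yugabyted key; put it inside tserver_flags")
    for key, required in (("master_flags", REQUIRED_MASTER), ("tserver_flags", REQUIRED_TSERVER)):
        flags = split_flags(cfg.get(key, ""))
        for name, want in required.items():
            if flags.get(name) != want:
                findings.append(f"{key}: {name} should be {want}, got {flags.get(name)}")
    hba = split_flags(cfg.get("tserver_flags", "")).get("ysql_hba_conf_csv", "")
    if not (hba.startswith("{") and hba.endswith("}")):
        findings.append("tserver_flags: ysql_hba_conf_csv must be enclosed in curly braces")
    elif "clientcert=verify-full" not in hba:
        findings.append("tserver_flags: hba rule does not verify client certificates")
    return findings
```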