Error connecting to db with arango shell using SSL/TLS

Question

I'm working with debian stretch (both client and server side). When I try to securely connect to my arangodb server using the command-line tool arangosh by typing:

arangosh --server.endpoint ssl://192.168.2.11:8530

I get the error:

Could not connect to endpoint 'http+ssl://192.168.2.11:8530', database: '_system', username: 'root' Error message: 'Could not connect to 'http+ssl://192.168.2.11:8530' 'SSL: during SSL_connect: 0 - Success''

The self-signed TLSv1.2 certificate I'm using seems to be working fine since the connection to the same server through the web interface does work fine. Also the insecure (non-TLS) connection both through shell and web interfaces works fine. A simple curl test like:

curl -v https://192.168.2.11:8530

returns, among others:

SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification OK * server certificate status verification SKIPPED

I have the root CA certificate (plain, without concatenated private key) installed under /etc/ssl/certs Any idea?

When you connect to the web interface via SSL and it works, what address do you use? And what is your ssl binding in arangod.conf? — David Thomas, Dec 02 '16 at 13:41
The reason I ask is because sometimes the ssl end point can be ssl://127.0.0.1:8530 and it works when you test from localhost, but won't work when from 192.168.2.11 because it doesn't match your arangod.conf binding. — David Thomas, Dec 02 '16 at 14:54
I'm ashamed I forgot to check on this question of mine for a looong time: really sorry about that! — salai, Jul 07 '17 at 15:05
The thing is I quickly gave up on using the arangoshell for my database interaction. Back to your comment: I tried all combinatins of using both numeric IPv4 and alphanumeric domain name both as binding options in arangod.conf and as arangoshell --server.endpoint, but to no avail. In the end I always get: Error message: 'Could not connect to 'http+ssl://xxx.xxx.xxx:8530' 'SSL: during SSL_connect: 0 - Success'' and a red-colored shell — salai, Jul 07 '17 at 15:29
Can you connect to the 8530 port using a web browser? Like firefox? Also test connecting from a web browser on the machine to the localhost address, and on another machine to the network address (e.g. 192.x.x.x) — David Thomas, Jul 11 '17 at 11:48

score 0 · Answer 1 · answered Feb 27 '19 at 15:33

Meanwhile ArangoDB is delivered with a new OpenSSL Library, and will accept TLS 1.2.

I've created a new dummy ssl certificate with -nodes.

I've catted both into one file like this:

cat cert.pem key.pem > server.pem

I'm starting an ArangoDB daemon to use this server.pem like that:

arangod \
  --http.trusted-origin http://was-erlauben-strunz.it \ # my fake ssl CA
  --server.endpoint ssl://127.0.0.1:4529 \
  --database.directory /tmp/dummydatabase \
   --ssl.keyfile server.pem

And run an arangosh against it like this:

arangosh --server.endpoint ssl://127.0.0.1:4529

and it works out. If the problem persists for you please create a github issue, and share the way you created your ssl certificate.

Error connecting to db with arango shell using SSL/TLS

1 Answers1