Using third party issued certificates #4212

knowitall12 opened this issue Mar 21, 2024 · 1 comment

@knowitall12

Hi, we are able to deploy EventStoreDB using the certificates generated through the certificate generation tool. But when we use our organization's issued certificates, we get an error.

Error Logs:

1, 1,13:16:04.346,INF] Loading trusted root certificates.

[ 1, 1,13:16:04.352,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/orgainization-sha2-level3-ca1.crt"
[ 1, 1,13:16:04.354,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/orgainization-sha2-level3-ca2.crt"
[ 1, 1,13:16:04.355,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/orgainization-sha2-level3-ca3.crt"
[ 1, 1,13:16:04.356,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/orgainization-sha2-level3-ca4.crt"
[ 1, 1,13:16:04.357,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/ca.crt"
[ 1, 1,13:16:04.358,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/cacert.crt"
[ 1, 1,13:16:04.360,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/cacert.pem"
[ 1, 1,13:16:04.361,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/bundle.pem"
[ 1, 1,13:16:04.362,INF] Loading trusted root certificate file: "/etc/pki/ca-trust/source/anchors/orgainization-bundle.crt"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=orgainization SHA2 Level 3 CA 1, DC=atrame, DC=orgainization, DC=com", Thumbprint: "FF704E00E6DD7B438228BE9D4180A0EE5372F417"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=orgainization SHA2 Level 3 CA 2, DC=atrame, DC=orgainization, DC=com", Thumbprint: "A06F59D83A6FA92AF4B94DD5A9F050D1E0CB2997"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=orgainization SHA2 Level 3 CA 3, DC=atrame, DC=orgainization, DC=com", Thumbprint: "9D892F6C7F6971587AC833194FAA2EE52F7D6867"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=orgainization SHA2 Level 3 CA 4, DC=atrame, DC=orgainization, DC=com", Thumbprint: "D79ECB4DFE2F363B4C9958266AC1A93DC119A75E"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=EventStoreDB CA c80ee39e997fbe9e978dfb4b2845df78, O=Event Store Ltd, C=UK", Thumbprint: "9960167ECDCE6F9A8B901AAA69ECA27680C937D5"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US", Thumbprint: "1C58A3A8518E8759BF075B76B750D4F2DF264FCD"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US", Thumbprint: "1C58A3A8518E8759BF075B76B750D4F2DF264FCD"
[ 1, 1,13:16:04.364,INF] Loading trusted root certificate. Subject: "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US", Thumbprint: "1C58A3A8518E8759BF075B76B750D4F2DF264FCD"
[ 1, 1,13:16:04.364,INF] Loading trusted root certificate. Subject: "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US", Thumbprint: "1C58A3A8518E8759BF075B76B750D4F2DF264FCD"
[ 1, 1,13:16:04.377,ERR] Certificate with thumbprint 'FF704E00E6DD7B438228BE9D4180A0EE5372F417' does not appear to be a valid root certificate since it is not self-signed (subject = CN=orgainization SHA2 Level 3 CA 1, DC=atrame, DC=orgainization, DC=com, issuer = CN=orgainization SHA2 Level 2 CA 1, DC=orgainization, DC=com). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.377,ERR] Certificate with thumbprint 'A06F59D83A6FA92AF4B94DD5A9F050D1E0CB2997' does not appear to be a valid root certificate since it is not self-signed (subject = CN=orgainization SHA2 Level 3 CA 2, DC=atrame, DC=orgainization, DC=com, issuer = CN=orgainization SHA2 Level 2 CA 2, DC=orgainization, DC=com). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint '9D892F6C7F6971587AC833194FAA2EE52F7D6867' does not appear to be a valid root certificate since it is not self-signed (subject = CN=orgainization SHA2 Level 3 CA 3, DC=atrame, DC=orgainization, DC=com, issuer = CN=orgainization SHA2 Level 2 CA 1, DC=orgainization, DC=com). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint 'D79ECB4DFE2F363B4C9958266AC1A93DC119A75E' does not appear to be a valid root certificate since it is not self-signed (subject = CN=orgainization SHA2 Level 3 CA 4, DC=atrame, DC=orgainization, DC=com, issuer = CN=orgainization SHA2 Level 2 CA 2, DC=orgainization, DC=com). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint '1C58A3A8518E8759BF075B76B750D4F2DF264FCD' does not appear to be a valid root certificate since it is not self-signed (subject = CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US, issuer = CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint '1C58A3A8518E8759BF075B76B750D4F2DF264FCD' does not appear to be a valid root certificate since it is not self-signed (subject = CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US, issuer = CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint '1C58A3A8518E8759BF075B76B750D4F2DF264FCD' does not appear to be a valid root certificate since it is not self-signed (subject = CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US, issuer = CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint '1C58A3A8518E8759BF075B76B750D4F2DF264FCD' does not appear to be a valid root certificate since it is not self-signed (subject = CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US, issuer = CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.379,FTL] Invalid Configuration: Aborting certificate loading due to verification errors.

Any guidance here would be of great help.

@ylorph
Contributor

ylorph commented Apr 22, 2024

Is the (public part of the) root cert of your organisation in the standard location?
If not, you'll need to place it somewhere accessible and configure --trusted-root-certificates-paths to point to that directory.
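Added example (not part of the thread and not EventStoreDB code): a triage of startup log output in the format shown in the issue, separating the certificates accepted as roots from the non-self-signed ones the node rejected, and listing issuers that were never loaded. The function name, the sample log, its subjects and its shortened thumbprints are constructed for illustration.

```python
import re

# Patterns follow the two message shapes in the issue's log output.
LOADED = re.compile(r'Loading trusted root certificate\. Subject: "(?P<subject>[^"]+)", '
                    r'Thumbprint: "(?P<thumb>[0-9A-Fa-f]+)"')
NOT_ROOT = re.compile(r"thumbprint '(?P<thumb>[0-9A-Fa-f]+)' does not appear to be a valid "
                      r"root certificate since it is not self-signed "
                      r"\(subject = (?P<subject>.+?), issuer = (?P<issuer>.+?)\)\. ")

def triage(log_text):
    """Split loaded certificates into accepted roots and misplaced intermediates."""
    loaded, rejected = {}, {}
    for line in log_text.splitlines():
        if (m := LOADED.search(line)):
            loaded[m["thumb"].upper()] = m["subject"]
        elif (m := NOT_ROOT.search(line)):
            # The same file may be loaded more than once; key on thumbprint to dedupe.
            rejected[m["thumb"].upper()] = (m["subject"], m["issuer"])
    subjects = set(loaded.values())
    return {
        # Loaded and not rejected: self-signed, fine in the trusted-root directory.
        "roots": sorted(s for t, s in loaded.items() if t not in rejected),
        # Rejected: intermediates that were placed among the trusted roots.
        "intermediates": sorted(s for s, _ in rejected.values()),
        # Issuers named in errors that no loaded certificate matches by subject.
        "issuers_not_loaded": sorted({i for _, i in rejected.values()} - subjects),
    }

# Constructed sample log (hypothetical names, shortened thumbprints).
SAMPLE_LOG = """\
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=Example Issuing CA 1, O=Example Org, C=US", Thumbprint: "AA01"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=Example Issuing CA 1, O=Example Org, C=US", Thumbprint: "AA01"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=Example Issuing CA 2, O=Example Org, C=US", Thumbprint: "BB02"
[ 1, 1,13:16:04.363,INF] Loading trusted root certificate. Subject: "CN=Example Root CA, O=Example Org, C=US", Thumbprint: "CC03"
[ 1, 1,13:16:04.377,ERR] Certificate with thumbprint 'AA01' does not appear to be a valid root certificate since it is not self-signed (subject = CN=Example Issuing CA 1, O=Example Org, C=US, issuer = CN=Example Policy CA 1, O=Example Org, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.377,ERR] Certificate with thumbprint 'AA01' does not appear to be a valid root certificate since it is not self-signed (subject = CN=Example Issuing CA 1, O=Example Org, C=US, issuer = CN=Example Policy CA 1, O=Example Org, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
[ 1, 1,13:16:04.378,ERR] Certificate with thumbprint 'BB02' does not appear to be a valid root certificate since it is not self-signed (subject = CN=Example Issuing CA 2, O=Example Org, C=US, issuer = CN=Example Root CA, O=Example Org, C=US). If you have intermediate certificates, please bundle them with the node's certificate (in PEM or PKCS #12 format).
"""

if __name__ == "__main__":
    for group, names in triage(SAMPLE_LOG).items():
        print(group, names)
```

Certificates under "intermediates" are the ones the log message says to bundle with the node's certificate; each name under "issuers_not_loaded" still has to be traced upward until a self-signed certificate is reached, and that certificate is the one that belongs in the trusted-root directory.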
