gRPC-external-private
port used by
Dgraph’s Live Loader and Bulk Loader clients. To learn more about the HTTP and
gRPC ports used by Dgraph Alpha and Dgraph Zero, see
Ports Usage. Password-protected private keys are not
supported.
To further improve TLS security, only TLS v1.2 cypher suites that use 128-bit or
greater RSA or AES encryption are supported.
openssl
, be sure to specify
the encryption algorithm explicitly (like -aes256
). This forces openssl
to
include DEK-Info
header in private key, which is required to decrypt the key
by Dgraph. When default encryption is used, openssl
doesn’t write that
header and key can’t be decrypted.dgraph cert
command which was introduced in
v1.0.9. For previous releases, see the previous TLS configuration
documentation.dgraph cert
program creates and manages CA-signed certificates and private
keys using a generated Dgraph Root CA. There are three types of certificate/key
pairs:
tls
under the Dgraph working directory. The default directory path can be
overridden using the --dir
option. For example:
File name | Description | Use |
---|---|---|
ca.crt | Dgraph Root CA certificate | Verify all certificates |
ca.key | Dgraph CA private key | Validate CA certificate |
node.crt | Dgraph node certificate | Shared by all nodes for accepting TLS connections |
node.key | Dgraph node private key | Validate node certificate |
client.name.crt | Dgraph client certificate | Authenticate a client name |
client.name.key | Dgraph client private key | Validate name client certificate |
node.crt
can support multiple node names using multiple
host names and/or IP address. Just separate the names with commas when
generating the certificate.
localhost
, your
clients must connect to the matching host name — such as localhost
not
127.0.0.1
. If you need to use IP addresses, then add them to the node
certificate.dgraph cert ls
lists all certificates and keys in the --dir
directory (default dgraph-tls
), along with details to inspect and validate
cert/key pairs.
Example of command output:
--force
can help.ca.key
, but be readable.--force
.--tls
superflag and its
options. The following --tls
configuration options are available for Dgraph
Alpha and Dgraph Zero nodes:
ca-cert <path>
- Path and filename of the Dgraph Root CA (for example,
ca.crt
)server-cert <path>
- Path and filename of the node certificate (for example,
node.crt
)server-key <path>
- Path and filename of the node certificate private key
(for example, node.key
)use-system-ca
- Include System CA with Dgraph Root CA.client-auth-type <string>
- TLS client authentication used to validate
client connections from external ports. To learn more, see
Client Authentication Options.--tls_dir
flag.--tls
options:
ca-cert <path>
- Dgraph root CA, such as ./tls/ca.crt
use-system-ca
- Include System CA with Dgraph Root CA.client-cert
- User cert file provided by the client to Alphaclient-key
- User private key file provided by the client to Alphaserver-name <string>
- Server name, used for validating the server’s TLS
host name.client-auth-type
option that change the security policy of the
client certificate.
Value | Client Cert/Key | Client Certificate Verified |
---|---|---|
REQUEST | optional | Client certificate isn’t VERIFIED if provided. (least secure) |
REQUIREANY | required | Client certificate is never VERIFIED |
VERIFYIFGIVEN | optional | Client certificate is VERIFIED if provided (default) |
REQUIREANDVERIFY | required | Client certificate is always VERIFIED (most secure) |
REQUIREANDVERIFY
is the most secure but also the most difficult to configure
for clients. When using this value, the value of server-name
is matched
against the certificate SANs values and the connection host.
internal-port=true
, internal ports (by default 5080
and 7080) use the REQUIREANDVERIFY
setting. Unless otherwise configured,
external ports (by default 9080, 8080, and 6080) use the VERIFYIFGIVEN
setting. Changing the client-auth-type
option to another setting only
affects client authentication on external ports.dgraph-js-http
)
connect to Dgraph servers via HTTP, when TLS is enabled servers begin to expect
HTTPS requests only.
If you haven’t already created the CA certificate and the node certificate for
Alpha servers from the earlier instructions (see
Dgraph Certificate Management Tool), the
first step would be to generate these certificates, it can be done by the
following command:
client-auth-type
option is set to REQUEST
or
VERIFYIFGIVEN
(default), then client certificate isn’t mandatory. The steps
after generating CA/node certificate are as follows:
ca.crt
ca.crt
https://
endpoint of Alpha serverhttps://
instead of http://
, for
example https://localhost:8080
.REQUIREANY
and REQUIREANDVERIFY
as client-auth-type
option, you need
to follow the preceding steps and install client certificate on your browser:
dgraph cert -c laptopuser
.
.p12
file:
laptopuser.p12
.curl
requests to Dgraph need some specific options to
work. For instance (for changing draining mode):
curl
with
Client Authentication set to REQUIREANY
or
REQUIREANDVERIFY
, you need to provide the client certificate and private key.
For instance (for an export request):
curl
documentation for further information on its TLS options.
https://localhost:8080/
in the browser should produce a message
Dgraph browser is available for running separately using the dgraph-ratel binary
.
In case you are getting a connection error, try not passing the
client-auth-type
flag when starting an Alpha. If you are still getting an
error, check that your host name is correct and the port is open. Then, make
sure that “Dgraph Root CA” certificate is installed and trusted correctly.
After that, if things work without passing client-auth-type
but stop working
when REQUIREANY
and REQUIREANDVERIFY
are set, make sure the .p12
file is
installed correctly.