Using SSL to connect to Dgraph
Use SSL to encrypt the communication with your server. If --tls_on is set, the Dgraph server assumes that a certificate and key are loaded. The client uses the certificate to verify that the server it is talking to is the correct one.
Attention: Make sure that the common name is your server name and don't set a password challenge, email or optional company name.
Generate CA key & certificate
$ openssl genrsa -out MyRootCA.key 2048
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
Generate server key & certificate signing request
$ openssl genrsa -out MyServer.key 2048
$ openssl req -new -key MyServer.key -out MyServer.csr
Generate server certificate based on our own CA certificate
$ openssl x509 -req -in MyServer.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out MyServer.pem -days 1024 -sha256
We end up with:
MyServer.csr
MyServer.key
MyServer.pem
MyRootCA.key
MyRootCA.pem
MyRootCA.srl
If you want to use only SSL without TLS client authentication, you have to set ssl to true and set cacertfile to the correct path:
config :ex_dgraph, ExDgraph,
  # default port considered to be: 9080
  hostname: 'localhost',
  pool_size: 5,
  max_overflow: 1,
  ssl: true,
  cacertfile: '/path/to/MyRootCA.pem'
You also have to provide the respective server certificates and key to the server and start it with the following options:
command: dgraph server --my=server:7080 --memory_mb=2048 --zero=zero:5080 --tls_on --tls_ca_certs=/path/to/cert/in/container/MyRootCA.pem --tls_cert=/path/to/cert/in/container/MyServer.pem --tls_cert_key=/path/to/cert/in/container/MyServer.key
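
The generation steps above can be run without prompts and then checked before the files are handed to Dgraph and to cacertfile. This is an added example, not part of the ExDgraph documentation: the function names, the CA subject and the hostname dgraph.example.test are assumptions, while the file names follow the page.

```shell
#!/bin/sh
# Added example (not from the ExDgraph docs). File names follow the page;
# the CA subject and the hostname used in the demo are constructed values.

# Run the three generation steps without prompts. -subj sets only the common
# name, so no challenge password, email or company name ends up in the CSR.
make_certs() {  # usage: make_certs <dir> <server-common-name>
    ( cd "$1" &&
      openssl genrsa -out MyRootCA.key 2048 2>/dev/null &&
      openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 \
          -subj "/CN=Example Root CA" -out MyRootCA.pem &&
      openssl genrsa -out MyServer.key 2048 2>/dev/null &&
      openssl req -new -key MyServer.key -subj "/CN=$2" -out MyServer.csr &&
      openssl x509 -req -in MyServer.csr -CA MyRootCA.pem -CAkey MyRootCA.key \
          -CAcreateserial -out MyServer.pem -days 1024 -sha256 2>/dev/null )
}

# The server certificate must chain to the CA the client trusts via cacertfile.
chain_ok() {
    openssl verify -CAfile "$1/MyRootCA.pem" "$1/MyServer.pem" >/dev/null 2>&1
}

# --tls_cert and --tls_cert_key must belong together: compare public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/MyServer.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/MyServer.key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's common name so it can be compared with the hostname
# configured on the client.
cert_cn() {
    openssl x509 -in "$1/MyServer.pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demo in a scratch directory.
work=$(mktemp -d)
make_certs "$work" dgraph.example.test
if chain_ok "$work" && key_matches_cert "$work"; then
    echo "certificates consistent, CN=$(cert_cn "$work")"
fi
rm -rf "$work"
```

If chain_ok or key_matches_cert fails, the TLS handshake will fail as well, so it is quicker to catch a mismatched file here than in the client logs.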