Problem with HAproxy

(Stanley Jobson) #1

I already installed a 3-node CockroachDB cluster with a secure install. Now I am configuring HAProxy, but I have a problem with cockroach sql on the HAProxy machine. This is the error:

ddoeth@HA-Proxy0:~/bin/cockroach> cockroach sql --certs-dir=certs --host=HA-proxy0
# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
Error: x509: certificate is valid for cockroachdb-node0, not HA-proxy0
Failed running “sql”

If I connect directly to the node, it succeeds:

ddoeth@HA-Proxy0:~/bin/cockroach > cockroach sql --certs-dir=certs --host=cockroachdb-node0
# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
#
# Server version: CockroachDB CCL v2.0.5 (x86_64-unknown-linux-gnu, built 2018/08/13 17:59:42, go1.10) (same version as client)
# Cluster ID: 4e560d29-80ab-4ced-99ed-57b566b368af
#
# Enter ? for a brief introduction.

warning: no current database set. Use SET database = <dbname> to change, CREATE DATABASE to make a new database.
root@cockroachdb-node0:26257/>

Any solution for this problem?

(Raphael 'kena' Poss) #2

Hi Stanley,

Thank you for your inquiry. Your answer is to be found in the error message you pasted:

You need to create a client certificate for both the names cockroachdb-node0 and HA-proxy0.

I hope this helps!

(Stanley Jobson) #3

Thanks, my HAProxy and cockroachdb nodes are running perfectly.

(Joshua Yan) #4

Hi, knz

How do I create a client certificate for both the names cockroachdb-node0 and HA-proxy0?

I create the client certificates with "cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key --overwrite". How do I add the haproxy address?

(Marc) #5

The certificate in question is a server certificate, not client. You can create it with

cockroach cert create-node <flags> cockroachdb-node0 haproxy0 <other DNS names if needed>

(Joshua Yan) #6

It does not work.

My issue is
“cockroach sql --certs-dir=certs --host=192.168.0.165
# Welcome to the cockroach SQL interface.
# All statements must be terminated by a semicolon.
# To exit: CTRL + D.
Error: x509: certificate is valid for 192.168.0.237, not 192.168.0.165
Failed running “sql””

There are 3 cockroach nodes (192.168.0.237-239) and one haproxy (192.168.0.165).

My steps are:

  1. I create 3 cockroach node certificates and 1 haproxy certificate with “cockroach cert create-node XXXX”;
  2. Copy the certificates to the corresponding node (ca.crt, node.crt, node.key) and haproxy (ca.crt, client.root.crt, client.root.key)
  3. Access the haproxy with “cockroach sql --certs-dir=certs --host=192.168.0.165”; the message is shown above

I do not know which step is missing or wrong.

Any help is appreciated.

Thanks

(Marc) #7

haproxy is balancing at the TCP level; it does not perform TLS termination, so it does not need certificates.

The error message you are seeing is because you did not include the haproxy address in the node certificates. All names and addresses used to reach a node must be contained in the node certificate. This includes the server address and the haproxy address.
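
Added example (not part of the thread, and not CockroachDB code): the name check behind this error, reproduced with Go's standard library. `makeNodeCert` and `dialError` are hypothetical helpers, and the certificates are throwaway self-signed samples carrying the addresses from post #6.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeNodeCert builds a throwaway self-signed sample cert (constructed, not CockroachDB-issued) whose SANs are exactly names.
func makeNodeCert(names ...string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, n := range names {
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip) // IP literal: IP SAN
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n) // anything else: DNS SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dialError returns the name-check error a Go TLS client gets when it dials `dialed` and the node presents a cert with `sans`.
func dialError(dialed string, sans ...string) error {
	cert, err := makeNodeCert(sans...)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(dialed) // same check crypto/tls runs on the dialed address
}

func main() {
	fmt.Println(dialError("192.168.0.165", "192.168.0.237"))                  // proxy address missing from SANs
	fmt.Println(dialError("192.168.0.165", "192.168.0.237", "192.168.0.165")) // proxy address included
}
```

Because the proxy forwards TCP unchanged, the client compares the address it dialed (the proxy) against the SAN list of whichever node answered, so every node certificate needs the proxy address in it.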

(Joshua Yan) #8

It works.

Thanks, Marc