Writable Cluster - what am I doing wrong?

I am trying to make one of my cluster nodes writable from outside.

I created a username and password for basic authentication and put them in the service.json file:

  "basic_auth_credentials": {
    "Wy6ZDD4VeFkXa2H": "7wuUoGZZpNJD39Q"
  }

The following commands worked ON the machine with ipfs-cluster-service running:
ipfs-cluster-ctl -basic-auth "Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q" -force-http peers ls
ipfs-cluster-ctl -basic-auth "Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q" -force-http id

However, these did NOT work remotely:
curl --basic --user Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q http://xxx.xxx.xxx.xxx:9094/id
curl --basic --user Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q https://xxx.xxx.xxx.xxx:9094/id

Error:
curl: (7) Failed to connect to xxx.xxx.xxx.xxx port 9094: Connection refused

So, I followed some info I got here:

and I generated an ssl_cert_file and ssl_key_file on the server with this command:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

Then I put the files in a directory of their own, and put the absolute paths in the service.json file:

  "ssl_cert_file": "/root/certificates/server.pem",
  "ssl_key_file": "/root/certificates/server.key",

However, now local commands and remote commands BOTH fail:

Local:
ipfs-cluster-ctl -basic-auth "Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q" id

Gets me this:
An error occurred:
Code: 0
Message: Get https://127.0.0.1:9094/id: dial tcp 127.0.0.1:9094: connect: connection refused

I also get the same error locally if I try to run this command:
ipfs-cluster-ctl id

Remote:
curl --basic --user Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q http://xxx.xxx.xxx.xxx:9094/id
Gets me this:
curl: (7) Failed to connect to 142.93.113.86 port 9094: Connection refused

I guess I am not working with these certificates correctly, or I have skipped some important configuration step.

Any ideas on what I am doing wrong?

Hi, if your local commands stopped working, maybe cluster did not start at all after your changes and it’s not running. "Connection refused" is an error from the system meaning there is no listener on that ip:port; your request doesn’t reach cluster. Check the logs to see if there are any problems in them.

Remember you need to change http_listen_multiaddress to /ip4/0.0.0.0/tcp/9094 as well.

Finally, we have a bug in ipfs-cluster-ctl when using https, which will cause an error, but it’s a client issue and shouldn’t affect curl.

Thanks, it seems that indeed, the cluster is not starting:

root@Node-0:~# ipfs-cluster-service daemon
10:47:49.948  INFO    service: Initializing. For verbose output run with "-l debug". Please wait... daemon.go:43
10:47:49.949 ERROR     config: Error loading TLS certficate/key: open /root/certificates/server.pem: no such file or directory config.go:293
error loading configuration: restapi failed to validate: missing TLS configuration

I’ll have to figure out why it cannot find that file.

OK, there was a misnamed file - it should have been

"ssl_cert_file": "/root/certificates/server.crt",

not

"ssl_cert_file": "/root/certificates/server.pem",

I also changed

  "http_listen_multiaddress": "/ip4/127.0.0.1/tcp/9094",

to

  "http_listen_multiaddress": "/ip4/0.0.0.0/tcp/9094",

The node still won’t start though, so I’ll try to get that running again.

With the node running, I can use curl (finally). I have to turn off curl’s certificate verification (with the -k flag), so I still have some learning to do with certificates and how to use them, but I can now issue commands from another server:

curl --basic --user Wy6ZDD4VeFkXa2H:7wuUoGZZpNJD39Q -k https://x.x.x.x:9094/id

Thanks!

> I have to turn off curl’s certificate verification (with the -k flag), so I still have some learning to do with certificates

Yes, because you’re using self-signed certificates.

Good to hear anyway!
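
The two problems found in this thread (a certificate path that did not exist, and a loopback-only listen address) can be caught before starting the daemon. The following is an added example, not part of the original thread and not ipfs-cluster code: `preflight` is a hypothetical helper that assumes you pass it the dict from service.json holding the keys quoted above, and the sample values are constructed.

```python
import ipaddress
import os
import ssl

# Constructed sample mirroring the thread's first TLS attempt (placeholder credentials).
SAMPLE = {
    "http_listen_multiaddress": "/ip4/127.0.0.1/tcp/9094",
    "ssl_cert_file": "/root/certificates/server.pem",
    "ssl_key_file": "/root/certificates/server.key",
    "basic_auth_credentials": {"example-user": "example-password"},
}


def preflight(restapi):
    """Return (errors, warnings) for one REST API config section (a dict)."""
    errors, warnings = [], []
    cert, key = restapi.get("ssl_cert_file", ""), restapi.get("ssl_key_file", "")
    creds = restapi.get("basic_auth_credentials") or {}
    if bool(cert) != bool(key):
        errors.append("ssl_cert_file and ssl_key_file must be set together")
    missing = [p for p in (cert, key) if p and not os.path.isfile(p)]
    # A missing file is what stopped the daemon from starting in the thread.
    errors += [f"no such file: {p}" for p in missing]
    if cert and key and not missing:
        try:
            # Also rejects a key that does not belong to the certificate.
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)
        except (ssl.SSLError, OSError) as exc:
            errors.append(f"certificate/key pair not loadable: {exc}")
    # Only the /ip4|ip6/<address>/tcp/<port> form used in the thread is handled.
    parts = restapi.get("http_listen_multiaddress", "").strip("/").split("/")
    try:
        if len(parts) != 4 or parts[0] not in ("ip4", "ip6") or parts[2] != "tcp":
            raise ValueError
        addr = ipaddress.ip_address(parts[1])
    except ValueError:
        errors.append("unsupported http_listen_multiaddress")
        return errors, warnings
    if addr.is_loopback:
        warnings.append("loopback listener: remote clients get 'connection refused'")
    elif not creds:
        warnings.append("API reachable from other hosts without basic auth")
    elif not (cert and key):
        warnings.append("basic auth over plain HTTP exposes the credentials")
    return errors, warnings


if __name__ == "__main__":
    print(preflight(SAMPLE))
```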