How to run revad with TLS enabled #1962

Open
michielbdejong opened this issue Aug 6, 2021 · 13 comments

Comments

@michielbdejong (Contributor)

Can I run revad with a TLS certificate for grpc and https? If so, how?
I searched for this in the docs and in the code but couldn't find how to do it.

michielbdejong pushed a commit to michielbdejong/ocm-stub that referenced this issue Aug 6, 2021
@michielbdejong (Contributor, Author)

While it seems to be impossible to run revad with https directly, it does refer to itself with https for instance here:
https://github.com/cs3org/reva/blob/v1.11.0/internal/http/services/ocmd/config.go#L64

So should revad always be run behind a TLS-offloading proxy, then? Or am I missing something?

michielbdejong added a commit to michielbdejong/reva that referenced this issue Aug 9, 2021
@michielbdejong (Contributor, Author)

michielbdejong commented Oct 19, 2021

I think it's probably easier to include https support in reva than to tell people (including myself with the ocm-test-suite) to run a separate proxy. I'll see if I can make it work.
These two lines are key:

@michielbdejong (Contributor, Author)

In starting the grpc server and starting the http server we would then probably just use s.ServeTLS instead of s.Serve.

@michielbdejong (Contributor, Author)

Making good progress with this in the pass-ocm-test-suite branch and the 'revad' docker image in the dev branch of ocm-test-suite. Now seeing:

authentication handshake failed: x509: certificate relies on legacy Common Name field, use SANs instead

michielbdejong pushed a commit to cs3org/ocm-test-suite that referenced this issue Oct 20, 2021
@michielbdejong (Contributor, Author)

Next error:

2021-10-20 13:08:04.967 DBG ../../reva/internal/grpc/interceptors/auth/auth.go:92 > skipping auth method=/cs3.gateway.v1beta1.GatewayAPI/ListAuthProviders pid=8 pkg=rgrpc
2021-10-20 13:08:04.973 ERR ../../reva/internal/grpc/services/gateway/authregistry.go:45 > gateway error="gateway: error calling ListAuthProviders: rpc error: code = Unavailable desc = connection closed" pid=8 pkg=rgrpc
2021-10-20 13:08:04.974 DBG ../../reva/internal/grpc/interceptors/log/log.go:69 > unary code=OK end="20/Oct/2021:13:08:04 +0000" from=tcp://127.0.0.1:33026 pid=8 pkg=rgrpc start="20/Oct/2021:13:08:04 +0000" time_ns=6453354 uri=/cs3.gateway.v1beta1.GatewayAPI/ListAuthProviders user-agent=grpc-go/1.26.0
2021-10-20 13:08:08.483 DBG ../../reva/internal/grpc/interceptors/auth/auth.go:92 > skipping auth method=/cs3.gateway.v1beta1.GatewayAPI/Authenticate pid=8 pkg=rgrpc
2021-10-20 13:08:08.483 ERR ../../reva/internal/grpc/services/gateway/authprovider.go:55 > error getting auth provider client error="error: not found: gateway: error finding auth provider for type: basic" pid=8 pkg=rgrpc
2021-10-20 13:08:08.484 DBG ../../reva/internal/grpc/interceptors/log/log.go:69 > unary code=OK end="20/Oct/2021:13:08:08 +0000" from=tcp://127.0.0.1:33034 pid=8 pkg=rgrpc start="20/Oct/2021:13:08:08 +0000" time_ns=613229 uri=/cs3.gateway.v1beta1.GatewayAPI/Authenticate user-agent=grpc-go/1.26.0

@michielbdejong (Contributor, Author)

Also seeing

{"level":"error","pid":8,"error":"rpc error: code = Unavailable desc = connection closed","time":"2021-10-20T13:07:37.963792946Z","caller":"/reva/internal/grpc/services/appprovider/appprovider.go:123","message":"error registering app provider: error calling add app provider"}

before that

@michielbdejong (Contributor, Author)

Ah, this is because of https://github.com/cs3org/reva/blob/v1.14.0/pkg/rgrpc/todo/pool/pool.go#L90
Will fix tomorrow.

@michielbdejong (Contributor, Author)

It's leading to quite a big diff because all grpc clients need to know the filename of the grpc server's public certificate, but I seem to have a working version now.

@michielbdejong (Contributor, Author)

aah wait, I could just have done

```go
// Inside the gRPC client dial helper: wrap the transport in TLS credentials.
tlsconf := &tls.Config{InsecureSkipVerify: skipverify}
creds := credentials.NewTLS(tlsconf)
return grpc.Dial(conf.Host, grpc.WithTransportCredentials(creds))
```

like reva-cli does... hm that is probably preferable over such a big refactor
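The "certificate relies on legacy Common Name field" handshake failure reported earlier in this thread and the InsecureSkipVerify shortcut above are two sides of the same check. The following is an added example (not reva's or reva-cli's code) that builds a throwaway self-signed certificate with and without a SAN and shows what a client that pins the server certificate, instead of skipping verification, accepts and rejects; the hostname and certificate are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a self-signed server certificate for host (constructed test
// data, not revad's). withSAN=false leaves host only in the CN, which Go rejects.
func selfSigned(host string, withSAN bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // the SubjectAltName entry the error asks for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientTLSConfig is the alternative to InsecureSkipVerify: trust only the
// server's own certificate and check the hostname against its SANs.
func clientTLSConfig(serverCert *x509.Certificate, host string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert)
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
}

// verify performs the chain and hostname check the TLS handshake would do
// with cfg; a nil result means the client would accept the server.
func verify(cfg *tls.Config, cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}
```

Passing the resulting config to credentials.NewTLS gives every gRPC client a verified connection without a global skip-verify switch, at the cost of distributing the server certificate (or a CA that issued it) to the clients, which is the refactor discussed in this thread.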

@michielbdejong (Contributor, Author)

Ah but that wouldn't have avoided the refactor, you would still need to know whether to connect securely or insecurely, so you would still need to pass at least a boolean around.

@michielbdejong (Contributor, Author)

There is some problem where revad closes its connection to itself, not sure why. For the ocm-test-suite it's important to have tls on http but maybe not so important to have it on grpc. I therefore parked the grpc-with-tls work in https://github.com/michielbdejong/reva/tree/grpc-with-tls.

In the context of the ocm-test-suite, I'll continue in the https://github.com/michielbdejong/reva/tree/pass-ocm-test-suite with tls for http but not for grpc.

@wkloucek (Contributor)

wkloucek commented Nov 7, 2022

Settings for GRPC have been added in Reva edge in this PR: #3332
