I know the rethinkdb guide uses a self-signed cert as an example. If I wanted to use a real certificate that I purchased, how can I add the bundle to the server conf? I added the certificate I purchased and its key to the config:
    driver-tls-key=/etc/ssl/star.cert.key
    driver-tls-cert=/etc/ssl/star.cert.crt
openssl s_client gives me the following:
    Verify return code: 21 (unable to verify the first certificate)
With this as the certificate chain:
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
How can I use this cert properly?
Best Answer
Silly me. There was a --driver-tls-ca option that I was missing. I found it in the rethinkdb manual (man rethinkdb).
I set it in my rethinkdb instance conf file:
And everything works as expected. openssl s_client returns the proper 0 (ok) code.
Edit note: Although with the rethinkdb dump utility it looks like there is no ca option so I can't use a real cert anyway.
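The "unable to get local issuer certificate" failure in the question can be reproduced offline: a leaf signed by an intermediate does not verify against the root alone, and does verify once the intermediate is supplied. This is an added example, not part of the original post; the chain (demo-root, demo-intermediate, *.example.test) and the function names are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo chain: demo-root -> demo-intermediate -> *.example.test
# All names and keys are throwaway values made up for this example.

new_req() {  # $1 = dir, $2 = basename, $3 = CN; writes $2.key and $2.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = directory to populate
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  # Self-signed root CA
  new_req "$1" root "demo-root" &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  # Intermediate CA, signed by the root
  new_req "$1" int "demo-intermediate" &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
  # Wildcard leaf, signed by the intermediate (not by the root)
  new_req "$1" leaf "*.example.test" &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

# Client trusts the root and receives only the leaf: the issuer is missing.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
}

# Same trust store, but the intermediate is offered as an untrusted chain cert,
# which is what a server does when it sends its full chain.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt"
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir"
verify_leaf_only "$demo_dir" 2>&1 || echo "leaf alone: verification failed"
verify_with_chain "$demo_dir" && echo "leaf + intermediate: verified"
```

A server that presents only certificate 0, as in the `Certificate chain` output above, puts a client holding just the root in the first situation.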