22.3 server fails to merge config when SSL configuration contains server key with a passphrase

[vzakaznikov]

Describe what's wrong

Server fails to merge config when SSL configuration contains <privateKeyPassphraseHandler> section.

                10ms                  [clickhouse1] >       <privateKeyPassphraseHandler>
                11ms                  [clickhouse1] >         <name>KeyFileHandler</name>
                11ms                  [clickhouse1] >         <options>
                12ms                  [clickhouse1] >           <password>hello</password>
                12ms                  [clickhouse1] >         </options>
                13ms                  [clickhouse1] >       </privateKeyPassphraseHandler>

Does it reproduce on recent release?

Reproduced on: clickhouse/clickhouse-server:22.3.2.2-alpine

How to reproduce

Run tests in #35949.

tests/testflows/ssl_server$ ./regression.py --local --clickhouse-binary-path docker://clickhouse/clickhouse-server:22.3.2.2-alpine -l test.log --only "/ssl server/ssl context/enable ssl with server key passphrase/*"

Expected behavior

It should work.

Error message and/or stacktrace

2022.04.05 03:06:19.117504 [ 4608 ] {} <Error> ConfigReloader: Error updating configuration from '/etc/clickhouse-server/config.xml' config.: Poco::Exception. Code: 1000, e.code() = 0, OpenSSLException: EVPKey::loadKey(string): error:09000068:PEM routines:OPENSSL_internal:BAD_PASSWORD_READ, Stack trace (when copying this message, always include the lines below):

0. Poco::Crypto::OpenSSLException::OpenSSLException(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int) @ 0x164b83ec in /usr/bin/clickhouse
1. bool Poco::Crypto::EVPPKey::loadKey<evp_pkey_st, void* (*)(evp_pkey_st*)>(evp_pkey_st**, evp_pkey_st* (*)(_IO_FILE*, evp_pkey_st**, int (*)(char*, int, int, void*), void*), void* (*)(evp_pkey_st*), std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x164b63b9 in /usr/bin/clickhouse
2. Poco::Crypto::EVPPKey::EVPPKey(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x164b6047 in /usr/bin/clickhouse
3. DB::CertificateReloader::Data::Data(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) @ 0x151917a1 in /usr/bin/clickhouse
4. DB::CertificateReloader::tryLoad(Poco::Util::AbstractConfiguration const&) @ 0x15190139 in /usr/bin/clickhouse
5. ? @ 0xa577187 in /usr/bin/clickhouse
6. ? @ 0xa575507 in /usr/bin/clickhouse
7. DB::ConfigReloader::reloadIfNewer(bool, bool, bool, bool) @ 0x1585dc46 in /usr/bin/clickhouse
8. DB::ConfigReloader::run() @ 0x1585fe5f in /usr/bin/clickhouse
9. ThreadFromGlobalPool::ThreadFromGlobalPool<void (DB::ConfigReloader::*)(), DB::ConfigReloader*>(void (DB::ConfigReloader::*&&)(), DB::ConfigReloader*&&)::'lambda'()::operator()() @ 0x15860e37 in /usr/bin/clickhouse
10. ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) @ 0xa584c97 in /usr/bin/clickhouse
11. ? @ 0xa58881d in /usr/bin/clickhouse
12. ? @ 0x7f8e16fde609 in ?
13. __clone @ 0x7f8e16f05293 in ?
 (version 22.3.2.1)

[vzakaznikov]

Test log https://gist.github.com/vzakaznikov/3cdec8fa7f73ddc7a5bb9aeee8979ca4.
Fail at https://gist.github.com/vzakaznikov/3cdec8fa7f73ddc7a5bb9aeee8979ca4#file-nice-log-L651.

[FArthur-cmd]

Maybe because of this: #34887. I'll have a look.

[vzakaznikov]

I still see the same fail on 22.3.5.5

[FArthur-cmd]

#36724

[vzakaznikov]

@FArthur-cmd, the issue is confirmed to be resolved in 22.3.6.5. But is dynamic SSL server configuration (changing configuration without server restart) supported?

Passing

✔ [ OK ] /ssl server/sanity/check non secure connection
✔ [ OK ] /ssl server/sanity
✔ [ OK ] /ssl server/ssl context/enable ssl no server key passphrase
✔ [ OK ] /ssl server/ssl context/enable ssl with server key passphrase
✔ [ OK ] /ssl server/ssl context
✔ [ OK ] /ssl server

Known

✘ [ XFail ] /ssl server/ssl context/enable ssl no server key passphrase dynamically ᐅ https://github.com/ClickHouse/ClickHouse/issues/35950
✘ [ XFail ] /ssl server/ssl context/enable ssl with server key passphrase dynamically ᐅ https://github.com/ClickHouse/ClickHouse/issues/35950

[FArthur-cmd]

If I understand you correctly, it is supported. You can see this test https://github.com/ClickHouse/ClickHouse/blob/master/tests/integration/test_reload_certificate/test.py. Configuration is updated without server restart.

[vzakaznikov]

I checked that test and I see it using SYSTEM RELOAD CONFIG but dynamic ssl server configuration does not work for me and I get the following error. Looks like that test is just changing certificates on the server that is already configured for ssl connection. What I am trying to do is to configure server that is initially not configured to use ssl to use ssl.

                 4ms                    [clickhouse1] bash# echo -e "SYSTEM RELOAD CONFIG" | clickhouse client -n
                45ms                    [clickhouse1] Received exception from server (version 22.3.6):
                45ms                    [clickhouse1] Code: 210. DB::Exception: Received from localhost:9000. DB::Exception: Listen [0.0.0.0]:8443 failed: Poco::Exception. Code: 1000, e.code() = 0, SSL Exception: Configuration error: no certificate file has been specified (version 22.3.6.5 (official build)). (NETWORK_ERROR)
                45ms                    [clickhouse1] (query: SYSTEM RELOAD CONFIG
                45ms                    [clickhouse1] )
                54ms                    [clickhouse1] bash# echo $?

Here is what I see in the error log

2022.05.11 00:22:22.940897 [ 262 ] {f0ea897e-a3a7-4661-82f5-efd787691382} <Error> TCPHandler: Code: 210. DB::Exception: Listen [0.0.0.0]:8443 failed: Poco::Exception. Code: 1000, e.code() = 0, SSL Exception: Configuration error: no certificate file has been specified (version 22.3.6.5 (official build)). (NETWORK_ERROR), Stack trace (when copying this message, always include the lines below):

0. DB::Exception::Exception(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int, bool) @ 0xb37173a in /usr/bin/clickhouse
1. DB::Server::createServer(Poco::Util::AbstractConfiguration&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, bool, bool, std::__1::vector<DB::ProtocolServerAdapter, std::__1::allocator<DB::ProtocolServerAdapter> >&, std::__1::function<DB::ProtocolServerAdapter (unsigned short)>&&) const @ 0xb3e9f76 in /usr/bin/clickhouse
2. DB::Server::createServers(Poco::Util::AbstractConfiguration&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&, bool, Poco::ThreadPool&, DB::AsynchronousMetrics&, std::__1::vector<DB::ProtocolServerAdapter, std::__1::allocator<DB::ProtocolServerAdapter> >&, bool) @ 0xb4019dd in /usr/bin/clickhouse
3. DB::Server::updateServers(Poco::Util::AbstractConfiguration&, Poco::ThreadPool&, DB::AsynchronousMetrics&, std::__1::vector<DB::ProtocolServerAdapter, std::__1::allocator<DB::ProtocolServerAdapter> >&) @ 0xb406f82 in /usr/bin/clickhouse
4. ? @ 0xb40af3f in /usr/bin/clickhouse
5. ? @ 0xb4093a7 in /usr/bin/clickhouse
6. DB::ConfigReloader::reloadIfNewer(bool, bool, bool, bool) @ 0x16ccd206 in /usr/bin/clickhouse
7. ? @ 0xb40df7e in /usr/bin/clickhouse
8. DB::InterpreterSystemQuery::execute() @ 0x15aef0ee in /usr/bin/clickhouse
9. ? @ 0x15d27b4f in /usr/bin/clickhouse
10. DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::shared_ptr<DB::Context>, bool, DB::QueryProcessingStage::Enum) @ 0x15d255f5 in /usr/bin/clickhouse
11. DB::TCPHandler::runImpl() @ 0x168b0a3a in /usr/bin/clickhouse
12. DB::TCPHandler::run() @ 0x168c0399 in /usr/bin/clickhouse
13. Poco::Net::TCPServerConnection::start() @ 0x19b801ef in /usr/bin/clickhouse
14. Poco::Net::TCPServerDispatcher::run() @ 0x19b82641 in /usr/bin/clickhouse
15. Poco::PooledThread::run() @ 0x19d3f609 in /usr/bin/clickhouse
16. Poco::ThreadImpl::runnableEntry(void*) @ 0x19d3c960 in /usr/bin/clickhouse
17. ? @ 0x7f4f802aa609 in ?
18. __clone @ 0x7f4f801d1293 in ?

[vzakaznikov]

@FArthur-cmd, can you try configuring SSL dynamically on the server that has been started without any SSL configuration?

[FArthur-cmd]

I thought about other scenario. Dynamic changes are supported for SSL configuration only if server was started with it.

[alexey-milovidov]

@vzakaznikov This scenario is not meant to be supported.
And you don't need SYSTEM RELOAD CONFIG, everything is handled on the fly.