Production postmortemThe self signed certificate that couldn’t

time to read 3 min | 434 words

RavenDB makes extensive use of certificates for authentication and encryption. They allow us to safely communicate between distributed instances without worrying about a man in the middle or eavesdroppers. Given the choices we had to implement authentication, I’m really happy with the results of choosing certificates as the foundation of our authentication infrastructure.

It would be too good, however, to expect to have no issues with certificates. The topic of this point is a puzzler. A user has chosen to use a self signed certificate for the nodes in the cluster, but was unable to authenticate between the servers unless they registered the certificate in the OS’ store.

That sounds reasonable, right? If this is a self signed certificate, we obviously don’t trust it, so we need this extra step to ensure that we do trust it. However, we designed RavenDB specifically to avoid this step. If you are using a self signed certificate, the server will trust its own certificate, and thus will trust anyone that is using the same certificate.

In this case, however, that wasn’t happening. For some reason, the code path that we use to ensure that we trust our own certificate was not being activated, and that was a puzzler indeed.

One of the things that RavenDB does on first startup is to try to connect to itself as a client. It checks whatever it is successful or not. If not, we’ll try again, ignoring the registered root CAs. If we are successful at that point, we know what the issue here and ensure that we ignore the untrusted signer on the certificate. We only enable this code path if by default we don’t trust our own certificate.

Looking at the logs, we could see that we got a failure when talking to ourselves, some sort of a device not ready issue. That was strange. We hooked strace to look into what was going on, but there was nothing that was wrong at the sys call level. Then we looked into what was going on and realized that the issue was that the server’s was configured to use: but was actually hosted on

Do you see the difference?

The server was try to contact itself using the configured hostname. It failed, because of a DNS issue, so it couldn’t contact itself to figure out that the certificate was invalid. At that point, it didn’t install the hook and wouldn’t trust the self signed certificate.

So the issue started with investigating why we nodes in the cluster don’t trust each other with self signed certificate and got resolved by a simple configuration error.

More posts in "Production postmortem" series:

  1. (24 Jul 2023) The dog ate my request
  2. (03 Jul 2023) ENOMEM when trying to free memory
  3. (27 Jan 2023) The server ate all my memory
  4. (23 Jan 2023) The big server that couldn’t handle the load
  5. (16 Jan 2023) The heisenbug server
  6. (03 Oct 2022) Do you trust this server?
  7. (15 Sep 2022) The missed indexing reference
  8. (05 Aug 2022) The allocating query
  9. (22 Jul 2022) Efficiency all the way to Out of Memory error
  10. (18 Jul 2022) Broken networks and compressed streams
  11. (13 Jul 2022) Your math is wrong, recursion doesn’t work this way
  12. (12 Jul 2022) The data corruption in the node.js stack
  13. (11 Jul 2022) Out of memory on a clear sky
  14. (29 Apr 2022) Deduplicating replication speed
  15. (25 Apr 2022) The network latency and the I/O spikes
  16. (22 Apr 2022) The encrypted database that was too big to replicate
  17. (20 Apr 2022) Misleading security and other production snafus
  18. (03 Jan 2022) An error on the first act will lead to data corruption on the second act…
  19. (13 Dec 2021) The memory leak that only happened on Linux
  20. (17 Sep 2021) The Guinness record for page faults & high CPU
  21. (07 Jan 2021) The file system limitation
  22. (23 Mar 2020) high CPU when there is little work to be done
  23. (21 Feb 2020) The self signed certificate that couldn’t
  24. (31 Jan 2020) The slow slowdown of large systems
  25. (07 Jun 2019) Printer out of paper and the RavenDB hang
  26. (18 Feb 2019) This data corruption bug requires 3 simultaneous race conditions
  27. (25 Dec 2018) Handled errors and the curse of recursive error handling
  28. (23 Nov 2018) The ARM is killing me
  29. (22 Feb 2018) The unavailable Linux server
  30. (06 Dec 2017) data corruption, a view from INSIDE the sausage
  31. (01 Dec 2017) The random high CPU
  32. (07 Aug 2017) 30% boost with a single line change
  33. (04 Aug 2017) The case of 99.99% percentile
  34. (02 Aug 2017) The lightly loaded trashing server
  35. (23 Aug 2016) The insidious cost of managed memory
  36. (05 Feb 2016) A null reference in our abstraction
  37. (27 Jan 2016) The Razor Suicide
  38. (13 Nov 2015) The case of the “it is slow on that machine (only)”
  39. (21 Oct 2015) The case of the slow index rebuild
  40. (22 Sep 2015) The case of the Unicode Poo
  41. (03 Sep 2015) The industry at large
  42. (01 Sep 2015) The case of the lying configuration file
  43. (31 Aug 2015) The case of the memory eater and high load
  44. (14 Aug 2015) The case of the man in the middle
  45. (05 Aug 2015) Reading the errors
  46. (29 Jul 2015) The evil licensing code
  47. (23 Jul 2015) The case of the native memory leak
  48. (16 Jul 2015) The case of the intransigent new database
  49. (13 Jul 2015) The case of the hung over server
  50. (09 Jul 2015) The case of the infected cluster