Help with setup of Zeebe Standalone Gateway

Hi! I’m using Zeebe 8.1.8 and trying to set up a standalone Gateway and a Broker (without the embedded gateway) with TLS enabled, running in Docker via a Compose file.
To achieve this I found two configs, one for the gateway and one for the broker,
plus a test certificate chain (chaincamunda.pem) and the private key that goes with it.

When I start it, the Gateway prints the configuration below, and as you can see it uses plaintext instead of TLS ("security" has "enabled" : false under "network", "gateway.cluster" and "gateway"):

{
  "network" : {
    "host" : "192.168.16.3",
    "portOffset" : 0,
    "maxMessageSize" : "4MB",
    "advertisedHost" : "192.168.16.3",
    "commandApi" : {
      "host" : "192.168.16.3",
      "port" : 26501,
      "advertisedHost" : "192.168.16.3",
      "advertisedPort" : 26501,
      "address" : "192.168.16.3:26501",
      "advertisedAddress" : "192.168.16.3:26501"
    },
    "internalApi" : {
      "host" : "192.168.16.3",
      "port" : 26502,
      "advertisedHost" : "192.168.16.3",
      "advertisedPort" : 26502,
      "address" : "192.168.16.3:26502",
      "advertisedAddress" : "192.168.16.3:26502"
    },
    "security" : {
      "enabled" : false,
      "certificateChainPath" : null,
      "privateKeyPath" : null
    },
    "maxMessageSizeInBytes" : 4194304
  },
  "cluster" : {
    "initialContactPoints" : [ ],
    "partitionIds" : [ 1 ],
    "nodeId" : 0,
    "partitionsCount" : 1,
    "replicationFactor" : 1,
    "clusterSize" : 1,
    "clusterName" : "zeebe-cluster",
    "heartbeatInterval" : "PT0.25S",
    "electionTimeout" : "PT2.5S",
    "membership" : {
      "broadcastUpdates" : false,
      "broadcastDisputes" : true,
      "notifySuspect" : false,
      "gossipInterval" : "PT0.25S",
      "gossipFanout" : 2,
      "probeInterval" : "PT1S",
      "probeTimeout" : "PT0.1S",
      "suspectProbes" : 3,
      "failureTimeout" : "PT10S",
      "syncInterval" : "PT10S"
    },
    "raft" : {
      "enablePriorityElection" : true
    },
    "messageCompression" : "NONE"
  },
  "threads" : {
    "cpuThreadCount" : 2,
    "ioThreadCount" : 2
  },
  "data" : {
    "directory" : "/usr/local/zeebe/data",
    "logSegmentSize" : "128MB",
    "snapshotPeriod" : "PT5M",
    "logIndexDensity" : 100,
    "diskUsageMonitoringEnabled" : true,
    "diskUsageReplicationWatermark" : 0.99,
    "diskUsageCommandWatermark" : 0.97,
    "diskUsageMonitoringInterval" : "PT1S",
    "backup" : {
      "store" : "NONE",
      "s3" : {
        "bucketName" : null,
        "endpoint" : null,
        "region" : null,
        "accessKey" : null,
        "secretKey" : null,
        "apiCallTimeout" : "PT3M"
      }
    },
    "logSegmentSizeInBytes" : 134217728,
    "freeDiskSpaceCommandWatermark" : 8084711793,
    "freeDiskSpaceReplicationWatermark" : 2694903931
  },
  "exporters" : { },
  "gateway" : {
    "network" : {
      "host" : "0.0.0.0",
      "port" : 26500,
      "minKeepAliveInterval" : "PT30S"
    },
    "cluster" : {
      "initialContactPoints" : [ "192.168.16.3:26502" ],
      "requestTimeout" : "PT15S",
      "clusterName" : "zeebe-cluster",
      "memberId" : "gateway",
      "host" : "192.168.16.3",
      "advertisedHost" : "192.168.16.3",
      "port" : 26502,
      "advertisedPort" : 26502,
      "membership" : {
        "broadcastUpdates" : false,
        "broadcastDisputes" : true,
        "notifySuspect" : false,
        "gossipInterval" : "PT0.25S",
        "gossipFanout" : 2,
        "probeInterval" : "PT1S",
        "probeTimeout" : "PT0.1S",
        "suspectProbes" : 3,
        "failureTimeout" : "PT10S",
        "syncInterval" : "PT10S"
      },
      "security" : {
        "enabled" : false,
        "certificateChainPath" : null,
        "privateKeyPath" : null
      },
      "messageCompression" : "NONE"
    },
    "threads" : {
      "managementThreads" : 1
    },
    "security" : {
      "enabled" : false,
      "certificateChainPath" : null,
      "privateKeyPath" : null
    },
    "longPolling" : {
      "enabled" : true
    },
    "interceptors" : [ ],
    "initialized" : true,
    "enable" : true
  },
  "backpressure" : {
    "enabled" : true,
    "algorithm" : "VEGAS",
    "aimd" : {
      "requestTimeout" : "PT1S",
      "initialLimit" : 100,
      "minLimit" : 1,
      "maxLimit" : 1000,
      "backoffRatio" : 0.9
    },
    "fixed" : {
      "limit" : 20
    },
    "vegas" : {
      "alpha" : 3,
      "beta" : 6,
      "initialLimit" : 20
    },
    "gradient" : {
      "minLimit" : 10,
      "initialLimit" : 20,
      "rttTolerance" : 2.0
    },
    "gradient2" : {
      "minLimit" : 10,
      "initialLimit" : 20,
      "rttTolerance" : 2.0,
      "longWindow" : 600
    }
  },
  "experimental" : {
    "maxAppendsPerFollower" : 2,
    "maxAppendBatchSize" : "32KB",
    "disableExplicitRaftFlush" : false,
    "rocksdb" : {
      "columnFamilyOptions" : { },
      "enableStatistics" : false,
      "memoryLimit" : "512MB",
      "maxOpenFiles" : -1,
      "maxWriteBufferNumber" : 6,
      "minWriteBufferNumberToMerge" : 3,
      "ioRateBytesPerSecond" : 0,
      "disableWal" : false
    },
    "raft" : {
      "requestTimeout" : "PT5S",
      "maxQuorumResponseTimeout" : "PT0S",
      "minStepDownFailureCount" : 3,
      "preferSnapshotReplicationThreshold" : 100,
      "preallocateSegmentFiles" : true
    },
    "partitioning" : {
      "scheme" : "ROUND_ROBIN",
      "fixed" : [ ]
    },
    "queryApi" : {
      "enabled" : false
    },
    "consistencyChecks" : {
      "enablePreconditions" : false,
      "enableForeignKeyChecks" : false,
      "settings" : {
        "enablePreconditions" : false,
        "enableForeignKeyChecks" : false
      }
    },
    "features" : {
      "enableYieldingDueDateChecker" : false,
      "enableActorMetrics" : false,
      "enableBackup" : false
    },
    "maxAppendBatchSizeInBytes" : 32768
  },
  "executionMetricsExporterEnabled" : false,
  "processing" : {
    "maxCommandsInBatch" : 1
  }
}

The Broker shows that it’s using TLS.
When Operate (also configured to use TLS via environment variables) tries to fetch the partition ids, it gives me errors with “not an SSL/TLS record” and in the end “Partition ids can’t be fetched from Zeebe”.
In the Gateway there’s only one exception, about “HTTP/2 client preface string missing or corrupt.”
What am I doing wrong? Why doesn’t the Gateway pick up the security settings from its config? Which initialContactPoints do I need to copy from the broker: commandApi or internalApi?

There’s my 2 files that i use to initialize setup in docker
gateway - application.yaml (12.3 KB)
broker - application.yaml (49.9 KB)

And docker compose:
docker-compose.yaml (15.9 KB)

P.S.: Sorry for the multiple posts in this thread, but I can’t get around the restriction of only 2 URLs per post.

Hi, @Zelldon @salaboy
Please help me, and if there is not enough info I’ll try to get it!

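We needed to add the environment variable ZEEBE_STANDALONE_GATEWAY=true to get it to work. Without it the container appears to have started as a broker with an embedded gateway rather than as a standalone gateway (the configuration dump above contains broker sections such as "data" and "backpressure"), which would explain why the security settings from the gateway’s application.yaml were not picked up and the endpoint stayed plaintext. After setting it, check that the configuration printed at startup shows "security" with "enabled" : true and the certificateChainPath and privateKeyPath filled in. Please add this info somewhere 🙂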
It was found here