clickhouse-go tries to turn on X-ClickHouse-SSL-Certificate-Auth every time it connects with a user without a password
Observed
Try to connect to clickhouse/clickhouse-server:25.7 with the default user and an empty password via HTTPS
Expected behaviour
Successful authorization without trying to use an SSL certificate as the authorization method
Code example
```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"github.com/ClickHouse/clickhouse-go/v2"
	"time"
)

func main() {
	fmt.Println(connect())
}

// connect opens an HTTPS connection as the default user with an empty
// password and pings the server.
func connect() error {
	conn, openErr := clickhouse.Open(&clickhouse.Options{
		Addr: []string{"localhost:8443"},
		Auth: clickhouse.Auth{
			Database: "default",
			Username: "default",
			Password: "",
		},
		Debug: true,
		// No client certificate is configured; the server certificate is not verified.
		TLS: &tls.Config{
			InsecureSkipVerify: true,
		},
		Protocol:        clickhouse.HTTP,
		DialTimeout:     time.Second * 10,
		MaxOpenConns:    10,
		MaxIdleConns:    5,
		ConnMaxLifetime: time.Hour,
	})
	if openErr != nil {
		return fmt.Errorf("openErr=%w", openErr)
	}
	if pingErr := conn.Ping(context.Background()); pingErr != nil {
		return fmt.Errorf("pingErr=%w", pingErr)
	}
	return nil
}
```
Error log
```
[clickhouse-http][localhost:8443][id=1][query hello]
[clickhouse-http][localhost:8443][id=1][http query] "SELECT displayName(), version(), revision(), timezone()"
pingErr=failed to query server hello: failed to query server hello info: sendQuery: [HTTP 403] response body: "Code: 516. DB::Exception: Invalid authentication: SSL certificate authentication requires nonempty certificate's Common Name or Subject Alternative Name. (AUTHENTICATION_FAILED) (version 25.7.1.3997 (official build))
"
2025.08.04 07:26:57.384254 [ 85 ] {} <Error> DynamicQueryHandler: Code: 516. DB::Exception: Invalid authentication: SSL certificate authentication requires nonempty certificate's Common Name or Subject Alternative Name. (AUTHENTICATION_FAILED), Stack trace (when copying this message, always include the lines below):
0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x00000000127c721b
1. DB::Exception::Exception(PreformattedMessage&&, int) @ 0x000000000bfd62cc
2. DB::Exception::Exception<>(int, FormatStringHelperImpl<>) @ 0x000000000bfe268b
3. DB::authenticateUserByHTTP(DB::HTTPServerRequest const&, DB::HTMLForm const&, DB::HTTPServerResponse&, DB::Session&, std::unique_ptr<DB::Credentials, std::default_delete<DB::Credentials>>&, DB::HTTPHandlerConnectionConfig const&, std::shared_ptr<DB::Context const>, std::shared_ptr<Poco::Logger>) @ 0x00000000185575d4
4. DB::HTTPHandler::authenticateUser(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&) @ 0x0000000018487d50
5. DB::HTTPHandler::processQuery(DB::HTTPServerRequest&, DB::HTMLForm&, DB::HTTPServerResponse&, DB::HTTPHandler::Output&, std::optional<DB::CurrentThread::QueryScope>&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x0000000018488212
6. DB::HTTPHandler::handleRequest(DB::HTTPServerRequest&, DB::HTTPServerResponse&, StrongTypedef<unsigned long, ProfileEvents::EventTag> const&) @ 0x0000000018490be4
7. DB::HTTPServerConnection::run() @ 0x000000001854c740
8. Poco::Net::TCPServerConnection::start() @ 0x000000001d89cb27
9. Poco::Net::TCPServerDispatcher::run() @ 0x000000001d89cf79
10. Poco::PooledThread::run() @ 0x000000001d868207
11. Poco::ThreadImpl::runnableEntry(void*) @ 0x000000001d8667a1
12. ? @ 0x0000000000094ac3
13. ? @ 0x0000000000125a04
(version 25.7.1.3997 (official build))
```
Details
Environment
- [x] clickhouse-go version: v2.40.1
- [x] Interface: database/sql compatible driver
- [x] Go version: 1.24.5
- [x] Operating system: Ubuntu
- [x] ClickHouse version:
- [x] ClickHouse Server non-default settings, if any: /etc/clickhouse-server/config.d/https_port.xml
```xml
<clickhouse>
    <https_port>8443</https_port>
    <openSSL>
        <server>
            <certificateFile>/etc/clickhouse-server/server.crt</certificateFile>
            <privateKeyFile>/etc/clickhouse-server/server.key</privateKeyFile>
            <verificationMode>none</verificationMode>
        </server>
    </openSSL>
</clickhouse>
```
I propose adding an option which explicitly turns on the X-ClickHouse-SSL-Certificate-Auth: on header, instead of using it every time when trying to connect with a user without a password
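As an added example (not code from clickhouse-go or from this thread), the Go sketch below contrasts the behaviour reported above with the proposed explicit opt-in, and rejects the opt-in when no client certificate is configured. `AuthOptions`, `SSLCertAuth`, `implicitHeaders` and `explicitHeaders` are hypothetical names, and the implicit rule is modelled from the issue's description, not from the driver's source.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

const certAuthHeader = "X-ClickHouse-SSL-Certificate-Auth"
// AuthOptions is a hypothetical, simplified stand-in for the driver's settings.
type AuthOptions struct {
	Username, Password string
	TLS                *tls.Config
	SSLCertAuth        bool // hypothetical explicit opt-in, as proposed above
}

// implicitHeaders models the reported behaviour (assumed): empty password => cert auth.
func implicitHeaders(o AuthOptions) http.Header {
	h := http.Header{}
	h.Set("X-ClickHouse-User", o.Username)
	if o.Password == "" {
		h.Set(certAuthHeader, "on")
	} else {
		h.Set("X-ClickHouse-Key", o.Password)
	}
	return h
}

// explicitHeaders sends the header only on opt-in and only if a client cert is configured.
func explicitHeaders(o AuthOptions) (http.Header, error) {
	h := http.Header{}
	h.Set("X-ClickHouse-User", o.Username)
	hasCert := o.TLS != nil && (len(o.TLS.Certificates) > 0 || o.TLS.GetClientCertificate != nil)
	switch {
	case o.SSLCertAuth && !hasCert:
		return nil, fmt.Errorf("SSLCertAuth needs a client certificate in the TLS config")
	case o.SSLCertAuth:
		h.Set(certAuthHeader, "on")
	case o.Password != "":
		h.Set("X-ClickHouse-Key", o.Password)
	}
	return h, nil
}

func main() {
	o := AuthOptions{Username: "default", TLS: &tls.Config{}} // constructed: the issue's scenario
	h, err := explicitHeaders(o)
	fmt.Println(implicitHeaders(o), h, err)
}
```

For the issue's scenario (user `default`, empty password, TLS without a client certificate) the implicit rule emits the certificate-auth header, while the opt-in variant sends only the user header.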
Hey! Thanks for the info.
The problem is somewhere in here: https://github.com/ClickHouse/clickhouse-go/blob/7fc2041178dcd0ede809084370735f3e3d98ed0b/conn_http.go#L126-L151
I don't think anything has changed here with the logic of when this header is applied. Perhaps we can try disabling it to prevent the error you're seeing.
@SpencerTorres the problem is in the following code fragment
https://github.com/ClickHouse/clickhouse-go/blob/7fc2041178dcd0ede809084370735f3e3d98ed0b/conn_http.go#L136-L144
@SpencerTorres
Hey! Can it be fixed?