Automatic Node Discovery fails in .NET Client with HTTPS enabled
We've discovered a bug in Ignite 2.15-2.17 if the EnableClusterDiscovery property is set in the .NET Client when connecting to a cluster with HTTPS enabled on each host.
If we try to connect from the .NET Thin client in this configuration, it works without any certificate issues, but then if the Automatic Server Node Discovery is enabled (IgniteClientConfiguration.EnableClusterDiscovery), it fails on RemoteCertificateMismatch. Interestingly, this error is only logged in the background; we can still connect to the cluster.
We've tried to debug it and we discovered that requests in the server discovery background process are done by targeting IP addresses of our nodes, rather than using host names or DNS aliases of nodes. Because of that, these requests fail via HTTPS, because the IP address is not included in our host certificates in the SAN list. Including IP addresses in node certificates is not an option in our case.
Expected behavior: Automatic Server Node Discovery over HTTPS should not fail if each host has a trusted certificate with proper host name in the SAN list. Node Discovery requests should use hostnames instead of IP addresses for connections.
See this line in ClientFailoverSocket.cs where this behavior starts:
https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133
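The name check behind the error in this report can be reproduced offline. The following is an added example, not part of the original thread and not Ignite code: a constructed self-signed certificate whose SAN list holds only a DNS name is tested against that host name and against an IP literal. The host name, the IP address and both helper names are assumptions; `MatchesHostname` requires .NET 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample values (assumptions, not taken from the report).
const string nodeHostName = "node1.example.internal";
string[] discoveredEndpoints = { "node1.example.internal", "10.0.0.11" };

using X509Certificate2 cert = CreateDnsOnlyCertificate(nodeHostName);
List<string> mismatches = FindNameMismatches(cert, discoveredEndpoints);

foreach (string endpoint in discoveredEndpoints)
{
    string verdict = mismatches.Contains(endpoint) ? "name mismatch" : "name matches";
    Console.WriteLine($"{endpoint,-24} {verdict}");
}

// Hypothetical helper: returns the endpoints the certificate does not cover.
// MatchesHostname compares an IP literal against iPAddress SAN entries and any
// other name against dNSName entries; it does not check chain trust.
static List<string> FindNameMismatches(X509Certificate2 certificate, IEnumerable<string> endpoints) =>
    endpoints
        .Where(e => !certificate.MatchesHostname(e, allowWildcards: true, allowCommonName: false))
        .ToList();

// Builds a throwaway self-signed certificate whose SAN list holds one DNS name
// and no IP addresses, mirroring the node certificates described in the report.
static X509Certificate2 CreateDnsOnlyCertificate(string dnsName)
{
    using RSA key = RSA.Create(2048);
    var request = new CertificateRequest(
        $"CN={dnsName}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    var san = new SubjectAlternativeNameBuilder();
    san.AddDnsName(dnsName);
    request.CertificateExtensions.Add(san.Build());

    return request.CreateSelfSigned(
        DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
}
```

Running the same helper over the addresses a cluster actually returns for its nodes shows which discovery targets a DNS-only certificate cannot cover.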
Thank you for the detailed report, ticket created: https://issues.apache.org/jira/browse/IGNITE-24906
Update, the same error is also logged when using this property in .NET Thin client and using HTTPS on server:
IgniteClientConfiguration.EnableHeartbeats = true
even when automatic node discovery and partition awareness are set to false.
@martinsuchan do you have IgniteConfiguration.localhost configured on the server side, set to the correct host name?
@ptupitsyn we don't use this property anywhere. Also I don't see how this property is related to Node Discovery making HTTPS requests to IP addresses instead of to hostnames?
@martinsuchan I'm trying to understand the expectations - where should those host names come from?
- Node discovery asks the cluster for the list of active nodes
- Every node has a list of addresses. Normally this is just an IP address, unless IgniteConfiguration.localhost is configured with a host name