Ray + mkcert works well?

Krout0n · December 28, 2022, 7:39am

How severe does this issue affect your experience of using Ray?

Low: It annoys or frustrates me for a moment.

I am trying to combine Ray and mkcert for testing TLS-enabled.

First, I initialized my keys that are used Ray with the command mkcert -key-file key.pem -cert-file cert.pem 10.146.0.2. And then, I ran the following command but it fails to start.

The command which fails to start

RAY_USE_TLS=1 \
RAY_TLS_SERVER_CERT=<path-to-cert.pem> \
RAY_TLS_SERVER_KEY=<path-to-key.pem> \
RAY_TLS_CA_CERT=<path-to-rootCA-key.pem> \
ray start --head --node-ip-address="10.146.0.2" --port="8000" --include-dashboard=False --disable-usage-stats

The log

Usage stats collection is disabled.

Local node IP: 10.146.0.2
E1228 07:16:08.590259080    5728 ssl_transport_security.cc:807] Could not load any root certificate.
E1228 07:16:08.590286436    5728 ssl_transport_security.cc:2109] Cannot load server root certificates.
E1228 07:16:08.590295145    5728 ssl_security_connector.cc:127] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1228 07:16:08.590313504    5728 chttp2_connector.cc:267]    Failed to create channel args during subchannel creation: INTERNAL: Failed to create secure subchannel for secure name '10.146.0.2:8000'; Got args: {grpc.client_channel_factory=0x17b1bc0, grpc.default_authority=10.146.0.2:8000, grpc.enable_http_proxy=0, grpc.internal.channel_credentials=0x1c05880, grpc.internal.subchannel_pool=0x1addea0, grpc.keepalive_time_ms=60000, grpc.keepalive_timeout_ms=60000, grpc.max_receive_message_length=536870912, grpc.max_send_message_length=536870912, grpc.primary_user_agent=grpc-python/1.50.0, grpc.resource_quota=0x1bfc270, grpc.server_uri=dns:///10.146.0.2:8000}
E1228 07:16:09.592480470    5728 ssl_transport_security.cc:807] Could not load any root certificate.
E1228 07:16:09.592511364    5728 ssl_transport_security.cc:2109] Cannot load server root certificates.
E1228 07:16:09.592519936    5728 ssl_security_connector.cc:127] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1228 07:16:09.592531371    5728 chttp2_connector.cc:267]    Failed to create channel args during subchannel creation: INTERNAL: Failed to create secure subchannel for secure name '10.146.0.2:8000'; Got args: {grpc.client_channel_factory=0x17b1bc0, grpc.default_authority=10.146.0.2:8000, grpc.enable_http_proxy=0, grpc.internal.channel_credentials=0x1a77480, grpc.internal.subchannel_pool=0x1addea0, grpc.keepalive_time_ms=60000, grpc.keepalive_timeout_ms=60000, grpc.max_receive_message_length=536870912, grpc.max_send_message_length=536870912, grpc.primary_user_agent=grpc-python/1.50.0, grpc.resource_quota=0x1bfc270, grpc.server_uri=dns:///10.146.0.2:8000}
E1228 07:16:10.594761618    5728 ssl_transport_security.cc:807] Could not load any root certificate.
E1228 07:16:10.594790055    5728 ssl_transport_security.cc:2109] Cannot load server root certificates.
E1228 07:16:10.594798296    5728 ssl_security_connector.cc:127] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1228 07:16:10.594810552    5728 chttp2_connector.cc:267]    Failed to create channel args during subchannel creation: INTERNAL: Failed to create secure subchannel for secure name '10.146.0.2:8000'; Got args: {grpc.client_channel_factory=0x17b1bc0, grpc.default_authority=10.146.0.2:8000, grpc.enable_http_proxy=0, grpc.internal.channel_credentials=0x18faf70, grpc.internal.subchannel_pool=0x1addea0, grpc.keepalive_time_ms=60000, grpc.keepalive_timeout_ms=60000, grpc.max_receive_message_length=536870912, grpc.max_send_message_length=536870912, grpc.primary_user_agent=grpc-python/1.50.0, grpc.resource_quota=0x1bfc270, grpc.server_uri=dns:///10.146.0.2:8000}
E1228 07:16:11.597031701    5728 ssl_transport_security.cc:807] Could not load any root certificate.
E1228 07:16:11.597059607    5728 ssl_transport_security.cc:2109] Cannot load server root certificates.
E1228 07:16:11.597068607    5728 ssl_security_connector.cc:127] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1228 07:16:11.597080721    5728 chttp2_connector.cc:267]    Failed to create channel args during subchannel creation: INTERNAL: Failed to create secure subchannel for secure name '10.146.0.2:8000'; Got args: {grpc.client_channel_factory=0x17b1bc0, grpc.default_authority=10.146.0.2:8000, grpc.enable_http_proxy=0, grpc.internal.channel_credentials=0x1c08e70, grpc.internal.subchannel_pool=0x1addea0, grpc.keepalive_time_ms=60000, grpc.keepalive_timeout_ms=60000, grpc.max_receive_message_length=536870912, grpc.max_send_message_length=536870912, grpc.primary_user_agent=grpc-python/1.50.0, grpc.resource_quota=0x1bfc270, grpc.server_uri=dns:///10.146.0.2:8000}
^C
Aborted!

However, if I specify <path-to-cert.pem> instead of <path-to-rootCA-key.pem> as RAY_TLS_CA_CERT, this command will work.

I’m not familiar with TLS, Ray, or mkcert, but this probably sounds wrong, what should I do? I felt like I needed to know it properly now because I want to connect with TLS from other physical machines in the future.

Topic		Replies	Views
SSL peer certificate or SSH remote key was not OK Ray Libraries (Data, Train, Tune, Serve)	5	940	July 12, 2023
Ray init tries to detect TPUs even when they aren't present Ray Core	8	364	September 29, 2023
Use SSL for deployment Ray Serve	1	837	September 29, 2022
Ray init failed, but ray status success Ray Core	4	575	March 16, 2024
Running ray tests on M1 macs Ray Core	3	330	March 28, 2023

Ray + mkcert works well?

The command which fails to start

The log

Related Topics