Festivals-App / festivals-identity-server

Exposing the FestivalsIdentityAPI providing authorization and authentication functions to the FestivalsApp project.
GNU Lesser General Public License v3.0

"tls: failed to parse private key" on gateway server startup #2

Closed BramVan-Oosterhout closed 2 months ago

BramVan-Oosterhout commented 2 months ago

Hi, The festivals-gateway-server starts with:

{"level":"info","time":"2024-07-27T06:47:37Z","message":"Server startup."}
{"level":"info","time":"2024-07-27T06:47:37Z","message":"Server configuration was initialized."}
{"level":"fatal","error":"tls: failed to parse private key","time":"2024-07-27T06:47:37Z","message":"Unable to create validation client."}

I think this message is generated at festivals-identity-server/jwt/validate.go line 84:

cert, err := tls.LoadX509KeyPair(clientCert, clientKey)

I generated the certificate and key with easyrsa:

#bram@FortKnox:~/programs/Festivals-App$ /usr/share/easy-rsa/easyrsa build-ca
#Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
#
#Enter New CA Key Passphrase: bramvanoosterhout
#Re-Enter New CA Key Passphrase: 
#You are about to be asked to enter information that will be incorporated
#into your certificate request.
#What you are about to enter is what is called a Distinguished Name or a DN.
#There are quite a few fields but you can leave some blank
#For some fields there will be a default value,
#If you enter '.', the field will be left blank.
#-----
#Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Festivals-App
#
#CA creation complete and you may now import and sign cert requests.
#Your new CA certificate file for publishing is at:
#/home/bram/programs/Festivals-App/pki/ca.crt

This reference: golang-tls-loadx509keypair-failed-to-parse-private-key states ominously:

It is absolutely normal to get failed to parse private key error when using tls.LoadX509KeyPair function. The reason is that the go standard library x509 doesn't support post-quantum algorithms.

And then suggests implementing the algorithm yourself.

I assume that I have done something wrong in the key generation or config, rather than assume this is a bug, but I have no experience with generating and using certificates. Any idea where to look to resolve this issue?

For completeness - the gateway config:

:/home/build# cat /etc/festivals-gateway.conf 
# festivals-gateway configuration file v1.0
# TOML 1.0.0-rc.2+

[service]
bind-address = "localhost"
bind-host = "localhost"
port = 8080
key = "TEST_API_KEY_001"

[tls]
festivaslapp-root-ca = "/usr/local/festivals-gateway/ca.crt"
cert = "//usr/local/festivals-gateway/server.crt"
key = "/usr/local/festivals-gateway/ca.key"

[heartbeat]
endpoint = "localhost"
interval = 6

[authentication]
endpoint = "localhost"

And identity server config:

/home/build# cat /etc/festivals-identity-server.conf 
# festivals-identity-server configuration file v1.0
# TOML 1.0.0-rc.2+

[service]
bind-address = "localhost"
bind-host = "localhost"
port = 22580
key = "TEST_API_KEY_001"

[tls]
festivaslapp-root-ca = "/usr/local/festivals-identity-server/ca.crt"
cert = "/usr/local/festivals-identity-server/server.crt"
key = "/usr/local/festivals-identity-server/server.key"

[database]
password = "insecure"

[heartbeat]
endpoint = "localhost"
interval = 6

[jwt]
expiration = 180
accessprivatekeypath = "/usr/local/festivals-identity-server/private_key.pem"
accesspublickeypath = "/usr/local/festivals-identity-server/public_key.pem"
refreshprivatekeypath = "/usr/local/festivals-identity-server/private_key.pem"
refreshpublickeypath = "/usr/local/festivals-identity-server/private_key.pem"

And the files:

:/home/build# ls -Rl /etc/festivals*.conf
-rw-r--r-- 1 www-data www-data 542 Jun 26 19:43 /etc/festivals-fileserver.conf
-rw-r--r-- 1 www-data www-data 413 Jun 27 12:03 /etc/festivals-gateway.conf
-rw-r--r-- 1 www-data www-data 777 Jul 27 06:13 /etc/festivals-identity-server.conf
-rw-r--r-- 1 www-data www-data 703 Jul 27 06:13 /etc/festivals-server.conf

Phisto commented 2 months ago

Hey Bram, I'm on vacation so my answers will be slow at the moment, but I will check GitHub from time to time :)

cert = "//usr/local/festivals-gateway/server.crt"
key = "/usr/local/festivals-gateway/ca.key"

should be

cert = "/usr/local/festivals-gateway/server.crt"
key = "/usr/local/festivals-gateway/server.key"

The CA private key should be somewhere very secure and not on the server.

Other than that, I recommend you create virtual hosts via the hosts file for each service, as described in the festivals-pki under Local Development or Development on a test server, as I don't know if this kind of overloading of localhost works.

[heartbeat]
endpoint = "localhost"

should be the host of your gateway discovery service

[heartbeat]
endpoint = "https://discovery.festivalsapp.dev/loversear"

I will try to clarify this as it is truly somewhat confusing :)

Kind regards Simon
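The startup failure Bram reports and the fix Simon gives above both come down to what `tls.LoadX509KeyPair` will accept. The Go program below is an added example, not code from the festivals-identity-server project or from either poster: it runs the same load the server does (`tls.X509KeyPair`, which `LoadX509KeyPair` calls after reading the two files) on in-memory sample material, and turns the terse `crypto/tls` error into a diagnosis that separates the two misconfigurations in this thread: a passphrase-protected key, which is what easyrsa writes for the CA key when a CA passphrase is set, versus a key that parses but belongs to a different certificate. The throwaway CA and server certificate, the host name `gateway.festivalsapp.test`, the `ENCRYPTED PRIVATE KEY` placeholder body and all function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyPairReport explains why a [tls] cert/key pair did or did not load.
type KeyPairReport struct {
	OK        bool   // tls.X509KeyPair accepted the pair
	TLSErr    string // the error crypto/tls itself returned ("" when OK)
	KeyBlock  string // PEM block type found in the key file
	Encrypted bool   // key is passphrase-protected (what easyrsa does for a CA key)
	Mismatch  bool   // key parses but belongs to a different certificate
	Diagnosis string // hint for the operator
}

// CheckKeyPair performs the same load the server does and then inspects the
// key PEM to turn the terse crypto/tls error into an actionable diagnosis.
func CheckKeyPair(certPEM, keyPEM []byte) KeyPairReport {
	var r KeyPairReport
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	if err == nil {
		r.OK, r.Diagnosis = true, "certificate and private key load and match"
		return r
	}
	r.TLSErr = err.Error()
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		r.Diagnosis = "key file contains no PEM data; check the configured path"
		return r
	}
	r.KeyBlock = block.Type
	switch {
	// A passphrase-protected key is a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a
	// legacy block carrying a Proc-Type: 4,ENCRYPTED header. crypto/tls never
	// decrypts keys, so both surface as "tls: failed to parse private key".
	case block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED":
		r.Encrypted = true
		r.Diagnosis = "private key is passphrase-encrypted; the service needs its own unencrypted server key, never the passphrase-protected CA key"
	case strings.Contains(r.TLSErr, "does not match"):
		r.Mismatch = true
		r.Diagnosis = "private key does not belong to this certificate; point key at the key generated alongside the server certificate (server.key)"
	default:
		r.Diagnosis = "key PEM is unreadable or of an unsupported type: " + r.TLSErr
	}
	return r
}

// must keeps the sample-data builder short; sample key generation failing is
// not a condition this demo needs to recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func pkcs8PEM(k *ecdsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: must(x509.MarshalPKCS8PrivateKey(k))})
}

// ConstructedPKI builds an in-memory throwaway CA and a server certificate
// signed by it (constructed sample data, not the project's real PKI). It returns
// the server certificate, its matching key and the CA key, so the pairing from
// the issue (server.crt with ca.key) can be reproduced without touching disk.
func ConstructedPKI() (serverCertPEM, serverKeyPEM, caKeyPEM []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Festivals-App"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "gateway.festivalsapp.test"}, // hypothetical host
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}), pkcs8PEM(srvKey), pkcs8PEM(caKey)
}

// EncryptedKeyPlaceholder mimics the PEM framing easyrsa writes for a
// passphrase-protected key. The body is constructed filler, not real ciphertext;
// crypto/tls rejects it exactly as it rejects a genuinely encrypted key.
func EncryptedKeyPlaceholder() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("constructed placeholder, not a key")})
}

func main() {
	srvCert, srvKey, caKey := ConstructedPKI()
	cases := []struct {
		name string
		key  []byte
	}{
		{"server.crt + server.key", srvKey},
		{"server.crt + ca.key", caKey},
		{"server.crt + encrypted ca.key", EncryptedKeyPlaceholder()},
	}
	for _, c := range cases {
		r := CheckKeyPair(srvCert, c.key)
		fmt.Printf("%-30s ok=%-5v tls=%q\n  -> %s\n", c.name, r.OK, r.TLSErr, r.Diagnosis)
	}
}
```

To check a real installation, read the `[tls]` `cert` and `key` paths with `os.ReadFile` and pass the bytes to `CheckKeyPair`. A report with `Encrypted` set means the configured key is passphrase-protected, such as the CA key from the easyrsa session above; `Mismatch` means the key and certificate were not generated together, which is also what a copied-but-wrong file looks like.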

BramVan-Oosterhout commented 2 months ago

Hi Simon, What slow response? Thanks for your input! The server starts now like all other servers. Yay!

I am slowly learning about the use of certificates and hope to understand them by the end of the week. It would be nice to have a script that:

  1. generated the required certificates
  2. put them in the appropriate directories on the various servers
  3. updated the various config files to point to the required certificates.

It may be too much to ask for the automation, but it would be helpful to illustrate the concept as applied to Festivals-App.

I'll raise one more issue and will take your warning about slow response seriously. Enjoy your holiday. Work will wait. Holidays don't get another chance. Take care.

Bram