Festivals-App / festivals-identity-server

Exposing the FestivalsIdentityAPI providing authorization and authentication functions to the FestivalsApp project.
GNU Lesser General Public License v3.0

Gateway server fails to start with: "... certificate signed by unknown authority ..." #3

Closed BramVan-Oosterhout closed 3 weeks ago

BramVan-Oosterhout commented 1 month ago

OK. I admit. I am stuck.

The MySQL and festivals-identity-server are running.

/home/build# ps ax
    PID TTY      STAT   TIME COMMAND
      1 ?        Ss     0:00 /bin/sh /entrypoint.sh
      8 pts/0    Ss     0:00 /bin/bash
    141 ?        Ssl    0:00 /usr/sbin/mysqld
    211 ?        Ssl    0:00 /usr/local/bin/festivals-identity-server
    220 ?        S      0:00 sleep 1s
    221 pts/0    R+     0:00 ps ax

The log says:

/home/build# cat /var/log/festivals-identity-server/info.log 
{"level":"info","time":"2024-07-31T11:45:10Z","message":"Server startup."}
{"level":"info","time":"2024-07-31T11:45:10Z","message":"Server configuration was initialized."}
{"level":"info","time":"2024-07-31T11:45:11Z","message":"Server did start."}
{"level":"info","time":"2024-07-31T11:45:11Z","message":"Heartbeat routine was started."}

The gateway fails to start. The log says:

/home/build# cat /var/log/festivals-gateway/info.log
{"level":"info","time":"2024-07-31T12:52:51Z","message":"Server startup."}
{"level":"info","time":"2024-07-31T12:52:51Z","message":"Server configuration was initialized."}
{"level":"fatal","error":"Get \"https://festivals-identity-server:22580/api-keys\": tls: failed to verify certificate: x509: certificate signed by unknown authority","time":"2024-07-31T12:52:51Z","message":"Failed to load API keys from identity service."}

I cannot locate where this message originates.

So I try:

/home/build# curl -k -v https://festivals-identity-server:22580/api-keys
*   Trying 127.0.0.1:22580...
* Connected to festivals-identity-server (127.0.0.1) port 22580 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=festivals-identity-server
*  start date: Jul 30 04:36:25 2024 GMT
*  expire date: Nov  2 04:36:25 2026 GMT
*  issuer: CN=Festivals-App
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x558b5470ceb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /api-keys HTTP/2
> Host: festivals-identity-server:22580
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host festivals-identity-server left intact
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0

It appears as if another certificate is required.

My config file is:

/home/build# cat /etc/festivals-identity-server.conf 
# festivals-identity-server configuration file v1.0
# TOML 1.0.0-rc.2+

[service]
bind-address = "localhost"
bind-host = "localhost"
port = 22580
key = "TEST_API_KEY_001"

[tls]
festivaslapp-root-ca = "/usr/local/festivals-identity-server/ca.crt"
cert = "/usr/local/festivals-identity-server/server.crt"
key = "/usr/local/festivals-identity-server/server.key"

[database]
password = "insecure"

[heartbeat]
endpoint = "localhost"
interval = 3600

[jwt]
expiration = 180
accessprivatekeypath = "/usr/local/festivals-identity-server/private_key.pem"
accesspublickeypath = "/usr/local/festivals-identity-server/public_key.pem"
refreshprivatekeypath = "/usr/local/festivals-identity-server/private_key.pem"
refreshpublickeypath = "/usr/local/festivals-identity-server/private_key.pem"

The certificates are created with:

    ./easyrsa init-pki
    ./easyrsa --passout=file:pwd --passin=file:pwd build-ca
    ./easyrsa --passin=file:pwd --passout=file:pwd build-server-full festivals-identity-server nopass
    openssl x509 -in pki/issued/festivals-identity-server.crt -out pem/festivals-identity-server-crt.pem -outform PEM
    openssl rsa -in pki/private/festivals-identity-server.key -text > pem/festivals-identity-server-key.pem

And placed at:

ca.crt => /usr/local/festivals-identity-server/ca.crt
festivals-identity-server.crt => /usr/local/festivals-identity-server/server.crt
festivals-identity-server.key => /usr/local/festivals-identity-server/server.key
festivals-identity-server-crt.pem => /usr/local/festivals-identity-server/public_key.pem
festivals-identity-server-key.pem => /usr/local/festivals-identity-server/private_key.pem

So all seems OK to me. But it clearly is not. Any advice? No rush.

BramVan-Oosterhout commented 3 weeks ago

I found the issue that was blocking the gateway server from starting. In the gateway server configuration (config_template.toml line 10-13) it says:

[tls]
festivaslapp-root-ca = "/usr/local/festivals-gateway/ca.crt"
cert = "/usr/local/festivals-gateway/server.crt"
key = "/usr/local/festivals-gateway/server.key"

The cert and key must be CLIENT certificates. I thought certificates were certificates. But NO! There are client and server certificates. Providing the correct kind solved most of the problem.

The database must contain a service_key for the server to start. I provided that with:

mysql -e "INSERT INTO festivals_identity_database.service_keys  (service_key,service_key_comment) VALUES ('TEST_API_KEY_001',' just another guess as entry for test');"

I now have a docker container that starts mysql, festivals-identity-server and festivals-gateway. You can see the details here.

And I learned a bit of Go along the way. :-)
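The two findings in this thread, the identity server demanding a client certificate (curl's `tlsv13 alert certificate required` in the first comment) and the gateway's `server.crt` having to be a client certificate (the second comment), come down to two TLS settings: the server's client-auth policy and the `extendedKeyUsage` extension on the leaf certificate. The Go program below is an added example, not code from festivals-identity-server or festivals-gateway. It mints a throwaway CA plus a server-kind and a client-kind certificate in memory (standing in for the easy-rsa commands above), runs an identity-server lookalike that requires a client certificate signed by that CA, and replays the gateway's request four ways. The host names, the `Festivals-App` CA name and the API key value are taken from the thread; the `/api-keys` response body and everything else is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a certificate signed by parent (a self-signed CA when parent is nil) carrying
// exactly the Extended Key Usages in eku. Hypothetical helper standing in for the issue's
// easy-rsa commands; constructed for this example only.
func issue(cn string, parent *tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // this is what makes a cert a "client" or a "server" certificate
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// fetch does one GET the way the gateway loads its API keys, with the given client
// certificate (none when nil) and trust roots. A nil result means success.
func fetch(url string, client *tls.Certificate, roots *x509.CertPool) error {
	// The gateway dials by host name, so the server cert is verified against that name.
	cfg := &tls.Config{RootCAs: roots, ServerName: "festivals-identity-server"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := hc.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// runScenario stands up an identity-server lookalike that demands a client certificate signed
// by the Festivals-App CA, then replays the gateway's request with each kind of material
// discussed in the thread. Only the TLS behaviour visible in the logs is modelled.
func runScenario() map[string]error {
	ca := issue("Festivals-App", nil)
	server := issue("festivals-identity-server", &ca, x509.ExtKeyUsageServerAuth)
	wrongKind := issue("festivals-gateway", &ca, x509.ExtKeyUsageServerAuth) // what build-server-full yields
	rightKind := issue("festivals-gateway", &ca, x509.ExtKeyUsageClientAuth) // what the gateway needs
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `["TEST_API_KEY_001"]`) // constructed body; the real /api-keys format is not on the page
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting behind curl's "certificate required"
		ClientCAs:    trusted,
	}
	srv.StartTLS()
	defer srv.Close()

	return map[string]error{
		"no client cert":                   fetch(srv.URL, nil, trusted),
		"server-kind cert as client":       fetch(srv.URL, &wrongKind, trusted),
		"client-kind cert, CA not trusted": fetch(srv.URL, &rightKind, x509.NewCertPool()),
		"client-kind cert, CA trusted":     fetch(srv.URL, &rightKind, trusted),
	}
}

func main() {
	for name, err := range runScenario() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```

Run it with `go run` and only the last case succeeds. The "CA not trusted" case reproduces the `certificate signed by unknown authority` line from the gateway log (the client has a valid client certificate but no root to verify the server against), and the server-kind certificate is rejected by the server's clientAuth check even though the same CA signed it. The offline version of that check is `openssl x509 -in server.crt -noout -text`: the `X509v3 Extended Key Usage` section must list `TLS Web Client Authentication` for a certificate that goes into the gateway's `[tls]` section, and `TLS Web Server Authentication` for the one the identity server presents.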