Closed jfernandezsqs closed 2 years ago
This is the same error you already described in https://github.com/Fraunhofer-AISEC/ids-clearing-house-service/issues/6#issuecomment-1024343899.
The underlying problem is also still the same. The certificate of your DAPS needs to be added to the truststore of the docker container, and it needs to be available to the code as described here.
Yes, I opened this issue for clarity and in order to separate it from the other one, so that we can focus on this problem.
I have modified the docker-compose.yml file in order to replace the daps-cachain.crt located at /usr/local/share/ca-certificates with our testidsa15.crt (this is the certificate used to sign the DAPS). Once I have done this, it is giving me the same error. I assume that with the changes I have performed, the certificate of my DAPS is added to the truststore of the docker container. Let me know if that is right.
Adding a certificate to the truststore of the container requires you to run the command update-ca-certificates inside the container. If you only added the certificate to the folder, it's not yet added to the truststore.
You can see both steps, e.g., in the clearing-house-api.Dockerfile: line 13 adds the certificate to the folder and line 14 runs the command to update the truststore.
I have inserted the certificate and tried the update-ca-certificates command inside the container, but it is still giving the same error.
Did you also include the certificate in DER format in the /certs folder and mount it in the docker-compose.yml?
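Added example (not part of the thread or of the clearing-house project): a small standard-library script that checks the three places the thread talks about agree, i.e. that the DER file mounted under /server/certs and the .crt placed in /usr/local/share/ca-certificates are the same certificate, and that this certificate actually made it into the bundle update-ca-certificates writes to /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu layout assumed). Note that mounting a directory into the container at runtime does not rerun update-ca-certificates, so the bundle inside the running container is what to check; file names and the `docker cp` step are assumptions for illustration.

```python
"""Added check: is the DAPS CA certificate really in the container truststore?
Compares the DER copy (mounted under /server/certs), the PEM copy dropped into
/usr/local/share/ca-certificates, and /etc/ssl/certs/ca-certificates.crt."""
import base64
import hashlib
import re
import sys
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM file or CA bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def der_to_pem(der):
    """Wrap DER bytes as a PEM block (the form the .crt in ca-certificates needs)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 fingerprint, same value as `openssl x509 -fingerprint -sha256` (no colons)."""
    return hashlib.sha256(der).hexdigest().upper()

def looks_like_der(data):
    """A DER certificate is an ASN.1 SEQUENCE, so its first byte must be 0x30."""
    return len(data) > 2 and data[0] == 0x30

def same_certificate(der_bytes, pem_text):
    """True if the DER file and the single-cert PEM file are the same certificate."""
    ders = pem_to_der_list(pem_text)
    return looks_like_der(der_bytes) and len(ders) == 1 and ders[0] == der_bytes

def in_truststore(bundle_text, der_bytes):
    """True if the certificate is one of the entries in ca-certificates.crt."""
    want = fingerprint(der_bytes)
    return any(fingerprint(d) == want for d in pem_to_der_list(bundle_text))

if __name__ == "__main__":
    # Assumed usage: check_truststore.py daps.der daps.crt ca-certificates.crt
    # Fetch the bundle from the running container first, e.g.:
    #   docker cp clearing-house-api:/etc/ssl/certs/ca-certificates.crt .
    der_path, pem_path, bundle_path = sys.argv[1:4]
    der = open(der_path, "rb").read()
    ok_pair = same_certificate(der, open(pem_path).read())
    ok_store = in_truststore(open(bundle_path).read(), der)
    print(f"{fingerprint(der)} DER/PEM match: {ok_pair} in truststore: {ok_store}")
    sys.exit(0 if ok_pair and ok_store else 1)
```

If the last check prints False although the .crt is in the folder, update-ca-certificates has not been run against that folder in the image or container being used.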
Yes, I have used the testidsa15 certificate in DER format and included it in the data/certs folder. I have also included testidsa15.crt in the folder /usr/local/share/ca-certificates. This is my docker-compose.yml:
```yaml
version: '3'
services:
  clearing-house-api:
    image: sqs-service-api
    container_name: "clearing-house-api"
    depends_on:
      - document-api
      - keyring-api
      - clearing-house-mongo
    environment:
      # Allowed levels: Off, Error, Warn, Info, Debug, Trace
      - API_LOG_LEVEL=Debug
    ports:
      - "8000:8000"
    #restart: unless-stopped
    # Configuration of APIs is handled by config.yml and Rocket.toml
    volumes:
      - ./data/Rocket.toml:/server/Rocket.toml
      - ./data/keys:/server/keys
      - ./data/certs:/server/certs
      - ./data/insert_truststore:/usr/local/share/ca-certificates

  clearing-house-mongo:
    container_name: "clearing-house-mongo"
    image: mongo:4.4.8
    restart: always
    environment:
      MONGO_INITDB_DATABASE: process
    ports:
      # This is solely for debugging purposes. Remove for deployment
      - "27019:27017"

  document-api:
    image: sqs-document-api
    container_name: "document-api"
    depends_on:
      - keyring-api
      - document-mongo
    environment:
      # Allowed levels: Off, Error, Warn, Info, Debug, Trace
      - API_LOG_LEVEL=Info
    ports:
      - "8001:8001"
    #restart: unless-stopped
    # Configuration of APIs is handled by config.yml and Rocket.toml
    volumes:
      - ./data/document-api/Rocket.toml:/server/Rocket.toml
      - ./data/certs:/server/certs
      - ./data/insert_truststore:/usr/local/share/ca-certificates

  document-mongo:
    container_name: "document-mongo"
    image: mongo:4.4.8
    restart: always
    environment:
      MONGO_INITDB_DATABASE: document
    ports:
      # This is solely for debugging purposes. Remove for deployment
      - "27017:27017"

  keyring-api:
    image: sqs-keyring-api
    container_name: "keyring-api"
    depends_on:
      - keyring-mongo
    environment:
      # Allowed levels: Off, Error, Warn, Info, Debug, Trace
      - API_LOG_LEVEL=Info
    ports:
      - "8002:8002"
    #restart: unless-stopped
    # Configuration of APIs is handled by config.yml and Rocket.toml
    volumes:
      - ./data/keyring-api/init_db:/server/init_db
      - ./data/keyring-api/Rocket.toml:/server/Rocket.toml
      - ./data/certs:/server/certs
      - ./data/insert_truststore:/usr/local/share/ca-certificates

  keyring-mongo:
    container_name: "keyring-mongo"
    image: mongo:4.4.8
    restart: always
    environment:
      MONGO_INITDB_DATABASE: keyring
    ports:
      # This is solely for debugging purposes. Remove for deployment
      - "27018:27017"

  # The core platform, mounts docker control socket and route definition into the image
  tc-core:
    container_name: "testidsa12"
    image: fraunhoferaisec/trusted-connector-core:ch
    tty: true
    stdin_open: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/trusted-connector/allow-all-flows.pl:/root/deploy/allow-all-flows.pl
      - ./data/trusted-connector/testidsa12.p12:/root/etc/keystore.p12
      - ./data/trusted-connector/truststore.p12:/root/etc/truststore.p12
      - ./data/trusted-connector/clearing-house-processors-0.7.4.jar:/root/jars/clearing-house-processors.jar
      - ./data/trusted-connector/routes/clearing-house-routes.xml:/root/deploy/clearing-house-routes.xml
    environment:
      TC_DAPS_URL: https://omejdn
      #LOGGING_LEVEL_ORG_APACHE_CAMEL: TRACE
    expose:
      - "9999"
      - "8443"
      - "8080"
    ports:
      - "8443:8443"
      - "9999:9999"
      - "8080:8080"

networks:
  default:
    external:
      name: broker-localhost_default
```
And this is my container clearing-house-api:
Solved issue. It was an error with the daps-cachain.crt used in my configuration. Thank you, Mark, for the support.
When performing a contract negotiation between dataspace connectors, I am receiving the following error in the clearing house logs.
It seems that the CH API is not able to connect to the DAPS via HTTPS/TLS.
The trusted connector is receiving a valid DAT from the DAPS.
There is an issue with the ClearingHouseOutputProcessor, which is giving an ids:RejectionMessage.
These are the logs obtained at the dataspace connector acting as provider.
I do not know the reason why this is happening, and I have followed all the configuration steps detailed in the documentation provided.