TrustPoint-Project / trustpoint-client

MIT License

Onboarding failed with Trustpoint client #1

Closed FHatCSW closed 1 month ago

FHatCSW commented 6 months ago

I tried to onboard a new device to Trustpoint using the client:

After executing the onboarding command I get the following error:

(.venv) admin@trustpoint-client:~/trustpoint-client $ python -m trustpoint_client provision --tsotp c360037b26acd46f --tssalt 024fcaa02e19e729 --otp e86bdc3473729f0a --salt 5afb917f2e97fe27 --url c1nrSQ --host 10.100.13.122:8000
Provisioning client...
Current system time is 2024-04-15T10:04:01Z
Retrieving Trustpoint Trust Store
trust-store.pem missing, downloading from Trustpoint...
/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py:1099: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.100.13.122'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
  warnings.warn(
Traceback (most recent call last):
  File "/home/admin/trustpoint-client/trustpoint_client/cli.py", line 97, in provision
    _provision(otp, salt, url, host, tsotp, tssalt, sn, cb.test_callback)
  File "/home/admin/trustpoint-client/trustpoint_client/trustpoint_client.py", line 171, in provision
    get_trust_store(host, url, hexpass, hexsalt)
  File "/home/admin/trustpoint-client/trustpoint_client/trustpoint_client.py", line 78, in get_trust_store
    raise ProvisioningError(exc_msg)
trustpoint_client.trustpoint_client.ProvisioningError: Server returned HTTP code 404

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/admin/trustpoint-client/trustpoint_client/__main__.py", line 6, in <module>
    cli.cli()
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/trustpoint_client/cli.py", line 100, in provision
    raise ProvisioningCLIError(exc_msg) from e
trustpoint_client.cli.ProvisioningCLIError: Failed to provision the Trustpoint-Client.

Aircoookie commented 6 months ago

The onboarding API endpoint URLs were updated when switching to Django-ninja, but this change was not yet reflected in the client. Please try again with latest github main! :)

FHatCSW commented 6 months ago

Retried with the updated client and got the following error:

Trustpoint is operated as an HTTPS server. Is this the problem?

(.venv) admin@trustpoint-client:~/trustpoint-client $ python -m trustpoint_client provision --tsotp 0dfa185cd39fa8da --tssalt b247f823bac376c1 --otp 70816ed5f7e6965f --salt 89e98b0356d3a965 --url sl0yNQ --host 10.100.13.122:8000
Provisioning client...
Current system time is 2024-04-15T11:11:03Z
Retrieving Trustpoint Trust Store
trust-store.pem missing, downloading from Trustpoint...
Using PBKDF2-HMAC verification
Computed PBKDF2-key: 557bef4754b0f67c5f57fc02843c8234664adc74551c9148e24494c3cf662ed4
Computed HMAC: 6929b865009230c39087820682eafd34d9c3042dfb93995fc89fb0eb1d8eefb4
Thank you, the trust store was downloaded successfully.
Generating private key and CSR for LDevID
Device Serial number: tpclient_k_iLju2aRFKZsjh9
Uploading CSR to Trustpoint for signing
Traceback (most recent call last):
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 467, in _make_request
    self._validate_conn(conn)
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1096, in _validate_conn
    conn.connect()
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connection.py", line 642, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connection.py", line 782, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 470, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 514, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.100.13.122'. (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 790, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 491, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.100.13.122'. (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 844, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.100.13.122', port=8000): Max retries exceeded with url: /api/onboarding/ldevid/sl0yNQ (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.100.13.122'. (_ssl.c:992)")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/admin/trustpoint-client/trustpoint_client/cli.py", line 97, in provision
    _provision(otp, salt, url, host, tsotp, tssalt, sn, cb.test_callback)
  File "/home/admin/trustpoint-client/trustpoint_client/trustpoint_client.py", line 176, in provision
    request_ldevid(host, url, otp, salt, sn)
  File "/home/admin/trustpoint-client/trustpoint_client/trustpoint_client.py", line 126, in request_ldevid
    crt = requests.post(
          ^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/api.py", line 115, in post
    return request("post", url, data=data, json=json, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.100.13.122', port=8000): Max retries exceeded with url: /api/onboarding/ldevid/sl0yNQ (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '10.100.13.122'. (_ssl.c:992)")))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/admin/trustpoint-client/trustpoint_client/__main__.py", line 6, in <module>
    cli.cli()
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/.venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/admin/trustpoint-client/trustpoint_client/cli.py", line 100, in provision
    raise ProvisioningCLIError(exc_msg) from e
trustpoint_client.cli.ProvisioningCLIError: Failed to provision the Trustpoint-Client.

Aircoookie commented 6 months ago

This means it's working as designed ;) (although I should probably make the error message more readable)

The client cannot verify the Trustpoint HTTPS server cert as it is issued to localhost, but would need to be issued to 10.100.13.122 in your example.

You can generate the required cert with openssl, substitute https_server.crt and https_server.pem in /tests/data/x509 with the new files and restart the server. You'll also want to run python -m trustpoint_client rm -a on the client, since it would have cached the previous server cert/trust store.

You can use the following openssl conf; save it as https_server.conf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
O = Trustpoint
OU = Trustpoint Server Testing Certificate
CN = localhost
[v3_req]
basicConstraints=critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = 10.100.13.122

with the openssl command:

openssl req -x509 -newkey rsa:4096 -keyout https_server.pem -out https_server.crt -sha256 -days 3650 -nodes -config https_server.conf -extensions 'v3_req'
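The verification failure above is a name check, not a chain check: the client reaches the server by IP address, so the certificate must carry an iPAddress subjectAltName for 10.100.13.122, and neither the CN nor a DNS entry counts. The following is an added diagnostic, not code from the trustpoint-client project, that performs the same SAN matching the ssl module does and turns the outcome into a readable message of the kind Aircoookie mentions wanting. It works on certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns; the two sample dictionaries are constructed here to mirror the shipped localhost-only certificate and the regenerated one, and `fetch_peer_cert` (assumed helper, needs a reachable server and a trust-store file such as the client's trust-store.pem) verifies the chain but leaves the name check off so the certificate can be inspected first.

```python
"""Explain why a server certificate does not match the host being connected to.

Added diagnostic example; not part of trustpoint-client. Works on the dict
shape returned by ssl.SSLSocket.getpeercert(), e.g.
{'subjectAltName': (('DNS', 'localhost'), ('IP Address', '10.100.13.122'))}.
"""
import ipaddress
import socket
import ssl
from typing import List, Optional, Tuple


def dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, and a leading '*.'
    wildcard matches exactly one label (never the bare registered domain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        head, sep, rest = hostname.partition(".")
        return sep != "" and head != "" and "*" not in head and ("." + rest) == suffix
    return pattern == hostname


def san_entries(cert: dict) -> List[Tuple[str, str]]:
    """Return (type, value) pairs from the certificate's subjectAltName."""
    return list(cert.get("subjectAltName", ()))


def explain_mismatch(cert: dict, host: str) -> Optional[str]:
    """Return None when `cert` is valid for `host`, otherwise a human-readable
    reason. IP literals are matched only against 'IP Address' SANs; DNS names
    only against 'DNS' SANs. The CN is deliberately ignored, as modern TLS
    stacks (including Python's ssl module) ignore it too."""
    sans = san_entries(cert)
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        ip_sans = [v for t, v in sans if t == "IP Address"]
        for value in ip_sans:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return None
            except ValueError:
                continue  # malformed entry; treat as non-matching
        return (
            f"certificate is not valid for IP address {host}: "
            f"iPAddress SANs present: {ip_sans or 'none'}. Connecting by IP "
            "requires an IP Address SAN (CN and DNS entries are not used for IPs)."
        )

    dns_sans = [v for t, v in sans if t == "DNS"]
    if any(dns_matches(p, host) for p in dns_sans):
        return None
    return (
        f"certificate is not valid for hostname {host}: "
        f"dNSName SANs present: {dns_sans or 'none'}."
    )


def fetch_peer_cert(host: str, port: int, cafile: str) -> dict:
    """Assumed helper: connect, verify the chain against `cafile`, but skip the
    name check so the certificate can be inspected with explain_mismatch()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates mirroring the two states in this issue.
SHIPPED_CERT = {  # CN=localhost, SAN DNS:localhost only
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
REGENERATED_CERT = {  # alt_names with DNS.1 = localhost and IP.2 = 10.100.13.122
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "10.100.13.122")),
}

if __name__ == "__main__":
    for name, cert in (("shipped", SHIPPED_CERT), ("regenerated", REGENERATED_CERT)):
        print(f"{name}: {explain_mismatch(cert, '10.100.13.122') or 'OK'}")
```

Running the block prints a mismatch explanation for the shipped certificate and `OK` for the regenerated one. Against a live server, `explain_mismatch(fetch_peer_cert("10.100.13.122", 8000, "trust-store.pem"), "10.100.13.122")` gives the same readable answer without disabling chain verification.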