brian7704 / OpenTAKServer

Yet another open source TAK Server for ATAK, iTAK, and WinTAK
GNU General Public License v3.0

Unable to fetch or push data packages #39

Open v12venator opened 4 days ago

v12venator commented 4 days ago

When connected to an opentakserver, EUD is unable to push or query data packages to/from server. Found all network connectivity settings and ensured the device was able to connect to 8443 on the server through the NGINX proxy. The EUD's return code for data package query is:

Data Package Search Failed Socket is closed

Attempting to run this from ATAK client on two different Debian 12 opentakservers, one with Let's Encrypt certificates and one with the generated self-signed certificates.

v12venator commented 4 days ago

Looked at the debug nginx log again, and the proxy is returning SSL error 46 when a query attempt is made

Line from error.log: [info] 1146455#1146455: *32 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking,
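The error line above is worth reading carefully, so here is a small triage script, added as an example for this thread and not part of OpenTAKServer or the reporter's setup. OpenSSL's "sslv3 alert certificate unknown:SSL alert number 46" wording is how it reports a fatal alert *received from the peer*: the connecting EUD refused the certificate nginx presented, as opposed to nginx rejecting the client's certificate, which nginx logs as "client SSL certificate verify error: (...)". The script separates those two cases and maps alert numbers to their RFC 5246 / RFC 8446 names. Only the first sample line is taken from the report; the others, the timestamps and the client addresses are constructed.

```python
"""Triage nginx error.log entries for TLS handshake failures (constructed example).

Distinguishes alerts the peer sent (the client rejected what nginx offered)
from client certificates that nginx itself refused to verify.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterT, List, Optional, Tuple

# TLS alert descriptions, RFC 5246 section 7.2 and RFC 8446 section 6
# (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    116: "certificate_required",
}

# nginx error.log shape: "[level] pid#tid: *connection message".
LINE_RE = re.compile(r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)$")
# OpenSSL error text as embedded by nginx; the alert number is present when a
# fatal alert was received from the peer.
ALERT_RE = re.compile(
    r"SSL: error:(?P<code>[0-9A-Fa-f]+):SSL routines::(?P<reason>[^:)]+)"
    r"(?::SSL alert number (?P<alert>\d+))?\)"
)
# nginx's own verdict on a client certificate when ssl_verify_client is on.
VERIFY_RE = re.compile(r"client SSL certificate verify error: \((?P<num>\d+):(?P<text>[^)]*)\)")


@dataclass
class HandshakeFailure:
    conn: int
    kind: str            # "peer_alert" or "client_cert_rejected"
    detail: str
    alert: Optional[int] = None


def parse_line(line: str) -> Optional[HandshakeFailure]:
    """Return a classified failure for a TLS-related log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    conn, msg = int(m.group("conn")), m.group("msg")
    a = ALERT_RE.search(msg)
    if a and a.group("alert"):
        num = int(a.group("alert"))
        name = TLS_ALERTS.get(num, "unknown_alert")
        return HandshakeFailure(conn, "peer_alert", f"{name} ({a.group('reason').strip()})", num)
    v = VERIFY_RE.search(msg)
    if v:
        return HandshakeFailure(conn, "client_cert_rejected", f"{v.group('num')}:{v.group('text')}")
    return None


def summarize(lines: List[str]) -> Tuple[List[HandshakeFailure], CounterT]:
    """Parse all lines and count failures by (kind, alert number)."""
    failures = [f for f in (parse_line(l) for l in lines) if f]
    return failures, Counter((f.kind, f.alert) for f in failures)


SAMPLE_LOG = [
    # Line quoted in the issue report above.
    "[info] 1146455#1146455: *32 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::"
    "sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking,",
    # Constructed: the peer did not trust the CA that signed the server certificate.
    "2024/01/01 12:00:01 [info] 1146455#1146455: *33 SSL_do_handshake() failed (SSL: error:0A000418:"
    "SSL routines::tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 10.0.0.6",
    # Constructed: nginx itself rejected the client certificate.
    "2024/01/01 12:00:02 [info] 1146455#1146455: *34 client SSL certificate verify error: "
    "(19:self-signed certificate in certificate chain) while reading client request headers, client: 10.0.0.7",
    # Constructed: unrelated error, ignored by the parser.
    "2024/01/01 12:00:03 [error] 1146455#1146455: *35 open() \"/var/www/x\" failed (2: No such file or directory)",
]

if __name__ == "__main__":
    failures, counts = summarize(SAMPLE_LOG)
    for f in failures:
        print(f"conn {f.conn}: {f.kind} -> {f.detail}")
    print(dict(counts))
```

A run of "peer_alert" entries with 46 or 48 points at the trust store on the connecting device (the server certificate or its chain is not trusted there), whereas "client_cert_rejected" entries point at the ssl_client_certificate CA bundle and ssl_verify_client setting on the nginx side.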

brian7704 commented 4 days ago

I'm guessing that error is from the server with the self-signed cert. Have you loaded truststore-root.p12 into ATAK in the server config?

v12venator commented 4 days ago

The behavior was observed with both the self-signed and Let's Encrypt servers.

I loaded the p12 file into the truststore slot when configuring and enrolling the device with both servers, since the CA certificates were used for generating client authentication certificates. I also loaded the self-signed CA public certificate into the Android system store for the server without Let's Encrypt certificates.

I also set up a third and fourth Ubuntu and Ubuntu Server installation separately with self-signed certificates, and the issue was not observed on those systems.

I suspect that the root cause is a bug with the Debian-provided version of nginx, where the ssl_client_certificate directive in the ots_https config file is not truly honored. I will be attempting to replace the Debian version with the Nginx-provided mainline and stable versions to see if the issue persists or is resolved.

v12venator commented 3 days ago

I was able to test both the mainline and stable versions of Nginx on Debian 12, and the behavior was observed with both versions from the Nginx repository for the software.

brian7704 commented 3 days ago

Can you post your nginx configs?

v12venator commented 2 days ago

My apologies for misunderstanding; I was not using the config bundle to enroll the device, I was entering all of the info manually to connect to the server.

The relevant configs are attached: ots_https.txt, ots_certificate_enrollment.txt

I reviewed the example docs on the io site, and I don't see any discrepancies with the attached configs, aside from the cert locations, but the OTS directory is owned by the unprivileged user that was used to install the server.

I also installed the CA public certificate to the Debian system trust store with dpkg-reconfigure to see if that would fix the unknown CA error codes that the NGINX server was reporting, but that did not make any difference after import.