flomesh-io / ztm

ZTM (Zero Trust Mesh) is a privacy-first open-source decentralized network software based on HTTP/2 tunnels. Experience boundless connectivity and mesh the globe!
Apache License 2.0

rsa routines::padding check failed #31

Closed ChaiByte closed 3 months ago

ChaiByte commented 3 months ago

Update: just because RSA mismatched, please stop ca and hub, then restart from the beginning.

For Chinese readers:

If this error appears, it basically means the public key and the private key pair did not match; you probably did not reconfigure correctly...

While following the tutorial I misconfigured the hub's public IP, and assumed I only needed to re-run the start ca and start hub commands and then re-run invite with the correct IP address. In reality the contents had probably already been written into the local db? I hope the developers can provide more details (interestingly, I had already deleted the local db files and it still had no effect). What I did on the Hub side was:

rm -r /root/data/ztm/*  # I keep the db and json here by default
ps aux | grep /root/opt/bin/ztm
sudo pkill -f /root/opt/bin/ztm # did not work
ztm stop ca
ztm stop hub

The whole configuration process feels a bit like crossing the river by feeling for stones: there is very little output, so one worries that a single wrong step means starting over. For example, if I repeatedly run the same start ca / start hub commands, what actually happens? Does it spawn an unkillable resident background process like a system service, or something else... It would be nice to have commands like status ca / status hub.


Original issue:

ztm version: github released prebuilt v0.0.3

Followed the instructions in the readme file and got an undefined error:

$ ztm run agent --listen 127.0.0.1:7777 --database ~/data/ztm/agent.db
2024-06-19 22:17:44.985 [INF] [listener] Listening on TCP port 7777 at 127.0.0.1
2024-06-19 22:18:40.561 [INF] Joined chai-net as nas (uuid = 1a0cbba4-ff40-4264-995f-09abb3b0816f)
2024-06-19 22:18:40.586 [INF] Connected to hub x.x.x.x:8888
2024-06-19 22:18:40.614 [ERR] error:0200008A:rsa routines::invalid padding
error:02000072:rsa routines::padding check failed
error:1C880004:Provider routines::RSA lib
error:06880006:asn1 encoding routines::EVP lib
error:0A000086:SSL routines::certificate verify failed
2024-06-19 22:18:40.637 [ERR] Connection to hub x.x.x.x:8888 closed, error = undefined

How I set up the certificate on the endpoint (the json file was uploaded to the endpoint manually):

ztm join chai-net --as nas --permit ~/data/ztm/nas.json

What should I do to solve the problem?

Hub information

root@etch
---------
OS: Ubuntu 22.04.4 LTS x86_64
Host: Alibaba Cloud ECS pc-i440fx-2.1
Kernel: 5.15.0-107-generic
Uptime: 3 hours, 51 mins
Packages: 1012 (dpkg), 4 (snap)
Shell: bash 5.1.16
Resolution: 1024x768
Theme: Adwaita [GTK3]
Icons: Adwaita [GTK3]
Terminal: /dev/pts/1
CPU: Intel Xeon Platinum (2) @ 2.500GHz
GPU: 00:02.0 Cirrus Logic GD 5446
Memory: 357MiB / 1673MiB

Generated JSON content (I formatted it and removed my hub public IP):

{
    "ca": "-----BEGIN CERTIFICATE-----\nMIICoTCCAYkCFGfVAlr4KjUlKo4I3PWLETT10i+IMA0GCSqGSIb3DQEBCwUAMA0x\nCzAJBgNVBAMMAmNhMB4XDTI0MDYxOTE0MTYyMFoXDTI1MDYxOTE0MTYyMFowDTEL\nMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwjU+x\n3xBXejjXKc8p56YGSVc/9C5sjuTMMr0TWM0rocJ0b/R8AoHOEmG4qGTsHSGj5T4f\nIaxOCrivsaYl6uY4vdel+gqZkQ5z66rByDdXaS9PH+Nf9rUKuMwWC7wkNGSuO1RW\n0ipZwvk1qd4JiOxqCQ7J7t6WBk0e08aKlV+h3iDxpfy9GDTLwxe8Wz8CcK2YxWxi\nkXnNnc0CERxVuChdGRFZykf5Q1/tBPceeJthHEP6P1YNUnvyMHuHxvpBQQ4Q8aA9\nvfjxtyKO12ES/xbpah7On1z5sMYZEWmSX1sHyOTr/sjaKogOyWNFLE8eGC+d02XK\nRvtyhAcOhGeW+Hm9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAACQufpT6L1ETDCE\nyY+Y9msuDEA9fjv5ZYKOQBr8BjOZxK7trAW5gVba4Hw9K/7rZsACLiV5h4U8x70A\noHuY8SEfVxu9OpXbEOmBUo1qzGgcSvkforw1JbJ4ZTiCNM4jkTf+89MPxIU6t/ct\n5PveN//zwJnwQ/0rdQqgvSg4c1vqZJlFe76DzozFyJRHKd2xIr7fGANbqdFsf51J\nxEKDGa3BYw88cY2xSrf/dtA+5++Z4JUs3aqh/izbkl538oSYKiUPfW3APqbAdgKz\nM6Htw44fQJ/d+LhDsDZ7VKwXRBzpbvsazG1CGUo3GrxsneDca3D4O30lroPnRBUH\nWrarowU=\n-----END CERTIFICATE-----\n",
    "agent": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIICojCCAYoCFD/D9lGwR8UZI3F9HobkGN35orWUMA0GCSqGSIb3DQEBCwUAMA0x\nCzAJBgNVBAMMAmNhMB4XDTI0MDYxOTE0MTYzMVoXDTI1MDYxOTE0MTYzMVowDjEM\nMAoGA1UEAwwDbmFzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nM9\nFv+4TPp8xWFRz3EodgBfs4gXbvMNyO8wC6yAsq1eg8fzbOSBma9kIZASeY7XWG7O\n/uiMXO3l/1x0WIOtW1Emv29cKdGHu0bQ08y15AfpDbX/nWVwSZdHAne/LEgT3vCK\n/c6zlDMLZNio+y0PTXUzIKVDfclFp5GPN6P7Bt0zdH2CxYmYf34VtlO5OTwboC3D\nJN3t/cfxePi9nKNvLAlaM+tI9Vv7gzbECWR2oQh0877pY7hGuqa/TtN6280nhOM4\nD597vwUNBVeL3pAsbeaTsIQN+U5I7Dz39ieGFCwnCBiTF4cUNdVwc9vBnl0e+ASv\ni+6VyUP1ufGifwSeqwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCFUxOxPuxoY0GQ\na1go/qtbtxjLzOblmfwtsOxG9IU5X/KZ4mggx/YPmLhG3bPQgGo6shDupXUcbmHc\nvvPs863ICemKyV/1/jWXv7B8WstPeqFLt3Lp63w5c93hE9f7bMBqbyxrucmEe7oq\n4MbvvdfljhJEQQFdR8zLeWY2htUkBcCc0DF55QM/3ojSUqevHKkhl5bLmMltlnaT\n/3iydIo3MEfmBHcyl0Xw7SVVEmB+L8HC4ZFj8LFHo2LkETulCFa8HG5U7ApOII2g\ncT+FPRrFHuKxHwA7aeY8Sod3pqwL3reXbHahzFXvomUdaEYGaSO0GHp48cdRSc7M\n/eUB8wxZ\n-----END CERTIFICATE-----\n",
        "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWcz0W/7hM+nzF\nYVHPcSh2AF+ziBdu8w3I7zALrICyrV6Dx/Ns5IGZr2QhkBJ5jtdYbs7+6Ixc7eX/\nXHRYg61bUSa/b1wp0Ye7RtDTzLXkB+kNtf+dZXBJl0cCd78sSBPe8Ir9zrOUMwtk\n2Kj7LQ9NdTMgpUN9yUWnkY83o/sG3TN0fYLFiZh/fhW2U7k5PBugLcMk3e39x/F4\n+L2co28sCVoz60j1W/uDNsQJZHahCHTzvuljuEa6pr9O03rbzSeE4zgPn3u/BQ0F\nV4vekCxt5pOwhA35TkjsPPf2J4YULCcIGJMXhxQ11XBz28GeXR74BK+L7pXJQ/W5\n8aJ/BJ6rAgMBAAECggEAWzX/hUE1v9QIbqFCfSNJjMsC6WbYZLHPKqgFPOndgWG4\n4f8RG78jGl1djuLq4LXvBOd4djYtwTbUTOUjfSRgfwcInoK8ZfL/Mpnfpz4aHQd6\nSgEfW/AxrrM/mh6ZermbbgbMb0BT5BRD49w9HzwelpjjKp7wElehnzCLhCRkWBnE\n96e7J73qhUPD/904A65hRDPLj2zDrdCxI5EU3y7T6J4NsVwquES66M9WvIk8JoDd\nRalk43qEHO5RW5AqtLn6iYM8KmlI27vIftXkyyP4X1wFEuSmTD7C7CC13qC+ksLP\n5gJ/fwrR0ZQGTXvT9+wSrrzBGLTZfQmK8vzPzuFyyQKBgQDuw8ls+GzsUCETi42C\ngVr5cQSi2DVscPAMTg8rI5YL/o6EARu36d37XaFjVQQWIj1NW3P+Cg03ef5W07Nr\n5NFZ0ahciPpPxzpu6wK2qZleIYVlZOAcv2bV3VHbD0tgnzUVjqzR7hmqvdKPXR6G\nvKa3IsQO2aI+E5/3HbC1qyoK8wKBgQDl7iIwhbqBvBxDZmZHUJHAfjdU2TBrX+cL\nbjOh9sCNlK5XqpqXqHFnLpYOk9/eKHaw+CBbA+6AaM1FJ9zXvNZ+362WV2TUowyZ\nHDlsBHOgMjXyms8n7C8L6d5s2aXOpRcms0DvGZUBbbVNjCWBfaEX1lwVupP+m3Fh\nrZmOsIebaQKBgCyy0Imq9FFFKvwKuyI8bziVdOW7jjzP49CZ6HMOBXAXZrzFrFfA\n24LMY4NCDjLKlClgPpXHcfP5zaiZl1RSkPK8skUoi5vV01Wif26Mz550rhFuUhpv\npqPQ/BsDgPwEsh5oCGiAp6N0R+/44dcdiCRuyL9y9NGkQOU1VLid45ALAoGBANPP\nLsesKUdh1ldweT+wxNOica5D9Qq06c3p0r6c5HyIPqKbkpWqoez/SVRcfJnWhKA5\nsvSlBoxb/tx6AELsvltaCjq4fzYyjWRuT6dl4m3sUy4N1k9cj2pWIoP7a3aVNmJ8\nNpEL6+vI+H9bXyGObVvcKDAMFFEzOJtWpGKB1CohAoGBANJ6Y+JbObOA3evQ9EJG\ncUp3VLXyCYBoCRnOfM8Y6jmN+6u1xiS0rCUNOMg+XY1Yegw59tzylT2/RXMlz3Hd\nCkVQCiWobVWYc2VabkT0POSbj52Gb+3/gxNBm2LJs4S9851jvP2fP46oJSFbpTAk\nQX5PbZ4RehKdub+ccpDpOLnW\n-----END PRIVATE KEY-----\n"
    },
    "bootstraps": [
        "x.x.x.x:8888"
    ]
}

Endpoint Information

A Synology NAS

Linux DSM 4.4.302+ #69057 SMP Fri Jan 12 17:02:28 CST 2024 x86_64 GNU/Linux synology_geminilake_920+
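The failing checks in the log above ("padding check failed", "certificate verify failed") are what OpenSSL reports when the material in the permit file is internally inconsistent: either the agent private key does not belong to the agent certificate, or the agent certificate was not signed by the CA bundled in the same file (which is what happens when the CA is re-initialised after an invite was already issued). Below is an added Go diagnostic, not part of the issue or the ztm project, that a defender can run over a permit file before joining. It assumes only the JSON field names visible in the posted file (ca, agent.certificate, agent.privateKey, bootstraps); the CA and keys it checks are generated inline as constructed sample material, and the mismatched variants are constructed to reproduce both failure modes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Permit mirrors the field names of the permit JSON posted in the issue.
type Permit struct {
	CA    string `json:"ca"`
	Agent struct {
		Certificate string `json:"certificate"`
		PrivateKey  string `json:"privateKey"`
	} `json:"agent"`
	Bootstraps []string `json:"bootstraps"`
}

var (
	ErrKeyMismatch   = errors.New("agent private key does not match the agent certificate")
	ErrNotIssuedByCA = errors.New("agent certificate was not issued by the bundled CA")
)

func parseCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// parseKey expects the PKCS#8 "PRIVATE KEY" form used in the posted file.
func parseKey(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PKCS#8 PRIVATE KEY block found")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("private key is not RSA")
	}
	return rsaKey, nil
}

// CheckPermit reports the two inconsistencies that surface at join time:
// a key that does not belong to the certificate, and a certificate not
// chaining to the CA shipped in the same permit.
func CheckPermit(raw []byte) error {
	var p Permit
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("permit is not valid JSON: %w", err)
	}
	ca, err := parseCert(p.CA)
	if err != nil {
		return fmt.Errorf("ca: %w", err)
	}
	cert, err := parseCert(p.Agent.Certificate)
	if err != nil {
		return fmt.Errorf("agent certificate: %w", err)
	}
	key, err := parseKey(p.Agent.PrivateKey)
	if err != nil {
		return fmt.Errorf("agent private key: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return ErrKeyMismatch
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrNotIssuedByCA, err)
	}
	return nil
}

// Constructed sample material (not taken from the issue): a throwaway CA and agent.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func issueAgent(ca *x509.Certificate, caKey *rsa.PrivateKey, name string) (string, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), key
}

func keyPEM(key *rsa.PrivateKey) string {
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

func buildPermit(caText, certText, keyText string) []byte {
	var p Permit
	p.CA, p.Agent.Certificate, p.Agent.PrivateKey = caText, certText, keyText
	p.Bootstraps = []string{"x.x.x.x:8888"} // placeholder hub address, as in the issue
	raw, _ := json.Marshal(p)
	return raw
}

// Demo checks a consistent permit, one whose private key was swapped, and one
// whose CA was regenerated after the agent had already been invited.
func Demo() (good, wrongKey, wrongCA error) {
	ca, caKey, caText := newCA("ca")
	certText, agentKey := issueAgent(ca, caKey, "nas")
	_, strayKey := issueAgent(ca, caKey, "nas") // a key the certificate was never issued for
	_, _, newCAText := newCA("ca")              // a freshly re-initialised CA
	good = CheckPermit(buildPermit(caText, certText, keyPEM(agentKey)))
	wrongKey = CheckPermit(buildPermit(caText, certText, keyPEM(strayKey)))
	wrongCA = CheckPermit(buildPermit(newCAText, certText, keyPEM(agentKey)))
	return
}

func main() {
	good, wrongKey, wrongCA := Demo()
	fmt.Println("consistent permit:", good)
	fmt.Println("swapped key:      ", wrongKey)
	fmt.Println("re-initialised CA:", wrongCA)
}
```

To use it on a real permit, read the file and pass its bytes to CheckPermit; a non-nil result before running ztm join tells you which of the two things to regenerate (re-invite for a key mismatch, or a full CA/hub reset when the certificate no longer chains to the CA in the file).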

ChaiByte commented 3 months ago

I discovered an issue where if a user misconfigures the public server's IP and attempts to rerun the setup command with the correct IP from the beginning, it may not work as expected. I found that the following commands were necessary to return the system to its initial state:

rm -r /root/data/ztm/*  # I keep the db and json here by default
ps aux | grep /root/opt/bin/ztm
sudo pkill -f /root/opt/bin/ztm # did not work
ztm stop ca
ztm stop hub

Restart might also work? I'm not sure what happened in detail when I started CA and Hub.

It would be extremely helpful if the manual could instruct users to stop the CA and Hub when a misconfiguration is discovered. I initially thought that simply rerunning the start command would reconfigure everything, but it turns out that the processes were still running in the background. This clarification in the documentation would greatly assist users in troubleshooting their setup.

addozhang commented 3 months ago

@ChaiByte "if a user misconfigures the public server's IP and attempts to rerun the setup command with the correct IP from the beginning"

I think you must want to re-invite with the correct public server IP. If yes, you should run ztm evict XXX to evict the user first and re-run the ztm invite command.

If you want to start from the beginning, you should delete the db files of ca and hub, and restart them.

We will continue to improve the guide to cover this issue.

addozhang commented 3 months ago

@ChaiByte Append more here.

The ztm start command will init and start a system service. Then we can check the status with systemctl status xxx (it accepts ztm-ca, ztm-hub or ztm-agent). Similarly, systemctl restart is used to restart the service.

ChaiByte commented 3 months ago

@ChaiByte Append more here.

The ztm start command will init and start a system service. Then we can check the status with systemctl status xxx (it accepts ztm-ca, ztm-hub or ztm-agent). Similarly, systemctl restart is used to restart the service.

Thanks. I will close this issue soon.