htrefil / rkvm

Virtual KVM switch for Linux machines
MIT License

UnknownIssuer/UnknownCA TLS certificate errors #54

Closed xBelladonna closed 7 months ago

xBelladonna commented 8 months ago

I've been trying to set up a server and client with my own self-signed certificates as per the README and I can't seem to get the handshake to succeed. These are self-signed certificates that I use in other parts of my setup, and have the root CA installed on both the client and server I'm trying to use. These certificates work with other parts of my setup I use them with, but with rkvm I get the following errors:

Server:

 INFO connection{addr=192.168.1.246:36724}: rkvm_server::server: Connected
ERROR connection{addr=192.168.1.246:36724}: rkvm_server::server: Disconnected: received fatal alert: UnknownCA

Client:

 INFO rkvm_client::client: Connected to server
ERROR rkvm_client: Error: Network error: invalid peer certificate: UnknownIssuer

I've tried generating certificates with the included rkvm-certificate-gen tool but I still get the same errors on both the server and client. Here's what I'm doing to generate the certificates. Can someone spot anything obvious with what I'm doing wrong?

Server: rkvm-certificate-gen /etc/rkvm/certificate.pem /etc/rkvm/key.pem -d architect -i 192.168.0.45 -D 3650

Client: rkvm-certificate-gen /etc/rkvm/certificate.pem /etc/rkvm/key.pem -d birdmachine -i 192.168.1.246 -D 3650

Is there any way to specify a CA certificate as well as a server certificate? If the root CA being unrecognized is the problem then I'd think telling it which root CA to verify the certificate's signature with would work.

gclayburg commented 8 months ago

I just went through the install of this and got it to work. I thought I'd show you what worked for me.

$ rkvm-certificate-gen -d gary-XPS-13-9360 -D 36500 certstore/certificate.pem certstore/key.pem

You only need to do this certificate generation one time. The client needs to communicate with the server. So, just like setting up a TLS web server certificate, only the server needs to have the certificate and private key installed. The client only needs the matching certificate. The name I used, gary-XPS-13-9360, is the hostname of my laptop. This is what I'm calling my server because it has the keyboard and mouse I want to use for both machines. I didn't specify any IP address. You'll just need to make sure that you can ping your server from your client using the name you provide here.

Now you just need to copy these files to the /etc/rkvm directory. The server needs both files. The client needs only certificate.pem.

You'll also need to closely modify the client.toml file to match the hostname you generated in your certificate.

BTW, so far this rkvm is working great for me. So much better than synergy/barrier for sure.

htrefil commented 7 months ago

@gclayburg is right - you need to run the rkvm-certificate-gen tool only once. The generated certificate is shared across client machines (you need to point the rkvm client daemon to it in its config) while the key remains on the server.

The -d and/or -i options passed to rkvm-certificate-gen are meant to contain the server's DNS names and/or IP addresses.

I'm closing this issue. If it doesn't answer your question, feel free to reopen it.
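
The setup described in this thread, as an added example that is not part of the original issue and is not rkvm's code: two independently generated self-signed certificates do not verify against each other, while a client holding a copy of the server's own certificate verifies it for any name or IP address the certificate lists. Go's crypto/x509 verifier stands in for rkvm's TLS stack here (an assumption), `selfSigned` and `check` are hypothetical helpers, and the host names and addresses are the ones from the issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed certificate with dns and ip as SANs.
func selfSigned(dns, ip string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dns},
		DNSNames: []string{dns}, IPAddresses: []net.IP{net.ParseIP(ip)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check verifies the presented certificate against the single certificate the client holds.
func check(presented, pinned *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	server, err1 := selfSigned("architect", "192.168.0.45")
	other, err2 := selfSigned("birdmachine", "192.168.1.246")
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("client holds a different cert:", check(server, other, "architect"))
	fmt.Println("client holds the server cert: ", check(server, server, "architect"))
	fmt.Println("host not named in the cert:   ", check(server, server, "birdmachine"))
}
```

The first case is the counterpart of the UnknownIssuer/UnknownCA pair in the logs above; the third shows why the name in the client configuration has to be one the certificate was generated with.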