layeh / gumble

gumble is a Mumble client implementation in Go (golang)
https://pkg.go.dev/mod/layeh.com/gumble
Mozilla Public License 2.0

panic: x509: certificate is valid for Murmur Autogenerated Certificate v2, not <server_address> #4

Closed matthieugrieger closed 9 years ago

matthieugrieger commented 9 years ago

Hi,

I have begun to rewrite MumbleDJ using your new gumble library (I prefer Go over Lua), and I seem to be having connection issues whenever I try to connect to my server. I have tried both my password-protected Mumble server on an external machine, and an unprotected localhost server and got the same result. Both attempts to connect were executed on an Arch Linux machine.

I followed the start-up guide on your README for gumble; here is my code.

Here's the error message that I get (this one is for localhost, but it is identical to the message I would get for external servers):

panic: x509: certificate is valid for Murmur Autogenerated Certificate v2, not localhost

goroutine 16 [running]:
runtime.panic(0x666260, 0xc2081f23e0)
    /usr/lib/go/src/pkg/runtime/panic.c:279 +0xf5
main.main()
    /home/matthieu/programming/go/src/github.com/matthieugrieger/mumbledj/main.go:53 +0x36d

goroutine 19 [finalizer wait]:
runtime.park(0x4143a0, 0xa164e8, 0xa03e49)
    /usr/lib/go/src/pkg/runtime/proc.c:1369 +0x89
runtime.parkunlock(0xa164e8, 0xa03e49)
    /usr/lib/go/src/pkg/runtime/proc.c:1385 +0x3b
runfinq()
    /usr/lib/go/src/pkg/runtime/mgc0.c:2644 +0xcf
runtime.goexit()
    /usr/lib/go/src/pkg/runtime/proc.c:1445

goroutine 17 [syscall]:
runtime.goexit()
    /usr/lib/go/src/pkg/runtime/proc.c:1445

I have a feeling I may simply be missing something related to certificates, but I didn't really have to mess with those on piepan. Thanks!

ghost commented 9 years ago

The issue here is that the server certificate is not signed by anyone trusted, so you can either:

  1. Skip certificate checking entirely (not a good idea, but fine for testing):

         config.TLSConfig.InsecureSkipVerify = true

  2. Use a certificate that is signed by a CA that your machine trusts.
  3. Make the certificate trusted.

I was having some issues with solution 3, in that I was not able to get trusted, Murmur-generated certificates to be accepted. Additionally, any self-signed certificate that I created and set as trusted could not be used. The only way I managed to get it working was to (a) create a root certificate, then (b) create a new certificate that was signed by the first. After setting my root certificate as trusted, I was able to connect without issue.

matthieugrieger commented 9 years ago

Awesome, this is helpful. You can probably tell that I'm not too experienced with certificates.

Thanks!

Just to clarify, is this kind of what you did for your workaround for number 3? I haven't tried it quite yet, just wanted to confirm.

ghost commented 9 years ago

> Just to clarify, is this kind of what you did for your workaround for number 3? I haven't tried it quite yet, just wanted to confirm.

That looks about the same. The CA.pl tool may do it for you, but if it doesn't, remember to add the CA cert to your system.

matthieugrieger commented 9 years ago

Awesome, thanks for the help.

matthieugrieger commented 9 years ago

Hey, just one last quick question. What is different about gumble where it is required to set up a CA cert? Did piepan just skip certificate checking? I'm just asking because it would be a bit of a pain to ask those who use my bot to set up a certificate when they didn't have to do it previously. I'm thinking about just making it a command line option to skip cert checking when launching my bot.

Thanks!

ghost commented 9 years ago

> What is different about gumble where it is required to set up a CA cert? Did piepan just skip certificate checking?

That's correct; piepan didn't verify anything, which was very bad.

I have just added gumbleutil.CertificateLockFile which should make working with self-signed certificates less of a pain.

matthieugrieger commented 9 years ago

> I have just added gumbleutil.CertificateLockFile which should make working with self-signed certificates less of a pain.

Oh, awesome! I will definitely check this out.
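
Added example, not part of the thread and not gumble's own code: a Go `tls.Config` that pins one self-signed certificate by fingerprint, a middle ground between setting `InsecureSkipVerify = true` on its own and setting up a CA. The names `pinnedConfig`, `handshake` and `demo` are hypothetical, and httptest's built-in self-signed certificate stands in for the Murmur one.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pinnedConfig trusts exactly one certificate, identified by the SHA-256 of its
// DER bytes. InsecureSkipVerify turns off only the CA-chain and hostname checks;
// the callback still authenticates the server, unlike InsecureSkipVerify alone.
func pinnedConfig(pin [32]byte) *tls.Config {
	verify := func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 || sha256.Sum256(raw[0]) != pin {
			return fmt.Errorf("server certificate does not match pin %x", pin)
		}
		return nil
	}
	return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: verify}
}

// handshake dials addr with cfg and returns the TLS handshake error, if any.
func handshake(addr string, cfg *tls.Config) error {
	c, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		c.Close()
	}
	return err
}

// demo starts a loopback server with httptest's built-in self-signed certificate
// (a constructed stand-in for Murmur's) and tries three client configurations.
func demo() (unpinned, pinned, stale error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	pin := sha256.Sum256(srv.Certificate().Raw) // recorded once over a trusted path
	old := pin
	old[0] ^= 0xff // a pin that no longer matches what the server presents
	return handshake(addr, &tls.Config{}), handshake(addr, pinnedConfig(pin)),
		handshake(addr, pinnedConfig(old))
}

func main() {
	unpinned, pinned, stale := demo()
	fmt.Printf("default: %v\npinned: %v\nstale pin: %v\n", unpinned, pinned, stale)
}
```

A pin of this kind checks neither expiry nor hostname, so the stored fingerprint has to be replaced whenever the server certificate is regenerated. Go does not invoke `VerifyPeerCertificate` on resumed sessions, so leave `ClientSessionCache` unset or move the check to `VerifyConnection`.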