Closed jumaffre closed 5 years ago
Our CI and local build on machines supporting SGX currently fail, e.g.:
```
./cchost --enclave-file=./libsmallbankenc.so.signed --raft-election-timeout-ms=100 000 --raft-host=127.37.17.198 --raft-port=59176 --tls-host=127.37.17.198 --tls-pubhost=127.37.17.198 --tls-port=5745 8 --ledger-file=0.ledger --node-cert-file=0.pem --enclave-type=debug --log-level=info --quote-file=quote0.bin
[info]../src/host/main.cpp:245 - - Starting new node.
[info]../src/host/main.cpp:263 - - Created new node.
15:08:16:190698 tid(0x7fc841795740) (H)[ERROR]:OE_BUFFER_TOO_SMALL[../host/crypto/openssl/cert.c oe_cert_find_extension:991]
15:08:16:190715 tid(0x7fc841795740) (H)[ERROR]:OE_BUFFER_TOO_SMALL[../host/crypto/openssl/cert.c oe_cert_find_extension:991]
15:08:17:376146 tid(0x7fc841795740) (H)[ERROR]X509_verify_cert failed! error: (12) CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../host/crypto/openssl/cert.c oe_cert_verify:721]
15:08:17:376170 tid(0x7fc841795740) (H)[ERROR]oe_cer_verify failed with error = CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../common/sgx/revocation.c oe_enforce_revocation:248]
15:08:17:376174 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376176 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376177 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376179 tid(0x7fc841795740) (H)[ERROR]enforcing CRL (oe_result_t=(null))[OE_VERIFY_CRL_EXPIRED ../common/sgx/quote.c:5139712]
15:08:17:376183 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/key.c oe_public_key_free:314]
15:08:17:376185 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376187 tid(0x7fc841795740) (H)[ERROR]:OE_VERIFY_CRL_EXPIRED[../host/sgx/report.c oe_verify_report:315]
[fail]../src/host/enclave.h:154 - - Quote could not be verified: OE_VERIFY_CRL_EXPIRED
[fatal]../src/host/main.cpp:289 - - Verification of local node quote failed
terminate called after throwing an instance of 'std::logic_error'
  what(): Fatal: [fatal]../src/host/main.cpp:289 - - Verification of local node quote failed
```
See https://github.com/microsoft/openenclave/issues/1842 for further details.
The issue seems to have been in the az-dcap-client or further upstream caching the CA CRL for an incorrect amount of time.
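A triage sketch for the failure log in this issue, added here as an example and not part of the original thread or of the Open Enclave or CCF code: it pulls the first `OE_VERIFY_*` result out of the host-side error lines so a CI job can tell an expired-CRL rejection apart from the other errors logged around it. The function names are hypothetical and the sample is constructed from the log lines above with timestamps and thread ids trimmed.

```python
import re
from collections import Counter

# Constructed sample: lines from the failure log above, timestamps and thread ids trimmed.
SAMPLE_LOG = """\
(H)[ERROR]:OE_BUFFER_TOO_SMALL[../host/crypto/openssl/cert.c oe_cert_find_extension:991]
(H)[ERROR]X509_verify_cert failed! error: (12) CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../host/crypto/openssl/cert.c oe_cert_verify:721]
(H)[ERROR]oe_cer_verify failed with error = CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../common/sgx/revocation.c oe_enforce_revocation:248]
(H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
(H)[ERROR]:OE_VERIFY_CRL_EXPIRED[../host/sgx/report.c oe_verify_report:315]
[fail]../src/host/enclave.h:154 - - Quote could not be verified: OE_VERIFY_CRL_EXPIRED
"""

# Shape of a host-side error line: (H)[ERROR]<message>[<file> <function>:<line>]
ERROR_RE = re.compile(r"\(H\)\[ERROR\](?P<msg>.*)\[(?P<file>\S+) (?P<func>\w+):(?P<line>\d+)\]\s*$")
CODE_RE = re.compile(r"\bOE_[A-Z_]+\b")


def parse_errors(log_text):
    """Yield (result_code, file, function, line) for each host-side error line."""
    for raw in log_text.splitlines():
        m = ERROR_RE.search(raw)
        code = CODE_RE.search(m.group("msg")) if m else None
        if code:  # lines without a result code in the message are skipped
            yield code.group(0), m.group("file"), m.group("func"), int(m.group("line"))


def triage(log_text):
    """Separate the first OE_VERIFY_* result from the other errors logged around it."""
    verdict, origin, others = None, None, Counter()
    for code, file, func, line in parse_errors(log_text):
        if code.startswith("OE_VERIFY_"):
            if verdict is None:  # keep where the result was first raised
                verdict, origin = code, (file, func, line)
        else:
            others[code] += 1
    return {"verdict": verdict, "origin": origin, "other_codes": dict(others)}


def is_expired_crl_failure(log_text):
    """True when the first verification result in the log is an expired CRL."""
    return triage(log_text)["verdict"] == "OE_VERIFY_CRL_EXPIRED"
```
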