microsoft / onnx-server-openenclave

An Open Enclave port of the ONNX inference server with data encryption and attestation capabilities to enable confidential inference on Azure Confidential Computing.
MIT License

got CRL expiration error when launching client #3

Open wangsu502 opened 4 years ago

wangsu502 commented 4 years ago

Hi, I was trying to launch the onnx client and got the following error. It's on Ubuntu 18.04 and I've installed SGX SDK 2.11 and DCAP driver 1.8. Anything else I need to install? Thanks, Leo

leo@leo-Inspiron:~/onnx-server-openenclave$ python3 -m confonnx.main --url http://localhost:8888/ --enclave-hash bc07410d251920537a587ce41d11cd964efced5c0812defc90c7e1696723efd3 --enclave-model-hash-file model.hash --json-in input.json --json-out output.json --enclave-allow-debug
STEP 1: Establishing encrypted & attested connection with enclave
Sending request (0.1 KiB)
Received response after 31.9 ms (4.8 KiB)
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | X509_verify_cert failed! error: (12) CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../host/crypto/openssl/cert.c:_verify_cert:361]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_VERIFY_CRL_EXPIRED [../host/crypto/openssl/cert.c:oe_cert_verify:730]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | Failed to verify leaf certificate. OE_VERIFY_CRL_EXPIRED (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../common/sgx/collateral.c:oe_validate_revocation_list:323]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_INVALID_PARAMETER [../host/crypto/openssl/cert.c:oe_cert_free:574]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | Failed to validate revocation info. OE_VERIFY_CRL_EXPIRED (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../common/sgx/quote.c:oe_get_sgx_quote_validity:666]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | Failed to validate quote. OE_VERIFY_CRL_EXPIRED (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../common/sgx/quote.c:oe_verify_quote_with_sgx_endorsements:506]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_VERIFY_CRL_EXPIRED [../common/sgx/quote.c:oe_verify_sgx_quote:471]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_VERIFY_CRL_EXPIRED [../host/sgx/hostverify_report.c:oe_verify_remote_report:46]
ERROR: Enclave quote invalid
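The log above can be reduced to its originating failure and the call chain that propagated it. The script below is an added example, not part of the original post or of the onnx-server-openenclave project; the function names `parse_oe_log` and `triage` are hypothetical, the sample is five lines copied from the log above plus its final line, and treating the first logged error as the origin is an assumption based on the ordering seen in that log.

```python
import re

# Line layout as seen in the log above:
#   timestamp [(H)LEVEL] tid(0x...) | message [file:function:line]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[\((?P<side>[HE])\)(?P<level>\w+)\] tid\((?P<tid>0x[0-9a-f]+)\) \| "
    r"(?P<msg>.*?) \[(?P<file>[^\[\]:]+):(?P<func>\w+):(?P<line>\d+)\]$"
)
RESULT_RE = re.compile(r"\bOE_[A-Z0-9_]+\b")  # oe_result_t names such as OE_VERIFY_CRL_EXPIRED

# Sample input: lines copied from the issue's log (subset), not new data.
SAMPLE_LOG = """
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | X509_verify_cert failed! error: (12) CRL has expired (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../host/crypto/openssl/cert.c:_verify_cert:361]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | Failed to verify leaf certificate. OE_VERIFY_CRL_EXPIRED (oe_result_t=OE_VERIFY_CRL_EXPIRED) [../common/sgx/collateral.c:oe_validate_revocation_list:323]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_INVALID_PARAMETER [../host/crypto/openssl/cert.c:oe_cert_free:574]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_VERIFY_CRL_EXPIRED [../common/sgx/quote.c:oe_verify_sgx_quote:471]
2020-10-19T05:34:47.000000Z [(H)ERROR] tid(0x7f28601b1740) | :OE_VERIFY_CRL_EXPIRED [../host/sgx/hostverify_report.c:oe_verify_remote_report:46]
ERROR: Enclave quote invalid
"""

def parse_oe_log(text):
    """Return one dict per line in the layout above; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the client's own "ERROR: Enclave quote invalid"
        ev = m.groupdict()
        codes = RESULT_RE.findall(ev["msg"])
        ev["result"] = codes[-1] if codes else None
        events.append(ev)
    return events

def triage(events):
    """Assumption: errors are logged deepest call first, so the first one is the origin."""
    errors = [e for e in events if e["level"] == "ERROR" and e["result"]]
    if not errors:
        return None
    origin = errors[0]
    chain = [e["func"] for e in errors if e["result"] == origin["result"]]
    other = sorted({e["result"] for e in errors} - {origin["result"]})
    return {"result": origin["result"], "origin": f'{origin["file"]}:{origin["line"]}',
            "chain": chain, "other_results": other}

if __name__ == "__main__":
    print(triage(parse_oe_log(SAMPLE_LOG)))
```
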

letmaik commented 4 years ago

Sounds like you're not running this on Azure. At the moment we don't provide support/instructions for this scenario. If you figure it out feel free to submit a PR :) It's probably related to using the Azure DCAP Client in the server image vs. the Intel variant on the client host.

ad-l commented 4 years ago

Check that the error is solved with az-dcap-client (and your clock is set correctly). The underlying problem is likely that the Azure cache is lagging about one month behind Intel. You can try building the server to use the Intel DCAP following the instructions at https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/Contributors/NonAccMachineSGXLinuxGettingStarted.md

wangsu502 commented 4 years ago

Thank you, guys! @ad-l @letmaik