Server won't start when TLS configuration uses "WindowsLocalMachine" store

[wooti]

Observed behavior

I am using a certificate from the Windows Certificate Store (see also) in my TLS configuration. The certificate is stored in the Windows Local Machine certificate store.

port: 3333
http_port: 4444
tls: {
  cert_store: "WindowsLocalMachine"
  cert_match_by: "Subject"
  cert_match: "TestCertificate"
  verify: true
  timeout: 2
}
jetstream: enabled
jetstream: {
  max_memory_store: 1G
  max_file_store: 100G
}

The server refuses to start, with the following error:

nats-server: nats-streaming.conf:3:1: unable to open certificate store or store not available

Expected behavior

The server should load the specified certificate from the Local Machine store, and start successfully.

Server and client version

nats-server: v2.10.22

Host environment

Windows 10, AMD64

Steps to reproduce

This problem goes away if I use the WindowsCurrentUser store, or if I run nats-server.exe in admin mode. Unfortunately corporate policy does not allow either of these workarounds.

Note: This does not seem to be a permissions issue, as there are other applications running in the same (non-administrative) context which can access the Local Machine certificate store. It seems to be an issue with the way NATS attempts access.

[neilalexander]

Can you please try commit 14351d1 from the neil/certstorero branch and let me know if that fixes the problem?

[wooti]

I don't have a development environment configured - is there a place I grab a binary for this change?

[neilalexander]

Yep, try this: https://binaries.nats.dev/binary/github.com/nats-io/nats-server/v2?os=windows&arch=amd64&version= 14351d1

It should spit out an .exe file for that commit after a brief wait, but you might need to rename the file to pop the .exe on the end.

[wooti]

Amazing, thank you. I can confirm it starts successfully now ☺

[neilalexander]

Thanks for confirming, have raised the PR!