openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

how to resolve "tlsv1 alert unknown ca" #240

Closed huang8235 closed 1 year ago

huang8235 commented 1 year ago

"tlsv1 alert unknown ca" occurred during the SSL handshake. How do I resolve this problem? My cert is a self-signed cert.

Anjaliintel-21 commented 1 year ago

Can you please mention the use case? Are you trying to use curl? Please add more details about the issue.

edtanous commented 1 year ago

No response from submitter; lack of details provided, and bug doesn't follow the bug template. Minimal info provided looks like a certificate mismatch issue, not a bug in OpenBMC. Closing.

AlexD202 commented 1 year ago

I have the same issue. I am not able to connect to the GUI or use REST API calls.

I created the ticket under openbmc, but no one is answering there.

Note on Bugs

I am trying to access the BMC module using the web and REST API, but both of them don't seem to be working for me. I checked out the code and followed steps to build the image for BMC. Loaded the image onto BMC. I can ping and ssh into the BMC from the host, but I am not able to open its page using https://BMC_IP (I get unauthorized message). I am also unable to use curl to log into the BMC:

    HOST# export bmc=x.x.x.x
    HOST# curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST https://${bmc}/login -d "{\"data\": [ \"root\", \"0penBmc\" ] }"
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to x.x.x.x:443

Unexpected behavior you saw

Webpage shows as unauthorized and nothing shows up. curl shows SSL_ERROR_ZERO_RETURN when trying to use REST API calls.

Expected behavior

To be able to use web and REST API to configure the module

To Reproduce

1. Checkout the code and follow the steps to build an image for ast2500
2. Load the image on to the BMC module
3. Access the webpage by going to https://BMC_IP

OpenBMC Information:

    root@evb-ast2500:~# cat /etc/os-release
    ID=openbmc-phosphor
    NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
    VERSION="2.14.0-dev"
    VERSION_ID=2.14.0-dev-1020-g18caa9759-dirty
    VERSION_CODENAME="langdale"
    PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.14.0-dev"
    BUILD_ID="20230510214217"
    OPENBMC_TARGET_MACHINE="evb-ast2500"
    EXTENDED_VERSION="2.14.0-dev-1020-g18caa9759-dirty"

    root@evb-ast2500:~# uname -a
    Linux evb-ast2500 6.1.15-580639a-dirty-914a4fb #1 Thu Apr 6 00:55:09 UTC 2023 armv6l GNU/Linux

Additional context

    root@evb-ast2500:~# ps | grep bmcweb
    177 root 13008 S /usr/bin/bmcweb
    184 root 12148 S /usr/bin/phosphor-certificate-manager --endpoint ldap --path /etc/ssl/certs/authority --type authority --unit bmcweb.service
    185 root 12392 S /usr/bin/phosphor-certificate-manager --endpoint https --path /etc/ssl/certs/https/server.pem --type server --unit bmcweb.serv
    2645 root 2924 S grep bmcweb

    root@evb-ast2500:~# systemctl status bmcweb
    bmcweb.service - Start bmcweb server
    Loaded: loaded (/lib/systemd/system/bmcweb.service; enabled; preset: enabled)
    Active: active (running) since Thu 2023-03-09 08:29:15 UTC; 1 day 23h ago
    TriggeredBy: * bmcweb.socket
    Process: 1504 ExecReload=kill -s HUP $MAINPID (code=exited, status=0/SUCCESS)
    Main PID: 177 (bmcweb)
    CPU: 6.325s
    CGroup: /system.slice/bmcweb.service
    `-177 /usr/bin/bmcweb

    Mar 10 09:12:20 BMC bmcweb[177]: Generating EC key
    Mar 10 09:12:20 BMC bmcweb[177]: Generating x509 Certificate
    Mar 10 09:12:20 BMC systemd[1]: Reloading Start bmcweb server...
    Mar 10 09:12:20 BMC systemd[1]: Reloaded Start bmcweb server.
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Checking certs in file /etc/ssl/certs/https/server.pem
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating new keys
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating EC key
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating x509 Certificate
    Mar 10 09:13:38 evb-ast2500 systemd[1]: Reloading Start bmcweb server...
    Mar 10 09:13:38 evb-ast2500 systemd[1]: Reloaded Start bmcweb server.

    root@evb-ast2500:~# journalctl -u bmcweb
    Mar 09 08:29:15 evb-ast2500 systemd[1]: Started Start bmcweb server.
    Mar 10 04:40:30 evb-ast2500 bmcweb[177]: pam_tally2(webserver:auth): pam_get_uid; no such user
    Mar 10 04:40:30 evb-ast2500 bmcweb[177]: pam_unix(webserver:auth): check pass; user unknown
    Mar 10 04:40:30 evb-ast2500 bmcweb[177]: pam_unix(webserver:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Mar 10 04:40:30 evb-ast2500 bmcweb[177]: pam_ldap(webserver:auth): error opening connection to nslcd: No such file or directory
    Mar 10 04:41:24 evb-ast2500 bmcweb[177]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "root"
    Mar 10 04:42:05 evb-ast2500 bmcweb[177]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "root"
    Mar 10 04:42:46 evb-ast2500 bmcweb[177]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "root"
    Mar 10 05:05:49 evb-ast2500 bmcweb[177]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "root"
    Mar 10 05:06:45 evb-ast2500 bmcweb[177]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "root"
    Mar 10 09:12:20 BMC bmcweb[177]: Checking certs in file /etc/ssl/certs/https/server.pem
    Mar 10 09:12:20 BMC bmcweb[177]: Generating new keys
    Mar 10 09:12:20 BMC bmcweb[177]: Generating EC key
    Mar 10 09:12:20 BMC bmcweb[177]: Generating x509 Certificate
    Mar 10 09:12:20 BMC systemd[1]: Reloading Start bmcweb server...
    Mar 10 09:12:20 BMC systemd[1]: Reloaded Start bmcweb server.
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Checking certs in file /etc/ssl/certs/https/server.pem
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating new keys
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating EC key
    Mar 10 09:13:38 evb-ast2500 bmcweb[177]: Generating x509 Certificate
    Mar 10 09:13:38 evb-ast2500 systemd[1]: Reloading Start bmcweb server...
    Mar 10 09:13:38 evb-ast2500 systemd[1]: Reloaded Start bmcweb server.
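
An added example, not part of the thread or of bmcweb's code: what "unknown ca" means for a self-signed certificate, and why a copy of the certificate saved earlier stops verifying once the journal shows "Generating x509 Certificate" again. The helper names and the `bmc.example` subject are assumptions, and every certificate is generated locally with the `openssl` CLI.

```sh
#!/bin/sh
# Added example: every certificate is generated locally; no BMC is contacted.

# new_selfsigned DIR NAME: EC key plus self-signed certificate, standing in for
# the journal's "Generating EC key" / "Generating x509 Certificate" steps.
new_selfsigned() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -subj "/CN=bmc.example" \
        -days 30 -out "$1/$2.pem" 2>/dev/null
}

# chains_to ANCHOR CERT: true if CERT verifies with ANCHOR added as a trust
# anchor. An empty ANCHOR models a client that was never given the certificate.
chains_to() {
    if [ -n "$1" ]; then openssl verify -CAfile "$1" "$2"
    else openssl verify "$2"; fi >/dev/null 2>&1
}

sha256_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# classify PINNED PRESENTED: verdict of a client that trusts PINNED when the
# server presents PRESENTED.
classify() {
    if chains_to "$1" "$2"; then echo trusted
    elif [ -n "$1" ] && [ "$(sha256_fp "$1")" != "$(sha256_fp "$2")" ]; then
        echo stale_pin     # verification fails: pinned copy predates a regeneration
    else echo unknown_ca   # no usable anchor: the verifying peer alerts "unknown ca"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    new_selfsigned "$d" before && new_selfsigned "$d" after || return 1
    echo "no pin, current cert:      $(classify "" "$d/after.pem")"
    echo "old pin, current cert:     $(classify "$d/before.pem" "$d/after.pem")"
    echo "current pin, current cert: $(classify "$d/after.pem" "$d/after.pem")"
    rm -rf "$d"
}
demo
```

To run the same comparison against a real endpoint, save the certificate it presents with `openssl s_client -connect "${bmc}:443" </dev/null | openssl x509 -out presented.pem` and pass that file as PRESENTED.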