sony / nmos-cpp

An NMOS (Networked Media Open Specifications) Registry and Node in C++ (IS-04, IS-05)
Apache License 2.0

Invalid or empty TLS context supplied: BCP-003-01 implementation guidance #236

Open ds1k99 opened 2 years ago

ds1k99 commented 2 years ago

I'm trying to secure the registry in a dev environment; however, I have yet to find a method of getting the registry to successfully open HTTPS on the server with locally generated certs/keys. The root cert for the dev CA is installed in the local devices' trusted certificate stores. Local browsers confirm the certificate is recognised and active. I'm then using openssl to generate the cert and private key for the server. The CSR references the FQDN for the server. I installed the key/cert on an Apache server to test their validity and they worked as expected. I have no doubt this is operator error and not a bug; however, I'm at a loss as to where the problem is.

Is anyone able to provide any guidance/experience on how HTTPS has been successfully deployed with this library, specifically the process of key/cert generation? The registry config.json is clear on how to present the config at launch, so I can't see that being the problem.

I'm using the dockerised implementation from NVIDIA. Having read through their Dockerfiles, I am relatively confident nothing in the containerisation process would interfere. I've attached the log from that; it includes the configuration that is being passed at launch.

dockernmos.log

garethsb commented 2 years ago

Hi Dave.

Sorry you're having trouble. The GitHub Actions always run and test the Node and Registry in secure mode. The testing script is here: https://github.com/sony/nmos-cpp/blob/master/Sandbox/run_nmos_testing.sh

Can you compare your certificate and config set up with that?

ds1k99 commented 2 years ago

Thanks Gareth; as suspected, operator error.

Thanks for steering me in the right direction; generateCerts from nmos-testing helped me figure it out. I was generating the certs and key from a remote machine and deploying them to several servers using Ansible. I haven't quite figured out why, but there is a permissions issue with the cert and key causing the library trouble loading them. Out of interest, do you check for open permissions on private keys?

I've changed the automation to clone the CA and generateCerts file from nmos-testing directly into the containers and generate from there; it's working as expected now. Cheers for the quick response.
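The root cause above was a file permissions problem that only surfaced as a TLS context failure at launch. The following preflight check is an added example, not part of nmos-cpp or nmos-testing: it inspects the private key's mode and readability and then tries to build a server TLS context from the cert/key pair the same way a TLS server would, so a mis-copied or mismatched key is reported before the registry is started. The file paths and the placeholder PEM content in `constructed_fixture` are constructed for the demonstration.

```python
import os
import ssl
import stat
import tempfile

def key_file_problems(path):
    """Return problems found with a private-key file; empty list means it looks fine.
    A server process needs the file to exist, be readable by its own uid, and
    (as a hygiene rule) not be readable by group/other, i.e. mode 0600 or 0400."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if not os.access(path, os.R_OK):
        problems.append("not readable by uid %d (owner uid %d)" % (os.getuid(), st.st_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %s allows group/other access" % oct(stat.S_IMODE(st.st_mode)))
    return problems

def try_load_tls_context(cert_path, key_path):
    """Build a server-side TLS context from the pair, as the registry would at startup.
    load_cert_chain fails if either PEM is unreadable or unparsable, or if the
    private key does not match the certificate. Returns (True, 'ok') or (False, reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (OSError, ssl.SSLError) as exc:  # SSLError is an OSError subclass; listed for clarity
        return False, str(exc)
    return True, "ok"

def preflight(cert_path, key_path):
    """Run both checks; returns a list of findings, empty when the pair is ready to deploy."""
    findings = ["key: " + p for p in key_file_problems(key_path)]
    ok, reason = try_load_tls_context(cert_path, key_path)
    if not ok:
        findings.append("tls: " + reason)
    return findings

def constructed_fixture():
    """Constructed sample input (not real credentials): a bogus cert and a world-readable
    bogus key, so both failure modes can be exercised offline."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "server.crt"), os.path.join(d, "server.key")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nnot a real certificate\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nnot a real key\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # deliberately too open: group and other can read the key
    return cert, key

if __name__ == "__main__":
    import sys
    cert, key = sys.argv[1:3] if len(sys.argv) == 3 else constructed_fixture()
    for line in preflight(cert, key) or ["ready"]:
        print(line)
```

Run it as `python preflight.py server.crt server.key` under the same uid the registry container runs as, since readability depends on who asks.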