thin-edge / thin-edge.io

The open edge framework for lightweight IoT devices
https://thin-edge.io
Apache License 2.0

Debian C8Y connection error: CertNotValidForName #1886

Closed jhoo-sag closed 1 year ago

jhoo-sag commented 1 year ago

Describe the bug

Following the "getting started" instructions is successful all the way up until 'sudo tedge connect c8y' where the device throws an error:

WARN rustls::conn: Sending fatal alert BadCertificate ERROR: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: CertNotValidForName") } Error: failed to connect Cumulocity cloud. Caused by: Connection check failed

Same process that has worked for me on Ubuntu 22.04 and 20.04 is failing on this Debian installation with this SIMATIC IoT 2050 device. Seems like a common rust issue, but not sure what is causing it.


To Reproduce

Just following the "Getting Started" guide to install Thin Edge and generate the self signed cert

Environment (please complete the following information):

reubenmiller commented 1 year ago

@jhoo-sag this is related to #1678.

Currently thin-edge.io does not read by default the operating system (OS) wide CA (certificate authority) trust store (e.g. the list of certificates that the operating system should trust). We are looking to change this to trust the default OS CA store by default to make it easier to debug (since thin-edge.io does not operate in isolation).

Though assuming the root and intermediate certificates are already trusted by your operating system, then you can direct thin-edge.io to use the OS trusted store by executing the following command:

sudo tedge config set c8y.root.cert.path /etc/ssl/certs/ca-certificates.crt

If you are still having problems, then it is most likely that you need to import the missing root and intermediate certificate into your OS truststore first, then you can try again.

reubenmiller commented 1 year ago

Good news @jhoo-sag, the thin-edge.io components now use the operating system CA store by default. We're hoping this makes the behaviour more predictable for users.

So for example as long as the server's certificates have been added to the OS's CA store then you should be good to go.

Below is an example of adding the common Let's Encrypt root and intermediate certificates into the cert store (via update-ca-certificates in Debian).

# Download certs (-f: fail on HTTP errors instead of writing an error page into the .crt file; -L: follow redirects)
curl -fsSL https://letsencrypt.org/certs/isrgrootx1.pem | sudo tee /usr/local/share/ca-certificates/ISRGRootX1.crt
curl -fsSL https://letsencrypt.org/certs/lets-encrypt-r3.pem | sudo tee /usr/local/share/ca-certificates/lets-encrypt-r3.crt

# Regenerate cert store (e.g. /etc/ssl/certs/ca-certificates.crt)
sudo update-ca-certificates

Afterwards you can verify if a server's certificate is trusted or not via a simple curl request (assuming your server supports https), as curl will also use the OS's CA store by default.

curl https://myserver.example.com

How can I try it out?

You can install the latest thin-edge.io pre-release version from our public Debian repository. Instructions can be found here.

jhoo-sag commented 1 year ago

Thanks @reubenmiller - We tried this out with tedge 0.10.0-122-g6b132f32 but no luck so far. The C8Y tenant is hosted on us.cumulocity.com but uses a custom domain with 'USERTrust RSA Certification Authority --> Network Solutions OV Server CA 2' as its root and intermediate certs. Those should be publicly trusted, so I don't know why it would have an issue, but I tried downloading them anyways with your instructions. Still the same error.

I should add that I can connect with no problem to a normal tenant, but not to the one with a custom domain.

reubenmiller commented 1 year ago

@jhoo-sag Thanks for the feedback. We'll continue investigating the issue:

But currently the status is as follows:

2023-04-11T22:08:54.752314116Z  WARN rustls::conn: Sending fatal alert BadCertificate
ERROR: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: CertNotValidForName") }
Error: failed to connect Cumulocity cloud.

Caused by:
    Connection check failed

reubenmiller commented 1 year ago

Closing as it should be fixed now in the pre-release version or in the upcoming 0.11.0 release. Please open the ticket again if you experience the same error after updating.