Closed adrianogaibotti closed 5 months ago
Hi @adrianogaibotti - First, I suggest you use the mozzila_trust_anchors.pem certificate bundle to connect to the Demo environment (ACV_CA_FILE env var)
Next, ensure your ACV_TOTP_SEED environment variable is set and contains the TOTP seed string value (not the reference/pointer to the totp file).
Finally, see if you can first use libacvp to connect to this endpoint to test connectivity and authentication. This will list out all of the algorithms supported by the environment if it is successful:
acvp_app --get /acvp/v1/algorithms
Thanks @jarnold01 for the prompt feedback. Unfortunately, changing the trust anchor doesn't solve the issue. The ACV_TOTP_SEED variable contains the seed string value (I tried with and without double quotes wrapping, but the result is always the same).
./app/acvp_app --get /acvp/v1/algorithms --disable_fips
***********************************************************************************
* WARNING: You have chosen to not fetch the FIPS provider for this run. Any tests *
* created or performed during this run MUST NOT have any validation requested *
* on it unless the FIPS provider is exclusively loaded or enabled by default in *
* your configuration. Proceed at your own risk. Continuing in 5 seconds... *
***********************************************************************************
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE: certs/mozzila_trust_anchors.pem
ACV_CERT_FILE: certs/xxx_Demo.cer
ACV_KEY_FILE: certs/xxx_private.key
[ACVP]: Logging in...
[ACVP][ERROR]: 403 error received from server. Message:
[ACVP][ERROR]: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
Best regards, Adriano
Hi Adriano, some more things to try:
Usually, TOTP issues would present a different error, so I wouldn't worry too much about that for this specific error.
Thanks, Andrew
Thanks for chiming in @abkarcher ; much appreciated.
@adrianogaibotti Please give it another try. I noticed a small issue with your user account entry that I fixed, and that may well have been the issue impacting your ability to authenticate. Thanks.
Hi @jarnold01, I tried again but I still continue to have the same error. Please let me know if I need to generate a new certificate request.
BR, Adriano
Hmm okay @adrianogaibotti - please try accessing the demo server again, and reply back with the date/time stamp of your attempt so that I can check the server logs and see if I can determine what is happening. Something like:
date; ./app/acvp_app --verbose --get /acvp/v1/algorithms
Thanks again for the support :). Below is the output of the command (P.S. I'm disabling the FIPS check just as a first test, but I don't think the issue depends on that. Or at least I hope :))
date; ./app/acvp_app --verbose --get /acvp/v1/algorithms --disable_fips
Mon Apr 22 02:03:01 PM CEST 2024
***********************************************************************************
* WARNING: You have chosen to not fetch the FIPS provider for this run. Any tests *
* created or performed during this run MUST NOT have any validation requested *
* on it unless the FIPS provider is exclusively loaded or enabled by default in *
* your configuration. Proceed at your own risk. Continuing in 5 seconds... *
***********************************************************************************
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE: /local/home/gaibotta/acvp/libacvp/certs/mozzila_trust_anchors.pem
ACV_CERT_FILE: /local/home/gaibotta/acvp/libacvp/certs/ST_Adriano_Gaibotti_Demo.cer
ACV_KEY_FILE: /local/home/gaibotta/acvp/libacvp/certs/ST_Adriano_Gaibotti_private.key
[ACVP]: HTTP User-Agent: libacvp/2.1.0;Linux;6.5.0-26-generic;x86_64;Intel(R) Xeon(R) w5-3425;GCC/11.4.0
[ACVP]: Logging in...
[ACVP]: POST Login...
Status: 403
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved
[ACVP][ERROR]: 403 error received from server. Message:
[ACVP][ERROR]: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
I'm seeing the HTTP error 403.7 in the server logs. Usually when I see this error, it is typically because of an outbound enterprise proxy that is disassembling the outbound TLS traffic, inspecting it, and when it is reassembled, it uses the proxy's TLS certificate, which is the certificate that gets presented to the server. The server would, of course, reject this certificate since we have no knowledge of it.
Assuming this is the case, I would ask that if you are operating from within a corporate network environment, that you confirm with your network IT group that such an outbound proxy is in place, and if so, request that your test platform IP address be excepted from the outbound proxy so that the traffic may pass through untouched.
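The proxy hypothesis above can be checked from the client side before involving IT, because the interception leaves a fingerprint: the certificate the client actually receives is issued by the proxy's CA rather than a public CA, so it does not chain to the Mozilla bundle passed via ACV_CA_FILE. (IIS substatus 403.7 is "client certificate required", consistent with the server never seeing the real client certificate.) The script below is an added example written for this page, not part of libacvp or the ACVP server; it parses the text that `openssl s_client` prints and classifies the handshake. The three sample transcripts are constructed and abbreviated, and the "Example Public CA" / "Example Corp TLS Inspection CA" names are placeholders, not real issuers.

```shell
#!/bin/sh
# Added example (not libacvp code): tell a TLS-inspection proxy apart from a
# genuine client-certificate problem by reading what openssl s_client prints.
#
# Real-world use, with the same files acvp_app uses:
#   openssl s_client -connect demo.acvts.nist.gov:443 \
#       -servername demo.acvts.nist.gov \
#       -CAfile certs/mozzila_trust_anchors.pem \
#       -cert certs/xxx_Demo.cer -key certs/xxx_private.key </dev/null 2>&1 \
#     | classify_handshake
#
# Two lines carry the diagnosis:
#   issuer=...                -> who signed the certificate the CLIENT received
#   Verify return code: N ... -> does that certificate chain to the CA bundle?

# Print one word: DIRECT, INTERCEPTED_OR_UNTRUSTED, or NO_HANDSHAKE.
verdict() {
    out=$(cat)
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo NO_HANDSHAKE              # TLS never completed (port/firewall)
    elif [ "$code" = 0 ]; then
        echo DIRECT                    # chains to the bundle we supplied
    else
        echo INTERCEPTED_OR_UNTRUSTED  # signed by something not in the bundle
    fi
}

# Print the issuer of the server certificate as seen by the client.
server_issuer() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Human-readable wrapper; exit status mirrors the verdict.
classify_handshake() {
    out=$(cat)
    v=$(printf '%s\n' "$out" | verdict)
    iss=$(printf '%s\n' "$out" | server_issuer)
    case "$v" in
        DIRECT)
            echo "DIRECT: issuer '$iss' chains to the CA bundle; your client cert reaches the server unmodified"
            return 0 ;;
        INTERCEPTED_OR_UNTRUSTED)
            echo "INTERCEPTED_OR_UNTRUSTED: issuer '$iss' is not in the CA bundle; an outbound TLS proxy is most likely re-signing the connection (ask for a proxy bypass for this host)"
            return 2 ;;
        *)
            echo "NO_HANDSHAKE: no 'Verify return code' line; check ACV_SERVER/ACV_PORT and firewall rules"
            return 3 ;;
    esac
}

# Constructed sample transcripts (abbreviated; issuer names are placeholders).
SAMPLE_DIRECT=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = demo.acvts.nist.gov
verify return:1
subject=CN = demo.acvts.nist.gov
issuer=C = US, O = Example Public CA, CN = Example Public Issuing CA
Verify return code: 0 (ok)
EOF
)
SAMPLE_PROXY=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = demo.acvts.nist.gov
verify error:num=21:unable to verify the first certificate
subject=CN = demo.acvts.nist.gov
issuer=O = Example Corp, CN = Example Corp TLS Inspection CA
Verify return code: 21 (unable to verify the first certificate)
EOF
)
SAMPLE_NOCONN=$(cat <<'EOF'
connect: Connection refused
connect:errno=111
EOF
)

# Demo run over the constructed samples (exit codes deliberately ignored here).
for s in "$SAMPLE_DIRECT" "$SAMPLE_PROXY" "$SAMPLE_NOCONN"; do
    printf '%s\n' "$s" | classify_handshake || true
done
```

The check only means something when `-CAfile` points at the same public bundle acvp_app uses (the Mozilla anchors): if the corporate proxy's CA has been pushed into the system trust store, `openssl s_client` with the default store would report verify code 0 and hide the interception. A DIRECT verdict with a proxy-looking issuer therefore deserves a second look at which bundle was actually loaded.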
Thank you @jarnold01 for the immediate feedback. Indeed, we are inside a corporate network with a corporate certificate. I'm contacting our IT department to understand how to get the exception.
You're welcome @adrianogaibotti . I'm going to close this issue, but feel free to re-open it (or just email me directly) if you continue having access issues once the corporate proxy situation has been resolved.
May I suggest putting this information/troubleshooting regarding outbound proxies in the README page in github. It may be tortuous to find out without prior experience. :)
On Tue, Apr 23, 2024 at 10:29 AM Jason Arnold wrote:
> You're welcome @adrianogaibotti. I'm going to close this issue, but feel free to re-open it (or just email me directly) if you continue having access issues once the corporate proxy situation has been resolved.
I just received the signed certificate and TOTP for accessing the demo server. After compiling libacvp and setting up the needed environment variables, I tried to launch a request, but the server refused my access request. I'm providing the command I gave and the resulting output:
Best regards