
Generate TLS files for docker compose failed

Open hqsh opened this issue 2 years ago • 7 comments

**What deployment mode are you using?** docker-compose

**What KubeFATE and FATE version are you using?** v1.7.1.1

**MUST** Please state the KubeFATE and FATE version in which you found the issue. This issue is not associated with KubeFATE or FATE.

**What OS are you using for docker-compose or Kubernetes? Please also state the version of the OS.** CentOS Linux release 7.9.2009 (Core)

**Desktop (please complete the following information):** None

**To Reproduce** Just follow this document to generate TLS files: https://github.com/FederatedAI/KubeFATE/blob/develop-1.9.0/docs/Eggroll_with_TLS.md

The input and output of my command lines are:

(base) [root@server01 ~]# pwd
/root
(base) [root@server01 ~]# mkdir my-ca
(base) [root@server01 ~]# cd my-ca
(base) [root@server01 my-ca]# wget https://raw.githubusercontent.com/apache/pulsar/master/tests/certificate-authority/openssl.cnf
--2022-08-05 15:43:33--  https://raw.githubusercontent.com/apache/pulsar/master/tests/certificate-authority/openssl.cnf
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3695 (3.6K) [text/plain]
Saving to: ‘openssl.cnf’

100%[======================================================================================================================================================================================================================================================>] 3,695       --.-K/s   in 0s      

2022-08-05 15:43:34 (43.3 MB/s) - ‘openssl.cnf’ saved [3695/3695]

(base) [root@server01 my-ca]# export CA_HOME=$(pwd)
(base) [root@server01 my-ca]# mkdir certs crl newcerts private
(base) [root@server01 my-ca]# chmod 700 private/
(base) [root@server01 my-ca]# touch index.txt
(base) [root@server01 my-ca]# echo 1000 > serial
(base) [root@server01 my-ca]# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................++++
..............................................................................++++
e is 65537 (0x010001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
(base) [root@server01 my-ca]# chmod 400 private/ca.key.pem
(base) [root@server01 my-ca]# openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name []:server01.fate9999.com
(base) [root@server01 my-ca]# chmod 444 certs/ca.cert.pem
(base) [root@server01 my-ca]# mkdir fate-9999
(base) [root@server01 my-ca]# openssl genrsa -out fate-9999/client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@server01 my-ca]# openssl pkcs8 -topk8 -inform PEM -in fate-9999/client.key -outform PEM -out fate-9999/client.key -nocrypt
unable to load key
140532918806336:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

What happened?

**Screenshots** Same as in "To Reproduce".

**Additional context** None

Thank you!

hqsh avatar Aug 05 '22 08:08 hqsh

Could you please check https://stackoverflow.com/questions/18460035/unable-to-load-private-key-pem-routinespem-read-biono-start-linepem-lib-c6

Seems like some kind of encoding issue, I didn't meet this issue.

JingChen23 avatar Aug 09 '22 02:08 JingChen23

> Could you please check https://stackoverflow.com/questions/18460035/unable-to-load-private-key-pem-routinespem-read-biono-start-linepem-lib-c6
>
> Seems like some kind of encoding issue, I didn't meet this issue.

I read the Stack Overflow answer and found it is not the reason.

Now, I found the command in https://github.com/FederatedAI/KubeFATE/blob/develop-1.9.0/docs/Eggroll_with_TLS.md:

openssl pkcs8 -topk8 -inform PEM -in fate-9999/client.key -outform PEM -out fate-9999/client.key -nocrypt

In this command, the input file and the output file are the same: fate-9999/client.key.

I think this may be the reason. However, what is the correct command?

hqsh avatar Aug 10 '22 06:08 hqsh

Yes, the line does have a problem, let me modify the doc a little bit.

JingChen23 avatar Aug 10 '22 13:08 JingChen23

@hqsh Please check the diff of

https://github.com/FederatedAI/KubeFATE/pull/711/files

JingChen23 avatar Aug 10 '22 13:08 JingChen23

> @hqsh Please check the diff of
>
> https://github.com/FederatedAI/KubeFATE/pull/711/files

Thank you!

However, it failed in the last step.

In the document https://github.com/FederatedAI/KubeFATE/blob/develop-1.9.0/docs/Eggroll_with_TLS.md, this command failed:

openssl ca -config openssl.cnf -days 10000 -extensions server_cert -notext -md sha256 -in fate-9999/server.csr -out fate-9999/server.crt

It also failed when I did not use "-extensions server_cert" (the command as follows, similar to the client one):

openssl ca -config openssl.cnf -days 10000 -notext -md sha256 -in fate-9999/server.csr -out fate-9999/server.crt

error message: ERROR:There is already a certificate for /CN=xxxxxxxxx

hqsh avatar Aug 11 '22 02:08 hqsh

This means that you cannot sign 2 crts with the same common name.

Could be because you didn't clean up index.txt and serial.

You can clean up everything and start from step 1.

JingChen23 avatar Aug 11 '22 03:08 JingChen23
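Added example, not from this thread or the KubeFATE docs: a small parser for the `index.txt` database that `openssl ca` consults, showing why a second CSR with the same CN is refused while `index.txt` still holds a valid ("V") entry for that subject (OpenSSL's default `unique_subject = yes` only indexes valid entries, so revoked ones do not block). The sample index lines are constructed.

```python
# Parses OpenSSL's tab-separated CA database (index.txt) and reproduces the
# `unique_subject` check behind "There is already a certificate for /CN=...".
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str    # "V" valid, "R" revoked, "E" expired (after `openssl ca -updatedb`)
    expires: str   # notAfter as YYMMDDHHMMSSZ
    revoked: str   # revocation time, empty unless status == "R"
    serial: str    # hex serial; the cert is also stored as newcerts/<serial>.pem
    filename: str  # normally the literal "unknown"
    subject: str   # distinguished name, e.g. "/CN=fate9999.fl.xxxxx.com"


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt as written by `openssl ca`; one tab-separated entry per line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def conflicting_entry(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """Return the still-valid entry that makes `openssl ca` reject this subject, if any."""
    for entry in entries:
        if entry.status == "V" and entry.subject == subject:
            return entry
    return None


def check_can_sign(index_text: str, subject: str) -> bool:
    """True if signing a CSR with this exact subject would pass the unique_subject check."""
    return conflicting_entry(parse_index(index_text), subject) is None


# Constructed sample: the CA already issued a client cert for the party CN, so a
# server CSR with the identical CN is refused; a revoked subject is free to reuse.
SAMPLE_INDEX = (
    "V\t491231235959Z\t\t1000\tunknown\t/CN=fate9999.fl.xxxxx.com\n"
    "R\t491231235959Z\t220810000000Z\t1001\tunknown\t/CN=old.fl.xxxxx.com\n"
)

if __name__ == "__main__":
    print(check_can_sign(SAMPLE_INDEX, "/CN=fate9999.fl.xxxxx.com"))  # False
    print(check_can_sign(SAMPLE_INDEX, "/CN=old.fl.xxxxx.com"))       # True
```

Either give the client and server certificates distinct subjects, or remove the conflicting line from index.txt (and its copy in newcerts/) before signing again.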

> This means that you cannot sign 2 crts with the same common name.
>
> Could be because you didn't clean up index.txt and serial.
>
> You can clean up everything and start from step 1.

I have cleared everything and just created the CA, fate-9999-client and fate-9999-server as in the document, but it failed again with the same error output.

The problem may be that I don't know how to input the CN (common name) three times: for the CA, for fate-9999-client, and for fate-9999-server.

My FATE server domain names and party ids are as follows.

| party_id | domain name |
|---|---|
| 10001 | fate10001.fl.xxxxx.com |
| 10000 | fate10001.fl.xxxxx.com |
| 9999 | fate9999.fl.xxxxx.com |
| none | ca.fl.xxxxx.com |

I create the TLS files on ca.fl.xxxxx.com.

I wonder what the three CNs (common names: for the CA, for fate-9999-client, and for fate-9999-server) are?

Thank you!

hqsh avatar Aug 13 '22 14:08 hqsh

The common name of the root certificate must be a substring of the parties' names.

> | party_id | domain name |
> |---|---|
> | 10001 | fate10001.fl.xxxxx.com |
> | 10000 | fate10001.fl.xxxxx.com |
> | 9999 | fate9999.fl.xxxxx.com |
> | none | ca.fl.xxxxx.com |

If you do it like this, I would suggest changing ca.fl.xxxxx.com to fl.xxxxx.com.

JingChen23 avatar Aug 16 '22 05:08 JingChen23

Following your suggestion, I found it failed again.

These are my commands, the same as in the document (the comment after a command is the CN I entered at the prompt).

mkdir my-ca
cd my-ca
wget https://raw.githubusercontent.com/apache/pulsar/master/tests/certificate-authority/openssl.cnf
export CA_HOME=$(pwd)
mkdir certs crl newcerts private
chmod 700 private/
touch index.txt
echo 1000 > serial

openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem    # fl.xxxxx.com
chmod 444 certs/ca.cert.pem

mkdir fate-9999
openssl genrsa -out fate-9999/client_rsa.key 2048
openssl pkcs8 -topk8 -inform PEM -in fate-9999/client_rsa.key -outform PEM -out fate-9999/client.key -nocrypt
openssl req -config openssl.cnf -key fate-9999/client.key -new -sha256 -out fate-9999/client.csr    # fate9999.fl.xxxxx.com
openssl ca -config openssl.cnf -days 10000 -notext -md sha256 -in fate-9999/client.csr -out fate-9999/client.crt

openssl genrsa -out fate-9999/server_rsa.key 2048
openssl pkcs8 -topk8 -inform PEM -in fate-9999/server_rsa.key -outform PEM -out fate-9999/server.key -nocrypt
openssl req -config openssl.cnf -key fate-9999/server.key -new -sha256 -out fate-9999/server.csr    # fate9999.fl.xxxxx.com
openssl ca -config openssl.cnf -days 10000 -extensions server_cert -notext -md sha256 -in fate-9999/server.csr -out fate-9999/server.crt

hqsh avatar Aug 21 '22 14:08 hqsh