
fort does not accept publication point self signed certificate

Open cli0 opened this issue 2 years ago • 10 comments

I am using self signed certificates for my Publication Server and wanted to test Fort as RP. I added the self signed certs to /usr/lib/ssl/certs according to the website. Also ran openssl rehash. Fort was compiled and installed using the git repository. However Fort throws me this error:

Jan  6 11:24:38 INF: Starting validation.
Jan  6 11:24:38 INF [Validation]: /root/tal/ta.tal: HTTP GET: https://server.com/ta/ta.cer
Jan  6 11:24:38 ERR [Validation]: /root/tal/ta.tal: Error requesting URL: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding. (HTTP code: 0)
Jan  6 11:24:38 WRN [Validation]: /root/tal/ta.tal: TAL URI 'https://server.com/ta/ta.cer' could not be downloaded.
Jan  6 11:24:38 WRN [Validation]: /root/tal/ta.tal: Looking for the TA certificate at the local files.
Jan  6 11:24:38 ERR [Validation]: /root/tal/ta.tal: stat(repository/server.com/ta/ta.cer) failed: No such file or directory
Jan  6 11:24:38 ERR [Validation]: /root/tal/ta.tal: stat(repository/server.com/ta/ta.cer) failed: No such file or directory
Jan  6 11:24:38 ERR: /root/tal/ta.tal: None of the URIs of the TAL '/root/tal/ta.tal' yielded a successful traversal.
Stack trace:
  fort(print_stack_trace+0x3b) [0x5627abbd78cb]
  fort(pr_op_err+0x9f) [0x5627abbd800f]
  fort(+0x35dda) [0x5627abbeadda]
  fort(+0x44aac) [0x5627abbf9aac]
  /lib/x86_64-linux-gnu/libpthread.so.0(+0x9609) [0x7f8a486fe609]
  /lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7f8a48625293]
(End of stack trace)
Jan  6 11:24:38 WRN: Validation from TAL '/root/tal/ta.tal' yielded error, discarding any other validation results.
Jan  6 11:24:38 INF: Validation finished:
Jan  6 11:24:38 INF: - Valid ROAs: 0
Jan  6 11:24:38 INF: - Valid Router Keys: 0
Jan  6 11:24:38 INF: - No serial number.
Jan  6 11:24:38 INF: - Real execution time: 0 secs.
Jan  6 11:24:38 ERR: First validation wasn't successful.
Stack trace:
  fort(print_stack_trace+0x3b) [0x5627abbd78cb]
  fort(pr_op_err+0x9f) [0x5627abbd800f]
  fort(main+0x180) [0x5627abbd35e0]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f8a4852a0b3]
  fort(_start+0x2e) [0x5627abbd362e]
(End of stack trace)

I turned off CURL_SSL_VERIFYPEER to 0L and then CURL_SSL_VERIFYHOST to 0L in http.c and now the error (for either change) becomes this:

Jan  6 11:28:49 INF: Starting validation.
Jan  6 11:28:49 INF [Validation]: /root/tal/ta.tal: HTTP GET: https://server.com/ta/ta.cer
Jan  6 11:28:49 INF [Validation]: https://server.com/rrdp/notification.xml: HTTP GET: https://server.com/rrdp/notification.xml
Jan  6 11:28:49 ERR [Validation]: https://server.com/rrdp/notification.xml: Type positiveInteger doesn't allow value '0' (at line 1)
Jan  6 11:28:49 ERR [Validation]: https://server.com/rrdp/notification.xml: Element notification failed to validate attributes (at line 1)
Jan  6 11:28:49 ERR [Validation]: https://server.com/rrdp/notification.xml: Invalid attribute serial for element notification (at line 1)
Jan  6 11:28:49 ERR [Validation]: https://server.com/rrdp/notification.xml: XML document isn't valid.
Jan  6 11:28:49 INF [Validation]: https://server.com/ta/ta.cer: Couldn't fetch data from RRDP repository 'https://server.com/rrdp/notification.xml', trying to fetch data now from 'rsync://server.com/repo/ta/0'.
Jan  6 11:28:49 ERR [Validation]: https://server.com/ta/ta.cer: stat(repository/server.com/repo/ta/0/6346E2BA25F361C1B04124AAE7A3831FA54840C7.mft) failed: No such file or directory
Jan  6 11:28:49 WRN: Validation from TAL '/root/tal/ta.tal' yielded error, discarding any other validation results.
Jan  6 11:28:49 INF: Validation finished:
Jan  6 11:28:49 INF: - Valid ROAs: 0
Jan  6 11:28:49 INF: - Valid Router Keys: 0
Jan  6 11:28:49 INF: - No serial number.
Jan  6 11:28:49 INF: - Real execution time: 0 secs.
Jan  6 11:28:49 ERR: First validation wasn't successful.
Stack trace:
  fort(print_stack_trace+0x3b) [0x55b0aa4548cb]
  fort(pr_op_err+0x9f) [0x55b0aa45500f]
  fort(main+0x180) [0x55b0aa4505e0]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f775c3b40b3]
  fort(_start+0x2e) [0x55b0aa45062e]
(End of stack trace)

Both errors were not raised by any other RP (Routinator or Octorpki) connecting to the same PP with the exact same certificates, only Fort. I have restarted Krill but nothing changes with regards to how Fort interprets the data. Can anyone explain the error in the second log output and what it means? And is there an alternative way to make self signed certs as recognizable by Fort without throwing errors?

Update:

The second error message is apparently due to Krill starting its serial with 0 which is apparently not RFC compliant. After adding a ROA to the manifest the serial increased so the error does not appear anymore. However, for the same Publication Server I get now another type of error and the error stack is not transparent enough to debug. Fort is the only RP sensitive enough to pick up on whatever the error here is. How to debug whatever potential error Fort is picking up on?


Jan  7 16:11:42 INF [Validation]: https://server.com/rrdp/notification.xml: HTTP GET: https://server.com/rrdp/notification.xml
Jan  7 16:11:42 INF [Validation]: https://server.com/rrdp/52664a41-5b37-473e-9062-63b95df45f77/1/8f7b82f5afc5e86b/snapshot.xml: HTTP GET: https://server.com/rrdp/52664a41-5b37-473e-9062-63b95df45f77/1/8f7b82f5afc5e86b/snapshot.xml
Jan  7 16:11:42 ERR [Validation]: rsync://server.com/repo/ca2/0/9492043940A2E3E9CFA7912107996984F20674CD.mft: Error reading certificate
Jan  7 16:11:42 ERR [Validation]: rsync://server.com/repo/ca2/0/9492043940A2E3E9CFA7912107996984F20674CD.mft: libcrypto error stack:
Jan  7 16:11:42 ERR [Validation]: rsync://server.com/repo/ca2/0/9492043940A2E3E9CFA7912107996984F20674CD.mft: 
Jan  7 16:11:42 ERR [Validation]: rsync://server.com/repo/ca2/0/9492043940A2E3E9CFA7912107996984F20674CD.mft: 
Jan  7 16:11:42 ERR [Validation]: rsync://server.com/repo/ca2/0/9492043940A2E3E9CFA7912107996984F20674CD.mft: End of libcrypto stack.
Jan  7 16:11:42 INF: Validation finished:
Jan  7 16:11:42 INF: - Valid ROAs: 0
Jan  7 16:11:42 INF: - Valid Router Keys: 0
Jan  7 16:11:42 INF: - Serial: 1
Jan  7 16:11:42 INF: - Real execution time: 0 secs.
Jan  7 16:11:42 WRN: First validation cycle successfully ended, now you can connect your router(s)

cli0 commented Jan 06 '22 11:01
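The "Type positiveInteger doesn't allow value '0'" line in the second log is the RRDP schema (RFC 8182) rejecting a notification.xml whose serial starts at 0. The checker below, added here as an illustration and not taken from Fort or Krill, reproduces the schema-level checks a relying party applies to notification.xml; the two sample documents are constructed, with the session id borrowed from the log above and a dummy hash.

```python
"""Schema-level checks on an RRDP notification.xml (RFC 8182 section 3.5.1)."""
import re
import xml.etree.ElementTree as ET

RRDP_NS = "http://www.ripe.net/rpki/rrdp"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HASH_RE = re.compile(r"^[0-9a-f]{64}$", re.I)  # hex-encoded SHA-256


def _positive_integer(value):
    # XML Schema positiveInteger is an integer >= 1, so "0" fails (Fort's RRDP error above)
    return value is not None and value.isdigit() and int(value) >= 1


def check_notification(xml_text):
    """Return a list of problems; an empty list means the document validates."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{RRDP_NS}}}notification":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("version") != "1":
        problems.append("version must be '1'")
    if not UUID_RE.match(root.get("session_id", "")):
        problems.append("session_id is not a UUID")
    if not _positive_integer(root.get("serial")):
        problems.append(f"serial {root.get('serial')!r} is not a positiveInteger (>= 1)")
    snapshots = root.findall(f"{{{RRDP_NS}}}snapshot")
    if len(snapshots) != 1:
        problems.append("exactly one snapshot element is required")
    for child in snapshots + root.findall(f"{{{RRDP_NS}}}delta"):
        local = child.tag.split("}")[1]
        if not child.get("uri", "").startswith("https://"):
            problems.append(f"{local} uri must be an https URL")
        if not HASH_RE.match(child.get("hash", "")):
            problems.append(f"{local} hash must be hex SHA-256")
        if local == "delta" and not _positive_integer(child.get("serial")):
            problems.append("delta serial is not a positiveInteger")
    return problems


# Constructed sample mirroring the issue: a fresh publication server announcing serial="0".
SAMPLE_SERIAL_ZERO = (
    '<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
    'session_id="52664a41-5b37-473e-9062-63b95df45f77" serial="0">'
    '<snapshot uri="https://server.com/rrdp/52664a41-5b37-473e-9062-63b95df45f77/0/snapshot.xml" '
    'hash="' + "ab" * 32 + '"/></notification>'
)
# Same document after the first publication bumped the serial, as described in the update.
SAMPLE_SERIAL_ONE = SAMPLE_SERIAL_ZERO.replace('serial="0"', 'serial="1"')
```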