Getting "invalid peer certificate: UnsupportedCertVersion" when trying "atuin server start"
Greetings folks!
Have to embarrass myself here admitting that I cannot successfully set up an atuin sync server on my own.
When starting atuin server start on my server machine, I see this in /var/log/postgresql/postgresql-12-main.log (with verbose error-logging enabled):
2023-02-10 15:43:18.089 CET [31044] [unknown]@[unknown] LOG: 08P01: could not accept SSL connection: sslv3 alert bad certificate
2023-02-10 15:43:18.089 CET [31044] [unknown]@[unknown] LOCATION: be_tls_open_server, be-secure-openssl.c:466
And atuin spits out this on stdout:
Caused by:
0: error communicating with database: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
1: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
The version of atuin used is atuin_12.0.0_amd64.deb provided by the install.sh script listed in the installation documentation. According to the conversation and remarks from ellie and conradludgate in issue https://github.com/ellie/atuin/issues/570, release 12 of atuin has this fix regarding rustls-tls-native-roots. So my guess is that the error I see is something new.
What irritates me is this [unknown]@[unknown] in the PostgreSQL log. I would assume to see the credentials there that I stated in ~/.config/atuin/server.toml. That file on the server currently looks like this (and no, that's not my real password... don't worry :):
host = "127.0.0.1"
port = 5432
open_registration = true
db_uri="postgres://macslow:youneverguesswhatmypasswordis@localhost/atuin"
path=""
I can successfully connect remotely to PostgreSQL using the psql frontend with a dedicated database user, thus configuration-wise I guess everything is fine on the PostgreSQL side of things. This is what I see when I use psql from a remote client machine:
1> psql -h macslow.org -U macslow -p 5432 -d atuin
Password for user macslow:
psql (12.13 (Ubuntu 12.13-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
atuin=>
I have the same success when I do this locally on the server:
1> psql -h 127.0.0.1 -U macslow -p 5432 -d atuin
Password for user macslow:
psql (12.13 (Ubuntu 12.13-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
atuin=>
It all boils down to what is happening in lines 22-24 in <atuin_root>/atuin-server/src/lib.rs, but I really cannot dig into a new language right now to sort it out. Not that Rust isn't compelling.
Thanks in advance for your help and advice!
Best regards...
MacSlow
Hey!
Are you connecting to your postgres over the public internet? Do you have SSL certificates configured on your database server?
If not, try adding ?sslmode=disable to the end of your postgres connection string.
also - nice supermoto!
First of all... yeah, the Husky is the best... with my Hypermotard being a close second! :)
I added that suggested snippet to the db_uri entry. That at least changed the error reported from atuin to:
thread 'main' panicked at 'error binding to 127.0.0.1:5432: error creating server listener: Address already in use (os error 98)', /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.20/src/server/server.rs:77:13
Then I changed the port to 8888 and I got rid of the above error, but there is no response from atuin server start. Should it return to the shell prompt or do I have to detach it manually from the current shell process?
Trying to connect from the client-side with atuin I get this:
1> atuin login
Please enter username: macslow (this is the database-user I created in PostgreSQL)
Please enter encryption key: <put the stuff here I get from 'atuin key'>
Please enter password: <put the corresponding password for the database-user here>
Error: error decoding response body: expected value at line 1 column 1
Caused by:
expected value at line 1 column 1
Location:
/home/runner/work/atuin/atuin/atuin-client/src/api_client.rs:82:21
Sorry, if I might be missing something obvious... can you tell I hate database-stuff? :)
Should I figure it out, I'll promise to write a summary on my blog for future reference. All this started with writing an output-rotation patch, mouse-selection cut&paste and some bug-fixes for kmscon. The rabbit-hole always goes deeper than you initially anticipate :)
In the meantime I have figured out how to set up PostgreSQL to use my "Let's Encrypt" certificate, which I use for my web server.
To verify the basic operation of the working certificate I used the command:
openssl s_client -starttls postgres -connect macslow.org:5432 </dev/null
which generates the output:
CONNECTED(00000003)
---
Certificate chain
0 s:CN = macslow.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgISA7fdx63SblaICJ+NLGKTSlx4MA0GCSqGSIb3DQEBCwUA
... bla bla bla and so on ...
58G4smTZiKYMamPkLVujqaYpMaHshix4SskffQ60DCbb
-----END CERTIFICATE-----
subject=CN = macslow.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4708 bytes and written 727 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Local and remote connections to PostgreSQL are now using the proper SSL certificate, if I can believe this select statement I issued on my server hosting the PostgreSQL database (using the psql frontend):
postgres=# select ssl.pid, usename, datname, ssl, ssl.version, ssl.cipher, ssl.bits, ssl.compression, client_addr from pg_catalog.pg_stat_ssl ssl, pg_catalog.pg_stat_activity activity where ssl.pid = activity.pid and client_addr is not null;
pid | usename | datname | ssl | version | cipher | bits | compression | client_addr
-------+----------+----------+-----+---------+------------------------+------+-------------+---------------
36892 | postgres | postgres | t | TLSv1.3 | TLS_AES_256_GCM_SHA384 | 256 | f | 127.0.0.1
36909 | macslow | atuin | t | TLSv1.3 | TLS_AES_256_GCM_SHA384 | 256 | f | 91.57.254.111
Again, with all that in place, executing atuin server start on the PostgreSQL server machine still does not seem to work. It does not return to the shell prompt, I don't see anything in the PostgreSQL log, and also nothing shows up in the select statement about an additional connection.
I guess the ball is back in atuin-land to figure out what's still wrong or missing.
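The UnsupportedCertVersion error in the original post comes from the webpki certificate checks that rustls performs: webpki only accepts X.509 version 3 certificates, so a server certificate without the explicit version field (version 1, as some older self-signed or snakeoil certificates are) is rejected before any chain or hostname check runs. Before reaching for sslmode=disable, it is worth confirming the version of the certificate PostgreSQL actually presents. The script below is an added example, not atuin's or PostgreSQL's code: it reads the PEM certificate that `openssl s_client -starttls postgres -connect host:5432 </dev/null` prints (or a DER file) and reports the version with a minimal DER walk over the leading fields of tbsCertificate. The two sample certificates inside are constructed stubs containing only those leading fields, not real certificates.

```python
"""Report the X.509 version of a certificate, to explain rustls' UnsupportedCertVersion.

Added example (not part of the atuin project). Usage:
    openssl s_client -starttls postgres -connect HOST:5432 </dev/null 2>/dev/null \
        | openssl x509 > server.pem
    python3 check_cert_version.py server.pem
Only the outermost structure of the certificate is parsed:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }
"""
import base64
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for a DER-encoded certificate.

    The version field is an EXPLICIT [0] context tag (0xA0) wrapping an INTEGER
    whose value is version minus one. When the field is absent the certificate
    is version 1 (the DER DEFAULT), which is exactly what webpki refuses.
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE, so not a DER certificate")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first_start, first_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:
        return 1  # first field is already serialNumber: version omitted => v1
    tag, int_start, int_end = _read_tlv(der, first_start)
    if tag != 0x02 or int_end > first_end:
        raise ValueError("version field does not wrap an INTEGER")
    return int.from_bytes(der[int_start:int_end], "big") + 1


def accepted_by_webpki(der: bytes) -> bool:
    """webpki (and therefore rustls) only accepts X.509 v3 certificates."""
    return x509_version(der) == 3


def load_certificate(data: bytes) -> bytes:
    """Accept either raw DER or a PEM blob (e.g. openssl s_client output) and return DER."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        body = text[text.index(PEM_HEADER) + len(PEM_HEADER):text.index(PEM_FOOTER)]
        return base64.b64decode("".join(body.split()))
    return data


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed stubs: only the first fields of tbsCertificate, enough for x509_version().
SAMPLE_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")))
SAMPLE_V1 = _der(0x30, _der(0x30, _der(0x02, b"\x01")))


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        der = load_certificate(fh.read())
    version = x509_version(der)
    verdict = "accepted" if version == 3 else "rejected (UnsupportedCertVersion)"
    print(f"X.509 version {version}: {verdict} by rustls/webpki")
```

If the script reports version 1 for the PostgreSQL certificate, reissuing it as a v3 certificate (a CA-issued one such as the Let's Encrypt certificate set up later in the thread is v3) resolves the rustls error while keeping TLS verification enabled.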