
Getting stuck while generating the custom certificates

Open LalitPunera opened this issue 4 years ago • 3 comments

The current set of certs has already expired and is unusable. When I tried to create a new set of certificates and then start the nts-ke server, the server threw BadCertificate. Below are some of the error logs I encountered:

certs]#
Aug 11 09:39:33.659 INFO initializing keys with memcached, component: nts_ke, module: cfnts::nts_ke::server::server:110
Aug 11 09:39:33.659 INFO spawning metrics, component: nts_ke, module: cfnts::nts_ke::server::server:121
Aug 11 09:39:33.659 INFO starting NTS-KE server over TCP/TLS on [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::server:139
Aug 11 09:43:20.810 INFO accepting new connection from [::ffff:44.234.122.164]:48402, component: nts_ke, module: cfnts::nts_ke::server::listener:172
Aug 11 09:43:20.811 ERRO TLS alert received: Message { typ: Alert, version: TLSv1_3, payload: Alert( AlertMessagePayload { level: Fatal, description: BadCertificate, }, ), }, module: rustls::session:571
Aug 11 09:43:20.811 ERRO cannot process packet: received fatal alert: BadCertificate, client: [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::connection:211
Aug 11 10:05:34.211 INFO accepting new connection from [::ffff:44.234.122.164]:48560, component: nts_ke, module: cfnts::nts_ke::server::listener:172
Aug 11 10:05:34.212 ERRO TLS alert received: Message { typ: Alert, version: TLSv1_3, payload: Alert( AlertMessagePayload { level: Fatal, description: BadCertificate, }, ), }, module: rustls::session:571
Aug 11 10:05:34.212 ERRO cannot process packet: received fatal alert: BadCertificate, client: [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::connection:211
Aug 11 09:39:33.677 INFO Initializing keys with memcached, component: ntp, module: cfnts::ntp::server::server:204
Aug 11 09:39:33.677 INFO setting stratum to 1, component: ntp, module: cfnts::ntp::server::server:244
Aug 11 09:39:33.678 INFO spawning metrics, component: ntp, module: cfnts::ntp::server::server:251
Aug 11 09:39:33.678 INFO Listening on: 127.0.0.1:456, listen_addr: 127.0.0.1:456, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.671 INFO Initializing keys with memcached, component: ntp, module: cfnts::ntp::server::server:204
Aug 11 09:39:33.676 INFO setting stratum to 1, component: ntp, module: cfnts::ntp::server::server:244
Aug 11 09:39:33.676 INFO spawning metrics, component: ntp, module: cfnts::ntp::server::server:251
Aug 11 09:39:33.676 INFO Listening on: 0.0.0.0:123, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.676 INFO Listening on: 0.0.0.0:789, listen_addr: 0.0.0.0:789, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.676 INFO Listening on: [::]:123, listen_addr: [::]:123, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 10:11:02.608 ERRO mangled packet, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:194
Aug 11 10:15:23.241 ERRO mangled packet, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:194

When trying to connect to the KE server with the configured endpoint, getting below error :

cfnts_bkp]# ./target/release/cfnts client -p 4460 xyz.customdns.com
Aug 11 10:41:31.055 WARN Sending fatal alert BadCertificate, module: rustls::session:815
failure of tls stage: invalid certificate: UnknownIssuer

Can someone please help in resolving this issue, as it has become a bottleneck and I'm unable to move ahead? Can we get some steps to create the custom certificates?

LalitPunera avatar Aug 11 '21 11:08 LalitPunera

Run gencerts.sh and see if that works. Note the private keys need to be in PKCS8 format.

wbl avatar Aug 13 '21 01:08 wbl

Hi Watson,

gencerts.sh is not available in the repo. I could find the generate.sh script, which does the cert generation work. I had already tried the same thing you suggested, and the issue is still the same.

When I ran generate.sh, which renews or regenerates a new set of certs, I still got the BadCertificate issue for the certs generated by the generate.sh script. Ideally, I should not see this issue, as the new certs are generated with the same old root certs, ca.pem and ca-key.pem, but I am still facing it.

Can you please look into this from your end by trying the same once?

LalitPunera avatar Aug 16 '21 03:08 LalitPunera

If you are using certificates signed by a local CA, like the one in test, you need to pass the -c flag to the client. Look at the scripts in the scripts directory to see how this is done.

wbl avatar Aug 20 '21 06:08 wbl
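Putting the two replies together: the client log shows `UnknownIssuer`, meaning the client built its trust store without the local CA that signed the server certificate, and it answered with the `BadCertificate` alert the server logs. The script below is an added example, not code from the cfnts repository or its scripts/generate.sh, that reproduces the situation with plain openssl: a certificate issued by a throwaway local CA (name invented here) fails verification against the system trust store but passes once that CA is supplied explicitly, which is what handing the CA to the cfnts client does. It also converts the key to PKCS#8 and checks the PEM header, since rustls will not load the traditional "BEGIN RSA PRIVATE KEY" form. The host name is the one from the issue; the `cfnts client -c <ca.pem>` argument form in the trailing comment is assumed from the thread, not confirmed by it.

```shell
#!/bin/sh
# Added example, not part of the cfnts repository or its scripts/generate.sh.
# Reproduces the thread's failure with openssl: a server cert from a local CA
# is rejected by a client that trusts only the system store (UnknownIssuer,
# hence the BadCertificate alert) but verifies once the local CA is supplied.
set -eu

WORK="${WORK:-$(mktemp -d)}"                       # scratch dir for all files
SERVER_NAME="${SERVER_NAME:-xyz.customdns.com}"    # host name from the issue

# 1. Throwaway local CA (stand-in for the thread's ca.pem / ca-key.pem).
#    The CA name is invented for this example.
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Local NTS CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. Server certificate signed by that CA. rustls/webpki matches the dialed
#    host against subjectAltName, not CN, so the SAN extension is required.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server-key-raw.pem" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.cnf"
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# 3. Chain plus host-name check, the decision a TLS client makes.
#    $1 = server cert, $2 = CA file ("" = system trust store only), $3 = host.
#    Exit status is openssl's: 0 on success, non-zero on unknown issuer etc.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$3" "$1" >/dev/null 2>&1
    fi
}

# 4. The PKCS#8 requirement from the thread: the key file must carry the
#    "BEGIN PRIVATE KEY" header, not "BEGIN RSA PRIVATE KEY".
key_is_pkcs8() {
    grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"
}
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" >/dev/null 2>&1
}

make_local_ca
make_server_cert "$SERVER_NAME"
to_pkcs8 "$WORK/server-key-raw.pem" "$WORK/server-key.pem"

if verify_chain "$WORK/server.pem" "" "$SERVER_NAME"; then
    echo "system store: accepted (unexpected for a local CA)"
else
    echo "system store: rejected, as in the issue (unknown issuer)"
fi
if verify_chain "$WORK/server.pem" "$WORK/ca.pem" "$SERVER_NAME"; then
    echo "with local CA: accepted"
fi
if key_is_pkcs8 "$WORK/server-key.pem"; then
    echo "server-key.pem is PKCS#8"
fi
echo "artifacts in $WORK"
# Assumed invocation (the -c argument form is not confirmed by the thread):
#   cfnts client -c "$WORK/ca.pem" -p 4460 "$SERVER_NAME"
```

Run it once and point the server at server.pem and server-key.pem; if the system-store check is rejected while the local-CA check passes, the certificates are fine and the fix is on the client side (trusting the CA), not in regenerating certs.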