Logging in with certificates issue

Jayanth Othayoth ojayanth at gmail.com
Thu Nov 28 17:06:55 AEDT 2024


Paul,


   - *Background*: The link
     https://gerrit.openbmc.org/c/openbmc/phosphor-certificate-manager/+/49130
     to the Gerrit review provides context on why the certificate manager allows
     the installation of certificates even when the
     X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error is encountered.
   - *Current Behavior*: With the latest code, the certificate manager
     permits the installation of certificates with this specific error, and
     BMCweb can use these certificates.

If you have more questions or need clarification, we can discuss here or on
Discord.

On Wed, Nov 27, 2024 at 9:01 PM Paul Gildea <Paul.Gildea at klasgroup.com>
wrote:

> Hi,
>
> I'm trying to log in over HTTPS via certificate with my browser and it
> doesn't work. I've followed this setup process and checked that the
> verification is correct:
>
>
> https://gerrit.openbmc.org/plugins/gitiles/openbmc/docs/+/ef6af2726cdd976a6d767e569fabd639f8abb6d2/security/TLS-configuration.md
>
> Checking the logs I see this output:
>
>> Nov 22 14:35:33 vm3 phosphor-certificate-manager[215]: Certificate install, FILEPATH:/tmp/Certs.Adv311/cert.pem
>> Nov 22 14:35:33 vm3 systemd[1]: Reloading Start bmcweb server...
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Check if host is running
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Host is running!
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Received signal that host is running
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Change to Host State: xyz.openbmc_project.State.Host.HostState.Running
>> Nov 22 14:35:33 vm3 systemd[1]: Reloaded Start bmcweb server.
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Check if host is running
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Host is running!
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Received signal that host is running
>> Nov 22 14:35:33 vm3 phosphor-host-state-manager[367]: Change to Host State: xyz.openbmc_project.State.Host.HostState.Running
>> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Certificate install, FILEPATH:/tmp/Certs.jDVxEN/cert.pem
>> *Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Error occurred during X509_verify_cert call, checking for known error, ERRCODE:20, ERROR_STR:unable to get local issuer certificate*
>> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Certificate compareKeys, FILEPATH:/tmp/Certs.jDVxEN/cert.pem
>> Nov 22 14:36:16 vm3 phosphor-certificate-manager[216]: Inotify callback to update certificate properties
>> Nov 22 14:36:16 vm3 systemd[1]: Reloading Start bmcweb server...
>> Nov 22 14:36:16 vm3 systemd[1]: Reloaded Start bmcweb server.
>
>
>
> Noting the error and looking at a build based on old code from a few years
> ago I get the same error in the logs, but it does log in with the
> certificate anyway.
>
> Reading the code, there looks to be a trusted chain bypass for certain
> issues, including this one, but from my understanding this still shouldn't
> log in over HTTPS, and the newer behaviour is correct? If so, any idea what
> might be wrong?
>
> Thanks,
> Paul
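Added example, not part of the original thread and not OpenBMC code: a way to reproduce the ERRCODE:20 ("unable to get local issuer certificate") result from the log above with the openssl command line, and to confirm it clears once the issuing CA is supplied as a trust anchor. The CA name, the "testuser" subject, the file names and the function names are constructed for illustration; it assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed throwaway PKI: "Example Test CA" signs a client cert for "testuser".
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.pem" 2>/dev/null
}

# Print the X509 verification error number for certificate $1 when only the
# certificates in file $2 are trusted (empty $2 = no trust anchors at all).
# 0 means the chain validated. System default CA locations are ignored.
verify_errcode() {
    cert=$1 anchors=$2
    if [ -n "$anchors" ]; then
        out=$(openssl verify -no-CApath -CAfile "$anchors" "$cert" 2>&1) || true
    else
        out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1) || true
    fi
    case $out in
        *": OK"*) echo 0 ;;
        # Failure output contains a line "error <N> at <depth> depth lookup: <text>"
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    work=$(mktemp -d) || return 1
    make_pki "$work" || { rm -rf "$work"; return 1; }
    echo "issuer CA not in trust store: error $(verify_errcode "$work/client.pem" "")"
    echo "issuer CA trusted:            error $(verify_errcode "$work/client.pem" "$work/ca.pem")"
    rm -rf "$work"
}
demo
```

Running the same check on the BMC against the installed client certificate and the CA file in its truststore shows whether the issuer is actually present there.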