[BUG] Problems with self signed certificates #15
Comments
Hi @Javieral95, thanks for this very detailed issue! This makes it much easier to help. I assume there is an issue with how you are creating the certificate. Can you try to follow this guide and provide feedback then? https://gitlab.com/gaia-x/lab/compliance/gx-compliance/-/tree/2206-development#how-to-setup-certificates
Hi @oceanByte! Thanks for the quick response and for your excellent work! I'm sorry for that, but I'm a little bit confused about the process I need to follow. Do you have any guide to help me? Thank you very much again!
Hi! Sorry to bother you again. I have made some changes and improvements, but I keep getting the same error. Now I deploy all services on my local machine in order to do some tests before the final deployment (Gx-Registry, Gx-Compliance and then self-description-signer). I generated keys and a self-signed certificate for my Compliance service (and I saved it in the registry database). Then I generated another key pair and certificate (signed by my compliance service's certificate) for my self-description. My keys and certificates are generated using this script:
When I run the self-description-signer, all services communicate correctly and the registry server checks that the certificate is correct... but the SignatureService function fails inside the Compliance Server when it executes the following line: Getting this error in the compliance server (I added this console log) And the following error in self-description-signer:
Thank you very much again!
Could you provide your self-signed self-description with the proof? @Javieral95
Of course @Abrom8 !
Thank you for your quick response. :)
It defaults to your-domain.com/.well-known/did.json if you enter did:web:your-domain.com. You can also specify a specific path; check the did:web specification for this. Custom paths are only available in version 2206. I see that you are using the old SD format. I would recommend having a look into the latest 2206 version. It includes many fixes regarding W3C compliance. You can find the new examples in our README and here: https://gitlab.com/gaia-x/lab/compliance/gx-compliance
I'm getting the same error as well. I'm signing with letsencrypt, too. Please allow me a stupid question: is it part of the verification process that the self-description is pulled from the URL given as id?
You do not need to upload your self-description anywhere. Can you share a signed Self Description here?
I found out that our SD format seems to be outdated. I'll update and retry.
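The comment above describes how a did:web identifier is turned into the URL the compliance service fetches the DID document from. The following is an added example (not code from the thread or from the gx-compliance project) that implements that mapping as specified by the did:web method: a bare host resolves to `/.well-known/did.json`, colon-separated segments after the host become a path, and a percent-encoded `%3A` carries a port. Because the resolver's output is a URL a service will fetch, the example also rejects segments that would let a crafted DID steer the request to an unintended path (`..`, slashes, query or fragment characters).

```javascript
// Resolve a did:web identifier to the HTTPS URL of its DID document,
// following the did:web method specification. Added example; assumptions:
// documents are always served over HTTPS, and any segment that is not a
// plain path component is rejected rather than passed through.
function didWebToUrl(did) {
  const prefix = 'did:web:';
  if (typeof did !== 'string' || !did.startsWith(prefix)) {
    throw new Error('not a did:web identifier: ' + did);
  }
  const methodSpecific = did.slice(prefix.length);
  if (methodSpecific.length === 0) {
    throw new Error('did:web identifier has no host');
  }

  // did:web separates path segments with ':' and percent-encodes ':' inside
  // the host (for a port), so decode each segment after splitting.
  const segments = methodSpecific.split(':').map((s) => decodeURIComponent(s));
  const [host, ...path] = segments;

  // Host (optionally with port) must look like a hostname, nothing else.
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(host)) {
    throw new Error('invalid did:web host: ' + host);
  }

  // Defensive check on the path: the resolver will fetch this URL, so a
  // segment such as '..' or one containing '/', '?' or '#' must never be
  // allowed to rewrite the request target.
  for (const segment of path) {
    if (segment === '' || segment === '.' || segment === '..' || /[\/?#\\]/.test(segment)) {
      throw new Error('invalid did:web path segment: ' + JSON.stringify(segment));
    }
  }

  if (path.length === 0) {
    return 'https://' + host + '/.well-known/did.json';
  }
  return 'https://' + host + '/' + path.map(encodeURIComponent).join('/') + '/did.json';
}

// Small usage run with constructed identifiers.
function demoResolution() {
  return [
    'did:web:your-domain.com',
    'did:web:example.com:user:alice',
    'did:web:localhost%3A3000',
  ].map((d) => [d, didWebToUrl(d)]);
}
```

Calling `demoResolution()` shows the three cases side by side: the well-known default, a custom path, and a host with a port. A resolver that skips the segment checks would happily turn `did:web:example.com:..:other` into a request outside the intended document path, which is why the checks sit in the resolver rather than in the caller.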
The compliance service fails even with the example in the repo:
Output:
this is the file 1664354910655_self-signed_LegalPerson.json:
And this is the did.json:
The documentation says:
I didn't publish the x509CertificateChain when I sign my own SD.
@oceanByte Hi Albert, I am Xin :), thank you very much for your support in the Hackathon sessions!
- We should make did.json available under https://my-domain/.well-known/did.json
- We should make x509CertificateChain.pem available under https://my-domain/.well-known/x509CertificateChain.pem
- We test the verification process again to make SD signed from compliance service officially
Could you please check if my understanding is correct? Thank you very much!
Hi @XDong2022
this still links to the compliance service x509 chain. Using the signer you can generate the correct did by making sure to set the correct environment variables, so the
Okay, I'll build a container with did.json and x509CertificateChain.pem and will deploy it on a public route given in the json.
@moritzkirstein OK, thank you Moritz for the very clear explanation :)!
Hi! Thank you all for your help and new questions. I'm very happy to know that I am not the only one with this issue :) I made the changes you told me and I am working now with V2206. Everything works fine... but I still have some problems. I am doing some tests on a local deployment using docker, like the following:
I generated the keys using OpenSSL instead of Letsencrypt to avoid the need to have a public domain (I don't know if that isn't correct). The generation uses the following script:
So, I have:
And now I have the following content in my self-description-signer .env file:
The did.json is stored in the
But if I do a normal GET request, I can read the json file. My question is regarding the reason: self signed certificate ... Do I really need a certificate signed by a GAIA-X trust anchor? Or can I still do local tests? Thanks for all again!
For the validation to succeed - afaik - a self-signed certificate won't work.
Thanks @kettenbach-it I will try to change the approach and start working with Letsencrypt. I will need to find a way to create a public domain (for security issues in my company it might take a while). Thanks again, you've all been a great help. |
@moritzkirstein @oceanByte Hi Moritz and Albert, we have tested the total signing and verification process successfully :)! Much appreciated for your great support :)! This field is not yet defined as mandatory in the current trust framework specification... @Javieral95 Hi Javier, in your configuration the base_url should not be changed, just use the original value: BASE_URL="https://compliance.gaia-x.eu" Thank you all, and for any questions I can help with, please feel free to let me know :)!
Hi @XDong2022, thank you very much for your feedback! The mandatory field is named |
Alright! It is now working. Thanks to all of you. Especially to @XDong2022 for the last comment. But against Compliance Gaia-X EU everything works, thanks again. I close the issue. |
Summary
Hi! I have some problems when I try to use this signing tool (I was following the gx-compliance repository).
I tried to generate private/public keys using openSSL and then generate a self-signed certificate; the content of these keys is used in the .env file.
I used the following script to generate keys/cert:
So, using the previous script the key was in PKCS8 format. I think that's correct. Isn't it?
Anyway, I have modified the code (env and index.js) to add a variable JWT_ALGORITHM inside the .env file (so I can switch to use for example X509)... but I have tried to change this variable and change the method to generate keys and it still fails.
Current Behavior
Fails when trying to check the self-description with the Compliance Service:
Expected Behavior
A successful process
Steps to Reproduce
node ./index.js
after modifying self-description.json and the env file.
Environment
Anything else
When I used your Hackathon tool everything works!
Also, my self description is the following one:
Thanks a lot!!!