Setting private_key_pw results in SSL Error #108

Closed
lukehinds opened this issue Apr 16, 2019 · 7 comments
Comments

@lukehinds
Member

Environment

  • OS / version: Fedora 29
  • Processor architecture: X86_64
  • TPM Manufacturer: Intel
  • Keylime version: master

Description

When setting private_key_pw the keylime registrar exits with a stack trace.

# keylime_registrar
Using config file /etc/keylime.conf
2019-04-16 09:24:34.425 - keylime.cloudverifier_common - INFO - Setting up TLS...
Traceback (most recent call last):
  File "/usr/bin/keylime_registrar", line 11, in <module>
    load_entry_point('keylime==1.2', 'console_scripts', 'keylime_registrar')()
  File "/usr/lib/python2.7/site-packages/keylime-1.2-py2.7.egg/keylime/registrar.py", line 34, in main
    registrar_common.start(config.getint('general', 'registrar_tls_port'),config.getint('general', 'registrar_port'),config.get('registrar', 'db_filename'))
  File "/usr/lib/python2.7/site-packages/keylime-1.2-py2.7.egg/keylime/registrar_common.py", line 428, in start
    generatedir='reg_ca')
  File "/usr/lib/python2.7/site-packages/keylime-1.2-py2.7.egg/keylime/cloud_verifier_common.py", line 154, in init_mtls
    context.load_cert_chain(certfile=my_cert,keyfile=my_priv_key,password=my_key_pw)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2798)

Reverting back to default results in the registrar starting without any issue.

Expected behavior vs. actual behavior

Steps to reproduce problem

  1. Set private_key_pw = kjshd89y98hohfjhjhj in /etc/keylime.conf
  2. Start the registrar
@lukehinds lukehinds added the bug label Apr 16, 2019
@lukehinds lukehinds added this to To do in Keylime via automation Apr 16, 2019
@jetwhiz
Member

jetwhiz commented Apr 16, 2019

Hi @lukehinds, if you're using CV-generated keys then the password for the registrar and tenant must be the same as the password set for the verifier (since they all use the same keys).

See the notes under tenant and registrar:

Does it work if you update those passwords to match the one you set in the cloud_verifier section?

@lukehinds
Member Author

Hi @jetwhiz, my bad, I missed that.

I will keep this open and we can perhaps validate this somehow so it's captured. Will change to enhancement.

@lukehinds lukehinds added enhancement and removed bug labels Apr 16, 2019
@jetwhiz
Member

jetwhiz commented Apr 16, 2019

It could definitely use some clarification that this needs to be done. Maybe all three sections can mention that the related passwords must all be updated if they are CV-generated and the pw is not set to "default"?
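
One way to validate the configuration before TLS setup, so the mismatch is reported clearly instead of as a stack trace (an added example, not Keylime code and not written by anyone in this thread). The section names and `private_key_pw` come from the thread; that the registrar and tenant both use the CV-generated key is an assumption passed in via `dependents`, and the sample config is constructed.

```python
import configparser
import hmac

# Sections named in the thread; the verifier's value is the reference because
# the registrar and tenant reuse the CV-generated key (assumed here).
REFERENCE = "cloud_verifier"
DEPENDENTS = ("registrar", "tenant")
OPTION = "private_key_pw"


def check_key_passwords(conf_text, dependents=DEPENDENTS):
    """Return a list of problems; an empty list means the passwords agree.

    Messages never include the password values, so they are safe to log.
    """
    # interpolation=None: a '%' in a password must not be treated as syntax.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)

    if not cfg.has_option(REFERENCE, OPTION):
        return ["[%s] has no %s to compare against" % (REFERENCE, OPTION)]
    expected = cfg.get(REFERENCE, OPTION).encode()

    problems = []
    for section in dependents:
        if not cfg.has_option(section, OPTION):
            problems.append("[%s] is missing %s" % (section, OPTION))
            continue
        actual = cfg.get(section, OPTION).encode()
        if not hmac.compare_digest(actual, expected):
            problems.append("[%s] %s differs from [%s]; the shared key will "
                            "fail to load" % (section, OPTION, REFERENCE))
    return problems


# Constructed sample: only the registrar was changed, as in the report above.
SAMPLE = """
[cloud_verifier]
private_key_pw = default
[registrar]
private_key_pw = kjshd89y98hohfjhjhj
[tenant]
private_key_pw = default
"""

if __name__ == "__main__":
    for line in check_key_passwords(SAMPLE) or ["private_key_pw consistent"]:
        print(line)
```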

@stale

stale bot commented Jun 15, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 15, 2019
@stale stale bot closed this as completed Jun 22, 2019
Keylime automation moved this from To do to Done Jun 22, 2019
@lukehinds lukehinds reopened this Jun 22, 2019
Keylime automation moved this from Done to In progress Jun 22, 2019
@stale stale bot removed the wontfix label Jun 22, 2019
@stale

stale bot commented Aug 21, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Aug 21, 2019
@lukehinds
Member Author

Keep

@stale stale bot removed the wontfix label Aug 22, 2019
@lukehinds lukehinds added this to the 5.1 milestone Sep 12, 2019
@lukehinds lukehinds moved this from In progress to To do in Keylime Sep 26, 2019
@stale

stale bot commented Nov 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Nov 11, 2019
@stale stale bot closed this as completed Nov 18, 2019
Keylime automation moved this from To do to Done Nov 18, 2019