RAUC Bundle Verification failing with Easy-RSA Framework #568
Comments
"unable to get local issuer certificate" means that it doesn't find the (matching) ca or intermediate certificate.
Thanks @jluebbe for the comment. I double checked and I do have the root CA certificate as the keyring in system.conf and it is present by the name ca.cert.pem under /etc/rauc on the device. Here are the steps I used to create the PKI with easy-rsa:
@jluebbe One more bit of information, to be clear - this is what I have in /etc/rauc on the device:
The "ca.cert.pem" above is the same as the easy-rsa /pki/ca.crt file. The system.conf file has the following entry:
And the error is:
Thank you.
@jluebbe I just rebuilt my Yocto image with a new set of keys generated from Easy-RSA. I took out the codeSigning section but unfortunately, it still fails. The error indicates a suitable CA Cert cannot be found to verify the bundle. Does RAUC only look at the cert file specified in system.conf ( meaning it does not have to be known to ca-certificates )? Thank you very much for the help.
@pclass-sensonix you can specify both. You can verify files locally with
@ejoerns Thanks for the information - that is good to know. It seems neither the ca.cert.pem nor X-PKI-Server.crt generated from easy-rsa work - please see the following:
I've pushed my branch to support the code-signing purpose: https://github.com/jluebbe/rauc/commits/cert-purpose If that doesn't help here, I'll have to reproduce the setup you're using. Could you send the output of
@jluebbe - An update. I built and tried your latest branch:
Unfortunately, I get the same issue.
This leaf cert is not signed by this root cert. You can check that by comparing the information in the leaf's authority key id
with the root's subject key id
You can see that the root cert is self-signed (the authority key id is its own).
@jluebbe Thanks for the information! I am getting closer. Now I get the error:
I was using the wrong command for easy-rsa - apparently I needed to do:
instead of:
If your certificates still have "TLS Web Server Authentication" you need to specify the corresponding purpose for verification. You need to use #570 to have the necessary support for that. Alternatively, if this CA will only be used to sign rauc bundles, you could configure easy-rsa to not add key usage attributes to the certificates.
@jluebbe Thank you for the help with this issue. I will wait for that pull-request to be merged. I need to use this CA for other purposes as well.
The PR now contains some more documentation and I'd very much appreciate some external testing.
@jluebbe The following works for me with my own Easy-RSA PKI ( ca.crt ):
Thanks for your work on this!
If only
The check-purpose feature has been released with 1.3. Nevertheless:
@jluebbe I agree there must be something inconsistent there - I still need to investigate. I did verify that this worked in our Yocto builds. Thanks for the work on this issue.
At risk of a slight necro (because I'm currently stuck on 1.2 which doesn't support check-purpose) it's also possible to tell easy-rsa to not set keyUsage / extendedKeyUsage by creating a new file in x509-types with those lines removed. (you can also drop it in the e.g. copy
Then sign the key mentioning that type.
I've been successfully using RAUC in a new Embedded Linux product and am now at the point where I am setting up my own PKI. I am using Yocto to create my image.
In Yocto, I bbappend the rauc recipe with the following:
Also, my bundle bitbake recipe declares the key and cert:
Up until this point I was using the output of the openssl-ca.sh script from the Documentation mentioned here:
RAUC uses OpenSSL as a library for signing and verification of bundles. A PKI with intermediate CAs for the unit tests is generated by the test/openssl-ca.sh shell script available from GitHub, which may also be useful as an example for creating your own PKI.
Specifically, I put the ca.cert.pem file in /etc/rauc/ on the filesystem, and added the keychain directive to point to this file in the system.conf file - and everything worked great.
Section 4.1.1. PKI Setup of the documentation ( https://readthedocs.org/projects/rauc/downloads/pdf/latest/ ) mentions "easy-rsa" as one method to set up your own PKI. That is what I used to set up my PKI on an Ubuntu 18.04 PC. I created a Root CA in easy-rsa with a public cert by the default name of ca.crt.
I also used the following command to generate an X.crt and X.key file pair to represent my Embedded Linux Device.
easyrsa build-client-full X nopass
I've tried to copy the X.crt file to the device under /etc/rauc as the name ca.cert.pem ( as well as ca.crt ) - however both files give the following error:
What do I have to do to get easy-rsa to work with RAUC?
Thanks!