Cannot load server certificate

Asked by Daniel Nygate on 2013-12-03

Hi,

Recently installed IPROHC and ran into the following error.

Dec 3 17:05:07 server iprohc_server[9965]: load server certificate from file '/etc/ssl/server_voip.p12'
Dec 3 17:05:07 server iprohc_server[9965]: failed load server certificate from file '/etc/ssl/server_voip.p12'
Dec 3 17:05:07 server iprohc_server[9965]: remove pidfile '/var/run/iprohc_server.pid'
Dec 3 17:05:07 server iprohc_server[9965]: server stops with exit code 1
Dec 3 17:05:07 server iprohc_server[9965]: close syslog session

I've followed the cert generation instructions multiple times to ensure no mistakes were made.

Please advise.

Regards

Daniel

Question information

Language: English
Status: Solved
For: rohc
Assignee: No assignee
Solved by: Daniel Nygate
Solved: 2013-12-10
Last query: 2013-12-10
Last reply: 2013-12-07
Daniel Nygate (d-nygate) said : #1

Just some additional info: when the iprohc_run guide wasn't producing results, I used http://spectlog.com/content/Create_Certificate_Authority_%28CA%29_instead_of_using_self-signed_Certificates which caused the same error.

OS = Centos 6.4

Thanks

Hello,

Please tell me which software version you run. Run the program with the -v option if you don't know.

To get more details, please run the program again with the -d option added:
 # /path/to/iprohc_server <same options as before> -d

Regards,
Didier

Daniel Nygate (d-nygate) said : #3

-v states invalid option, although the folder path includes 0.7.1 for IProhc, and -d does nothing.

Regards

Hello,

There are not enough traces in the PKCS#12 code to be able to find the source of the problem. Could you please apply the patch below on the 0.7.1 sources, build the program again, then reproduce the problem?

$ patch -p0 < /path/to/iprohc-0.7.1-pkcs12-traces.patch
$ make

Regards,
Didier

=== modified file 'server/tls.c'
--- server/tls.c 2013-03-18 14:12:31 +0000
+++ server/tls.c 2013-12-04 18:51:31 +0000
@@ -122,17 +122,21 @@ bool load_p12(gnutls_certificate_credent
  p12blob.data = malloc(32768 * sizeof(char));
  p12blob.size = fread((void*) p12blob.data, sizeof(char), 32768, p12file);
  fclose(p12file);
+ trace(LOG_INFO, "read %u bytes of PKCS#12 data from disk", p12blob.size);

  /* Init structure and import P12 */
  ret = gnutls_pkcs12_init(&p12);
  if(ret < 0)
  {
+ trace(LOG_ERR, "failed to init PKCS#12 context");
   goto free_blob;
  }

  ret = gnutls_pkcs12_import(p12, &p12blob, GNUTLS_X509_FMT_DER, 0);
  if(ret < 0)
  {
+ trace(LOG_ERR, "failed to import %u bytes of PKCS#12 data",
+ p12blob.size);
   goto deinit_pkcs12;
  }

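Review bot: the two new error traces after gnutls_pkcs12_init() and gnutls_pkcs12_import() drop the reason GnuTLS returns in `ret`; log it with `gnutls_strerror(ret)`, e.g. `trace(LOG_ERR, "failed to import %u bytes of PKCS#12 data: %s", p12blob.size, gnutls_strerror(ret));`, otherwise a PEM-encoded file fed to GNUTLS_X509_FMT_DER, a truncated read and corrupt data all print the same line. While here, the untouched context shows `malloc(32768 * sizeof(char))` unchecked and `fread` capped at 32768 bytes, so a larger .p12 is silently truncated and only surfaces as an import failure; either loop the read or have the new byte-count trace flag a read that hit the 32768 limit.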
@@ -141,6 +145,7 @@ bool load_p12(gnutls_certificate_credent
   ret = gnutls_pkcs12_verify_mac(p12, password);
   if(ret < 0)
   {
+ trace(LOG_ERR, "PKCS#12 verification failed");
    goto deinit_pkcs12;
   }
  }
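Review bot: "PKCS#12 verification failed" after gnutls_pkcs12_verify_mac() does not tell the operator that this is the MAC check, i.e. the password on the .p12, rather than certificate verification, and the two are easy to confuse in a syslog. Name the step and carry the GnuTLS reason, e.g. `trace(LOG_ERR, "PKCS#12 MAC verification failed (wrong password?): %s", gnutls_strerror(ret));`.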
@@ -156,13 +161,13 @@ bool load_p12(gnutls_certificate_credent
   trace(LOG_ERR, "too few certificates in PKCS#12 file '%s'", p12_file);
   goto free_certs_key;
  }
-
+
  /* get the ID of private key */
  key_id_size = sizeof(key_id);
  ret = gnutls_x509_privkey_get_key_id(key, 0, key_id, &key_id_size);
  if(ret < 0)
  {
- trace(LOG_ERR, "failed to get key ID");
+ trace(LOG_ERR, "failed to get private key ID");
   goto free_certs_key;
  }

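Review bot: the `-`/`+` pair on the blank line before `/* get the ID of private key */` is a whitespace-only change that adds nothing to a tracing patch and makes the hunk fail on a tree whose trailing whitespace differs; drop it. The reworded "failed to get private key ID" is fine, but as in the earlier hunks the message would be actionable only with `gnutls_strerror(ret)` appended.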
@@ -176,6 +181,7 @@ bool load_p12(gnutls_certificate_credent
   ret = gnutls_x509_crt_get_key_id(certs[i], 0, cert_id, &cert_id_size);
   if(ret < 0)
   {
+ trace(LOG_ERR, "failed to get key ID for certificate #%d", i + 1);
    goto free_certs_key;
   }

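Review bot: `"failed to get key ID for certificate #%d", i + 1` assumes the loop index `i` is a signed int, but its declaration is outside the hunk; if it is `unsigned` or `size_t`, as certificate counts from gnutls often are, `%d` is the wrong conversion and should be `%u` or `%zu`. Including `gnutls_strerror(ret)` here would also say why the lookup failed rather than only that it did.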
Daniel Nygate (d-nygate) said : #5

Hi Didier,

Thanks for your help so far; unfortunately I now get the following when trying to patch.

[root@server ~]# patch -p0 < /root/iprohc-0.7.1/server/iprohc-0.7.1-pkcs12-traces.patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|=== modified file 'server/tls.c'
|--- server/tls.c 2013-03-18 14:12:31 +0000
|+++ server/tls.c 2013-12-04 18:51:31 +0000
--------------------------
File to patch: /root/iprohc-0.7.1/server/tls.c
patching file /root/iprohc-0.7.1/server/tls.c
Hunk #1 FAILED at 122.
Hunk #2 FAILED at 141.
Hunk #3 FAILED at 156.
patch unexpectedly ends in middle of line
Hunk #4 FAILED at 176.
4 out of 4 hunks FAILED -- saving rejects to file /root/iprohc-0.7.1/server/tls.c.rej

The patch was probably mangled by Launchpad. Please find the full modified file here: http://pastealacon.com/33649

Regards,
Didier

Daniel Nygate (d-nygate) said : #7

Hi Didier,

The original issue still persists; I will try on a fresh Debian install shortly.

Warm Regards

Daniel Nygate (d-nygate) said : #8

Hi Didier, before I switch to Debian I tried again and finally got this from the new patch.

Dec 6 18:17:05 server iprohc_server[18274]: load server certificate from file '/etc/ssl/server_voip.p12'
Dec 6 18:17:05 server iprohc_server[18274]: read 3661 bytes of PKCS#12 data from disk
Dec 6 18:17:05 server iprohc_server[18274]: PKCS#12 verification failed
Dec 6 18:17:05 server iprohc_server[18274]: failed load server certificate from file '/etc/ssl/server_voip.p12'
Dec 6 18:17:05 server iprohc_server[18274]: remove pidfile '/var/run/iprohc_server.pid'
Dec 6 18:17:05 server iprohc_server[18274]: server stops with exit code 1
Dec 6 18:17:05 server iprohc_server[18274]: close syslog session

Regards

Daniel Nygate (d-nygate) said : #9

Hi Didier,

I finally got the server working; it was a mistake I made.

Anyway, now I'm having trouble with the client.

Dec 6 14:35:21 voip iprohc_client[1678]: local address 10.0.0.145:47273 is used to contact server
Dec 6 14:35:21 voip iprohc_client[1678]: TLS handshake succeeded
Dec 6 14:35:21 voip iprohc_client[1678]: certificate cannot be verified (status 514)

I've tried creating the -newreq and -sign on the server and the client, as well as a -newreq on the client to be signed by the server; I'm unsure what I am doing wrong in regards to generating a client cert.

Thanks

Daniel Nygate (d-nygate) said : #10

Hi Didier,

Even more information for you.

After trying to apply the above patch to the client as well (not sure if I should have) I receive the following.

Dec 6 15:03:36 voip iprohc_client[2182]: read 3661 bytes of PKCS#12 data from disk
Dec 6 15:03:36 voip iprohc_client[2182]: failed to decrypt bag #1
Dec 6 15:03:36 voip iprohc_client[2182]: failed to get bag #1
Dec 6 15:03:36 voip iprohc_client[2182]: failed to parse PKCS#12 file '/etc/ssl/client1.p12'
Dec 6 15:03:36 voip iprohc_client[2182]: local address 10.0.0.145:47281 is used to contact server
Dec 6 15:03:36 voip iprohc_client[2182]: TLS handshake succeeded
Dec 6 15:03:36 voip iprohc_client[2182]: certificate cannot be verified (status 66)
Dec 6 15:03:36 voip iprohc_client[2182]: - Unable to trust certificate issuer

Hello,

Did you create both client and server certificates with the same CA? It is important for the client to accept the server's certificate.

Regards,
Didier
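The "status 514" and "status 66" values in the client logs above are the GnuTLS certificate verification bitmask that iprohc_client prints. The example below is added here and is not iprohc's own code: it parses that number out of two constructed log lines modelled on the ones posted and decodes it with the flag values copied from GnuTLS's gnutls.h (reproduced inline so nothing needs linking). 66 is INVALID | SIGNER_NOT_FOUND, the "unable to trust certificate issuer" case Didier asks about; 514 is INVALID | NOT_ACTIVATED, meaning the certificate's notBefore date was still in the future when checked, which usually points to a clock difference between the signing host and the client.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* gnutls_certificate_status_t bits, copied from GnuTLS's gnutls.h. */
static const struct { unsigned flag; const char *name; } flags[] = {
    { 1u << 1,  "INVALID" },            /* summary bit, set on any failure */
    { 1u << 5,  "REVOKED" },
    { 1u << 6,  "SIGNER_NOT_FOUND" },   /* issuer CA not in the trust store */
    { 1u << 7,  "SIGNER_NOT_CA" },
    { 1u << 8,  "INSECURE_ALGORITHM" },
    { 1u << 9,  "NOT_ACTIVATED" },      /* notBefore still in the future */
    { 1u << 10, "EXPIRED" },
    { 1u << 11, "SIGNATURE_FAILURE" }
};

/* Pull the number out of "... cannot be verified (status 514)"; -1 if absent. */
long status_from_log_line(const char *line)
{
    const char *p = strstr(line, "(status ");
    return p ? strtol(p + 8, NULL, 10) : -1;
}

/* Write the names of all set bits, " | "-separated, into buf; return the count. */
int decode_status(unsigned status, char *buf, size_t buflen)
{
    int count = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(status & flags[i].flag))
            continue;
        strncat(buf, count++ ? " | " : "", buflen - strlen(buf) - 1);
        strncat(buf, flags[i].name, buflen - strlen(buf) - 1);
    }
    return count;
}

int main(void)
{
    /* Constructed sample lines modelled on the two posted in this thread. */
    const char *lines[] = {
        "Dec 6 14:35:21 voip iprohc_client[1678]: certificate cannot be verified (status 514)",
        "Dec 9 09:28:25 voip iprohc_client[1716]: certificate cannot be verified (status 66)" };
    char buf[256];
    for (int i = 0; i < 2; i++) {
        long st = status_from_log_line(lines[i]);
        decode_status((unsigned)st, buf, sizeof buf);
        printf("status %ld = %s\n", st, buf); /* 514 = INVALID | NOT_ACTIVATED */
    }
    return 0;
}
```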

Daniel Nygate (d-nygate) said : #12

Hi Didier,

I get the following still, using the Server CA for both certs with the request being generated on the respective unit.

Dec 9 09:28:24 voip iprohc_client[1716]: read 3645 bytes of PKCS#12 data from disk
Dec 9 09:28:24 voip iprohc_client[1716]: failed to decrypt bag #1
Dec 9 09:28:24 voip iprohc_client[1716]: failed to get bag #1
Dec 9 09:28:24 voip iprohc_client[1716]: failed to parse PKCS#12 file '/etc/ssl/client1.p12'
Dec 9 09:28:24 voip iprohc_client[1716]: local address 10.0.0.145:59599 is used to contact server
Dec 9 09:28:25 voip iprohc_client[1716]: TLS handshake succeeded
Dec 9 09:28:25 voip iprohc_client[1716]: certificate cannot be verified (status 66)
Dec 9 09:28:25 voip iprohc_client[1716]: - Unable to trust certificate issuer

Thanks

Daniel Nygate (d-nygate) said : #13

Hi Didier,

The problem still persists; according to the server logs the client never sends the certificate. Both certificates are now made with CAcert.org and still the same problem.

Regards

Daniel Nygate (d-nygate) said : #14

Hi Didier,

Problem is now solved after reinstalling the IPRohc files and using a trusted certificate issuer as well as installing the relevant CA files into the Centos environment.

Warm Regards and thank you for all your help.