I'm having issues with mTLS using master versions of keylime and rust-keylime agent. I'm using very default-y setup where verifier generates the certs for everyone to use, but when I run tenant -c add -u <uuid> ... I get error:
2024-12-03 13:36:23.248 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): 127.0.0.2:8891
2024-12-03 13:36:23.267 - urllib3.connectionpool - DEBUG - https://127.0.0.2:8891 "GET /v2.3/agents/c47b9ea2-2bc2-461b-957b-e77dbcf35e5e HTTP/1.1" 200 3625
2024-12-03 13:36:23.275 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): 127.0.0.3:9002
2024-12-03 13:36:23.279 - keylime.tenant - ERROR - Keylime agent does not recognize mTLS certificate form tenant. Check if agents trusted_client_ca is configured correctly
Tenant talks successfully to registrar, but when connecting to agent, it fails to mTLS. Agent config has trusted_client_ca = "default" and cv_ca is shared between all components. I've verified with openssl verify -CAfile ... that all certs there are indeed trusted via the cacert.crt.
Looking at the shared certificates, they're all only root readable.
[root@keylime-agent cv_ca]# ll
total 56
-rw-r----- 1 root root 451 Dec 3 13:26 ca-public.pem
-rw-r----- 1 root root 1432 Dec 3 13:26 cacert.crt
-rw-r----- 1 root root 448 Dec 3 13:26 cacrl.der
-rw-r----- 1 root root 658 Dec 3 13:26 cacrl.pem
-rw-r----- 1 root root 1371 Dec 3 13:26 client-cert.crt
-rw-r----- 1 root root 1704 Dec 3 13:26 client-private.pem
-rw-r----- 1 root root 451 Dec 3 13:26 client-public.pem
-rw-r----- 1 root root 13383 Dec 3 13:26 private.yml
-rw-r----- 1 root root 1371 Dec 3 13:26 server-cert.crt
-rw-r----- 1 root root 1704 Dec 3 13:26 server-private.pem
-rw-r----- 1 root root 451 Dec 3 13:26 server-public.pem
Current behavior
Certs are not readable by the Agent, which is dropping privileges and running as keylime:tss. Agent does not say anything about not being able to access the certificates at any point, even when rust logging is set to debug.
Expected behavior
Agent would complain and fail to startup, if it cannot read the certificates it is pointed to via the configuration file/env variables.
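The expected behaviour above, as an added example in Rust that is not rust-keylime's own code: a startup preflight that evaluates whether each configured certificate file is readable by the identity the agent drops to, and refuses to start with a per-file reason instead of silently failing the later mTLS handshake. The uid/gid used for keylime:tss and the cv_ca location are assumptions.

```rust
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::Path;
/// Identity the agent runs as after dropping privileges (e.g. keylime:tss).
pub struct RunAs {
    pub uid: u32,
    pub gids: Vec<u32>, // primary plus supplementary groups
}
/// POSIX read check from owner, group and mode bits; root always passes,
/// which is why the problem only appears once privileges are dropped.
pub fn can_read(file_uid: u32, file_gid: u32, mode: u32, who: &RunAs) -> bool {
    if who.uid == 0 { return true; }
    if who.uid == file_uid {
        return mode & 0o400 != 0; // owner class decides; group bits do not apply
    }
    if who.gids.contains(&file_gid) {
        return mode & 0o040 != 0;
    }
    mode & 0o004 != 0
}
/// Lists configured files that `who` cannot read, with a reason for each; empty means start.
pub fn unreadable_files(paths: &[&str], who: &RunAs) -> Vec<String> {
    let mut problems = Vec::new();
    for p in paths {
        match fs::metadata(Path::new(p)) {
            Err(e) => problems.push(format!("{}: cannot stat: {}", p, e)),
            Ok(meta) => {
                let mode = meta.mode() & 0o777;
                if !can_read(meta.uid(), meta.gid(), mode, who) {
                    problems.push(format!(
                        "{}: owner {}:{} mode {:04o}, not readable by uid {}",
                        p, meta.uid(), meta.gid(), mode, who.uid));
                }
            }
        }
    }
    problems
}
fn main() {
    let who = RunAs { uid: 990, gids: vec![59] }; // hypothetical ids for keylime:tss
    let certs = [ // assumed location of the shared cv_ca directory
        "/var/lib/keylime/cv_ca/cacert.crt", "/var/lib/keylime/cv_ca/server-cert.crt"];
    let problems = unreadable_files(&certs, &who);
    if !problems.is_empty() {
        eprintln!("refusing to start: {}", problems.join("; "));
        std::process::exit(1);
    }
}
```

Run the check before dropping privileges, with the target ids rather than the current ones, so the root-owned 0640 files from the listing above are reported at startup.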