PEM upload failed: None

[m...@atj.com]

Hello, 

New to Simian and openssl and am generally speaking an all around noob, but even for me have spent an inordinate amount of time trying to figure out why my Simian deployment won't accept the server_private_key.pem I've created. 

Context:  I've successfully deployed the app to App Engine on Google Cloud Platform. Installed openssl and created a CA directory, CA identity and server identities without error. App was deployed with settings.cfg file edited correctly (to my knowledge). Openssl is version 1.1.0f, I'm on MacOs Sierra 10.12.15 (maybe that's part of the problem?), and I have the latest Simian clone pulled using git. Python 2.7 is up to date. 

Issue:  Everything seems to have gone fine up until this point, but when I try and upload the server_private_key.pem file to the app using the Simian web console at Admin Tools >> Config, it gives me the error "PEM Upload failed: None."

Initially it gave me the error "PEM Upload failed: PEM Header is missing..." so I edited the .pem file to include the "RSA" in the header and footer that was missing. Now I just get the "None" error which doesn't give me any clues where to go from there. 

I deleted the Simian server keys, deleted the app engine instance, re-installed Google Apps SDK and re-reployed, then re-issued certs to no avail.

My lack of expertise means I'm not sure what else to troubleshoot from here. Perhaps it's something in Google Apps Engine that's changed and left the directions slightly out of date? Or there's a setting I'm missing somewhere along the way that causes the key to be invalid?  

I attached a screenshot of the error but not any of the commands leading up to it since I followed the instructions on the wiki to the letter and didn't receive any errors so there's not much there to report. Happy to do so if that might help, though. 

Any ideas that could get me back on the right track? Thanks so much!

Max

[m...@atj.com]

I forgot to mention, but both the CA and Server public keys upload to deployment just fine. 

Max

[m...@atj.com]

Hello again, 

Thought I'd post the log file for this. Replaced sensitive info is all. 

The only other warning I'm getting logged is to "stub out fcntl," which appears for various cron tasks and occasionally when I try uploading PEM. I found these comments in the tslite_bridge.py file, but not sure that has anything to do with my issue or how to fix it since I can't find a mention of fcntl in mentioned __init__ or related import files: 

  # __init__ in tlslite imports all avaliable api.

  # part of it relies on fcntl which is not avaliable on appengine.

  # we don't use this api, so safely stub out fcntl for appengine"

I've tried looking through x509.py for clues as to what could be triggering the "None" error and haven't had any luck. Most other errors I see are fairly self explanatory so I'm wondering if there is some value missing altogether that could be causing this. 

15:39:02.140

GET

200

4.33 KB

550 ms

Safari 10

/admin/config?msg=PEM%20upload%20failed:%20None

69.15.85.246 - max [27/Jun/2017:15:39:02 -0600] "GET /admin/config?msg=PEM%20upload%20failed:%20None HTTP/1.1" 200 4436 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4" “ourcompanysimian.appspot.com" ms=550 cpu_ms=201 cpm_usd=4.95761e-7 loading_request=0 instance=00c61b117cc36aa9b09630f8ce5448801f5ee99833b21da1b94d644d37fb83a92e3979cb77a80b app_engine_release=1.9.48 trace_id=-

Expand all | Collapse all

{

  protoPayload: {

  @type: "type.googleapis.com/google.appengine.logging.v1.RequestLog"   

  appId: "s~ourcompanysimian"   

  versionId: "9bc0ab5a6d2a"   

  requestId: "5952d07600ff0226852591f8eb0001737e61746a2d73696d69616e0001396263306162356136643261000100"   

  ip: “ourexternalIPgoeshere”   

  startTime: "2017-06-27T21:39:02.140933Z"   

  endTime: "2017-06-27T21:39:02.691774Z"   

  latency: "0.550841s"   

  megaCycles: "201"   

  method: "GET"   

  resource: "/admin/config?msg=PEM%20upload%20failed:%20None"   

  httpVersion: "HTTP/1.1"   

  status: 200   

  responseSize: "4436"   

  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"   

  urlMapEntry: "simian.mac.admin.main.app"   

  host: "ourcompanysimian.appspot.com"   

  cost: 4.95761e-7   

  instanceIndex: -1   

  finished: true   

  instanceId: "00c61b117cc36aa9b09630f8ce5448801f5ee99833b21da1b94d644d37fb83a92e3979cb77a80b"   

  appEngineRelease: "1.9.48"   

  nickname: "max"   

  first: true   

 }

 insertId: "5952d076000c3dec6f439e4e"  

  httpRequest: {

  status: 200   

 }

  resource: {

  type: "gae_app"   

   labels: {…}   

 }

 timestamp: "2017-06-27T21:39:02.140933Z"  

  labels: {

  clone_id: "00c61b117cc36aa9b09630f8ce5448801f5ee99833b21da1b94d644d37fb83a92e3979cb77a80b"   

 }

 logName: "projects/ourcompanysimian/logs/appengine.googleapis.com%2Frequest_log"  

  operation: {

  id: "5952d07600ff0226852591f8eb0001737e61746a2d73696d69616e0001396263306162356136643261000100"   

  producer: "appengine.googleapis.com/request_id"   

  first: true   

  last: true   

 }

 receiveTimestamp: "2017-06-27T21:39:02.806897152Z"  

}

On Monday, June 26, 2017 at 7:56:46 PM UTC-6, m...@atj.com wrote:

[m...@atj.com]

I was able to find an answer to my issue and get the server private key working, so decided I'd share in case it saves someone else from banging their head too hard like I did. 

Essentially, if the header/footer for your private_server_key.pem reads "Begin Private Key" instead of "Begin RSA Private Key", you are using a newer version of openssl and need to convert your pem file to the old style formatting so that Simian accepts it: https://stackoverflow.com/questions/convertprivatetorsakey

Here is the useful part for quick reference:

"Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type (this is known as PKCS8 format). To get the old style key (known as either PKCS1 or traditional OpenSSL format) you can do this:

openssl rsa -in server.key -out server_new.key

Alternately, if you have a PKCS1 key and want PKCS8:

openssl pkcs8 -topk8 -nocrypt -in privkey.pem

" 

Max

On Monday, June 26, 2017 at 7:56:46 PM UTC-6, m...@atj.com wrote: