Keywhiz TLS/PEM issue


Matthew Halder

Jul 31, 2016, 12:51:33 PM
to keywhiz-users
I've set up a root and intermediate CA with the Keywhiz server working with the intermediate certs.  Then I created a key and CSR on the keywhiz-fs client that was signed by the intermediary.  After importing the signed cert back to the client I cannot get keywhiz-fs to accept the cert/key pair.  At first keywhiz-fs wasn't able to handle the passphrase-protected key and cert, so a new key/cert pair was generated; then a root-intermediate CA chain was created so that the client would be aware of the certificates in the chain.  The latest errors I've been receiving are:

ubuntu@ip-172-20-2-22:~$ sudo /home/ubuntu/work/bin/keywhiz-fs --key=/usr/local/ca/private/www.example2.2.com.key.pem --ca=/usr/local/ca/certs/ca-chain.cert.pem --cert=/usr/local/ca/certs/www.example2.2.com.cert.pem https://172.20.0.51:4444 /secrets/kwfs --debug
ERROR kwfs_main[/secrets/kwfs]: 2016/07/31 16:40:08 panic: crypto/tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]
panic: crypto/tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]

goroutine 1 [running]:
panic(0x89b920, 0xc820017830)
    /usr/local/go/src/runtime/panic.go:481 +0x3e6
main.panicOnError(0x7fa66ce0e050, 0xc820017830)
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/main.go:161 +0x13b
main.NewClient(0x7ffd9cf81872, 0x2f, 0x7ffd9cf8180f, 0x30, 0x7ffd9cf81845, 0x25, 0xc82007a580, 0x4a817c800, 0x1, 0x7ffd9cf818bb, ...)
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/client.go:83 +0x207
main.main()
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/main.go:82 +0x680
ubuntu@ip-172-20-2-22:~$ sudo /home/ubuntu/work/bin/keywhiz-fs --asuser="root" --group="root" --key=/usr/local/ca/private/www.example2.2.com.key.pem --ca=/usr/local/ca/certs/ca-chain.cert.pem --cert=/usr/local/ca/certs/www.example2.2.com.cert.pem https://172.20.0.51:4444 /secrets/kwfs --debug
ERROR kwfs_main[/secrets/kwfs]: 2016/07/31 16:40:39 panic: crypto/tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]
panic: crypto/tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]

goroutine 1 [running]:
panic(0x89b920, 0xc820017850)
    /usr/local/go/src/runtime/panic.go:481 +0x3e6
main.panicOnError(0x7f94afd24050, 0xc820017850)
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/main.go:161 +0x13b
main.NewClient(0x7fff17658857, 0x2f, 0x7fff176587f4, 0x30, 0x7fff1765882a, 0x25, 0xc820078580, 0x4a817c800, 0x1, 0x7fff176588a0, ...)
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/client.go:83 +0x207
main.main()
    /home/ubuntu/work/src/github.com/square/keywhiz-fs/main.go:82 +0x680

The system won't allow non-root users to read the key/cert at this time, so that's the reason for root user usage (PoC on test system).  I'd love to get some suggestions or feedback on other things that could be checked to get this going.  I feel I'm probably too close to the problem to fully troubleshoot.  Thank you.

-Matt


Matthew Halder

Aug 1, 2016, 1:11:43 PM
to keywhiz-users
The issue here was that the certificate was unsigned [derp], so anybody seeing this in the future should be sure to use "openssl verify -verbose -CAfile ${/path/to/ca-chain.pem} ${/path/to/client/cert}" and ensure that your cert is verifiable before proceeding.
Also, I'd recommend that users add the internal hostname or IP to the CA cnf file as a SAN (subjectAltName); certificates, by default, will be for localhost only.

Lastly, if you're reading this and wonder why I'm replying to my own posts here is a relevant xkcd.
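The failure in the first post and the two checks suggested in the follow-up (verify the leaf against the CA chain, and make sure the hostname or IP is in the SAN) can be exercised in a few lines of Go, the language keywhiz-fs itself is written in. The program below is an added example, not keywhiz-fs code: it builds a throwaway CA, a CSR and two leaf certificates in memory (all constructed here, with a made-up CA name and the thread's hostname and a constructed IP), then runs a pre-flight check that reproduces the `crypto/tls` "failed to find CERTIFICATE" error when a CSR is handed in as the certificate, rejects a self-signed leaf the way `openssl verify -CAfile` would, and lists the SAN entries of the properly signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// pemTypes lists the PEM block types in data, in order. A --cert file that
// reports only "CERTIFICATE REQUEST" is exactly the situation behind the panic.
func pemTypes(data []byte) []string {
	var types []string
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		types = append(types, block.Type)
	}
	return types
}

// checkClientCert is a pre-flight for a --cert/--ca pair (example code, not
// keywhiz-fs). It mirrors the crypto/tls error when no CERTIFICATE block is
// present, verifies the leaf against the CA chain, and returns the SAN entries.
func checkClientCert(certPEM, caPEM []byte) ([]string, error) {
	var skipped []string
	for block, rest := pem.Decode(certPEM); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return verifyLeaf(block.Bytes, caPEM)
		}
		skipped = append(skipped, block.Type)
	}
	return nil, fmt.Errorf("failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skipped)
}

func verifyLeaf(der, caPEM []byte) ([]string, error) {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificates found in chain file")
	}
	// ExtKeyUsageAny: accept a client-auth or server-auth leaf; only the chain matters here.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate does not verify against CA chain: %w", err)
	}
	sans := append([]string{}, leaf.DNSNames...)
	for _, ip := range leaf.IPAddresses {
		sans = append(sans, ip.String())
	}
	return sans, nil
}

type fixtures struct{ caPEM, csrPEM, certPEM, selfSignedPEM []byte }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildFixtures constructs a CA, a CSR carrying SANs, a CA-signed leaf and a
// self-signed leaf entirely in memory (constructed test data, not real PKI).
func buildFixtures() *fixtures {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "www.example2.2.com"}, DNSNames: []string{"www.example2.2.com"},
		IPAddresses: []net.IP{net.ParseIP("172.20.2.22")}}, clientKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	must(csr.CheckSignature())
	// The CA copies the SANs from the CSR into the issued certificate.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		IPAddresses: csr.IPAddresses, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey)
	must(err)
	selfDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, leafTmpl, &clientKey.PublicKey, clientKey)
	must(err)
	enc := func(typ string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}) }
	return &fixtures{caPEM: enc("CERTIFICATE", caDER), csrPEM: enc("CERTIFICATE REQUEST", csrDER),
		certPEM: enc("CERTIFICATE", leafDER), selfSignedPEM: enc("CERTIFICATE", selfDER)}
}

func main() {
	f := buildFixtures()
	for name, in := range map[string][]byte{"csr-as-cert": f.csrPEM, "self-signed": f.selfSignedPEM, "ca-signed": f.certPEM} {
		sans, err := checkClientCert(in, f.caPEM)
		fmt.Printf("%-12s blocks=%v sans=%v err=%v\n", name, pemTypes(in), sans, err)
	}
}
```

Running it prints one line per case: the CSR-as-cert input fails with the same wording as the keywhiz-fs panic, the self-signed leaf fails chain verification, and only the CA-signed leaf passes and shows its DNS and IP SANs. Pointing `checkClientCert` at the real `--cert` and `--ca` files (read with `os.ReadFile`) before starting keywhiz-fs would have caught both mistakes from the thread.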

Sarah Harvey

Aug 1, 2016, 1:16:21 PM
to Matthew Halder, keywhiz-users
Relatedly, we have had a lot of trouble getting openssl to give us useful information in the past, which is why we released certigo: https://github.com/square/certigo

Perhaps this may be of use for future certificate debugging endeavours.
