How to configure SWUpdate to connect to https instance of HAwkbit


Krupa Rajashekhar

Oct 27, 2017, 5:24:40 AM10/27/17
to swup...@googlegroups.com
Hi,

I have hosted Hawkbit on https using self-signed certificate. Now when I run SWUpdate on my device, it gives a 'Peer certificate cannot be authenticated with given CA certificates' error.

How can I configure SWUpdate to successfully register on my hawkbit server?

Appreciate any help on this. Thanks.

Krupa.

Christian Storm

Oct 27, 2017, 7:45:01 AM10/27/17
to swup...@googlegroups.com
Hi Krupa,
For development/debugging you might try SWUpdate/suricatta's
--nocheckcert option.

For production, you have to set up your certificates properly.
Refer, e.g., to your distro's documentation on how to do this.


Kind regards,
Christian

--
Dr. Christian Storm
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany

kru...@gmail.com

Oct 27, 2017, 8:02:10 AM10/27/17
to swupdate

Hi Christian,

I tried the following command to start SWUpdate

sudo swupdate -k public.pem -u '-t default -x -u https://<ip>:<port> -i 13'

But I still get the same error. Can you please let me know what I am missing? Thanks.

kru...@gmail.com

Oct 30, 2017, 6:34:04 AM10/30/17
to swupdate

Hi Christian,

Further to my post on Friday, I did the following:
added my certificate to ca-certificates folder in /usr/share
Added the certificate name to ca-certificates.conf folder in /etc

After this, the initial error (Peer certificate cannot be authorized with given CA certificates) went away. But then it threw another error, 'SSL peer certificate or SSH remote key was not OK'. Also, after some time it is now giving me the "Channel get operation failed (27): 'Out of memory'" error.

I am using --nocheckcert option in swupdate.

Below are my logs:
[TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon
[TRACE] : SWUPDATE running : [listener_create] : got no socket at /tmp/swupdateprog from systemd
[TRACE] : SWUPDATE running : [listener_create] : creating socket at /tmp/swupdateprog
[TRACE] : SWUPDATE running : [listener_create] : got no socket at /tmp/sockinstctrl from systemd
[TRACE] : SWUPDATE running : [listener_create] : creating socket at /tmp/sockinstctrl
* Trying 52.88.148.232...
* Connected to <ec2 instance , ip> port 443 (#0)
* SSL: couldn't create a context: error:140A90A1:lib(20):func(169):reason(161)
* Closing connection 0
[ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get : 879 : Channel get operation failed (27): 'Out of memory'

[DEBUG] : SWUPDATE running : [suricatta_wait] : Sleeping for 45 seconds.

Can you please let me know how I can fix this?

Christian Storm

Nov 2, 2017, 4:17:51 AM11/2/17
to swupdate
Hi Krupa,

> Further to my post on Friday, I did the following:
> added my certificate to ca-certificates folder in /usr/share
> Added the certificate name to ca-certificates.conf folder in /etc
>
> After this, the initial error (Peer certificate cannot be authorized
> with given CA certificates) went away. But then it threw another error
> 'SSL peer certificate or SSH remote key was not OK'.

This peer certificate error happens when the validation of the trust
chain, not the actual certificate, fails. Please make sure that you have
a valid SSL installation on the client as well as on the server.
Follow your distribution's documentation on how to accomplish this.


> Also, after sometime it is now giving me "Channel get operation failed
> (27): 'Out of memory'" error.

I guess this is not really an out of memory condition but a result from
the above error.
What version of openssl are you using? Are you using different versions
at run- and at compile-time?


> I am using --nocheckcert option in swupdate.
>
> Below are my logs:
> [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon
> [TRACE] : SWUPDATE running : [listener_create] : got no socket at /tmp/swupdateprog from systemd
> [TRACE] : SWUPDATE running : [listener_create] : creating socket at /tmp/swupdateprog
> [TRACE] : SWUPDATE running : [listener_create] : got no socket at /tmp/sockinstctrl from systemd
> [TRACE] : SWUPDATE running : [listener_create] : creating socket at /tmp/sockinstctrl
> * Trying 52.88.148.232...
> * Connected to <ec2 instance , ip> port 443 (#0)
> * SSL: couldn't create a context: error:140A90A1:lib(20):func(169):reason(161)
> * Closing connection 0
> [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get : 879 : Channel get operation failed (27): 'Out of memory'
>
> [DEBUG] : SWUPDATE running : [suricatta_wait] : Sleeping for 45 seconds.
>
> Can you please let me know how I can fix this?

If strictssl is set to true, then in channel_hawkbit.c:370 there are
some curl settings applied. You may try to set some curl options in the
else case which turn off more checks than curl does by default
and see if that helps.

Stefano Babic

Nov 2, 2017, 5:51:19 AM11/2/17
to kru...@gmail.com, swupdate
Hi Krupa,
If a context cannot be created, OpenSSL was not initialized correctly.
But have you enabled CONFIG_SURICATTA_SSL ?

> [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get : 879 : Channel get operation failed (27): 'Out of memory'
>
> [DEBUG] : SWUPDATE running : [suricatta_wait] : Sleeping for 45 seconds.
>
> Can you please let me know how I can fix this?
>

Best regards,
Stefano Babic

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================

ayoub zaki

Nov 6, 2017, 9:57:48 AM11/6/17
to swupdate
Hi Christian,

I'm wondering what the -x / --nocheckcert option is for. In the code in suricatta/server_hawkbit.c:
if (channel_data->strictssl == true) {
    if ((curl_easy_setopt(channel_curl->handle,
                          CURLOPT_SSL_VERIFYHOST,
                          2L) != CURLE_OK) ||
        (curl_easy_setopt(channel_curl->handle,
                          CURLOPT_CAINFO,
                          channel_data->cafile) != CURLE_OK) ||
        (curl_easy_setopt(channel_curl->handle,
                          CURLOPT_SSLKEY,
                          channel_data->sslkey) != CURLE_OK) ||
        (curl_easy_setopt(channel_curl->handle,
                          CURLOPT_SSLCERT,
                          channel_data->sslcert) != CURLE_OK) ||
        (curl_easy_setopt(channel_curl->handle,
                          CURLOPT_SSL_VERIFYPEER,
                          1L) != CURLE_OK)) {
        result = CHANNEL_EINIT;
        goto cleanup;
    }
}

In fact, libcurl's default settings for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are 1L and 2L respectively.

Shouldn't it be the other way around: in case channel_data->strictssl == false, set them to 0?

Christian Storm

Nov 6, 2017, 10:52:13 AM11/6/17
to swupdate
Hi Krupa,

> > > I have hosted Hawkbit on https using self-signed certificate. Now when I
> > > run SWUpdate on my device, it gives a 'Peer certificate cannot be
> > > authenticated with given CA certificates' error.
> > >
> > > How can I configure SWUpdate to successfully register on my hawkbit
> > server?
> > >
> > > Appreciate any help on this. Thanks.
> >
> > For development/debugging you might try SWUpdate/suricatta's
> > --nocheckcert option.
> >
> > For production, you have to setup your certificates properly.
> > Refer, e.g., to your distro's documentation on how to do this.
>
>
> I'm wondering what the option -x --nocheckcert is ?:
> In the code suricatta/server_hawkbit.c:
> if (channel_data->strictssl == true) {

strictssl is 'true' by default.

> if ((curl_easy_setopt(channel_curl->handle,
> CURLOPT_SSL_VERIFYHOST,
> 2L) != CURLE_OK) ||

Default: 2

> (curl_easy_setopt(channel_curl->handle,
> CURLOPT_CAINFO,

Default: Built-in system specific

> channel_data->cafile) != CURLE_OK) ||
> (curl_easy_setopt(channel_curl->handle,
> CURLOPT_SSLKEY,

Default: NULL

> channel_data->sslkey) != CURLE_OK) ||

> (curl_easy_setopt(channel_curl->handle,
> CURLOPT_SSLCERT,

Default: NULL

> channel_data->sslcert) != CURLE_OK) ||
> (curl_easy_setopt(channel_curl->handle,
> CURLOPT_SSL_VERIFYPEER,

Default: 1

> 1L) != CURLE_OK)) {
> result = CHANNEL_EINIT;
> goto cleanup;
> }
> }
>
> In the fact libcurl default settings for CURLOPT_SSL_VERIFYPEER and
> CURLOPT_SSL_VERIFYHOST are respectively 1L and 2L.

Yes, they are, so for these two this may be too explicit. Either way,
for the other curl settings, strictssl serves its purpose...

> shouldn't be the other way around : in case of channel_data->strictssl ==
> false set them to 0 ?

Or you just implement an else { ... } block in which all the curl
options are set to "unsafe". If you test for the inverted option, you
would have an else { ... } block nonetheless for the other options.

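As an added example (not code from SWUpdate, libcurl or any poster in this thread), the three client configurations discussed above mirrored in Python's ssl module against a throwaway self-signed server standing in for hawkBit: strict verification against the system store (the case that fails with error 60 on a self-signed certificate), strict verification with the server's certificate supplied as the CA file (the CURLOPT_CAINFO / installed-trust-anchor route, i.e. the production fix), and verification disabled (what --nocheckcert amounts to, for debugging only). It assumes the openssl command-line tool is available to generate the constructed test certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dir_):  # constructed test material: key + self-signed cert for 'localhost'
    key, crt = os.path.join(dir_, "key.pem"), os.path.join(dir_, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"], check=True, capture_output=True)
    return key, crt

def serve(key, crt, conns):
    """Stand-in for the hawkBit host: accept `conns` handshakes, closing any the client aborts."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(crt, key)
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        for _ in range(conns):
            raw, _ = srv.accept()
            try:
                ctx.wrap_socket(raw, server_side=True).close()
            except OSError:  # client did not trust our self-signed cert and tore the handshake down
                raw.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def client_context(strictssl, cafile=None):
    """Mirror the strictssl branch: verify peer and host, optionally against a given CA file."""
    ctx = ssl.create_default_context()  # system CAs, like curl's VERIFYPEER=1 / VERIFYHOST=2 defaults
    if not strictssl:  # --nocheckcert: the peer is not authenticated at all
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif cafile:
        ctx.load_verify_locations(cafile)  # CURLOPT_CAINFO equivalent: trust this CA/cert
    return ctx

def try_connect(port, ctx):
    """Return 'ok' or OpenSSL's verify reason (the failure curl reports as error 60)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            with ctx.wrap_socket(s, server_hostname="localhost"):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_message

def demo():  # the three configurations from the thread, against one self-signed server
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        port = serve(key, crt, conns=3)
        return {"strict_system_cas": try_connect(port, client_context(True)),
                "strict_cafile": try_connect(port, client_context(True, crt)),
                "nocheckcert": try_connect(port, client_context(False))}
```

Only the second configuration both connects and authenticates the server; the third connects but would accept any certificate, which is why it belongs to development only.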
Ayoub Zaki

Nov 6, 2017, 1:55:18 PM11/6/17
to swup...@googlegroups.com
Hi Christian,
In the case of self-signed certificates it does not work:

[TRACE] : SWUPDATE running : [suricatta_configdata_settings] : Identify
for configData: hwId --> ipse

[TRACE] : SWUPDATE running : [suricatta_configdata_settings] : Identify
for configData: hwVersion --> 333

[TRACE] : SWUPDATE running : [suricatta_configdata_settings] : Identify
for configData: serialNo --> 1234567890

[TRACE] : SWUPDATE running :  [listener_create] : creating socket at
/tmp/swupdateprog
[TRACE] : SWUPDATE running :  [network_initializer] : Main loop Daemon
[TRACE] : SWUPDATE running :  [listener_create] : creating socket at
/tmp/sockinstctrl
[TRACE] : SWUPDATE running :  [get_state] : Read state=4 from persistent
storage.

[DEBUG] : SWUPDATE running :  [server_handle_initial_state] : State is
STATE_OK/STATE_NOT_AVAILABLE, nothing to report to server.

[TRACE] : SWUPDATE running :  [start_suricatta] : Server initialized,
entering suricatta main loop.

[DEBUG] : SWUPDATE running :  [server_get_device_info] : Getting
information for device '123456'

[DEBUG] : SWUPDATE running :  [channel_get] : Trying to GET
https://embexus.duckdns.org/hawkbit/default/controller/v1/123456
*   Trying 89.12.122.245...
* Connected to embexus.duckdns.org (89.12.122.245) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL certificate problem: self signed certificate
* Closing connection 0
[ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c :
channel_get : 879 : Channel get operation failed (60): 'Peer certificate
cannot be authenticated with given CA certificates'

>
>> shouldn't be the other way around : in case of channel_data->strictssl ==
>> false set them to 0 ?
> Or you just implement an else { ... } block in which all the curl
> options are set to "unsafe". If you test for the inverted option, you
> would have an else { ... } block nonetheless for the other options.

Yes, I think this is the way it should be done; I'll send a patch.

Thank you :-)


Best regards

--
Ayoub Zaki
Embedded Systems Consultant

Vaihinger Straße 2/1
D-71634 Ludwigsburg

Tel. : +4971415074546
Mobile : +4917662901545
Email : ayoub...@embexus.com
Homepage : https://embexus.com
VAT No. : DE313902634

omar.abe...@gmail.com

Feb 15, 2018, 9:57:04 PM2/15/18
to swupdate
How do I set up logs for swupdate and where can I find them?

Keshava Kumar

Nov 23, 2021, 6:30:49 AM11/23/21
to swupdate
Hi Swupdate community, 

I am having some issues with Hawkbit with swupdate. Here is my issue: 

Can anyone shed some light on the issues I am facing and the steps to follow to enable https?

Thanks, 
Keshava
