Problem with the CN of my own certificate (Wildcard Certificate)

[Axel Andriot]

Hello,

I'm trying to install Velociraptor. To start, I installed in Self Signed Mode and everything was ok so i wanted to put my own certificat and i had a little problem. Indeed, I've a gRPC error message so I checked in the code to find a solution and i discovered something.

As you can see with the attached,  the code is like this (link: https://github.com/Velocidex/velociraptor/blob/master/api/proxy.go#L268):

l.268 : gw_name= CN of my gw_cert

l.269: we compare gw_name and what i put in API.PinnedGwName in my server.config file

l.270: return error if gw_name and API.PinnedGwName don't match.

So here we have a simple "String compare" with 2 parameters, gw_name and API.PinnedGwName. 

My problem is, my CN so gw_name is "*.XXXXXX"(Wildcard Certificate) which normally means i can put all i want before the dot. But i can't write this in API.PinnedGwName because somewhere else in the code, there is a rule says "only alphanumeric informations in the server.config file" .

So i think wildcard certificate won't work with the actual code.

To remind you, a wildcard certificate is used to get many websites with just one certificate, I don't know if many companies use it.  It could be a plus for the application if something is done for this type of certificate. :)

However if you have a solution for my problem, I'm all ears ! 

Best Regards.

Axel

[Mike Cohen]

Hi Axel,

   I can not think of a reason for you to need to replace the gw certificates - it is not needed and probably not supported.

Just to explain, grpc is the protocol that is running the API server. The grpc gateway is basically a reverse proxy that converts AJAX style HTTP requests to grpc calls for the API. The GUI is a javascript application which makes AJAX calls to the gateway. For each call, the gateway is forwarding this call to the grpc API server. Velociraptor's GRPC API service uses mutual certificate authentications to verify the caller - this is why it needs its own certificates signed by the internal Velociraptor CA.

Normally the API server uses the client's certificate to work out who made the call, so they can attach ACLs to the caller. But in the special case where the call came from the gateway this means that the actual user that made the call is not really the gateway (this is just a proxy) but the user is identified via some other process (usually oauth2 or basic auth depending on the configuration) and the caller is calling on behalf of someone else (it is impersonating the real user). So there is a special exception for the API server when it is dealing with a special caller identified by its name - the hard coded name is in API.PinnedGwName and any API caller with this name has extra trust that allows them to impersonate another user. So it is a very important special name which is in the config file but you never need to change it because it is created when you initially create the config. The special name is inside the gateway certificate so you can not replace that certificate and it would not make sense anyway. The gw certificate is only used to call from the gateway to the api service (i.e. internally in the same process over loopback).

What are you actually trying to solve? If you want to use a properly purchased certificate which is not let's encrypt you need to just add the path to the certificate and private key to https://github.com/Velocidex/velociraptor/blob/a5c7797cb76695f90e290885481921465a5d0d60/config/proto/config.proto#L499

I dont know for sure but I think it should support wildcard certs because they are pretty standard.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises M  ‭+61 470 238 491‬  E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/427a5fbe-2ad1-4609-810e-0ce438c682ban%40googlegroups.com.

[Axel Andriot]

Mike,

Thanks for your response.

I'd like to use my wildcard certificate, yes. So for that, I started with Signed Self SSL conf. I changed the frontend certificate,the private key with mine and switched "use_self_signed_ssl" off.

My server started but i had a error message : "connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for XXXXXXX, not VelociraptorServer" "

So I changed the pinner_server_name. And the message error changed: "connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"  "

Then I searched and found that gw_certificate and frontend certificate could be the same, so I wondered if my problem didn't come from there because the gw_certificate was auto-generated with self signed ssl conf. 

So I changed and the error from my last message came.

Therefore, now with your help, I regenerated a self signed ssl conf and i added tls_certificate_filename (.pem) ,tls_private_key_filename (.key), dns_name, changed frontend certificate/private key, switched "use_self_signed_ssl" off and changed pinner_server_name. 

But I've still the error message on the GUI  " connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"  " and it's weird because with chrome i've the cadlock which says "validated certificate" and when I click on "details", I see everything is ok with my CN, etc.. 

I don't put the CN of my frontend certificate in Client.Pinner_server_name, could it come from there ? But if yes i've the same problem from the last message, i can't put "*" in the server.config file.

Thank you for taking your time to help me ! 

BR.

Axel

[Mike Cohen]

The frontend certificate in the config is used for multiple things (including the API -> GW connection) - do not change it! If you want to use your own TLS certificate all you have to do is to specify them using the config options I mentioned above (tls_certificate_filename and tls_private_key). This will **only** change the TLS certificates.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises M  ‭+61 470 238 491‬  E mi...@velocidex.com

[Axel]

Hello Mike,

Thanks a lot for your help ! 

Everything works as i wanted, so i just did "use_self_signed_SSL = false" and added  Frontend.tls_certificate_filename, Frontend.tls_private_key and Frontend.dns_name. I thought frontend certificate was the certificate auto-generated by self signed option from the wizard that's why I changed it.

Have a nice day.

BR.

Axel