Agent does not complain if it cannot read the certificates it is configured to use #880

@tuminoid

Description

Issue

I'm having issues with mTLS using master versions of keylime and rust-keylime agent. I'm using a very default-y setup where the verifier generates the certs for everyone to use, but when I run tenant -c add -u <uuid> ... I get an error:

2024-12-03 13:36:23.248 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): 127.0.0.2:8891
2024-12-03 13:36:23.267 - urllib3.connectionpool - DEBUG - https://127.0.0.2:8891 "GET /v2.3/agents/c47b9ea2-2bc2-461b-957b-e77dbcf35e5e HTTP/1.1" 200 3625
2024-12-03 13:36:23.275 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): 127.0.0.3:9002
2024-12-03 13:36:23.279 - keylime.tenant - ERROR - Keylime agent does not recognize mTLS certificate form tenant. Check if agents trusted_client_ca is configured correctly

The tenant talks successfully to the registrar, but when connecting to the agent, mTLS fails. The agent config has trusted_client_ca = "default" and cv_ca is shared between all components. I've verified with openssl verify -CAfile ... that all certs there are indeed trusted via the cacert.crt.

Looking at the shared certificates, they're all root-readable only.

[root@keylime-agent cv_ca]# ll
total 56
-rw-r----- 1 root root   451 Dec  3 13:26 ca-public.pem
-rw-r----- 1 root root  1432 Dec  3 13:26 cacert.crt
-rw-r----- 1 root root   448 Dec  3 13:26 cacrl.der
-rw-r----- 1 root root   658 Dec  3 13:26 cacrl.pem
-rw-r----- 1 root root  1371 Dec  3 13:26 client-cert.crt
-rw-r----- 1 root root  1704 Dec  3 13:26 client-private.pem
-rw-r----- 1 root root   451 Dec  3 13:26 client-public.pem
-rw-r----- 1 root root 13383 Dec  3 13:26 private.yml
-rw-r----- 1 root root  1371 Dec  3 13:26 server-cert.crt
-rw-r----- 1 root root  1704 Dec  3 13:26 server-private.pem
-rw-r----- 1 root root   451 Dec  3 13:26 server-public.pem

Current behavior

Certs are not readable by the agent, which drops privileges and runs as keylime:tss. The agent does not say anything about not being able to access the certificates at any point, even when Rust logging is set to debug.

Expected behavior

The agent would complain and fail to start up if it cannot read the certificates it is pointed to via the configuration file/environment variables.
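As an added illustration of the kind of startup pre-flight check the expected behavior asks for (example code written for this page, not rust-keylime's own implementation), the Rust below verifies, while the process still holds its starting privileges, that every configured certificate path exists, would be readable by the post-drop uid/gid according to its mode bits, and actually opens non-empty, and it reports every failure instead of silently carrying on. The `RunAs` type, the `preflight_cert_files` function, and the fixture files (a 0640 `cacert.crt` modelled on the listing above, a 0644 `client-cert.crt`, and a missing `server-cert.crt`) are all assumptions constructed for the example. Caveat: the mode-bit check ignores POSIX ACLs and supplementary groups, so it is a best-effort early warning; the authoritative check is re-opening the files after the privilege drop.

```rust
use std::fs::{self, File};
use std::io::Read;
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Identity the agent will run as after dropping privileges.
/// Hypothetical type for this example; rust-keylime's own config structures differ.
#[derive(Clone, Copy, Debug)]
pub struct RunAs {
    pub uid: u32,
    pub gid: u32,
}

/// One problem found with a configured certificate file.
#[derive(Debug, PartialEq)]
pub enum CertCheckError {
    Missing(PathBuf),
    /// path, permission bits, uid and gid that would be denied read access
    NotReadableBy(PathBuf, u32, u32, u32),
    Unreadable(PathBuf, String),
    Empty(PathBuf),
}

/// Classic owner/group/other DAC decision from mode bits alone.
/// Does not model ACLs, supplementary groups or capabilities.
pub fn mode_allows_read(mode: u32, file_uid: u32, file_gid: u32, who: RunAs) -> bool {
    if who.uid == 0 {
        return true; // root bypasses discretionary read checks
    }
    let bits = mode & 0o777;
    if file_uid == who.uid {
        (bits & 0o400) != 0 // owner class applies exclusively, even if group/other are wider
    } else if file_gid == who.gid {
        (bits & 0o040) != 0
    } else {
        (bits & 0o004) != 0
    }
}

/// Pre-flight check to run *before* privileges are dropped. Collects every
/// problem rather than stopping at the first so the operator sees the full picture.
pub fn preflight_cert_files<P: AsRef<Path>>(paths: &[P], who: RunAs) -> Vec<CertCheckError> {
    let mut errors = Vec::new();
    for p in paths {
        let path = p.as_ref().to_path_buf();
        let meta = match fs::metadata(&path) {
            Ok(m) => m,
            Err(_) => {
                errors.push(CertCheckError::Missing(path));
                continue;
            }
        };
        if !mode_allows_read(meta.mode(), meta.uid(), meta.gid(), who) {
            errors.push(CertCheckError::NotReadableBy(path, meta.mode() & 0o777, who.uid, who.gid));
            continue;
        }
        // Still privileged here, so this catches I/O problems and empty files, not DAC.
        let mut buf = Vec::new();
        match File::open(&path).and_then(|mut f| f.read_to_end(&mut buf)) {
            Ok(_) if buf.is_empty() => errors.push(CertCheckError::Empty(path)),
            Ok(_) => {}
            Err(e) => errors.push(CertCheckError::Unreadable(path, e.to_string())),
        }
    }
    errors
}

/// Constructed fixture: a root-only style 0640 CA cert, a 0644 client cert and a
/// missing server cert, checked as a uid/gid deliberately different from the file owner.
pub fn demo() -> Vec<CertCheckError> {
    let dir = std::env::temp_dir().join(format!("keylime-cert-preflight-{}", std::process::id()));
    fs::create_dir_all(&dir).expect("create fixture dir");
    let pem = b"-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n";
    let strict = dir.join("cacert.crt");
    let open = dir.join("client-cert.crt");
    let missing = dir.join("server-cert.crt"); // intentionally never created
    fs::write(&strict, pem).expect("write cacert.crt");
    fs::write(&open, pem).expect("write client-cert.crt");
    fs::set_permissions(&strict, fs::Permissions::from_mode(0o640)).expect("chmod 0640");
    fs::set_permissions(&open, fs::Permissions::from_mode(0o644)).expect("chmod 0644");
    let meta = fs::metadata(&strict).expect("stat cacert.crt");
    // Pick an unprivileged identity that is neither root nor the file's owner/group.
    let other_id = |n: u32| if n == 1 { 2 } else { 1 };
    let who = RunAs { uid: other_id(meta.uid()), gid: other_id(meta.gid()) };
    let errors = preflight_cert_files(&[strict, open, missing], who);
    let _ = fs::remove_dir_all(&dir);
    errors
}

fn main() {
    let errors = demo();
    if errors.is_empty() {
        println!("all certificate files are readable by the post-drop identity");
    } else {
        for e in &errors {
            eprintln!("certificate pre-flight failed: {:?}", e);
        }
        std::process::exit(1); // refuse to start rather than fail mTLS later with no log line
    }
}
```

Run as a normal user, `demo()` reports the 0640 file as unreadable by the chosen uid/gid and the server cert as missing, while the 0644 file passes; the process then exits non-zero with one line per problem, which is the behavior the report asks the agent to adopt.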
