
Unable to configure TLS #825

Closed
golinegianni opened this issue Dec 1, 2022 · 9 comments · Fixed by #831

Comments

@golinegianni

When we add to /etc/routinator/routinator.conf the following lines:

http-tls-listen = ["IPv4:8324", "[IPv6]:8324"]
http-tls-cert = "/etc/ssl/certificate.crt"
http-tls-key = "/etc/sss/private.key"
log = "file"
log-file = "/var/log/routinator.log"
log-level = "debug"

the service doesn't start and no debug log is written.
Could you tell us if we are configuring it wrong or if there is some misspelling?
Both certificate and private key are in PEM format.

@partim
Member

partim commented Dec 1, 2022

Those lines look fine – and should work.

If it doesn’t start, there should be some kind of output. It may, however, not be in the log file you specified but on stderr. This happens for instance if it can’t read your config file.

If you start the service via systemd, then this output should appear if you run journalctl -u routinator.

@johannesmoos

johannesmoos commented Dec 5, 2022

Hi, we see a similar problem, however with an error message:

$ sudo -u routinator routinator -v -c /etc/routinator/routinator.conf server
[ERROR] TLS key file '/etc/pki/tls/private/cert.key' does not contain any usable keys.

Config:

$ grep tls routinator.conf
http-tls-listen = [ "10.34.4.10:443" ]
http-tls-cert = "/etc/pki/tls/certs/cert.pem"
http-tls-key = "/etc/pki/tls/private/cert.key"
$ routinator -V
Routinator 0.12.0

Cert and key look fine, however. They also work with our existing reverse proxy (stunnel).
Let me know if I can provide more input.

@partim
Member

partim commented Dec 6, 2022

As it says, the key file doesn’t contain a key (yeah, it could be more helpful, but this is coming from a dependency). Is it perchance using a passphrase? We can’t deal with that.

@golinegianni
Author

We solved it with these operations:

  • cleaned the certificate.crt, removing the attributes inside the file before the "-----BEGIN CERTIFICATE-----";
  • decrypted private.key and saved it in plain text.

After these operations routinator started successfully.

@johannesmoos

Is it perchance using a passphrase? We can’t deal with that.

It contains a (single) key in PEM format. The exact same key/cert pair works with e.g. stunnel.

@johannesmoos

OK, got it working now, it does not like

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Removing RSA did the trick.
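The three things that tripped the loader in this thread (attribute text before the BEGIN line, a PKCS#1 "RSA PRIVATE KEY" block instead of a PKCS#8 "PRIVATE KEY" one, and a passphrase-protected key) can all be checked before the service is started. The following Python is an added example, not Routinator's code or any fix from #831: it inspects a PEM file and re-wraps a PKCS#1 RSA key in the PKCS#8 PrivateKeyInfo envelope, the same transformation `openssl pkcs8 -topk8 -nocrypt` performs; the toy key at the end is constructed for the demo and is not a usable key.

```python
import base64
import re

# One PEM block: its label and base64 body (an encrypted legacy key carries "Proc-Type" headers in the body).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER of AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }, as used in PKCS#8.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag, body):
    """Tag, DER length (short form below 128, else 0x80 | byte count followed by the count), body."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_int(n):
    """DER INTEGER for n >= 0, with a leading 0x00 when the top bit would be set."""
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def pem_der(text):
    """Decode the base64 body of the first PEM block in text."""
    return base64.b64decode(PEM_BLOCK.search(text).group(2))

def inspect_pem(text):
    """Report what trips a strict loader: label, text before BEGIN, encryption markers."""
    m = PEM_BLOCK.search(text)
    label, body, head = (m.group(1), m.group(2), text[:m.start()]) if m else (None, "", text)
    return {"label": label,
            "leading_text": bool(head.strip()),  # e.g. openssl's "Bag Attributes" lines
            "encrypted": (label or "").startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body}

def pkcs1_to_pkcs8(rsa_key_der):
    """Wrap an RSAPrivateKey (PKCS#1) in PrivateKeyInfo: SEQUENCE { 0, algId, OCTET STRING }."""
    return der_tlv(0x30, der_int(0) + RSA_ALG_ID + der_tlv(0x04, rsa_key_der))

def normalize_key(text):
    """Return the key as a clean, unencrypted PKCS#8 'BEGIN PRIVATE KEY' PEM file."""
    info = inspect_pem(text)
    if info["encrypted"]:
        raise ValueError("key is passphrase-protected; decrypt it first")
    if info["label"] not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
        raise ValueError(f"unsupported PEM label: {info['label']}")
    der = pem_der(text) if info["label"] == "PRIVATE KEY" else pkcs1_to_pkcs8(pem_der(text))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"

# Constructed toy RSAPrivateKey (n=3233, e=17, d=2753, p=61, q=53, ...): structurally valid, not a usable key.
TOY_PKCS1 = der_tlv(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PEM = ("Bag Attributes\n    friendlyName: toy\n-----BEGIN RSA PRIVATE KEY-----\n"
           + base64.b64encode(TOY_PKCS1).decode() + "\n-----END RSA PRIVATE KEY-----\n")
```

Running `inspect_pem` on the deployed key and certificate files reports the leading text and encryption cases directly, and `normalize_key` produces a file any PKCS#8 loader accepts rather than one that depends on a particular parser's leniency.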

@partim
Member

partim commented Dec 12, 2022

Oh, interesting! That would explain why my tests all succeeded. My test key – generated with OpenSSL – only has the BEGIN PRIVATE KEY bit.

@partim
Member

partim commented Dec 12, 2022

Turns out I was “holding it wrong.”

We’ll sneak this one into the upcoming 0.12.1 with a new release candidate following soon.

@johannesmoos

Great, thanks! Glad that I wasn't holding it wrong and you already fixed it in no time :)
Will give the new version a try.
