This repository has been archived by the owner on Apr 9, 2024. It is now read-only.

Getting stuck while generating the custom certificates #48

Open
LalitPunera opened this issue Aug 11, 2021 · 3 comments

Comments

@LalitPunera

The current set of certs is already expired and unusable. When I tried to create a new set of certificates and then start the nts-ke server, the server throws BadCertificate. Below are some of the encountered error logs:

Aug 11 09:39:33.659 INFO initializing keys with memcached, component: nts_ke, module: cfnts::nts_ke::server::server:110
Aug 11 09:39:33.659 INFO spawning metrics, component: nts_ke, module: cfnts::nts_ke::server::server:121
Aug 11 09:39:33.659 INFO starting NTS-KE server over TCP/TLS on [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::server:139
Aug 11 09:43:20.810 INFO accepting new connection from [::ffff:44.234.122.164]:48402, component: nts_ke, module: cfnts::nts_ke::server::listener:172
Aug 11 09:43:20.811 ERRO TLS alert received: Message {
typ: Alert,
version: TLSv1_3,
payload: Alert(
AlertMessagePayload {
level: Fatal,
description: BadCertificate,
},
),
}, module: rustls::session:571
Aug 11 09:43:20.811 ERRO cannot process packet: received fatal alert: BadCertificate, client: [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::connection:211
Aug 11 10:05:34.211 INFO accepting new connection from [::ffff:44.234.122.164]:48560, component: nts_ke, module: cfnts::nts_ke::server::listener:172
Aug 11 10:05:34.212 ERRO TLS alert received: Message {
typ: Alert,
version: TLSv1_3,
payload: Alert(
AlertMessagePayload {
level: Fatal,
description: BadCertificate,
},
),
}, module: rustls::session:571
Aug 11 10:05:34.212 ERRO cannot process packet: received fatal alert: BadCertificate, client: [::]:4460, component: nts_ke, module: cfnts::nts_ke::server::connection:211
Aug 11 09:39:33.677 INFO Initializing keys with memcached, component: ntp, module: cfnts::ntp::server::server:204
Aug 11 09:39:33.677 INFO setting stratum to 1, component: ntp, module: cfnts::ntp::server::server:244
Aug 11 09:39:33.678 INFO spawning metrics, component: ntp, module: cfnts::ntp::server::server:251
Aug 11 09:39:33.678 INFO Listening on: 127.0.0.1:456, listen_addr: 127.0.0.1:456, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.671 INFO Initializing keys with memcached, component: ntp, module: cfnts::ntp::server::server:204
Aug 11 09:39:33.676 INFO setting stratum to 1, component: ntp, module: cfnts::ntp::server::server:244
Aug 11 09:39:33.676 INFO spawning metrics, component: ntp, module: cfnts::ntp::server::server:251
Aug 11 09:39:33.676 INFO Listening on: 0.0.0.0:123, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.676 INFO Listening on: 0.0.0.0:789, listen_addr: 0.0.0.0:789, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 09:39:33.676 INFO Listening on: [::]:123, listen_addr: [::]:123, component: ntp, module: cfnts::ntp::server::server:267
Aug 11 10:11:02.608 ERRO mangled packet, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:194
Aug 11 10:15:23.241 ERRO mangled packet, listen_addr: 0.0.0.0:123, component: ntp, module: cfnts::ntp::server::server:194

When trying to connect to the KE server with the configured endpoint, I get the error below:

./target/release/cfnts client -p 4460 xyz.customdns.com
Aug 11 10:41:31.055 WARN Sending fatal alert BadCertificate, module: rustls::session:815
failure of tls stage: invalid certificate: UnknownIssuer

Can someone please help resolve this issue? It has become a bottleneck and I'm unable to move ahead. Can we get some steps to create custom certificates?

@wbl
Contributor

wbl commented Aug 13, 2021

Run gencerts.sh and see if that works. Note the private keys need to be in PKCS8 format.

@LalitPunera
Author

Hi Watson,

gencerts.sh is not available in the repo. I could find the generate.sh script, which does the cert generation work. I had already tried that before, as you suggested, and the issue is still the same.

When I ran generate.sh, which renews or regenerates a new set of certs, I still got the BadCertificate issue for the certs generated by the script. Ideally I should not see this issue, as the new certs are generated with the same older root certs (ca.pem and ca-key.pem), but I am still facing it.

Can you please try the same on your end and look into this?

@wbl
Contributor

wbl commented Aug 20, 2021

If you are using certificates signed by a local CA like the one in test, you need to pass the -c flag to the client. Look at the scripts in the scripts directory to see how this is done.
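The two conditions wbl names, a private key in PKCS#8 and a client that trusts the local CA, can be checked with plain openssl before involving cfnts at all. The script below is an added example, not a script from the cfnts repository and not something either participant posted: it mints a local test CA, issues a certificate for the NTS-KE host, confirms the key is PKCS#8 (and shows how to rewrap a SEC1 key that is not), and runs the same chain and hostname check a TLS client runs, once against the CA that signed the certificate and once against an unrelated CA, which is the UnknownIssuer case from the client output above. The hostname xyz.customdns.com is taken from the issue; the directory layout, file names and curve are assumptions.

```shell
#!/bin/sh
# Added example, not part of the cfnts repository: mint a local test CA and a
# server certificate for an NTS-KE host with plain openssl, make sure the keys
# are PKCS#8, and run the trust check a TLS client performs.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory
HOST="${HOST:-xyz.customdns.com}"    # hostname from the issue, assumed to be the server's DNS name

# Minimal req config so the script does not depend on a system openssl.cnf;
# the CN here is a placeholder, -subj supplies the real subject.
REQ_CNF="$WORKDIR/req.cnf"
printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = placeholder\n' > "$REQ_CNF"

# gen_ca PREFIX: self-signed root CA -> PREFIX.pem, key -> PREFIX-key.pem.
# openssl genpkey writes PKCS#8 ("BEGIN PRIVATE KEY"), the format rustls loads.
gen_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1-key.pem" 2>/dev/null
  openssl req -new -config "$REQ_CNF" -key "$1-key.pem" \
    -subj "/CN=Local NTS test CA $(basename "$1")" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1-key.pem" -days 3650 -sha256 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# gen_server_cert CAPREFIX: leaf certificate for $HOST signed by that CA -> $WORKDIR/server.pem.
gen_server_cert() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORKDIR/server-key.pem" 2>/dev/null
  openssl req -new -config "$REQ_CNF" -key "$WORKDIR/server-key.pem" -subj "/CN=$HOST" \
    -out "$WORKDIR/server.csr" 2>/dev/null
  # rustls/webpki matches the hostname against the SAN only; a CN alone is not enough.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$HOST" > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$1.pem" -CAkey "$1-key.pem" -CAcreateserial \
    -days 397 -sha256 -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

# key_is_pkcs8 FILE: true for PKCS#8, false for SEC1 ("EC PRIVATE KEY") or PKCS#1 ("RSA PRIVATE KEY").
key_is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# to_pkcs8 IN OUT: rewrap a traditional key as unencrypted PKCS#8.
to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# chain_verifies CAFILE CERT HOSTNAME: the check a client does when handed the CA
# explicitly; failing it is what the client reports as UnknownIssuer / BadCertificate.
chain_verifies() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# not_expired CERT: the first thing to check when a previously working setup fails.
not_expired() {
  openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
}

main() {
  gen_ca "$WORKDIR/ca"
  gen_server_cert "$WORKDIR/ca"
  gen_ca "$WORKDIR/other-ca"   # unrelated CA, standing in for a client's default trust store

  key_is_pkcs8 "$WORKDIR/server-key.pem" && echo "server-key.pem: PKCS#8"
  not_expired "$WORKDIR/server.pem" && echo "server.pem: not expired"
  chain_verifies "$WORKDIR/ca.pem" "$WORKDIR/server.pem" "$HOST" && echo "verify with ca.pem: OK"
  chain_verifies "$WORKDIR/other-ca.pem" "$WORKDIR/server.pem" "$HOST" \
    || echo "verify with other-ca.pem: FAIL (unknown issuer, the client's error)"

  # A SEC1 key, as openssl ecparam emits, is not PKCS#8 until it is rewrapped.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/sec1-key.pem" 2>/dev/null
  key_is_pkcs8 "$WORKDIR/sec1-key.pem" || echo "sec1-key.pem: not PKCS#8"
  to_pkcs8 "$WORKDIR/sec1-key.pem" "$WORKDIR/sec1-key.pk8"
  key_is_pkcs8 "$WORKDIR/sec1-key.pk8" && echo "sec1-key.pk8: PKCS#8 after conversion"
}
main
```

Run it with sh; the files land in a fresh mktemp directory (override with WORKDIR=...). Whichever CA file passes the openssl verify step is the one the client has to be pointed at with -c, as wbl says; how that flag takes its argument is defined by the cfnts client, so check its help output rather than assuming. If openssl verify fails even with the CA that signed the certificate, or not_expired fails, the certificates are the problem and no client flag will help.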
