
Re: [Handle-info] SSL certificate error on Rest API request



Thanks for your answer!
I just tried with the correct key but I still have the same error.
Maybe there's something obvious. I'm not comfortable with SSL and certificates...

$ sudo ../handle-9.3.0/bin/hdl-convert-key privkey.bin -o privkey-2022-02-04.pem
$ sudo openssl req -new -x509 -key /usr/local/hdl/privkey-2022-02-04.pem -subj '/UID=300:0.NA\/20.500.13090' -days 365 -out /usr/local/hdl/cert2022-02-04.pem
$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-04.pem --key /usr/local/hdl/privkey-2022-02-04.pem -H 'Authorization: Handle clientCert="true"' 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
*   Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid
* Closing connection 0
curl: (35) error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid


Jean-François

On Fri, Feb 4, 2022 at 07:18, Robert Tupelo-Schneck <schneck@cnri.reston.va.us> wrote:
You created your certificate with admpriv.bin, but the server actually uses privkey.bin.  admpriv.bin is a convenience to use for an administrative identity, whereas privkey.bin is the server's own key.

I suspect if you recreate with privkey.bin it will work for you!

Robert


On Thu, Feb 3, 2022 at 1:15 PM Jean-François Rivière <jean-francois.riviere@openedition.org> wrote:
Hi,

I am trying to use the Rest API on my Handle server.
It works fine without authentication on GET requests:

{
   "handle" : "20.500.13090/test",
   "responseCode" : 1,
   "values" : [
      {
         "data" : {
            "format" : "string",
            "value" : "https://books.openedition.org"
         },
         "index" : 1,
         "timestamp" : "2022-01-16T21:13:51Z",
         "ttl" : 86400,
         "type" : "URL"
      }
   ]
}

But it fails with an SSL certificate error on https:
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid

I tried the method described in this message to generate certificate: http://www.handle.net/mail-archive/handle-info/msg00816.html

$ sudo ../handle-9.3.0/bin/hdl-convert-key admpriv.bin -o admprivatekey-2022-02-03.pem
$ sudo openssl req -new -x509 -key /usr/local/hdl/admprivatekey-2022-02-03.pem -subj '/UID=300:0.NA\/20.500.13090' -days 365 -out /usr/local/hdl/cert2022-02-03.pem

Error on GET request:

$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-03.pem --key /usr/local/hdl/admprivatekey-2022-02-03.pem -H 'Authorization: Handle clientCert="true"' 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
*   Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
* Closing connection 0
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid


Error on DELETE request:

riviere@handle-dev:~$ curl -i -k -v --cert /usr/local/hdl/cert2022-02-03.pem --key /usr/local/hdl/admprivatekey-2022-02-03.pem -H 'Authorization: Handle clientCert="true"'-X DELETE 'https://192.168.178.224:8000/api/handles/20.500.13090/test?index=1'
* Could not resolve host: DELETE
* Closing connection 0
curl: (6) Could not resolve host: DELETE
*   Trying 192.168.178.224:8000...
* Connected to 192.168.178.224 (192.168.178.224) port 8000 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
* error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
* Closing connection 1
curl: (35) error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid



Does anyone have any idea what I am doing wrong? 

Thanks,
Jean-François

--
Jean-François Rivière
OpenEdition, service données
jean-francois.riviere@openedition.org
Tél. +33 4 13 55 03 50
22, rue John Maynard Keynes, BAT C, 13013 Marseille
http://www.openedition.org
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info

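A worked check, added here as an example and not part of the thread or of the Handle software: before presenting a self-signed certificate with curl --cert/--key, confirm that the public key inside the certificate is the one derived from the private key passed alongside it. The errors quoted above (RSA_verify_PKCS1_PSS_mgf1: first octet invalid / last octet invalid) are what OpenSSL reports when a PSS signature is decoded with a public key that did not produce it, so a certificate/key mismatch on whichever side made the signature is the usual cause. The script assumes openssl is on PATH; the key and certificate files it creates are constructed throwaways standing in for privkey.bin, admpriv.bin and the PEM files in the thread, and the UID subject reuses the one shown above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate really
# belongs to the private key presented with it, and show the subject the
# Handle server will read the identity from. Needs openssl on PATH.
set -eu

# Public key embedded in a certificate, as PEM (SubjectPublicKeyInfo).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public key derived from a private key file, in the same PEM form.
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# Success (0) only if the certificate was issued from this private key.
cert_matches_key() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# The subject line of the certificate (the UID is the Handle identity).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Check one cert/key pair, print a verdict, and return the check's status.
report_pair() {
    if cert_matches_key "$1" "$2"; then
        echo "OK  $1 was issued from $2 ($(cert_subject "$1"))"
    else
        echo "BAD $1 does not match $2: signatures made with this key fail PSS verification"
        return 1
    fi
}

# Throwaway demo: two keys standing in for privkey.bin and admpriv.bin
# (constructed here, not the thread's real files); the certificate is
# made from the first one, exactly as in the thread's openssl req command.
demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server-key.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/admin-key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/server-key.pem" \
        -subj '/UID=300:0.NA\/20.500.13090' -days 1 -out "$dir/cert.pem" 2>/dev/null
    report_pair "$dir/cert.pem" "$dir/server-key.pem"         # matching pair: OK
    report_pair "$dir/cert.pem" "$dir/admin-key.pem" || true  # wrong key: BAD
    rm -rf "$dir"
}

demo
```

The same report_pair check applies to the server side: in the transcripts the decrypt_error alert is sent by the client (OUT) right after the ServerKeyExchange message, that is, while verifying the signature the server made with the key behind its own certificate, so the server's certificate and the key it signs with should be checked as a pair too. Separately, the DELETE attempt failed for an unrelated reason: there is no space between the closing quote of the Authorization header and -X, so the shell passes `Authorization: Handle clientCert="true"-X` as one argument and curl takes the bare word DELETE as a URL, which is what "Could not resolve host: DELETE" reports.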