Auth certificate import failed about x-road-development HOT 6 CLOSED

Hi @diver90,

Thank you for the background information. The Security Server can be registered in one X-Road instance and the instance cannot be changed afterwards. As your Security Server has been originally registered to ee-dev instance, you must use CAs approved in that instance. In practice, you must apply certificates to ee-dev instance from RIA. The easiest way forward with ee-dev instance is to create a new auth key and apply a new auth cert from RIA.

In case you want to join ee-test instance, you need to install a new Security Server, create new sign and auth keys, and apply certificates for them from SK. This means that you cannot use the SK certificates that you already have, because they were issued to the private keys of the first Security Server. The Security Server does not provide a feature that enables exporting/importing private keys from one Security Server to another.

I'd recommend you to contact RIA's help desk ([email protected]) for more detailed information on X-tee related questions.

Best regards,
Petteri

from x-road-development.

Here is the log of signer.log:

2020-01-15 17:48:43,849 ERROR [Signer-akka.actor.default-dispatcher-1272283] e.r.x.s.p.h.ImportCertRequestHandler - Failed to import certificate
ee.ria.xroad.common.CodedException: CannotCreateCertPath.InternalError: Certificate is not issued by approved certification service provider.

And there some errors from proxy.log:

2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.common.util.AdminPort - Admin request: /timestampstatus
2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - /timestampstatus
2020-01-16 10:34:31,105 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://tsa-demo.ria.ee/
2020-01-16 10:34:31,151 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://tsa-demo.ria.ee/
2020-01-16 10:34:31,188 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,188 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,231 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,237 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,237 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,242 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,438 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,438 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - result {http://tsa-demo.ria.ee/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.188, nextUpdate=null, description=http://tsa-demo.ria.ee/), http://demo.sk.ee/tsa/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.438, nextUpdate=null, description=http://demo.sk.ee/tsa/)}
2020-01-16 10:34:31,439 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - statusFromLogManager {}

I am running Security Server version 6.16.0-0.20171128173309git05cf71f

from x-road-development.

Hi @diver90,

Based on the error message (Certificate is not issued by approved certification service provider.) the certificate is signed using a CA certificate that has not been defined trusted in the X-tee test environment. When you requested the certificate from SK, did you specify that the certificate is for the X-tee test environment? Issuing the certificate using SK's production CA would explain the problem and the error message.

The INFO and WARN entries in the proxy.log are related to the diagnostics view. They can be ignored.

You're running a very old version of the Security Server that does not receive updates anymore. Officially supported versions are 6.22, 6.21 and 6.20. You should upgrade your Security Server to a newer version.

Best regards,
Petteri

from x-road-development.

Hi @petkivim,

Maybe you can help me in this situation?
I will tell you from the very beginning.
I received a server from a past programmer, in this state:

• server installed
• configured ee-dev instance
• generated auth and sign CSR for ria.ee
• successful imported ee-dev sign cert from ria.ee (for X-tee dev)
• failed import auth cert from ria.ee, because someone deleted auth key
• generated auth and sign CSR for SK
  And now we are trying to import SK test certificates. Am I right that we need to install another server (an ee-test instance) for these certificates?

from x-road-development.

Here is CA certificates from server.

from x-road-development.

Hi @petkivim

Thank you very much for helping me understand this situation!

Best regards,
Mykhailo

from x-road-development.