Getting Started Documentation: failed to verify certificate #497

Closed
f403 opened this issue Dec 18, 2024 · 2 comments

f403 commented Dec 18, 2024

Bug description

I'm following the KES Getting Started guide, and it doesn't work. The KES client doesn't accept the self-signed certificate of the server, and all the "solutions" I've found [1,2] recommend disabling TLS to make KES work. This is very strange: why would I install a KMS and KES only to disable encryption later?

What is the correct way to run kes with a self-signed or "custom" certificate?

How to reproduce (just follow the tutorial):

```sh
# Server TLS key and self-signed certificate, issued for the IP 127.0.0.1 and the DNS name localhost
kes identity new --ip "127.0.0.1" --key "private.key" --cert "public.crt" localhost
# Client key pair and certificate; the admin identity in config.yaml is derived from client.crt
kes identity new --key=client.key --cert=client.crt MyApp
cat <<EOF >config.yaml
address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373

admin:
  identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # The client.crt identity

tls:
  key: private.key    # The KES server TLS private key
  cert: public.crt    # The KES server TLS certificate

keystore:
  fs:
    path: ./keys

EOF

# Runs in the foreground; the client commands below go in a second shell
kes server --config config.yaml
```

```sh
# Point the CLI at the server and authenticate with the client certificate (mTLS)
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_CERT=client.crt
export KES_CLIENT_KEY=client.key
kes key create my-key-1
```

Output of the last command:

```
Error: failed to create key "my-key-1": Post "https://127.0.0.1:7373/v1/key/create/my-key-1": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

Expected behavior

Tutorial/documentation must show correct configuration, including the case with self-signed certificates.
Avoid recommending to disable TLS for anything except debugging.

f403 changed the title from "Getting Started Documentation:" to "Getting Started Documentation: failed to verify certificate" on Dec 18, 2024
aead (Member) commented Dec 23, 2024

> A KES server is secure-by-default and can only be run with TLS. In this guide, we use self-signed certificates for simplicity.
> The following command generates a new TLS private key (private.key) and a self-signed X.509 certificate (public.crt) issued for the IP 127.0.0.1 and DNS name localhost

You are providing a self-signed certificate for the KES server. Hence, the KES CLI (client) cannot verify whether the certificate presented by the KES server is "authentic".
Either add this certificate to the OS CA certificates or use the -k / --insecure flag for the KES CLI commands.

@aead aead closed this as completed Dec 23, 2024
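The failure in the issue and the two fixes aead names, demonstrated in plain Go against a local TLS server. This is an added example, not KES code and not from the issue: it uses only the standard library, stands in for the KES server with an httptest server presenting a self-signed certificate shaped like public.crt (the 127.0.0.1 and localhost SANs are an assumption about what `kes identity new` emits), and connects to it three ways. The default trust store rejects the certificate with x509.UnknownAuthorityError; a cert pool holding the self-signed certificate verifies it, which is what adding public.crt to the OS CA store achieves; and InsecureSkipVerify, the in-code analogue of the CLI's -k / --insecure, connects without verifying anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedServerCert builds a self-signed cert for 127.0.0.1 and localhost (assumed public.crt SANs).
func newSelfSignedServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// get performs one HTTPS GET under the given client TLS policy: status code, or the handshake error.
func get(url string, cfg *tls.Config) (int, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// IsUnknownAuthority reports whether err wraps the "x509: certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var target x509.UnknownAuthorityError
	return errors.As(err, &target)
}

// Outcome records what each client trust policy did against the same server.
type Outcome struct {
	SystemRootsErr error // default trust store: the self-signed cert is rejected
	PinnedStatus   int   // RootCAs = the server's own cert: verified and accepted
	InsecureStatus int   // InsecureSkipVerify (the CLI's -k / --insecure): accepted, unverified
}

// RunDemo starts a TLS server that presents the self-signed cert and connects to it three ways.
func RunDemo() (Outcome, error) {
	cert, err := newSelfSignedServerCert()
	if err != nil {
		return Outcome{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // hide the server's handshake-failure log lines
	srv.StartTLS()
	defer srv.Close()

	var out Outcome
	// 1. System trust store only: fails exactly as `kes key create` did.
	_, out.SystemRootsErr = get(srv.URL, &tls.Config{})
	// 2. Trust public.crt itself as a root (what adding it to the OS CA store achieves);
	//    expiry, key usage and the 127.0.0.1/localhost SANs are still verified.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	if out.PinnedStatus, err = get(srv.URL, &tls.Config{RootCAs: pool}); err != nil {
		return out, err
	}
	// 3. Skip verification: connects, but any certificate at all would be accepted.
	out.InsecureStatus, err = get(srv.URL, &tls.Config{InsecureSkipVerify: true})
	return out, err
}

func main() {
	out, err := RunDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("system roots: %v\npinned root:  HTTP %d\ninsecure:     HTTP %d\n", out.SystemRootsErr, out.PinnedStatus, out.InsecureStatus)
}
```

The asymmetry is the point: trusting the self-signed certificate as a root still checks expiry, key usage and the SANs, so a different certificate on the same address is rejected, while the insecure mode accepts any certificate and should stay a debugging aid, which is what the issue asks the documentation to say.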
f403 (Author) commented Dec 25, 2024

I'm following the official documentation, and it doesn't work.
Ideally KES CLI must support custom CA.
Alternatively, you can simply provide instructions to disable TLS (I would not recommend showing bad practice in the documentation, though).
In any case, the documentation should be updated, as it gives the impression that minio/kes is not mature enough.
