nordic-institute/X-Road

Client specifies HTTPS but did not supply TLS certificate

lubeHub opened this issue · 7 comments

Hello, I have one security server, with two subsystems (named Provider and Consumer). In part Provider -> Internal servers, in section Information System TLS certificate, I added the certificate from my service (let's call it weather). I got this certificate from a browser download when I go to the weather website.

Then I added the service in section Provider -> Services, checked the box Verify TLS Certificates, and my IP address is https://10.43.X.X. (Everything is on the local network, both services as well as the Security and Central servers.)

I also added my Consumer subsystem in part Access Rights.

When I try to call this weather service now via https://security-server-link:8443/r1/my/data/for/PROVIDER/WeatherForecast I get the error

    "type": "Server.ClientProxy.SslAuthenticationFailed",
    "message": "Client (my/data/for/CONSUMER) specifies HTTPS but did not supply TLS certificate".

What step in the registration did I miss? I checked proxy.log, but still got the same error there.

Hi @lubeHub! More information about the issue is available here.

I followed it step by step, but I still get the same error.

You have to wait for a minute or two after updating the configuration. The Security Server has an internal cache and the changes are applied only after the cache is refreshed.

I know about the cache. So, I went to Consumer -> Internal servers -> Security Server certificate, and exported the certificate. Because everything is on the same Security Server, the certificate is the same in both the Consumer and Provider subsystems. I added this certificate in Information System TLS certificate for both subsystems, but still the same error.

That's not the right way to do it - you shouldn't add the Security Server's certificate under the Information System TLS certificate section. Instead, you should add the certificate used by the client information system there. For example:

  1. Create a new key pair and certificate:

     openssl req -x509 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem -days 365 -nodes

  2. Upload the mycert.pem certificate to Consumer -> Internal servers -> Information System TLS certificate.

  3. Use the private key and certificate when submitting a service request:

     curl -E mycert.pem --key mykey.pem -X GET -H 'X-Road-Client: PLAYGROUND/COM/1234567-8/TestClient' -i 'https://testcomss01.playground.x-road.systems/r1/PLAYGROUND/GOV/8765432-1/TestService/XRoadStatistics/instances' -k

Alternatively, you can change the consumer subsystem's Connection Type to "HTTPS NO AUTH". In that way, there's no need to configure the certificate. However, that kind of configuration is considered insecure and should only be used for test and/or development purposes.
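As an added example (not code from the X-Road project or from anyone in this thread), the following script wraps the steps above and adds two checks that help when the SslAuthenticationFailed error persists: it verifies that the private key actually belongs to the certificate that was uploaded, and prints the certificate's SHA-256 fingerprint so it can be compared with what the Security Server shows under Information System TLS certificate. The request itself verifies the Security Server against its exported certificate rather than using -k; the Security Server URL, client identifier and file names are placeholders.

```shell
#!/bin/sh
# Added example; assumes openssl and curl are installed. All hostnames,
# identifiers and file paths are placeholders to be replaced.
set -eu

# Step 1: create the information system's key pair and self-signed certificate.
gen_is_cert() {
    key="$1"; cert="$2"; subj="${3:-/CN=consumer-information-system}"
    openssl req -x509 -newkey rsa:2048 -keyout "$key" -out "$cert" \
        -days 365 -nodes -subj "$subj" 2>/dev/null
}

# Return 0 when the private key's public half equals the certificate's public
# key, 1 otherwise. A key/certificate mismatch means the TLS handshake sends no
# usable client certificate, which is one way to end up with the error above.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint (colon-separated hex) of the certificate, to compare with
# the one uploaded under Consumer -> Internal servers (step 2).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 3: call a service through the Security Server with mutual TLS.
# ss_cert is the certificate exported from Consumer -> Internal servers ->
# Security Server certificate; it verifies the server, it is not the client cert.
call_service() {
    key="$1"; cert="$2"; ss_cert="$3"; client_id="$4"; url="$5"
    curl -sS -E "$cert" --key "$key" --cacert "$ss_cert" \
        -H "X-Road-Client: $client_id" "$url"
}

# Example usage (placeholders):
#   gen_is_cert mykey.pem mycert.pem
#   key_matches_cert mykey.pem mycert.pem || echo "key does not match cert"
#   cert_fingerprint mycert.pem
#   call_service mykey.pem mycert.pem ss.pem 'my/data/for/CONSUMER' \
#       'https://security-server-link:8443/r1/my/data/for/PROVIDER/WeatherForecast'
```

Source the file and run the functions with your own paths; if key_matches_cert fails, the certificate uploaded to the Security Server is not the one the key in the request belongs to.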

It was a bit of clarification that I missed. Thank you so much, now it works

You're welcome!