Opened 3 months ago

Closed 3 months ago

#2622 closed defect (not a bug)

CA-validated Cloudflare TLS Certificate is not recognized during reseed process.

Reported by: np-tokumei
Owned by: backup
Priority: minor
Milestone: undecided
Component: www/reseed
Version: 0.9.42
Keywords: reseed server TLS certificate
Cc:
Parent Tickets:
Sensitive: no

Description

I am implementing a reseed server with its traffic routed through Cloudflare. Therefore, the TLS certificate being used to encrypt the traffic between the I2P client and Cloudflare is provided by Cloudflare and is certified by a CA. Therefore, apart from the reseed certificate that I have to put in ~/.i2p/certificates/reseed, I think I wouldn't need to put the TLS crt from Cloudflare into ~/.i2p/certificates/ssl as it's certified by a CA.

Without the TLS crt in $HOME/.i2p/certificates/ssl, I could successfully reseed from my reseed server. However, there was this error message in the log:

9/12/19 11:12:19 PM ERROR [Reseed ] net.i2p.crypto.KeyStoreUtil : Error reading X509 Certificate: /Users/username/Library/Application Support/i2p/certificates/ssl/.DS_Store
     java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
     at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:110)
     at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
     at net.i2p.crypto.CertUtil.loadCert(CertUtil.java:295)
     at net.i2p.crypto.KeyStoreUtil.addCert(KeyStoreUtil.java:529)
     at net.i2p.crypto.KeyStoreUtil.addCerts(KeyStoreUtil.java:495)
     at net.i2p.util.SSLEepGet.initSSLContext(SSLEepGet.java:390)
     at net.i2p.util.SSLEepGet.<init>(SSLEepGet.java:249)
     at net.i2p.util.SSLEepGet.<init>(SSLEepGet.java:146)
     at net.i2p.util.SSLEepGet.<init>(SSLEepGet.java:136)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.fetchURL(Reseeder.java:1041)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseedSU3OrZip(Reseeder.java:785)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseedSU3(Reseeder.java:747)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseed(Reseeder.java:594)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.reseed(Reseeder.java:569)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run2(Reseeder.java:355)
     at net.i2p.router.networkdb.reseed.Reseeder$ReseedRunner.run(Reseeder.java:326)
     at java.lang.Thread.run(Thread.java:745)
     at net.i2p.util.I2PThread.run(I2PThread.java:103)
     Caused by: java.io.IOException: Empty input
     at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:106)
     ... 17 more

I then captured the Cloudflare TLS certificate from my traffic with Wireshark and put it in ~/.i2p/certificates/ssl, and the error message was gone. Can anyone tell me what's going wrong here? Isn't the Cloudflare crt already certified? Below is the Cloudflare TLS crt. You can download it to your machine and see that it's validated by COMODO CA.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Change History (7)

comment:1 Changed 3 months ago by zzz

obviously you're on a Mac. The empty .DS_STORE file is a Mac thing. I don't know how it got there. I don't see it in our repo. Maybe it somehow snuck into the mac build? But more likely you navigated to that directory to look at files there and it got put in there? We could filter based on file suffix but there's so many possible suffixes for cert files that I didn't bother. I guess we should skip files that start with "." though.

The "bad" cert (empty file) shouldn't have caused any issues other than the log message, so I'm not sure what's going on here with your cloudflare issue.

If you do think we shipped the file in our installer, please provide full version info and how you installed it (new native mac installer, or older linux/mac installer)

comment:2 Changed 3 months ago by zzz

skip files starting with "."
in bc9bdf629e67716903bf764dc3c4e33ce1762185 to be 0.9.42-8

comment:3 Changed 3 months ago by Eche|on

reseed certs need to be included in the I2P installation; CloudFlare is not trusted by default.
We need control and security over our officially used reseed servers, which is why we include each cert manually in the distribution.
Including a wildcard like CloudFlare would not really be secure, as anyone could host a reseed server and be verified as "fine" despite offering bad seed files.

comment:4 Changed 3 months ago by zzz

@echelon this whole ticket is mislabeled, it's just about a .DS_STORE file in our cert dir.

Don't forget there's two sets of certs, as it says in the OP. One to sign the su3 file, and one for self-signed SSL. For the most part, we don't need SSL certs because most people use Let's Encrypt now. Putting in a cloudflare SSL cert wouldn't affect the su3 certs.
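Comments 1, 2 and 4 together describe the behaviour a practitioner would want from the router's certificate-directory loader: walk a directory such as certificates/reseed (su3 signing certs) or certificates/ssl (self-signed TLS certs), ignore stray dotfiles like .DS_Store, and treat an unparsable file as a logged, per-file failure rather than something that aborts the whole load. The following is an added example written for this page, not I2P's own KeyStoreUtil code and not the 0.9.42-8 commit; it uses the same standard java.security.cert classes that appear in the stack trace above. The class name CertDirLoader, the Result type, the skip/fail policy and the two sample files built in main() are this example's own assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example, not I2P's KeyStoreUtil. Loads every X.509 certificate in a
// directory, skipping hidden files such as macOS .DS_Store, and records per-file
// failures instead of letting one bad file stop the load.
public class CertDirLoader {

    // Assumed result type: what was loaded, what was skipped, what failed and why.
    public static final class Result {
        public final List<X509Certificate> loaded = new ArrayList<>();
        public final List<String> skipped = new ArrayList<>();
        public final List<String> failed = new ArrayList<>();
    }

    public static Result load(File dir) throws CertificateException {
        Result r = new Result();
        File[] files = dir.listFiles();
        if (files == null) return r;                 // missing dir or not readable
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (File f : files) {
            String name = f.getName();
            // Skip dotfiles (the fix described in comment 2), subdirectories and
            // zero-length files; none of these can be a certificate.
            if (name.startsWith(".") || !f.isFile() || f.length() == 0) {
                r.skipped.add(name);
                continue;
            }
            try (InputStream in = new FileInputStream(f)) {
                Certificate c = cf.generateCertificate(in);  // PEM or DER
                if (!(c instanceof X509Certificate)) {
                    r.failed.add(name + ": not an X.509 certificate");
                    continue;
                }
                X509Certificate x = (X509Certificate) c;
                x.checkValidity();   // example policy: reject expired / not-yet-valid
                r.loaded.add(x);
            } catch (CertificateException | IOException e) {
                // Equivalent of the ERROR line in the ticket, but non-fatal.
                r.failed.add(name + ": " + e.getMessage());
            }
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        File dir;
        if (args.length > 0) {
            // Point this at e.g. <i2p-install>/certificates/reseed or
            // ~/.i2p/certificates/ssl to see which files actually load.
            dir = new File(args[0]);
        } else {
            // Constructed sample directory: an empty .DS_Store (skipped) and a
            // file that is not a certificate at all (fails to parse, but is
            // reported rather than thrown).
            dir = Files.createTempDirectory("certdir").toFile();
            new File(dir, ".DS_Store").createNewFile();
            Files.write(new File(dir, "broken.crt").toPath(),
                        "this is not a certificate".getBytes(StandardCharsets.UTF_8));
        }
        Result r = load(dir);
        System.out.println("loaded=" + r.loaded.size()
                + " skipped=" + r.skipped + " failed=" + r.failed);
        for (X509Certificate x : r.loaded) {
            System.out.println("  " + x.getSubjectX500Principal()
                    + " valid until " + x.getNotAfter());
        }
    }
}
```

Run with no arguments to see the constructed case (one file skipped, one reported as failed, nothing loaded), or pass a real certificates/reseed or certificates/ssl path to list which certs the directory actually yields. The validity check is this example's own policy; it is the kind of per-certificate check worth having when auditing a reseed host's su3 signing cert, since an expired signing cert is the most common reason a correctly placed cert still fails to verify.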

comment:5 Changed 3 months ago by np-tokumei

Resolution: fixed
Status: new → closed

Thanks @zzz and @echelon for the comments. I actually figured out that the path that I used to copy my su3 signing certificate was wrong. It should not be ~/.i2p/certificates/reseed, but /Applications/i2p/certificates/reseed/ for macOS, and /usr/share/i2p/certificates/reseed/ for Ubuntu. Putting my su3 signing certificate correctly in these locations would make the reseeding process complete successfully. For the SSL/TLS certificate, I don't have to do anything with it because my reseed server is fronted by Cloudflare so their certificate is already validated by a CA. I wrote up a brief summary of how I did it at https://reseed.np-tokumei.net. So I think we can close this ticket. Again, thank you for your time!

comment:6 Changed 3 months ago by zzz

Resolution: fixed
Status: closed → reopened

comment:7 Changed 3 months ago by zzz

Resolution: not a bug
Status: reopened → closed