Problem with certificate-based authentication

Hello everyone,

I’m new to Golioth and have a problem with certificate-based authentication. I have followed the instructions and set up the certificates. I also uploaded the golioth.crt.pem to Golioth. If I now try to connect with e.g. the Java cf-client, there is a problem in the DTLS handshake. I recorded the connection setup once with Wireshark.

What am I doing wrong? Can anyone help me?

Thank you in advance

Hi @Soeren, this looks like your cf-client is having trouble validating the Golioth server certificate (see Alert should be BAD_CERTIFICATE instead of DECRYPT_ERROR when certificate chain can't be validated · Issue #2132 · eclipse-californium/californium · GitHub for discussion on Decrypt Error being used when certificate chain cannot be validated). Are you able to share how you are configuring your client’s trust store?

Hi @hasheddan,

Thank you very much for your quick answer! After creating the certificates, I converted the certificate to a .p12 and imported it into the keystore.

openssl pkcs12 -export -in projectid-deviceid.crt.pem -inkey projectid-deviceid.key.pem -name golioth -out goliothClient.p12

keytool -v -importkeystore -srckeystore goliothClient.p12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/java/cacerts -deststoretype JKS

I then called the cf-client with the parameter

-c /etc/ssl/certs/java/cacerts#hashedpw#hashedpw#golioth

I hope this description is clear.

@Soeren that looks good from the client certs perspective (i.e. keystore), but I believe the issue you are facing is that the client (cf-client) is unable to validate the certificate supplied by the server (Golioth). You should be able to configure this using the -t, --trusts=<trusted> flag or, alternatively, if you are just testing, --trust-all (options are documented in https://github.com/eclipse-californium/californium.tools/blob/main/cf-client/README.md#arguments).