I’m new to Golioth and have a problem with certificate-based authentication. I have followed the instructions and set up the certificates. I also uploaded the golioth.crt.pem to Golioth. If I now try to connect with e.g. the Java cf-client, there is a problem in the DTLS handshake. I recorded the connection setup once with Wireshark.
What am I doing wrong? Can anyone help me?
Thank you in advance.
Hi @Soeren, this looks like your cf-client is having trouble validating the Golioth server certificate (see "Alert should be BAD_CERTIFICATE instead of DECRYPT_ERROR when certificate chain can't be validated · Issue #2132 · eclipse-californium/californium · GitHub" for discussion on Decrypt Error being used when the certificate chain cannot be validated). Are you able to share how you are configuring your client’s trust store?
Thank you very much for your quick answer! After creating the certificates, I converted the certificate to a .p12 and imported it into the keystore.
openssl pkcs12 -export -in projectid-deviceid.crt.pem -inkey projectid-deviceid.key.pem -name golioth -out goliothClient.p12
keytool -v -importkeystore -srckeystore goliothClient.p12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/java/cacerts -deststoretype JKS
For the connection I use the cf-client with the parameter
I hope this is understandable.
@Soeren that looks good from the client certs perspective (i.e. keystore), but I believe the issue you are facing is that the client (cf-client) is unable to validate the certificate supplied by the server (Golioth). You should be able to configure this using the -t, --trusts=<trusted> flag or, alternatively if you are just testing, --trust-all. (Options are listed in https://github.com/eclipse-californium/californium.tools/blob/main/cf-client/README.md#arguments.)
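As an added example, not code from this thread, from Golioth or from the Californium project, the script below shows one way to apply the reply above: build a separate PKCS12 trust store containing the CA that signs the Golioth server certificate, keep the device key pair in its own goliothClient.p12 rather than in the system-wide cacerts, and hand both stores to cf-client. The file names, alias names, passwords and CoAP URI are assumptions, and so is the `store#hexpassword[#alias]` argument format, which is taken from the cf-client README linked in the reply; confirm it against `java -jar cf-client-*.jar --help` before relying on it.

```sh
#!/bin/sh
# Added example (not from the thread, Golioth or Californium): build a dedicated
# trust store for cf-client and pass it via --trusts, alongside the client
# keystore via --cert.
# Assumed (hypothetical) values: file names, aliases, passwords, the CoAP URI, and
# the "store#hexpassword[#alias]" argument format from the cf-client README.
set -eu

# Californium expects store passwords inside --cert/--trusts as hex, not plain text.
hex_encode() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Compose "trustStore#hexStorePwd#alias" for --trusts (format assumed, see above).
cf_client_trusts_arg() {
    printf '%s#%s#%s' "$1" "$(hex_encode "$2")" "$3"
}

# Compose "keyStore#hexStorePwd#hexKeyPwd#alias" for --cert (format assumed).
cf_client_cert_arg() {
    printf '%s#%s#%s#%s' "$1" "$(hex_encode "$2")" "$(hex_encode "$3")" "$4"
}

# Import the server's CA certificate (PEM) into a fresh PKCS12 trust store and
# check that it really landed there as a trusted entry.
build_trust_store() {
    ca_pem="$1"; store="$2"; pass="$3"; alias="$4"
    rm -f "$store"
    keytool -importcert -noprompt -alias "$alias" -file "$ca_pem" \
        -keystore "$store" -storetype PKCS12 -storepass "$pass"
    keytool -list -keystore "$store" -storetype PKCS12 -storepass "$pass" \
        | grep -q "trustedCertEntry"
}

main() {
    ca_pem="$1"                                   # CA that signs the Golioth server cert (assumed file)
    trust_store="goliothTrust.p12"; trust_pass="trustPass"; trust_alias="golioth-ca"
    key_store="goliothClient.p12";  key_pass="clientPass"; key_alias="golioth"   # the .p12 from the post above
    coap_uri="${COAP_URI:-coaps://coap.golioth.io:5684/}"                         # hypothetical target URI

    build_trust_store "$ca_pem" "$trust_store" "$trust_pass" "$trust_alias"
    # Default method is GET; the server cert is now validated against our own trust store.
    java -jar cf-client-*.jar "$coap_uri" \
        --cert="$(cf_client_cert_arg "$key_store" "$key_pass" "$key_pass" "$key_alias")" \
        --trusts="$(cf_client_trusts_arg "$trust_store" "$trust_pass" "$trust_alias")"
}

# Only run when CA_PEM is set, so sourcing the file just defines the helpers:
#   CA_PEM=golioth-server-ca.pem sh ./cf-client-trust.sh
if [ -n "${CA_PEM:-}" ]; then
    main "$CA_PEM"
fi
```

Two points worth keeping in mind: `--trust-all` accepts any server certificate, so it removes server authentication entirely and is only suitable for a quick handshake test, never for a device that will stay connected; and the device private key does not belong in /etc/ssl/certs/java/cacerts, which is a shared CA store, so importing the .p12 into it both exposes the key more widely than needed and does nothing to make the server's CA trusted.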