default den cert renewal broken?

my1

so I haven't been using the default den on my PC for quite a while by now and well, I cannot connect, which is not awesome.
basically some kind of signature seems to fail.


2020-06-18 10:03:30 NowService::service [DEBUG] - Den url: wss://den.wayk.net
2020-06-18 10:03:30 NowService::service [DEBUG] - den_client_on_state_change finished successfully
2020-06-18 10:03:30 NowService::service::callbacks [DEBUG] - den_client_on_state_change successfully finished
2020-06-18 10:03:30 common::logging [DEBUG] - curl url: https://api.den.wayk.net/.well-known/configuration (proxy: )
2020-06-18 10:03:30 now_update::update_monitor [DEBUG] - Waiting on update loop timeout (900 seconds)
2020-06-18 10:03:30 common::logging [DEBUG] - pipe event NNG_PIPE_EV_ADD_PRE (ipc://wayk_service_control [L])
2020-06-18 10:03:30 common::logging [DEBUG] - pipe event NNG_PIPE_EV_ADD_POST (ipc://wayk_service_control [L])
2020-06-18 10:03:30 NowService::main [INFO] - NowService::on_client_connected
2020-06-18 10:03:30 NowService::main [DEBUG] - Adding client 1 to clients list
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_channel_state (name = NowClipboard)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_channel_state (name = NowFileTransfer)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_channel_state (name = NowExec)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_channel_state (name = NowChat)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::is_sharer_active
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::is_sharer_paused
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 1)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 2)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 3)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 4)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 5)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::get_access_control_state (id = 6)
2020-06-18 10:03:30 NowService::main [DEBUG] - >> NowService::set_auth_info
2020-06-18 10:03:30 common::logging [DEBUG] - curl url: https://api.den.wayk.net/publish/key (proxy: )
2020-06-18 10:03:31 common::logging [DEBUG] - Connecting to wss://den.wayk.net:443/cow
2020-06-18 10:03:32 common::logging [DEBUG] - resolved 52.168.176.241 for den.wayk.net
2020-06-18 10:03:32 common::logging [WARN] - setsockopt(SOL_TCP, TCP_KEEPCNT) failed
2020-06-18 10:03:32 common::logging [WARN] - setsockopt(SOL_TCP, TCP_KEEPINTVL) failed
2020-06-18 10:03:32 common::logging [WARN] - setsockopt(SOL_TCP, TCP_KEEPCNT) failed
2020-06-18 10:03:32 common::logging [WARN] - setsockopt(SOL_TCP, TCP_KEEPINTVL) failed
2020-06-18 10:03:32 common::logging [DEBUG] - pipe event NNG_PIPE_EV_ADD_PRE (ipc://wayk_service_broadcast [L])
2020-06-18 10:03:32 common::logging [DEBUG] - pipe event NNG_PIPE_EV_ADD_POST (ipc://wayk_service_broadcast [L])
2020-06-18 10:03:32 common::logging [DEBUG] - HTTP/1.1 101 Switching Protocols
2020-06-18 10:03:32 common::logging [DEBUG] - Server: nginx/1.17.8
2020-06-18 10:03:32 common::logging [DEBUG] - Date: Thu, 18 Jun 2020 08:03:57 GMT
2020-06-18 10:03:32 common::logging [DEBUG] - Connection: upgrade
2020-06-18 10:03:32 common::logging [DEBUG] - Upgrade: websocket
2020-06-18 10:03:32 common::logging [DEBUG] - Sec-WebSocket-Accept: 5LmXAU/EYsap31F4O6LL+0P1NfM=
2020-06-18 10:03:32 common::logging [DEBUG] - Strict-Transport-Security: max-age=15724800; includeSubDomains
2020-06-18 10:03:32 common::logging [INFO] - << Handshake Response
2020-06-18 10:03:32 common::logging [INFO] - << Register Response
2020-06-18 10:03:32 common::logging [INFO] - Connected to rpc server
2020-06-18 10:03:32 common::logging [INFO] - Resolving "den"
2020-06-18 10:03:33 common::logging [INFO] - << Resolve Response
2020-06-18 10:03:33 common::logging [INFO] - Resolved "den" -> (0x9648030E) in 125 ms
2020-06-18 10:03:33 wayk_rust::den [DEBUG] - Entered Den::capabilities_v3
2020-06-18 10:03:33 wayk_rust::den::den_http [DEBUG] - Entered DenHttpClient::capabilities_v3
2020-06-18 10:03:33 wayk_rust::den::den_http [INFO] - Estimated clock difference with server: 25s (+/- 0.23s)
2020-06-18 10:03:33 wayk_rust::den::den_http [DEBUG] - Exited DenHttpClient::capabilities_v3 successfully
2020-06-18 10:03:33 wayk_rust::den [DEBUG] - Exited Den::capabilities_v3 successfully
2020-06-18 10:03:33 common::logging [DEBUG] - NowDen_Capabilities: version: 3 capabilities: 0x00000000
2020-06-18 10:03:33 common::logging [DEBUG] - Check server peer certificate
2020-06-18 10:03:33 common::logging [WARN] - failed to load certificate because key pair didn't match
2020-06-18 10:03:33 common::logging [DEBUG] - curl url: https://api.den.wayk.net/picky/chain (proxy: )
2020-06-18 10:03:33 common::logging [INFO] - Renew certificate for 0a55b1f3-NOPE
2020-06-18 10:03:33 wayk_rust::den [DEBUG] - Entered Den::renew_peer_id_v3
2020-06-18 10:03:34 wayk_rust::curl_helper [ERROR] - Error status code 401. Server response: {"type":"/wayk/problems/bad-http-signature","title":"Bad HTTP signature","status":401,"detail":"signature error: invalid signature"}
2020-06-18 10:03:34 wayk_rust::den [ERROR] - Error with den.renew_peer_id_v3(requested_id, &identity, u64::from(timeout)): HTTP Response error 401
2020-06-18 10:03:34 common::logging [WARN] - NowDen_RenewPeerCertificate failure: -1
2020-06-18 10:03:34 common::logging [WARN] - NowDen_PeerCertificateInit (server) failure: -1
2020-06-18 10:03:34 NowService::service::callbacks [DEBUG] - den_client_on_state_change called - state=Failure
2020-06-18 10:03:34 NowService::service [DEBUG] - Den url: wss://den.wayk.net
2020-06-18 10:03:34 NowService::service [DEBUG] - den_client_on_state_change finished successfully
2020-06-18 10:03:34 NowService::service::callbacks [DEBUG] - den_client_on_state_change successfully finished
2020-06-18 10:03:34 common::logging [WARN] - failed to call NOW_DISPATCH_QUIT
2020-06-18 10:03:34 common::logging [INFO] - << Terminate Response
2020-06-18 10:03:34 NowService::service::callbacks [DEBUG] - den_client_on_state_change called - state=Disconnected

All Comments (3)


Hi,

I think the problem stems from "[WARN] - failed to load certificate because key pair didn't match", which leads to the bad signature error that follows. Is this with the Windows unattended service, or the Linux unattended service? It looks like the certificate + private key may not have been upgraded properly when installing Wayk Now 2020.2.0. We can see that after failing to properly load the certificate, it tried renewing it, which fails because it can't prove that it has the previous certificate for the given unique id.

In normal circumstances (aside from the user manually deleting his certificate or private key), this should not happen. We've added code for the next release to automatically reset the unique id and request a certificate for that new unique id in cases where it fails to obtain the matching certificate. Unique ids should not be changed, but at the same time we can't allow anybody to claim ownership without proof (here the private key got corrupted somehow, so that proof is lost), so this should be a reasonable middle ground to make things work.

I would still like to try and investigate what caused your private key to fail loading, and see if we can prevent this error in the future. To fix the problem for now, I will show you how to manually reset your unique id, and then ask you to send your certificate + private key files by email for the old unique id. In this case specifically, sending the private key for the old unique id is not a security problem, as you are switching to a new unique id and will therefore get a new certificate + private key.

Start by zipping the files contained in %ProgramData%\Wayk\server\den\wayk.net, as shown in this screenshot:



You can then stop your Wayk Now service (net stop wayknowservice or Start-Service wayknowservice) and delete the %ProgramData%\Wayk\server\.unique:



You can restart the service to have a new id generated (net start wayknowservice or Start-Service wayknowservice).

Please send the certificate + private key files for the old id to wayk@devolutions.net and we'll at least confirm if the private key doesn't match the certificate like the error in the log says.

Best regards,

Marc-André Moreau

my1

I am on windows and I just ran the keys through xca and apparently the uniqueid key does match the csr but not the cert.

also there is a second folder "C:\ProgramData\Wayk\den\wayk.net", which also has the keys inside, and the key for the cert is not inside, but the same one as in the den folder, the one for the csr.

also in here there are apparently extra cert/key files for a 6 digit id.
the keys for the 6 digits seem to match the cert though.

also interesting are the permissions for both keys. the uniqueid key has read access by all users (inherited) and the 6 digit key is restricted to admins and System.


not sure whether PEM files have an internal checksum or whatever to prevent basic corruption, but the key loaded into xca just fine.

did something change in the keys when changing to 2020.2.0? because you mention the key being upgraded.

I'll be copying off the keys and sending them over.

You can then stop your Wayk Now service (net stop wayknowservice or Start-Service wayknowservice) and delete the %ProgramData%\Wayk\server\.unique:

I'll just use the task manager :-)

it worked. seems like I have a new ID and can connect again


Hi,

The private key is likely a valid one, but the error from the log happens if you have a certificate for which the public key does not match the private key. This means you should be able to decode that private key as a valid private key, but it probably isn't the good one. I just want to make sure that they really don't match.

The Wayk Now 2020.2.0 installer checks for old file paths and moves some certificates and keys to new locations; it is possible that it failed to copy the private key correctly at that time. One of the biggest changes we've made with 2020.2.0 is the usage of the new Den V3 protocol that uses UUID (the unique ids) as the primary identifier in certificates as opposed to the 6-digit short IDs from the Den V2 protocol. The 6-digit IDs still exist, but they are now aliases owned by a given UUID, where the certificate is used as proof of ownership of a UUID.

In Den V2, only the unattended service had such a UUID-like certificate, which is why they're getting "upgraded" for usage in Den V3. You will likely have a few other files lying around from Den V2 in those directories, but don't bother about them too much.

Best regards,

Marc-André Moreau
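An added example, not code from this thread or from Wayk Now, of the check my1 did by hand in xca and that the "key pair didn't match" warning above reports: does the public half of the PEM private key equal the public key embedded in the CSR and in the certificate? It assumes the Python `cryptography` package; all key, CSR and certificate material is generated inline as constructed sample data, with one key that matches the CSR but a certificate issued for a different key, as in the thread.

```python
# Added example, not code from the thread or from Wayk Now: check whether a PEM
# private key matches the public key inside a certificate or CSR, which is the
# diagnostic behind "failed to load certificate because key pair didn't match".
# Needs the `cryptography` package; all key and certificate material below is
# generated inline (constructed sample data, not files from the thread).
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _spki(obj):
    """DER SubjectPublicKeyInfo of a key, CSR or certificate, for equality tests."""
    return obj.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def key_matches(private_key_pem: bytes, pem: bytes) -> bool:
    """True if the private key's public half equals the public key in the PEM
    certificate or CSR (the type is taken from the PEM header)."""
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    if b"CERTIFICATE REQUEST" in pem:
        return _spki(key) == _spki(x509.load_pem_x509_csr(pem))
    return _spki(key) == _spki(x509.load_pem_x509_certificate(pem))


def _self_signed_pem(key, name):
    """Constructed stand-in for a den-issued certificate, signed by `key` itself."""
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


def demo():
    """Rebuild the situation from the thread: the key on disk matches the CSR
    but the certificate next to it was issued for a different key pair."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-unique-id")])
    key_a = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_b = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_a_pem = key_a.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    csr_pem = (x509.CertificateSigningRequestBuilder().subject_name(name)
               .sign(key_a, hashes.SHA256()).public_bytes(serialization.Encoding.PEM))
    return {"key_matches_csr": key_matches(key_a_pem, csr_pem),
            "key_matches_cert_on_disk": key_matches(key_a_pem, _self_signed_pem(key_b, name)),
            "key_matches_reissued_cert": key_matches(key_a_pem, _self_signed_pem(key_a, name))}
```

To run the same check on real files, read the PEM bytes from the key, CSR and certificate files and pass them to `key_matches`; a loadable key that still returns False against the certificate is exactly the "valid key, wrong one" case described above.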