Hi,
I have a Wayk server on Ubuntu 18.04 that gives me errors on the web page and the client, even though PowerShell accepts my certificate correctly.
Web Page:
invalid certificate 'CN=92fca3bf-d885-4305-9715-f405f475da86': CA chain error: authority key id doesn't match (expected
Client:
2020-07-06 13:13:36 NowService::service::callbacks [DEBUG] - den_client_on_state_change called - state=Connecting
2020-07-06 13:13:36 NowService::service [DEBUG] - Den url: https://waykserver.mydomain.ca:10000
2020-07-06 13:13:36 NowService::service [DEBUG] - den_client_on_state_change finished successfully
2020-07-06 13:13:36 NowService::service::callbacks [DEBUG] - den_client_on_state_change successfully finished
2020-07-06 13:13:36 common::logging [DEBUG] - curl url: https://waykserver.mydomain.ca:10000/.well-known/configuration (proxy: )
2020-07-06 13:13:36 common::logging [WARN] - curl_easy_perform failure: SSL peer certificate or SSH remote key was not OK
2020-07-06 13:13:36 common::logging [WARN] - Den configuration can't be fetched from https://waykserver.mydomain.ca:10000
2020-07-06 13:13:36 NowService::service::callbacks [DEBUG] - den_client_on_state_change called - state=Disconnected
2020-07-06 13:13:36 NowService::service [DEBUG] - Den url: https://waykserver.mydomain.ca:10000
2020-07-06 13:13:36 NowService::service [DEBUG] - den_client_on_state_change finished successfully
2020-07-06 13:13:36 NowService::service::callbacks [DEBUG] - den_client_on_state_change successfully finished
Hello Stephane,
Would it be possible for you to send us your full logs at support@devolutions.net ?
Which version of the server and client are you currently using?
Best regards,
I am sending the Wayk Now logs. I don't know where the server logs are located.
PS Version 7.0.2
Cmdlet Version 2020.2.1
Docker Version 19.03.12
custom_installer
Docker images
Den Server Image devolutions/den-server:2.4.0-buster
Den Picky Image devolutions/picky:4.5.0-buster
Den Lucid Image devolutions/den-lucid:3.7.2-buster
Traefik Image library/traefik:1.7
Mongo Image library/mongo:4.2-bionic
Linux Ubuntu 18.04.4 LTS
Den Version 3
Hello
Something is amiss with the certificate chain on your Den server - one thing that stands out is the CN in the error message you see:
CN=92fca3bf-d885-4305-9715-f405f475da86
Normally, the common name on the certificate should match the hostname you're using (which seems to be in the form waykserver.yourdomain.ca).
Can you send us the complete certificate chain you have configured (excluding the private key)? You can send that by PM or to support@devolutions.net. We'd also like to know the actual domain you are using to expose your Den server.
Thanks and kind regards,
Richard Markievicz
Files sent.
You should know: the Wayk server started with another domain, but we wiped the MongoDB data and started fresh, with the help of Maxime I think, last week.
The cert was imported this way:
Import-WaykDenCertificate -CertificateFile /home/user/ssl/my.crt -PrivateKeyFile /home/user/ssl/generated-private-key.txt
Turns out the certificate was messed up and I got help doing it correctly again.
Also, I was using Brave Browser and some errors came from that. Using Chrome everything runs fine.
Thanks a lot!
Brave is pretty "fun" on Devolutions websites, probably due to their SSO and all kinds of sites being on different domains, which are even on different TLDs (making this IMO also confusing to users, as it makes it harder to know what is and isn't official), which then obviously are being seen as trackers.
Like for example the Wayk dashboard sits on dashboard.wayk.net, the account is on account.devolutions.COM, and the forum is on forum.devolutions.NET; why they do this is beyond me, and especially with 3rd party cookies getting out of favor for obvious privacy reasons, this does not make it all a lot easier.
Hello,
The forum is definitely not involved in any of our products. As for our Devolutions Account, it's the first service that we felt was deserving of going on the .com.
Apart from a minor nuisance in whitelisting, what negative effects does it have on your day to day workflows?
Best Regards,
Maurice
Gladly not much, although you have to be kinda quick with whitelisting on the other domains like dashboard.wayk.net etc., as you get quickly thrown to the logout page if the block is on.
Hi
I'm now having this problem where the web client is saying invalid certificate;
however, I sadly lost our WaykDen server (own stupid fault), so I had to start afresh.
invalid certificate 'CN=d87b775d-dc48-417d-93e3-d5e540a52464': CA chain error: authority key id doesn't match (expected: [184, 157, 128, 223, 214, 87, 155, 232, 234, 135, 121, 197, 19, 65, 173, 165, 209, 71, 85, 152, 75, 177, 41, 17, 37, 1, 136, 200, 101, 58, 134, 101], got: [54, 88, 240, 49, 156, 69, 138, 181, 237, 98, 202, 146, 58, 127, 217, 60, 149, 161, 202, 247, 165, 241, 92, 238, 185, 160, 174, 223, 143, 150, 77, 82])
I have imported the certificate using Import-WaykDenCertificate -CertificateFile fullchain.cer -PrivateKeyFile remote.myhost.com.key
The fullchain.cer/remote.myhost.com.key are generated via the acme.sh command line,
and it works fine in the browser (I have Traefik running in front to connect wss 443 to port 4000 internally)
and even works fine with the apps on macOS, Windows and iOS, but it just won't work on the web client?
Am I doing something wrong or have I forgotten something?
Regards
Simon
Hey Simon
Can you try to reset the local storage for the Web UI in your browser? (i.e. delete data for the website). If you can let us know which browser you're using we can give more specific instructions.
Sorry for the inconvenience,
Richard Markievicz
Hi,
Bingo, that worked!
I went into the Firefox developer tools, removed all cookies and the local storage, and that fixed the problem :)
However, I have spotted the den_certificate and den_privatekey listed in the local storage!!!
Surely this isn't secure!!!???
Regards
Simon
Hi Simon,
Yes, there is indeed a peer certificate and its private key in the local storage, but this is expected, and not a security issue at all. In Den V3, one major change we did was to switch to long peer ids internally, in UUID format (such as de504326-5e3a-4d22-a807-a441b347011b). Each peer (client or server) can be granted such an id, along with the right to request a certificate corresponding to their assigned id (in this example, de504326-5e3a-4d22-a807-a441b347011b becomes the certificate common name).
This certificate is then used by peers to sign peer-to-peer requests and responses that can be validated using the Wayk Den built-in certificate authority. Signing requests requires the private key, which you can see in the local storage, but this key is never shared; it remains in local storage. If you delete it from local storage, you will simply be granted a new id, and the Wayk client will request a new certificate for the new id.
Now the important part is that this certificate is not used for authentication in itself: you still need to be logged in with your user account, and operations remain authorized with that user identity. Where it gets particularly useful is that one can sign a request with its peer certificate alongside its current OAuth user token, proving to Wayk Den that it is logged under a specific user AND that it is also a given peer id (de504326-5e3a-4d22-a807-a441b347011b).
This is used on session creation, where the client requests a session token from Wayk Den. This token is signed by Wayk Den, but also contains the source and destination ids for the given session. When the Wayk server sees the session token, it can know that Wayk Den authorized a session coming from de504326-5e3a-4d22-a807-a441b347011b to itself, but it also can validate that the request truly originates from de504326-5e3a-4d22-a807-a441b347011b by validating the signature of the request.
This may look overly complicated, but in the end this mechanism made it possible to correctly validate peer-to-peer signatures and remove the requirement for the fully connected WebSocket transport from Wayk clients. Since each request can be independently signed and validated, we don't need to maintain a form of authenticated connection. This is the kind of solution that made the web client possible without sacrificing security, far from it.
Best regards,
Marc-André Moreau
Hi,
Oh wow, that's good news, thank you!
I was worried it was the den-server's cert and key!
Regards
Simon