Issue setting mandos up (best clue "Bad certificate: Verify failed")

Teddy Hogeborn teddy at recompile.se
Tue May 15 23:34:49 CEST 2018


Marc Fargas <marc at marcfargas.com> writes:

> It is my second time setting up Mandos and I'm facing a mysterious
> issue (mysterious because logs give no clue).
>
> This time my mandos server is a Raspberry Pi 2 B, raspbian.
>
> The setup is quite simple:
> - On the server I install mandos package, then I add to client.conf the
> entry as provided by the client's mandos-keygen. I have two client entries.
> - On the client I call mandos-keygen --name somename -p; then take the
> output and put it on client.conf

Does it work if you generate keys using the same name as the output of
"hostname --fqdn" (or without providing the --name option at all) to
mandos-keygen?  Just to rule out anything weird.

> Now, as per README.Debian.gz I test the setup prior to reboot and I only
> get:
> On the server:  "WARNING: Bad certificate: Verify failed"
> On the client: no output at all.

Yes, by reading the logs, I can deduce that the Mandos server calls the
function gnutls_openpgp_crt_verify_self() with the certificate provided
by the client, and gets an error code from GnuTLS.  For some reason,
GnuTLS does not like the certificate.  I don't know exactly why that is.

You could try this (untested) patch to get a better error message from
the server:

=== modified file 'mandos'
--- mandos	2018-02-22 18:50:12 +0000
+++ mandos	2018-05-15 21:20:12 +0000
@@ -2364,8 +2364,9 @@
         gnutls.openpgp_crt_verify_self(crt, 0,
                                        ctypes.byref(crtverify))
         if crtverify.value != 0:
+            errorcode = crtverify.value
             gnutls.openpgp_crt_deinit(crt)
-            raise gnutls.CertificateSecurityError("Verify failed")
+            raise gnutls.CertificateSecurityError(code=errorcode)
         # New buffer for the fingerprint
         buf = ctypes.create_string_buffer(20)
         buf_len = ctypes.c_size_t()
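Review bot: the new raise line drops the literal "Verify failed" text that the original line carried, so unless CertificateSecurityError's constructor (not visible in this hunk) formats `code` into a readable message, the log entry the user reported on will lose the only hint about which step failed; consider passing both, e.g. `raise gnutls.CertificateSecurityError("Verify failed", code=errorcode)`, if the constructor accepts a message alongside `code`, and confirm the constructor really takes a `code=` keyword before shipping, since this patch is described as untested. Capturing `crtverify.value` into `errorcode` before `gnutls.openpgp_crt_deinit(crt)` is the right order, as the buffer is otherwise unaffected by deinit but the intent is clearer this way.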

> So I try with --debug on both sides, and now the client says:
> "Retrying in 10 seconds"

Since the Mandos server did not like the key, the Mandos server simply
closed the connection.  The Mandos client detected that it did not
receive any data at all, and waits 10 seconds before trying the connect
and handshake again.

> The certificate message is a Warning so it should not be too bad, though
> it's the only message I have ;(

It's a "warning" from the server's perspective, since the server is not
affected by it in its normal operation.  From the client's perspective,
the client believes that the server simply did not have the key for the
client, and retries indefinitely.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
