So I changed `LogLevel` to `debug` in `/opt/intel/sgx-dcap-pccs/config/default.json`:

```
{
"HTTPS_PORT" : 8082,
"hosts" : "0.0.0.0",
"uri": "https://api.trustedservices.intel.com/sgx/certification/v3/",
...
"LogLevel" : "debug",
```

Now once I restart the pccs service, I run `sudo -E ./teaclave_sgx_tool attestation --url https://localhost:8082 --algorithm sgx_ecdsa` to test attestation. Output is the following:

```
[ERROR teaclave_sgx_tool_enclave] Failed to attest: invalid peer certificate: Other(UnsupportedCertVersion)
[2024-01-03T10:35:40Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 69, 114, 114, 34, 58, 34, 83, 101, 114, 118, 105, 99, 101, 69, 114, 114, 111, 114, 34, 125]
[2024-01-03T10:35:40Z DEBUG teaclave_binder::binder] Dropping TeeBinder, start finalize().
[2024-01-03T10:35:40Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1002, 4 bytes
[TRACE teaclave_sgx_tool_enclave] tee receive cmd: 1002, input_buf = [110, 117, 108, 108]
[DEBUG teaclave_sgx_tool_enclave] handle_invoke
[DEBUG teaclave_service_enclave_utils] Enclave finalizing
[DEBUG teaclave_service_enclave_utils] g_peak_heap_used: 180224
[DEBUG teaclave_service_enclave_utils] g_peak_rsrv_mem_committed: 0
[2024-01-03T10:35:40Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
Error: ServiceError
```

PCCS shows the following:

```
● pccs.service - Provisioning Certificate Caching Service (PCCS)
     Loaded: loaded (/lib/systemd/system/pccs.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-01-03 10:40:22 UTC; 2min 0s ago
       Docs: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
   Main PID: 96704 (node)
      Tasks: 11 (limit: 38387)
     Memory: 68.4M
     CGroup: /system.slice/pccs.service
             └─96704 /usr/bin/node -r esm /opt/intel/sgx-dcap-pccs/pccs_server.js

ene 03 10:40:22 teaclave-vm systemd[1]: Started Provisioning Certificate Caching Service (PCCS).
ene 03 10:40:22 teaclave-vm node[96704]: Wed, 03 Jan 2024 10:40:22 GMT morgan deprecated default format: use combined format at node_modules/esm/esm.js:1:278827
ene 03 10:40:25 teaclave-vm node[96704]: 2024-01-03 10:40:25.129 [info]: HTTPS Server is running on: https://localhost:8082
```

Although the log doesn't show more info, I must be pointing at the right service, because if I change the pccs cert to a v3 cert, the error changes, as I said, to `[ERROR teaclave_sgx_tool_enclave] Failed to attest: invalid peer certificate: UnknownIssuer`

In fact, the command `curl -v -k -G "https://localhost:8082/sgx/certification/v3/rootcacrl"` returns what it should,





-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/725#issuecomment-1875172959
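
The `App Received Buf` and `input_buf` arrays in the debug output above are decimal byte values, and decoding them shows what the enclave handed back over IPC. The Python helper below is an added example, not part of the original comment or of Teaclave; the function names `decode_buffers` and `ipc_errors` are hypothetical, and the sample lines are copied from the log above with the e-mail wrapping undone.

```python
import json
import re

# Lines copied from the debug output above, with the e-mail wrapping undone.
SAMPLE_LOG = """\
[2024-01-03T10:35:40Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 69, 114, 114, 34, 58, 34, 83, 101, 114, 118, 105, 99, 101, 69, 114, 114, 111, 114, 34, 125]
[TRACE teaclave_sgx_tool_enclave] tee receive cmd: 1002, input_buf = [110, 117, 108, 108]
[2024-01-03T10:35:40Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
"""

# Two or more comma-separated decimals in brackets. \s also matches newlines,
# so arrays wrapped across lines are found; "systemd[1]" and "[DEBUG ...]" are not.
BYTE_ARRAY = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})+)\s*\]")


def decode_buffers(log_text):
    """Return the UTF-8 text of every byte array in log_text, in order.

    Arrays holding a value above 255 or invalid UTF-8 are returned as None.
    """
    decoded = []
    for match in BYTE_ARRAY.finditer(log_text):
        values = [int(v) for v in re.split(r"\s*,\s*", match.group(1))]
        try:
            decoded.append(bytes(values).decode("utf-8"))
        except ValueError:  # also covers UnicodeDecodeError
            decoded.append(None)
    return decoded


def ipc_errors(log_text):
    """Return the "Err" payload of each buffer that decodes to a JSON object with that key."""
    errors = []
    for text in decode_buffers(log_text):
        try:
            value = json.loads(text) if text is not None else None
        except json.JSONDecodeError:
            continue
        if isinstance(value, dict) and "Err" in value:
            errors.append(value["Err"])
    return errors


if __name__ == "__main__":
    for text in decode_buffers(SAMPLE_LOG):
        print(text)
    print("errors:", ipc_errors(SAMPLE_LOG))
```

The decoded buffers carry only the generic `ServiceError` wrapper; the specific cause in this log is the enclave's own `[ERROR ...]` line, `invalid peer certificate: Other(UnsupportedCertVersion)`.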