I found a solution for "error finding server identity keys":

1. Looking at debug output showed the certificates were being searched for
   in /usr/local/share/snmp/tls.

2. By supplying a file path

       [snmp] localCert /usr/local/share/snmp/tls/certs/snmpd.crt

   I was doing nothing other than supplying the same thing again. It needed
   to be the fingerprint, which I only had in my comments.

3. Debug also showed that the default port was 10161, not 1161, which I had
   found in the Ubuntu man pages. Although this was not the reason for
   "error finding server identity keys".

Here is a set of instructions for a successful configuration of SNMP over
TLS/TCP that users may find useful.

SNMP v3 Using TLS over TCP

Instructions for testing a localhost connection client/server on 127.0.0.1
using Linux Subsystem for Windows, a VM, or a single native Linux machine to
confirm successful configuration/operation of secure SNMP communication,
which may be mandatory on some networks. This uses only a basic snmpd.conf
configuration, with no accompanying snmp.conf file, together with the most
basic of command line client requests.

Only available for Unix based platforms like Linux (no Windows unless
running a VM or WSL).

When you have compiled source code with OpenSSL support (not covered here)
you should be able to verify your build like this. In my case:

    $ net-snmp-config --version
    5.9.4
    $ net-snmp-config --config-options
    '--with-security-modules=tsm' '--with-transports=TLSTCP,DTLSUDP' '--with-mib-modules=tsm-mib'

Create your own certificate authority certificate & use it to sign your
server/client certificates using the net-snmp-cert utility supplied by
net-snmp. Steps: certificate authority certificate & key > certificate
signing requests for snmpd & manager > signing of snmpd & manager
certificates.
    ~/.snmp$ net-snmp-cert genca -I -n ca.snmp.dev
    CA Generated:
      ca-certs/ca.snmp.dev.crt
      private/ca.snmp.dev.key

    ~/.snmp$ net-snmp-cert gencsr -I -t snmpd -n snmp.dev
    Certificate Signing Request Generated:
      newcerts/snmpd.csr
      private/snmpd.key

    ~/.snmp$ net-snmp-cert gencsr -I -t manager -n danderson
    Certificate Signing Request Generated:
      newcerts/manager.csr
      private/manager.key

    ~/.snmp$ net-snmp-cert signcsr -I --with-ca ca.snmp.dev --csr snmpd
    Signed Certificate Signing Request: newcerts/snmpd.csr
      with CA: ca-certs/ca.snmp.dev.crt private/ca.snmp.dev.key
    Generated Certificate: newcerts/snmpd.crt

    ~/.snmp$ net-snmp-cert signcsr -I --with-ca ca.snmp.dev --csr manager
    Signed Certificate Signing Request: newcerts/manager.csr
      with CA: ca-certs/ca.snmp.dev.crt private/ca.snmp.dev.key
    Generated Certificate: newcerts/manager.crt

Copy the tls directory with certificates to the default file location
/usr/local/share/snmp.

Server/Client fingerprints (manager/peer):

    manager = 4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98
    snmpd   = 70:3E:91:F9:2D:E9:16:05:F8:6F:D0:A3:BD:85:1D:CC:45:7D:56:2D

Config file snmpd.conf - minimum lines required

Step 1: Testing the server snmpd with just these two lines

    agentaddress tlstcp:127.0.0.1:10161
    [snmp] localCert 70:3E:91:F9:2D:E9:16:05:F8:6F:D0:A3:BD:85:1D:CC:45:7D:56:2D

Start the server with TLS debug:

    sudo /usr/local/sbin/snmpd -f -Lo -Dtls -C -c snmpd.conf

Output:

    registered debug token tls, 1
    tlstcp: registering TLS constructor
    tlstcp: listening on tlstcp port 127.0.0.1:10161
    NET-SNMP version 5.9.4

Step 2: Add manager details into snmpd.conf in order to use the TLS
connection

    certSecName 10 4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98 --sn danderson
    rwuser -s tsm danderson auth
    rwuser danderson auth system
    syscontact david@xxxxxxxxxx  # Add in some information we will transfer from server to client

Start the snmpd server in a Linux terminal in the same directory as
snmpd.conf.

Run the following in another terminal from any directory (no snmp.conf file
yet). Debugging with -D of tls is optional, e.g. -Dtls:

    sudo snmpget -v 3 --defSecurityModel=tsm -u manager \
      -l authPriv -T localCert=4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98 \
      -T peerCert=70:3E:91:F9:2D:E9:16:05:F8:6F:D0:A3:BD:85:1D:CC:45:7D:56:2D -Dtls \
      tlstcp:127.0.0.1:10161 sysContact.0

Result:

    SNMPv2-MIB::sysContact.0 = STRING: david@xxxxxxxxxxx

Not much output. In this case, just a line from snmpd.conf transferred from
server to client. But it proves the SNMP over TLS/TCP has been successful.
This should now work for more useful exercises using snmpget/snmpwalk etc.

Debugging options (when things predictably don't go to plan)

Checking the server is listening. Command:

    sudo netstat -tlnp | grep 10161

For checking the output for tls, certs information use -Dtls or -DCerts.
When things got tough I found -D9 useful. See:
https://net-snmp.sourceforge.io/wiki/index.php/Debug_tokens

References that I found helpful:

Quick setup of SNMP v3 DTLS/TLS access in CentOS/RHEL 7 Linux - net-snmp
<https://www.youtube.com/watch?v=BTEFwYbGJ-8>
https://net-snmp.sourceforge.io/wiki/index.php/TUT:Using_TLS

On Fri, Dec 13, 2024 at 11:09 AM David R Anderson <da...@mranderson.co.nz> wrote:
> NET-SNMP version: 5.9.4
> net-snmp-config --config-options
> '--with-security-modules=tsm' '--with-transports=TLSTCP,DTLSUDP'
> '--with-mib-modules=tsm-mib'
>
> OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
>
> OS
> Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 5.15.167.4-microsoft-standard-WSL2 x86_64)
>
> Relevant config lines snmpd.conf - No snmp.conf used
> agentaddress tlstcp:1161
>
> # certificate local defines the default X.509 public key to use as the
> # server's identity (man pgs Ubuntu snmpd.conf)
> [snmp] localCert /usr/local/share/snmp/tls/certs/snmpd.crt
>
> # certificate common name danderson e.g. CN = danderson
> # /usr/local/share/snmp/tls/certs/manager.crt: SHA1 Fingerprint=4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98
> certSecName 10 4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98 --cn
>
> # SNMP v3 user. Security model -s
> rwuser -s tsm danderson auth
>
> Output from snmpd using: sudo /usr/local/sbin/snmpd -f -Lo -Dcert -C -c snmpd.conf
> ---->snip<---
> cert:dump: ------------------------ End ----------------------
> cert:util:config: parsing 10 4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98 --cn
> cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 0x7ffd493e92d0
> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 0x7ffd493e92d0
> cert:find:params: hint = 4A:DB:1F:38:C8:59:E9:09:58:DF:CC:4A:5F:30:39:4A:53:FB:31:98
> cert:find:found: using cert manager.crt / 4adb1f38c859e90958dfcc4a5f30394a53fb3198 for remote_peer(2) (uses=identity+remote_peer (3))
> cert:find:found: using cert manager.crt / 4adb1f38c859e90958dfcc4a5f30394a53fb3198 for remote_peer(2) (uses=identity+remote_peer (3))
> cert:map:add: pri 10, fp 4adb1f38c859e90958dfcc4a5f30394a53fb3198
> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 0x5573fdf68c60
> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 0x5573fdf68c60
> cert:find:params: hint = /usr/local/share/snmp/tls/certs/snmpd.crt
> cert:find:params: looking for identity(1) in FILE(0x1), hint 0x5573fdf68c60
> cert:find:params: hint = /usr/local/share/snmp/tls/certs/snmpd.crt
> error finding server identity keys
>
> I have tested the certificates/keys using:
> sudo openssl s_server -cert /usr/local/share/snmp/tls/certs/snmpd.crt -key /usr/local/share/snmp/tls/private/snmpd.key -CAfile /usr/local/share/snmp/tls/ca-certs/ca.snmp.dev.crt -accept 1161 -tls1_2 -www
>
> sudo openssl s_client -connect 127.0.0.1:1161 -tls1_2 -CAfile /usr/local/share/snmp/tls/ca-certs/ca.snmp.dev.crt -cert /usr/local/share/snmp/tls/certs/manager.crt -key /usr/local/share/snmp/tls/private/manager.key
>
> All good with the certificates generated using *net-snmp-cert*
>
> This error appears a number of times in the net-snmp mailing list archives
> - without any obvious explanation or fix. If this is a: "well you're not
> running on a native Linux machine" problem then it would be really helpful
> to have it fixed. Since Linux is being run more often than ever on Windows
> machines.
>
> I have found the code references and could possibly recompile with
> additional debug lines. But I was hoping someone may have an easier
> solution.
>
> Regards
> David Anderson
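As an added example (not code from the post or from net-snmp), a small Python checker for the lesson above: it computes a certificate's SHA-1 fingerprint from a PEM file the same way openssl's -fingerprint output does, and flags a "[snmp] localCert" or "certSecName" line that carries a path instead of a fingerprint. The sample PEM and config strings are constructed, and the function names fingerprint_from_pem and check_snmpd_conf are my own.

```python
"""Compute the SHA-1 fingerprint snmpd wants and lint TLS lines in snmpd.conf.

Added example (not from the post): localCert had to be the certificate's
SHA-1 fingerprint, not a path. The PEM and configs below are constructed.
"""
import base64
import hashlib
import re

# Fingerprint form printed by openssl/net-snmp-cert: 20 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint_from_pem(pem_text: str) -> str:
    """SHA-1 over the DER bytes, as 'openssl x509 -sha1 -fingerprint' prints it."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))  # drop PEM armor/newlines
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def check_snmpd_conf(conf_text: str) -> list:
    """Return problems found in the localCert / certSecName lines of snmpd.conf."""
    problems = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # ignore comments
        if tokens[:2] == ["[snmp]", "localCert"]:
            spec = tokens[2] if len(tokens) > 2 else ""
            if "/" in spec or spec.endswith(".crt"):
                problems.append(f"line {n}: localCert is a file path; use the SHA-1 fingerprint")
            elif not FINGERPRINT_RE.match(spec):
                problems.append(f"line {n}: localCert is not a SHA-1 fingerprint")
        elif tokens[:1] == ["certSecName"]:
            # certSecName <priority> <fingerprint> <mapping, e.g. --sn name or --cn>
            if len(tokens) < 4 or not FINGERPRINT_RE.match(tokens[2]):
                problems.append(f"line {n}: certSecName needs '<pri> <fingerprint> <mapping>'")
    return problems

# Constructed sample: arbitrary bytes in PEM armor, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed DER bytes for the demo").decode()
              + "\n-----END CERTIFICATE-----\n")
# The failing form from the original question and the working form from the reply.
BROKEN_CONF = "agentaddress tlstcp:1161\n[snmp] localCert /usr/local/share/snmp/tls/certs/snmpd.crt\n"
WORKING_CONF = ("agentaddress tlstcp:127.0.0.1:10161\n"
                "[snmp] localCert " + fingerprint_from_pem(SAMPLE_PEM) + "\n"
                "certSecName 10 " + fingerprint_from_pem(SAMPLE_PEM) + " --sn danderson\n")
```

Run check_snmpd_conf on a real snmpd.conf to confirm every localCert and certSecName value is a fingerprint before starting snmpd with -Dcert.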
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users