connection error: invalid peer certificate: Other(OtherError(CaUsedAsEndEntity)) #130

Closed. tjayz opened this issue Jan 19, 2024 · 8 comments

@tjayz commented Jan 19, 2024

Per readme.md:

          --no-strict-ssl
          Disables SSL/TLS certificate verification
          
          Useful with self-hosted mining solutions where the mining pool
          provides a self-signed certificate.
          However, adding the certificate to the system's trust store
          should be preferred.

Using a self-signed cert and adding the cert to the system's trust store on either Windows or Linux machines, I cannot bypass this message unless I use --no-strict-ssl.

Linux: added the cert to /usr/local/share/ca-certificates/, then ran `sudo update-ca-certificates`, and verified its addition in the following dialogue.
Windows: `certutil -addstore -f -enterprise -user root certificate.crt`, and verified its addition to Trusted Root Certification Authorities.

The crt was created via `openssl req -x509 -sha256 -days 999 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt`

Googling the error message shows that Rust programs have issues like this, but I couldn't find a solution. Has a self-signed cert been tested and shown working without the --no-strict-ssl parameter? Steps to reproduce if so, please. Thanks.

@rigelminer (Owner)

I think this may be relevant: https://users.rust-lang.org/t/error-webpkierror-causedasendentity/48162
So, in other words, you can't use CA certificates for your stratum directly. You need to issue a new certificate, sign it with your CA certificate and use that instead, while your CA certificate should be added to the trust store, which you've already done.

@tjayz (Author) commented Jan 19, 2024

While I am no expert, my research shows only a third party can issue a CA certificate; thus, it is impossible for a self-signed certificate to work without using the --no-strict-ssl parameter then. Am I correct? If so, perhaps "However, adding the certificate to the system's trust store should be preferred." should be removed from the readme to avoid the confusion I am currently experiencing.

If relevant, I did not use the crt directly with the pool. The pool requires a pfx, which was generated with `openssl pkcs12 -export -out pool.pfx -inkey privatekey.key -in certificate.crt`

@rigelminer (Owner)

> only a third party can issue a CA certificate

No, you can generate it too. The author of the TLS library used in Rigel suggests this: rustls/rustls#124 (comment)

I can change the readme to mention that it's the CA certificate that needs to be added to the trust store.

@rigelminer (Owner)

I understand the frustration. I had to go through this myself a while ago. Unfortunately it's one of rustls' constraints.
One thing I could do is investigate an option for the user to be able to tell the miner which certificates to trust (in addition to the ones in the system trust store), e.g. `rigel -a kawpow ... --trust-certificate /path/to/my/self-signed-cert.crt`, and use some custom validation logic where the miner would ignore the fact that it's an end-entity cert and not a CA one.

@tjayz (Author) commented Jan 19, 2024

Well, technically it is not a Rigel issue at all. While your redirect was not a solution for me, it pointed me in the right direction and I found this: https://github.com/rustls/rustls/blob/main/test-ca/openssl.cnf

Adding those to my openssl.cnf, creating the crt like this: `openssl req -x509 -days 3650 -newkey rsa:4096 -keyout private.key -out cert.crt -config openssl.cnf -extensions v3_end`, then following it up with `openssl pkcs12 -export -out pool.pfx -inkey private.key -in cert.crt`, I am able to drop --no-strict-ssl while mining from localhost. However, when I mine to my external IP I get "connection error: invalid peer certificate: NotValidForName" even though that IP is listed in the SANs.

So I am very close to solving it, I think. Will try more after sleep and post the solution for others to follow. Will close since the issue is not Rigel.

@tjayz tjayz closed this as completed Jan 19, 2024
@rigelminer (Owner)

Ok. As a workaround, you can come up with a domain name for your server, say my-cool-pool.com, add a record to /etc/hosts to make it resolve to the external IP address, issue a certificate against my-cool-pool.com, and connect via `-o stratum+ssl://my-cool-pool.com:<port>` - I think this should work too.

@tjayz (Author) commented Jan 19, 2024

Per the rustls test openssl.cnf linked above (alt_names), I just made DNS.1 mirror IP.1 with the external IP, and used the local IP and localhost for the second alt, then recreated the crt/pfx using the same commands listed above. Likewise, following your suggestion, under /etc/hosts only 127.0.0.1 was listed, so I added the external IP and local IP to the list. Updated ca-certificates and Trusted Root Certification Authorities, replaced the nginx cert/key, restarted nginx and the pool.... boom, success.

I believe the root cause of the issue is an improper understanding/use of openssl.cnf. For people that regularly deal with certs this is probably a walk in the park. For those like myself who are taking it all in for the first time, the learning curve is real. I am not quite sure how to simplify this in the readme, but an openssl.cnf with SANs is definitely mandatory for success, so perhaps a quick reference would save others some time.

@tjayz (Author) commented Jan 24, 2024

Wanted to simplify this further since my solution above has issues.

From here: https://github.com/rustls/rustls/tree/main/test-ca

Download build-a-pki.sh, crl-openssl.cnf and openssl.cnf.

Edit all 3 to replace the desired domain names etc.

`./build-a-pki.sh`

Choose the desired algo and enter its folder. Install the ca.crt and inter.crt certs:
Linux: copy name.crt to /usr/local/share/ca-certificates, then `sudo update-ca-certificates`
Windows: `certutil -addstore -f -enterprise -user root name.crt`

Create the pfx with `openssl pkcs12 -export -out pool.pfx -inkey end.key -in end.crt` and edit config.json or whatever to include it in the pool.

Restart rigel and the pool and all should work well.
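The two failures in this thread (CaUsedAsEndEntity, then NotValidForName) come from the same place: rustls wants a CA certificate in the trust store and a separate, non-CA end-entity certificate on the pool, with every name the miner connects to listed as a SAN. The script below is an added example that is not from the issue, Rigel or rustls' build-a-pki.sh; it builds that minimal PKI with openssl and then runs the equivalent checks locally with `openssl verify`. The pool name `my-cool-pool.example`, the address `203.0.113.10` (an RFC 5737 documentation address), the output directory and an openssl 1.1.1 or newer on PATH are assumptions; the empty PKCS#12 export password is only for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the issue, Rigel or rustls.
# Builds the minimal PKI rustls expects: a CA certificate (goes into the
# system trust store) and a separate end-entity certificate signed by it
# (goes on the pool), with DNS and IP SANs for every name the miner uses.
# Assumptions (placeholders, change to taste): POOL_DNS, POOL_IP, OUT dir,
# and an openssl binary of 1.1.1 or newer on PATH.
set -eu

POOL_DNS="${POOL_DNS:-my-cool-pool.example}"
POOL_IP="${POOL_IP:-203.0.113.10}"      # RFC 5737 documentation address
OUT="${OUT:-$(mktemp -d)}"

build_pool_pki() {
  mkdir -p "$OUT"

  # 1. Root CA: CA:TRUE, key usage limited to signing certificates.
  cat > "$OUT/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Pool Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$OUT/ca.cnf" -keyout "$OUT/ca.key" -out "$OUT/ca.crt"

  # 2. End-entity (leaf) certificate for the pool: CA:FALSE, serverAuth,
  #    and the SANs the miner will connect to. The CN alone is not used
  #    for name matching; the SAN list is what counts.
  cat > "$OUT/end.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $POOL_DNS
[end_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$POOL_DNS, IP:$POOL_IP, IP:127.0.0.1
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$OUT/end.cnf" -keyout "$OUT/end.key" -out "$OUT/end.csr"
  openssl x509 -req -in "$OUT/end.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$OUT/end.cnf" -extensions end_ext -out "$OUT/end.crt"

  # 3. PKCS#12 bundle for a pool that wants a .pfx (empty export password).
  openssl pkcs12 -export -out "$OUT/pool.pfx" -inkey "$OUT/end.key" \
    -in "$OUT/end.crt" -certfile "$OUT/ca.crt" -passout pass:
}

# Local stand-ins for the two checks that failed in the thread.
# CaUsedAsEndEntity: the leaf must be a non-CA cert that chains to the CA.
verify_chain() { openssl verify -CAfile "$OUT/ca.crt" "$OUT/end.crt" >/dev/null; }
# NotValidForName: the host the miner connects to must appear in the SANs.
verify_name()  { openssl verify -CAfile "$OUT/ca.crt" -verify_hostname "$1" "$OUT/end.crt" >/dev/null; }
verify_ip()    { openssl verify -CAfile "$OUT/ca.crt" -verify_ip "$1" "$OUT/end.crt" >/dev/null; }
# True when a certificate carries CA:TRUE, i.e. it belongs in the trust
# store, not on the pool.
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Stand-alone run: build everything and show what was produced.
if [ "${1:-}" = "run" ]; then
  build_pool_pki
  echo "PKI written to $OUT:"
  ls "$OUT"
fi
```

Install `ca.crt` in the trust store (update-ca-certificates or certutil, as in the posts above), give `pool.pfx` to the pool, and connect with the DNS name or one of the IPs that appear in the SAN list; a name that is not in the list fails `verify_name` here exactly as it fails in rustls.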
