Allen Herrera added a comment - 2024-03-21 22:37 - edited I think I have a reproduction of this lack of verification of admin_ssl_cert , though let me know if a new ticket is required Error: Error: write EPROTO 139947547596672 :error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid:../deps/openssl/openssl/crypto/rsa/rsa_pss.c: 70 : 139947547596672 :error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../deps/openssl/openssl/ssl/statem/statem_lib.c: 504 : Reproduction: mkdir -p /mnt/certs cd /mnt/certs   # Generate CA Authority key openssl genrsa 2048 > ca-key.pem # Generate X509 cert for Authority key openssl req - new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName"   # Generate server private key and cert openssl req -newkey rsa: 2048 -nodes -days 365000 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456" # Generate X509 cert between Authority & server openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem   # Generate client private key and cert openssl req -newkey rsa: 2048 -nodes -days 365000 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456" # Generate X509 cert for client openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem   chown -R maxscale:maxscale /mnt/certs   # Verify the client certificate openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem # Verify the server certificate openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem   maxctrl show maxscale | grep -i admin_ssl*   maxctrl create user mxadmin mxadminpassword --type=admin # maxctrl destroy user mxadmin maxctrl --user=mxadmin --password=mxadminpassword list servers   # works maxctrl alter maxscale admin_ssl_cert /mnt/certs/server-cert.pem maxctrl alter maxscale admin_ssl_key /mnt/certs/server-key.pem systemctl restart maxscale secure= "--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs/ca-cert.pem --tls-verify-server-cert=false" maxctrl $secure list servers maxctrl $secure show maxscale | grep -i admin_ssl*   # Now that we have first set of certs - time to replace/update with new ones mkdir -p /mnt/certs- new cd /mnt/certs- new   # Generate CA Authority key openssl genrsa 2048 > ca-key.pem # Generate X509 cert for Authority key openssl req - new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName"   # Generate server private key and cert openssl req -newkey rsa: 2048 -nodes -days 365000 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456" -config <(printf "[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n[req_distinguished_name]\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:127.0.0.1" ) # Generate X509 cert between Authority & server openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem   # Generate client private key and cert openssl req -newkey rsa: 2048 -nodes -days 365000 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456" -config <(printf "[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n[req_distinguished_name]\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:127.0.0.1" ) # Generate X509 cert for client openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem   chown -R maxscale:maxscale /mnt/certs- new   # Verify the client certificate openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem # Verify the server certificate openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem maxctrl $secure show maxscale | grep -i admin_ssl*   maxctrl $secure alter maxscale admin_ssl_cert /mnt/certs- new /server-cert.pem cat /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf   ################################################################## # FAILS HERE maxctrl $secure alter maxscale admin_ssl_key /mnt/certs- new /server-key.pem Error: write EPROTO 139947547596672 :error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid:../deps/openssl/openssl/crypto/rsa/rsa_pss.c: 70 : 139947547596672 :error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../deps/openssl/openssl/ssl/statem/statem_lib.c: 504 : # work around: vi /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf "/mnt/certs/server-key.pem" -> "/mnt/certs-new/server-key.pem" ; then systemctl restart maxscale   # Expectation - stop the alter? but then how to update both values maxctrl $secure reload tls   secure= "--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert=false" maxctrl $secure list servers maxctrl $secure show maxscale | grep -i admin_ssl* side error that could be more clear Error: socket hang up

markus makela added a comment - 2024-03-22 14:10 The solution to how to update both values is to use: maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem

markus makela added a comment - 2024-03-22 14:13 I filed MXS-5033 for the lack of compatibility testing between the certificates being configured for the REST-API. Any problems with the key should be reported by the alter command.