Certificate Error during enrol process

Trying to use enclave on a Linux system, and see the following error upon enrollment attempt. It appears to be a remote certificate error, but I wanted to check to see if perhaps something on my end is causing the issue?

[ls-demo  3:19 pm] ~ # enclave enrol
Enter enrolment key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Generating new private key              ... OK (256 bit)
Signing authority                       ... OK (cn=Enclave Networks Primary Intermediate G1)
Requesting certificate from issuer      ... Failed. (endpoint=https://api.enclave.io/authority/enrol)

The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

Hi,

This may be a local problem validating our API server’s LetsEncrypt-issued certificate. Can I ask you to check that:

  • The local system clock is correct
  • You have the latest ca-certificates installed (on a Debian installation, run sudo apt update && sudo apt install ca-certificates)

An existing LetsEncrypt root certificate did expire a little while ago, so it’s possible that is related.

Thanks,

Alistair

This pointed me in the right direction, thanks! I’m running a really old version of Debian (jessie), and even though I was updating CA certs, apparently it was checking an expired cert first, and not seeing the proper root cert for connection. Once I removed that expired cert it was able to enroll.

In case anyone else runs into this super-specific use case, here’s some more detail: Client on Debian 9 erroneously reports expired certificate for letsencrypt-issued domain - Server Fault


Thanks for the interesting extra context on this issue! Glad you managed to get things working.

Alistair
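
The two checks suggested in this thread (local clock and CA store) can be run together. The following is an added example, not part of the original thread or of Enclave's tooling: it lists trust anchors whose validity window does not include the local time, which is the condition behind a NotTimeValid chain error. The bundle path is assumed to be the Debian ca-certificates default, and the sample entries are constructed.

```python
import ssl
import time

# Assumption: Debian-style bundle written by update-ca-certificates.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

def out_of_window(ca_certs, now=None):
    """Return (name, reason, date) for each trust anchor not valid at `now`.

    `ca_certs` is a list of dicts shaped like ssl.SSLContext.get_ca_certs()
    output; `now` is seconds since the epoch (defaults to the local clock).
    """
    now = time.time() if now is None else now
    findings = []
    for cert in ca_certs:
        # subject is a tuple of RDNs, each a tuple of (field, value) pairs
        fields = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        name = fields.get("commonName") or fields.get("organizationName", "?")
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            findings.append((name, "expired", cert["notAfter"]))
        elif ssl.cert_time_to_seconds(cert["notBefore"]) > now:
            findings.append((name, "not yet valid", cert["notBefore"]))
    return findings

def audit_bundle(cafile=DEFAULT_BUNDLE):
    """Load every CA certificate in `cafile` and report those out of window."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Load the file explicitly: certificates found only through a capath
    # directory are not listed by get_ca_certs() until they have been used.
    ctx.load_verify_locations(cafile=cafile)
    return out_of_window(ctx.get_ca_certs())

# Constructed sample entries (not real certificates), same dict shape.
SAMPLE = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Old Root"),)),
     "notBefore": "Jan  1 00:00:00 2000 GMT",
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notBefore": "Jan  1 00:00:00 2015 GMT",
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

if __name__ == "__main__":
    # A wrong clock makes valid roots look expired or not yet valid.
    print("local clock (UTC):", time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime()))
    for name, reason, date in audit_bundle():
        print(f"{reason}: {name} ({date})")
```

If the output lists many roots as "not yet valid", suspect the system clock rather than the bundle.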