FS#73618 - The HTTPs/wss of nhiicc server fails to start

Attached to Project: Arch Linux
Opened by Jian-Hong Pan (starnight) - Friday, 04 February 2022, 09:23 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 05 February 2022, 09:23 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To No-one
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The nhiicc service installed by the nhiicc package keeps showing the error:

```
mLNHIICC[6737]: 140048003425856:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
```

Then the HTTPs/wss server fails to start until the NHI root cert is trusted manually.
The NHI root cert is installed as /usr/share/NHIICC/cert/ca.crt by the package.

Additional info:
* package version(s): nhiicc 1:20210824.02-1
* config and/or log files etc.
```
● nhiicc.service - 台灣健保卡網路註冊憑證元件 (National Health Insurance IC Card)
Loaded: loaded (/usr/lib/systemd/system/nhiicc.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2022-02-04 12:17:40 CST; 33s ago
Main PID: 6737 (mLNHIICC)
Tasks: 3 (limit: 18882)
Memory: 6.5M
CPU: 120ms
CGroup: /system.slice/nhiicc.service
└─6737 /usr/bin/mLNHIICC

Feb 04 12:18:03 starnight mLNHIICC[6737]: 140048011818560:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:03 starnight mLNHIICC[6737]: 140048003425856:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:04 starnight mLNHIICC[6737]: 140047995033152:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:06 starnight mLNHIICC[6737]: 140047986640448:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:07 starnight mLNHIICC[6737]: 140047978247744:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:08 starnight mLNHIICC[6737]: 140047969855040:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:08 starnight mLNHIICC[6737]: 140047961462336:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:08 starnight mLNHIICC[6737]: 140047953069632:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:11 starnight mLNHIICC[6737]: 140047944676928:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
Feb 04 12:18:12 starnight mLNHIICC[6737]: 140047936284224:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46
```

Steps to reproduce:
1. start pcscd service: `systemctl start pcscd`
2. start nhiicc service: `systemctl start nhiicc`
3. check nhiicc service's status: `systemctl status nhiicc`

Closed by Antonio Rojas (arojas)
Saturday, 05 February 2022, 09:23 GMT
Reason for closing: Not a bug
Additional comments about closing: AUR packages are not supported
Comment by Jian-Hong Pan (starnight) - Friday, 04 February 2022, 09:25 GMT
Here is the proposed patch to fix this issue.

This patch trusts the self-generated NHI root CA cert in post_install and removes the trust in pre_remove.
It also adds p11-kit as a dependency for the trust command.
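
A sketch of what a pacman install scriptlet doing this could look like, as an added example that is not the patch attached to this task. The certificate path is the one given in the report; the `TRUST_BIN` override and the messages are hypothetical, added so the functions can be exercised without touching the real trust store.

```shell
# Sketch of a pacman .install scriptlet (added example, not the actual patch).
# CA_CERT is the path stated in the bug report; TRUST_BIN is a hypothetical
# override so the functions can be tested against a stub instead of p11-kit.
CA_CERT="${CA_CERT:-/usr/share/NHIICC/cert/ca.crt}"
TRUST_BIN="${TRUST_BIN:-trust}"

post_install() {
    # Refuse to continue if the packaged CA certificate is missing.
    if [ ! -r "$CA_CERT" ]; then
        echo "nhiicc: CA certificate not found: $CA_CERT" >&2
        return 1
    fi
    # 'trust anchor --store' (p11-kit) adds the cert as a system-wide anchor.
    if ! "$TRUST_BIN" anchor --store "$CA_CERT"; then
        echo "nhiicc: failed to add trust anchor" >&2
        return 1
    fi
    echo "nhiicc: added $CA_CERT to the system trust store"
}

pre_remove() {
    # Runs before the package files are deleted, so the cert is still on disk.
    # If it is already gone there is nothing to withdraw.
    [ -r "$CA_CERT" ] || return 0
    # Withdraw the anchor; a failure is reported but does not block removal.
    "$TRUST_BIN" anchor --remove "$CA_CERT" ||
        echo "nhiicc: could not remove trust anchor for $CA_CERT" >&2
    return 0
}
```

After installation, `trust list --filter=ca-anchors` shows whether the anchor is present. The anchor is system-wide, so every application that uses the system trust store will accept certificates chaining to this CA.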
Comment by Jian-Hong Pan (starnight) - Friday, 04 February 2022, 10:11 GMT
I got the NHI root CA idea by checking upstream's "Install" script. After trusting the NHI root CA's cert, the nhiicc service works fine, and the HTTPs/wss server can be connected to.
Comment by Chih-Hsuan Yen (yan12125) - Saturday, 05 February 2022, 03:10 GMT
Thanks for the notice and useful information. However, this bug tracker is not for AUR packages, thus closing.

Regarding the issue itself - I saw you also left comments on https://aur.archlinux.org/packages/nhiicc. That's the correct way to propose patches for AUR packages. I will have a look soon.
Comment by Jian-Hong Pan (starnight) - Saturday, 05 February 2022, 04:12 GMT
Sure! Thanks!
But I do not see the close button, or ...
