Forum Discussion

dreamer2057
Channel Surfer
10 years ago

SSL --cert --key options

Hello! How do I use an SSL connection with a custom certificate and key?

CURL request:
curl https://service:port --cacert cafile.pem --cert certificate.crt --key private_key.key


--cert certificate.crt --key private_key.key

Many different attempts with code like this didn't work:

http = CreateObject("roUrlTransfer")
port = CreateObject("roMessagePort")
http.SetUrl(url)
http.SetMessagePort(port)
http.SetRequest("POST")
http.AddHeader("Content-Type", "application/json")
http.AddHeader("X-Roku-Reserved-Dev-Id", "")
http.SetCertificatesFile("pkg:/source/certificate.crt")
http.InitClientCertificates()
http.RetainBodyOnError(true)


Options:

EnablePeerVerification(false{ or true })
EnableHostVerification(false{ or true })

in different combinations didn't help.
  • Can you be more specific about what you mean by "didn't work" and "didn't help"?
  • "belltown" wrote:
    Can you be more specific about what you mean by "didn't work" and "didn't help"?


    Basic request:

    http = CreateObject("roUrlTransfer")
    port = CreateObject("roMessagePort")
    http.SetUrl(url)
    http.SetMessagePort(port)
    http.SetRequest("POST")
    http.AddHeader("Content-Type", "application/json")
    http.AddHeader("X-Roku-Reserved-Dev-Id", "")
    http.SetCertificatesFile("pkg:/source/certificate.crt")
    http.InitClientCertificates()
    http.RetainBodyOnError(true)

    while num_retries > 0
        if (http.AsyncPostFromString(""))
            event = wait(timeout, http.GetPort())
            if type(event) = "roUrlEvent"
                dd = event.GetString()
                code = event.GetResponseCode()
                .....


    code = event.GetResponseCode() gives "-60"
    Something like "cURL error 60: SSL certificate problem: unable to get local issuer certificate", I think.

    Applying
    http.EnableHostVerification(false)

    didn't change the response ("-60").

    Applying
    http.EnablePeerVerification(false)

    changes the response into another error:
    Code: 400 Bad Request
    400 The SSL certificate error.

    When working with certificates in PC browsers:
    -60 means the host is not verified, I think.

    1. Site Page opens

    2. The browser doesn't find the host certificate and says "untrusted".

    3. When we say "doesn't matter" (on a PC: "I understand the risk, bla bla bla, continue anyway"), the browser opens the site.

    4. Next time, the server asks "where is your private certificate?".



      • a. we install the certificate and the browser gives it to the server ---- the site opens

      • b. certificate missing ---- the server says 400 Bad Request, you don't have the certificate.


    So, Roku does not send certificates for some reason...
  • The first thing I'd check is that the certificates file exists and is where you expect it to be. Break into the debugger and type:


    Yes, it exists; the reading function displays the certificate content.

    Then make sure it is formatted something like this:

    Oh, I see, the certificates should be joined in a single file. But that doesn't help either.

    My certificate.pem content (the documentation says that SetCertificatesFile (https://sdkdocs.roku.com/display/sdkdoc/roUrlTransfer) expects a .pem file extension; however, I tried .crt too):


    Private Certificate
    ===========================
    -----BEGIN CERTIFICATE-----
    {Private Certificate}
    -----END CERTIFICATE-----

    Private Certificate Key
    ===========================
    -----BEGIN PRIVATE KEY-----
    {Private Key}
    -----END PRIVATE KEY-----

    CA certificates
    ===========================
    -----BEGIN CERTIFICATE-----
    {Certificate}
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    {Certificate}
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    {Certificate}
    -----END CERTIFICATE-----



    The server still returns a 400 Bad Request status code (it didn't see the certificate).
    However, if I separate this content into three files (cafile, certificate, private_key) and invoke curl (on a PC) like I wrote above, it works:
    curl https://service:port --cacert cafile.pem --cert certificate.crt --key private_key.key
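Added here as a check for the bundle layout shown in this post (example code, not from the thread or the Roku SDK): it splits a PEM file into blocks and reports what does not belong in the file passed to SetCertificatesFile, which the Roku uses to verify the server. SAMPLE_BUNDLE is a constructed stand-in for the poster's certificate.pem with placeholder base64 bodies.

```python
import base64
import binascii
import re

# Constructed sample mirroring the posted bundle layout: a heading, the leaf
# certificate, its private key and a CA certificate, all concatenated. The
# base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """Private Certificate
-----BEGIN CERTIFICATE-----
MIIBxDCCAW6gAwIBAgIBAA==
-----END CERTIFICATE-----
Private Certificate Key
-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4=
-----END PRIVATE KEY-----
CA certificates
-----BEGIN CERTIFICATE-----
MIIBxDCCAW6gAwIBAgIBAQ==
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def parse_pem_bundle(text):
    """Return (label, der_bytes) per PEM block; text between blocks is ignored."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError("BEGIN %s does not match END %s" % (begin, end))
        # validate=True rejects stray characters such as a literal "{Certificate}".
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((begin, der))
    return blocks


def check_ca_bundle(text):
    """List what makes the file unsuitable for SetCertificatesFile."""
    # That file is the trust store used to verify the server: CA certificates
    # only. A private key placed there is never used by the Roku.
    try:
        labels = [label for label, _ in parse_pem_bundle(text)]
    except (ValueError, binascii.Error) as exc:
        return ["malformed PEM block: %s" % exc]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    problems += ["%s block present in CA bundle: remove it" % label
                 for label in labels if "PRIVATE KEY" in label]
    return problems
```

Running check_ca_bundle over the posted file as literally shown (with the "{...}" placeholders still in it) reports a malformed block, which is a separate problem from the misplaced private key.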
  • Thanks, belltown, for trying to help me!

    Are you trying to do server authentication or client authentication?


    Server authentication, I think. My server should ask for a (specially generated, private) certificate from the Roku. Only if it is sent and passes will the server allow viewing the responses.
    Like the curl request:

    curl https://service:port --cacert cafile.pem --cert certificate.crt --key private_key.key

    Only if I add the --cert and --key options does my server send the right response.

    In this case, you'd also need to copy the Roku public key file (located in the SDK file: certificates\cacert.pem) to your server.

    Yes, I read it in the documentation. I haven't done this yet; I will try soon.

    (I assume that's your file, private_key.key

    No, no. It's an important part; it's the private key for the certificate. If I remove the --key option from curl, it breaks.

    This curl command should work if your certificates' file and your server are set up correctly:

    It will only work with client authentication. In my case, the cert and key are needed.
  • "dreamer2057" wrote:
    Are you trying to do server authentication or client authentication?


    Server authentication, I think. My server should ask for a (specially generated, private) certificate from the Roku. Only if it is sent and passes will the server allow viewing the responses.

    That sounds like client authentication to me. That is when the server attempts to authenticate the client's credentials, which is what you seem to be describing.

    In that case you need to call InitClientCertificates() in your Roku channel (which it looks like you're already doing), AND ensure that the Roku's Public Key is installed on your server (which you are not doing yet).

    Also, you can't supply your own Private Key when using client authentication for a Roku, as you can do with your curl command. Instead, you must use the Roku's Public Key, and install that on your server. I believe Apache uses the SSLCACertificateFile directive for this along with SSLVerifyClient require.

    Another thing that might help you is to call event.GetFailureReason() to get a more descriptive reason for the error.
  • That sounds like client authentication to me.

    Yes, maybe. I mean server-side authentication 🙂

    Instead, you must use the Roku's Public Key, and install that on your server

    I'll discuss it with our system administrators in the near future, probably today.

    Thanks, I will write about the results.
  • OK, now it works. I added the "RokuTV Certification Authority" certificate to the server.

    So, the problem was in:

    Also, you can't supply your own Private Key when using client authentication for a Roku, as you can do with your curl command.


    I was supposed to use a personal certificate and private key. However, Roku's certificate + private key + Pack ID in the header + https request has a high enough security level to be quiet.


    THANKS, belltown