
kmip-server-dsm's People

Contributors

rnurgaliyev, technotiger, throughnothing


kmip-server-dsm's Issues

Not an issue - but feedback

Hi there, even though I have mediocre skills only, I was able to run this yesterday in less than ten minutes, it worked like a charm, no quirks, nothing, just worked. Now I don't have to worry if my Synology box gets stolen :-). Great job - thank you.

Working with first beta, but not with 7.2 RC?

Hi,

I am going crazy. I tested this deployment with Synology's first beta of 7.2 and it was working like a charm.
Now I installed two Synologies with 7.2 RC (7.2-64551) and two instances of kmip-server, and I have the following behaviour:

  • kmip server deployment working
  • pairing with kmip client working
  • enabling kmip server in global settings
    => successfully connected, all status green

But after reboot, I get critical warning that volume could not be decrypted, while kmip server still shows green / connected.
When I try to manually initiate the decrypt, I have to upload the recovery key.

I had a look into kmip-server's logfile:

  • when I initially connect => only positive log results
  • when I try "check connection" => only positive log results
  • but after reboot of the Synology client: no log file entry, just nothing

It seems that Synology has a bug in the RC firmware version, so that no request is sent to kmip-server?
When using local key vault, the automatic decryption is working. Can somebody confirm this maybe? Do you have the same problem?

unable to get local issuer certificate

When following the instructions, with the latest DSM (DSM 7.2-64570 Update 3) I get the following error in the server log, after setting everything up and sharing the proper cert/key files as outlined in the README:

kmip.server.session.00000002 - ERROR - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

Any thoughts as to what the issue could be?

Documentation and Generated Certificates and Keys

The documentation notes that:

Shortly after starting container for the first time, some SSL keys and certificates will be generated in the certs directory. You will need to copy these files to put them into your NAS:
client.key
client.crt
ca.crt

When running the container, three files are generated in the certs directory, but instead of getting the above three files (two .crt files and a .key), the container generates three different files (two .key files and a .crt):

~/kmip-server-dsm/certs# ls
ca.crt  ca.key  server.key

Since DSM asks for one key and two certificates, this output does not appear to work for DSM.

EDIT: Nevermind, I realized a misconfiguration was causing the container to loop and it was not generating the right documents. Sorry about that!

How to use this with multiple DSM units?

First, I wanted to thank you for sharing this repository!

My scenario - I have a primary Synology NAS that will be encrypted, as well as a smaller secondary Synology NAS used for backups, that I would also like encrypted.

My question - Is there a way to have multiple IPs / multiple certificates?

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

I'm trying to run this as a docker container on a QNAP NAS, and I keep getting this error:

/ # cat /var/log/pykmip/server.log
2023-11-21 19:39:40,259 - kmip.server.config - INFO - Loading server configuration settings from: /etc/pykmip/server.conf
2023-11-21 19:39:40,324 - kmip.server.monitor - INFO - Starting up the operation policy file monitor.
2023-11-21 19:39:40,372 - kmip.server - INFO - Starting server socket handler.
2023-11-21 19:39:40,382 - kmip.server - INFO - Server successfully bound socket handler to 0.0.0.0:5696
2023-11-21 19:39:40,383 - kmip.server - INFO - Starting connection service...
2023-11-21 19:39:41,331 - kmip.server.monitor - INFO - Loading policies for file: /etc/pykmip/policy/policy.json
2023-11-21 19:39:41,333 - kmip.server.monitor - INFO - Loading policy: synology
2023-11-21 19:40:02,751 - kmip.server - INFO - Receiving incoming connection from: 192.168.0.223:44782
2023-11-21 19:40:02,751 - kmip.server - INFO - Dedicating session 00000001 to 192.168.0.223:44782
2023-11-21 19:40:02,752 - kmip.server.session.00000001 - INFO - Starting session: 00000001
2023-11-21 19:40:02,761 - kmip.server.session.00000001 - INFO - Failure running TLS handshake
2023-11-21 19:40:02,761 - kmip.server.session.00000001 - ERROR - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/kmip/services/server/session.py", line 102, in run
    self._connection.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1375, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
2023-11-21 19:40:02,765 - kmip.server.session.00000001 - INFO - Stopping session: 00000001

I verified that it can see the certs inside the container:

/ # ls -al /var/lib/certs
total 44
drwxr-xr-x    2 1000     users         4096 Nov 21 19:32 .
drwxr-xr-x    1 root     root          4096 Nov 21 19:31 ..
-rw-r--r--    1 root     root          1354 Nov 21 19:32 ca.crt
-rw-r--r--    1 root     root          1704 Nov 21 19:32 ca.key
-rw-r--r--    1 root     root            41 Nov 21 19:32 ca.srl
-rw-r--r--    1 root     root          1403 Nov 21 19:32 client.crt
-rw-r--r--    1 root     root          1106 Nov 21 19:32 client.csr
-rw-r--r--    1 root     root          1704 Nov 21 19:32 client.key
-rw-r--r--    1 root     root          1403 Nov 21 19:32 server.crt
-rw-r--r--    1 root     root          1106 Nov 21 19:32 server.csr
-rw-r--r--    1 root     root          1704 Nov 21 19:32 server.key
/ #

I thought maybe it was because the IP inside the docker container was 10.0.something instead of my NAS's IP (192.168.0.2), so I tried adding --network="host" to run-container.sh but it didn't help.

Any tips on how to continue troubleshooting?
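The two "unable to get local issuer certificate" reports above and the question about serving several DSM units all come down to the same TLS fact: PyKMIP (the server behind this container) performs client-certificate authentication, so during the handshake it checks the certificate the NAS presents against the CA file it was configured with. That exact error text means the peer's certificate chains to an issuer that is not in the verifier's trust file; in practice that usually means the certs directory was regenerated after the NAS was configured (the NAS still holds the old client.crt), or the server and the NAS were given files from two different runs. The script below is an added example, not code from kmip-server-dsm: it reproduces the verdict with plain openssl and shows one CA issuing a separate client certificate per NAS, which is how one server can serve more than one unit as long as every client.crt chains to the single ca.crt the server trusts. The CA and NAS names (kmip-ca, other-ca, nas-a, nas-b) and the working directory are made up for the demo; whether the project's own generation script produces more than one client certificate is not something this page says.

```shell
#!/bin/sh
# Added example, not code from kmip-server-dsm. Reproduces the
# "unable to get local issuer certificate" verdict with plain openssl and
# shows one CA issuing a separate client certificate per NAS.
# Assumptions: openssl is on PATH; kmip-ca, other-ca, nas-a and nas-b are
# made-up names for this demo, not the project's file names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key and certificate (NAME.key, NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME: key + CSR for NAME, signed by CA -> NAME.crt.
# One call per NAS; every leaf chains to the same CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against CA NAME: the same check the TLS peer performs at handshake
# time, i.e. NAME.crt validated against the CA file the verifier was given.
# Prints openssl's verdict (stdout and stderr merged), returns its status.
verify_against() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1
}

# issuer_of / subject_of: the quick visual check. The issuer printed for a
# leaf must equal the subject printed for the CA the verifier trusts.
issuer_of()  { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }
subject_of() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }

# Demo when run directly.
make_ca kmip-ca           # the CA the KMIP server is configured to trust
make_ca other-ca          # an unrelated CA, e.g. from a second generation run
issue_cert kmip-ca nas-a  # one client certificate per NAS, same CA for all
issue_cert kmip-ca nas-b

issuer_of nas-a           # issuer=CN = kmip-ca
subject_of kmip-ca        # subject=CN = kmip-ca

verify_against kmip-ca nas-a   # <path>/nas-a.crt: OK
verify_against kmip-ca nas-b   # <path>/nas-b.crt: OK

# Leaf signed by kmip-ca, verifier trusting other-ca: this is the failure
# from the logs above, "error 20 ... unable to get local issuer certificate".
if verify_against other-ca nas-a; then
    echo "unexpected: other-ca must not be able to verify nas-a"
    exit 1
fi
```

To apply the check to a real deployment, point verify_against at the ca.crt the server actually loads and at the client.crt the NAS actually holds (export it from DSM if you are not sure which one was uploaded); if the issuer line of that client.crt does not match the subject line of that ca.crt, the handshake cannot succeed no matter what the network settings are, so `--network="host"` or the container's internal IP address are not the variable to change. When you do regenerate the certs directory, every NAS must be re-paired with the new client.key, client.crt and ca.crt.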

docker-compose/portainer support

How would one write a docker-compose.yml for this? I intend to manage it through Portainer as a stack, pasting the docker-compose.yml into Portainer's stack editor.
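A compose stack for this container is mostly a transcription of what run-container.sh already passes on the command line. The file below is an added example, not the project's own docker-compose.yml: the image name is an assumption (use whatever run-container.sh builds or pulls), the two mount points are taken from the paths visible in the log and ls output above (/var/lib/certs and /var/log/pykmip) but whether the project expects them as bind mounts is an assumption, and any environment variables run-container.sh passes with -e are not on this page and must be copied over by hand.

```yaml
# Added example, not the project's compose file. Image name and mount points
# are assumptions; mirror every -p/-v/-e flag found in run-container.sh.
services:
  kmip-server:
    image: kmip-server-dsm:latest      # assumption: image built/pulled by run-container.sh
    container_name: kmip-server-dsm
    restart: unless-stopped            # the NAS asks for its key at boot, so the server must come back on its own
    ports:
      - "5696:5696"                    # KMIP over TLS; the log above shows the server binding 0.0.0.0:5696
    volumes:
      - ./certs:/var/lib/certs         # generated CA/server/client material (path seen in the ls output above)
      - ./logs:/var/log/pykmip         # server.log location seen in the log above; optional but useful for debugging
```

Two things to keep in mind when pasting this into Portainer: if you previously ran the container with `--network="host"`, the equivalent is `network_mode: host` in place of the ports mapping; and the ./certs directory holds ca.key and client.key alongside the certificates, which together are enough for anyone who reaches the server to fetch the volume key, so that directory deserves the same handling as the recovery key (restrictive permissions on the host, not shared on a network volume, and included in backups only in encrypted form).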
