rnurgaliyev / kmip-server-dsm
KMIP Server for Synology DSM
License: MIT License
When following the instructions, with the latest DSM (DSM 7.2-64570 Update 3) I get the following error in the server log, after setting everything up and sharing the proper cert/key files as outlined in the README:
kmip.server.session.00000002 - ERROR - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
Any thoughts as to what the issue could be?
I am sorry, it was unclear it is in the state directory.
I'm trying to run this as a docker container on a QNAP NAS, and I keep getting this error:
/ # cat /var/log/pykmip/server.log
2023-11-21 19:39:40,259 - kmip.server.config - INFO - Loading server configuration settings from: /etc/pykmip/server.conf
2023-11-21 19:39:40,324 - kmip.server.monitor - INFO - Starting up the operation policy file monitor.
2023-11-21 19:39:40,372 - kmip.server - INFO - Starting server socket handler.
2023-11-21 19:39:40,382 - kmip.server - INFO - Server successfully bound socket handler to 0.0.0.0:5696
2023-11-21 19:39:40,383 - kmip.server - INFO - Starting connection service...
2023-11-21 19:39:41,331 - kmip.server.monitor - INFO - Loading policies for file: /etc/pykmip/policy/policy.json
2023-11-21 19:39:41,333 - kmip.server.monitor - INFO - Loading policy: synology
2023-11-21 19:40:02,751 - kmip.server - INFO - Receiving incoming connection from: 192.168.0.223:44782
2023-11-21 19:40:02,751 - kmip.server - INFO - Dedicating session 00000001 to 192.168.0.223:44782
2023-11-21 19:40:02,752 - kmip.server.session.00000001 - INFO - Starting session: 00000001
2023-11-21 19:40:02,761 - kmip.server.session.00000001 - INFO - Failure running TLS handshake
2023-11-21 19:40:02,761 - kmip.server.session.00000001 - ERROR - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/kmip/services/server/session.py", line 102, in run
self._connection.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1375, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
2023-11-21 19:40:02,765 - kmip.server.session.00000001 - INFO - Stopping session: 00000001
I verified that it can see the certs inside the container:
/ # ls -al /var/lib/certs
total 44
drwxr-xr-x 2 1000 users 4096 Nov 21 19:32 .
drwxr-xr-x 1 root root 4096 Nov 21 19:31 ..
-rw-r--r-- 1 root root 1354 Nov 21 19:32 ca.crt
-rw-r--r-- 1 root root 1704 Nov 21 19:32 ca.key
-rw-r--r-- 1 root root 41 Nov 21 19:32 ca.srl
-rw-r--r-- 1 root root 1403 Nov 21 19:32 client.crt
-rw-r--r-- 1 root root 1106 Nov 21 19:32 client.csr
-rw-r--r-- 1 root root 1704 Nov 21 19:32 client.key
-rw-r--r-- 1 root root 1403 Nov 21 19:32 server.crt
-rw-r--r-- 1 root root 1106 Nov 21 19:32 server.csr
-rw-r--r-- 1 root root 1704 Nov 21 19:32 server.key
/ #
I thought maybe it was because the IP inside the docker container was 10.0.something instead of my NAS's IP (192.168.0.2), so I tried adding --network="host" to run-container.sh but it didn't help.
Any tips on how to continue troubleshooting?
How would one write a docker-compose.yml for this? I intend to manage it through Portainer as a stack, pasting the docker-compose.yml into Portainer's stack editor.
Hello,
first of all I would like to say thank you for your awesome work. Your DSM server is still working way better than Synology's built-in DSM server - awesome!
Currently I use highmountaintea/kmip-server-dsm in my docker-compose, which is working fine. As I use watchtower to keep my images up-to-date, I try to avoid building my own images from source. Unfortunately, I now miss all your appreciated work in continuously updating this project.
I would like to kindly request whether it is possible to provide your release tags on Docker Hub? That would be awesome!
Thank you very much!
The documentation notes that:
Shortly after starting container for the first time, some SSL keys and certificates will be generated in the certs directory. You will need to copy these files to put them into your NAS:
client.key
client.crt
ca.crt
When running the container, three files are generated in the certs directory, but instead of getting the above three files (two .crt files and a .key), the container generates three different files (two .key files and a .crt):
~/kmip-server-dsm/certs# ls
ca.crt ca.key server.key
Since DSM asks for one key and two certificates, this output does not appear to work for DSM.
EDIT: Nevermind, I realized a misconfiguration was causing the container to loop and it was not generating the right documents. Sorry about that!
Hi there, even though I have only mediocre skills, I was able to run this yesterday in less than ten minutes. It worked like a charm, no quirks, nothing, it just worked. Now I don't have to worry if my Synology box gets stolen :-) . Great job - thank you.
Hi,
I am going crazy. I tested this deployment with Synology's first 7.2 beta and it was working like a charm.
Now I have installed two Synologies with 7.2 RC (7.2-64551) and two instances of kmip-server, and I see the following behaviour:
But after reboot, I get critical warning that volume could not be decrypted, while kmip server still shows green / connected.
When I try to manual initiate the decrypt, I have to upload the recovery key.
I had a look into kmip-server's logfile:
Seems that Synology has a bug in the RC firmware version, so that no request is sent to kmip-server?
When using local key vault, the automatic decryption is working. Can somebody confirm this maybe? Do you have the same problem?
Hey,
thanks for a great project! I'm running into trouble following the steps though.
When trying to set the remote key client in the NAS, I'm getting "Cannot connect to server".
On the KMIP server side, I'm getting the following error (from /var/log/pykmip/server.log):
2024-08-11 10:15:32,111 - kmip.server - INFO - Receiving incoming connection from: [...]
2024-08-11 10:15:32,112 - kmip.server - INFO - Dedicating session 00000013 to [...]
2024-08-11 10:15:32,114 - kmip.server.session.00000013 - INFO - Starting session: 00000013
2024-08-11 10:15:32,126 - kmip.server.session.00000013 - INFO - Failure running TLS handshake
2024-08-11 10:15:32,128 - kmip.server.session.00000013 - ERROR - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/kmip/services/server/session.py", line 102, in run
self._connection.do_handshake()
File "/usr/lib/python3.11/ssl.py", line 1382, in do_handshake
self._sslobj.do_handshake()
Any idea what the problem might be?
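The DSM 7.2, QNAP Docker and 2024 reports above all end in the same server-side failure: during the TLS handshake the server cannot find, in its trusted CA file, the issuer of the certificate the client presents. The script below is an added example, not part of this repository or of pykmip: it builds a throwaway CA in a temp directory, issues one certificate from it and one from an unrelated CA, and runs `openssl verify -CAfile` against both, which reproduces the exact "unable to get local issuer certificate" text from server.log for the mismatched one. The file names (ca.crt, client.crt) mirror the certs directory listing above; rogue.crt and other-ca.crt are constructed names.

```shell
#!/bin/sh
# Added example: reproduce and check the "unable to get local issuer
# certificate" condition with the openssl CLI. All key material is
# generated in a temporary directory; nothing touches real certs.

# check_chain CA_FILE CERT_FILE
# Returns 0 when CERT_FILE chains to a CA in CA_FILE, 1 otherwise.
# This is the same lookup the TLS handshake performs on the peer
# certificate; when it fails, the session logs CERTIFICATE_VERIFY_FAILED.
check_chain() {
    ca="$1"; cert="$2"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# issue_cert CA_CERT CA_KEY NAME DIR
# Issues DIR/NAME.crt (subject CN=NAME) signed by the given CA.
# -CAcreateserial writes a .srl file beside the CA, as in the listing above.
issue_cert() {
    ca_crt="$1"; ca_key="$2"; name="$3"; out="$4"
    openssl req -newkey rsa:2048 -nodes -keyout "$out/$name.key" \
        -out "$out/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$out/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -out "$out/$name.crt" -days 1 2>/dev/null
}

# make_test_pki prints a temp dir containing:
#   ca.crt / ca.key   the CA the server trusts
#   client.crt        signed by ca.crt       (handshake would pass)
#   other-ca.crt      an unrelated self-signed CA (constructed)
#   rogue.crt         signed by other-ca.crt (handshake fails)
make_test_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kmip-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
    issue_cert "$dir/ca.crt" "$dir/ca.key" client "$dir"
    issue_cert "$dir/other-ca.crt" "$dir/other-ca.key" rogue "$dir"
    echo "$dir"
}

# Stand-alone demonstration of both outcomes.
d=$(make_test_pki)
for leaf in client rogue; do
    if check_chain "$d/ca.crt" "$d/$leaf.crt"; then
        echo "$leaf.crt: chains to ca.crt, handshake would pass"
    else
        echo "$leaf.crt: rejected, same condition as the server.log error"
    fi
done
```

To apply this to a real deployment, run the same `openssl verify -CAfile ca.crt client.crt` against the files copied to the NAS: if it fails there, the client certificate was not issued by the CA the server has in its certs directory.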
As per title.
Maybe pykmip (haven't checked) or synology cannot handle EC certs? Or any other reasons?
First, I wanted to thank you for sharing this repository!
My scenario - I have a primary Synology NAS that will be encrypted, as well as a smaller secondary Synology NAS used for backups, that I would also like encrypted.
My question - Is there a way to have multiple IPs / multiple certificates?