Username/Password Combination Unknown to the system

Hi,

We have set up a new server and have just experienced the problem that the new server is up but the admin cannot log in to the MC Web Designer. I think the issue is similar to some existing topics here (e.g. Restore Admin Passwort, Connect mobile client to server), and I tried to run ./renew.sh and answered yes to the overwrite entry alias tomcat during the process. However, the admin login afterwards eventually failed. I attach the deepstream log here:

AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)

It seems that the key files linked by the deepstream docker image are not updated? Or what kind of log files should I provide for the investigation? Thank you very much.
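Added example, not part of the original post: a small triage script for logs of this shape that masks the `secret` field before a log is shared and attributes each `INVALID_AUTH_DATA` to its cause, so an expired certificate on the auth call is not mistaken for a wrong password. The sample log, the placeholder secrets and the function names are constructed; treating a rejection with no preceding `AUTH_ERROR` as a credential failure is an assumption.

```shell
#!/bin/sh
# Constructed sample in the shape of the deepstream log quoted in the post
# (documentation IPs, placeholder secrets). The third attempt, with no
# AUTH_ERROR line, is an assumed shape for a plain credential rejection.
sample_log() {
cat <<'EOF'
INCOMING_CONNECTION | from undefined (203.0.113.10)
AUTH_ATTEMPT | 203.0.113.10: AREQ{"client-version":1,"user":"server","secret":"EXAMPLE-PLACEHOLDER","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (203.0.113.10)
AUTH_ATTEMPT | 203.0.113.10: AREQ{"client-version":1,"user":"server","secret":"EXAMPLE-PLACEHOLDER","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (203.0.113.11)
AUTH_ATTEMPT | 203.0.113.11: AREQ{"client-version":1,"user":"server","secret":"EXAMPLE-PLACEHOLDER-2","role":"server","intervention-password":"not required"}
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
EOF
}

# Mask the value of every "secret" field so the log can be shared.
redact_secrets() {
  sed -E 's/("secret":")[^"]*"/\1[REDACTED]"/g'
}

# Attribute each INVALID_AUTH_DATA to what was logged since the last
# AUTH_ATTEMPT: an expired certificate on the auth call, another backend
# error, or (assumption) rejected credentials when no AUTH_ERROR preceded it.
triage_auth() {
  awk -F' [|] ' '
    $1 == "AUTH_ATTEMPT" { cause = "credentials" }
    $1 == "AUTH_ERROR"   { cause = ($2 ~ /certificate has expired/) ? "tls_expired" : "backend_error" }
    $1 == "INVALID_AUTH_DATA" { n[cause]++ }
    END { printf "tls_expired=%d backend_error=%d credentials=%d\n",
          n["tls_expired"], n["backend_error"], n["credentials"] }'
}

# Redaction does not change the classification.
sample_log | redact_secrets | triage_auth
```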

Have you checked that all occurrences of , <port_tomcat>, <port_deepstream>, and <password_keystore> were correctly replaced in all configuration files?
When we came across the same problem, that was the solution for us.

The problem this time seems to be caused by the expiration of Let’s Encrypt Root Certificate.
(Companies Face Issues as Let's Encrypt Root Certificate Expires)
As the deepstream involved is an old software it could not recognise the new root CA from Let’s Encrypt.

As a temporary workaround, we have switched to ZeroSSL for now and prepared the corresponding cert files, and it seems to be working now. I think Mobile Coach will come up with a more long-term solution for us to handle this problem.

Hi there,

You are absolutely right. This was due to the expiry of the Root Cert that Let’s Encrypt was using. We couldn’t work on an automated certificate retrieval yet using ZeroSSL over the weekend when it happened, but for our ongoing studies we also resorted to using ZeroSSL for now and converting the certificates to the appropriate formats s.t. minimal changes had to be made in the config/docker-compose files.

Glad to hear you could fix it for your instance.

Cheers

Oh, yes.
I’m a bit lost. How can I convert the files from ZeroSSL to the appropriate format?
It’s clear to use the following for converting crt to pem:
openssl rsa -in KEY.key -text > privkey.pem
openssl x509 -inform PEM -in certificate.crt > cert.pem
openssl x509 -inform PEM -in ca_bundle.crt > chain.pem

But I’m wondering how to generate the fullchain.pem file, or would it be sufficient to concatenate cert.pem and chain.pem?

For creating full chain, you first need root ca. You can get it here: USERTrust RSA Certification Authority - Root certificate.

wget http://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt should get the root cert and you can then change it into .pem format. Let’s call it ca_root.pem.

Then cat cert.pem chain.pem ca_root.pem >> fullchain.pem should create the file necessary.
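Added example, not part of the original posts: one way to assemble `fullchain.pem` in the order given above and check it before pointing the server at it (the chain validates, nothing is about to expire, the leaf comes first). File names follow the thread; the three-tier test PKI, its common names and all function names are constructed so the script runs offline.

```shell
#!/bin/sh
# File names follow the thread (cert.pem, chain.pem, ca_root.pem, fullchain.pem).
# make_test_pki builds a constructed three-tier test PKI so this runs offline;
# with real files, skip it and point the other functions at your directory.
csr() {  # $1 = path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
make_test_pki() {  # $1 = work dir
  echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
  csr "$1/root" "Test Root" && csr "$1/int" "Test Intermediate" &&
    csr "$1/leaf" "mc.example.test" &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/ca_root.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/ca_root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/chain.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 30 -out "$1/cert.pem" 2>/dev/null
}

# Leaf first, then intermediate, then root. '>' rather than '>>' so that a
# second run replaces the file instead of appending another copy of the chain.
build_fullchain() {  # $1 = dir
  cat "$1/cert.pem" "$1/chain.pem" "$1/ca_root.pem" > "$1/fullchain.pem"
}

# Returns 0 when the chain is usable; 1 = leaf does not chain to the root,
# 2 = a certificate expires within $2 seconds, 3 = fullchain.pem does not start
# with the leaf. Note: openssl x509 reads only the first certificate in a file.
check_fullchain() {  # $1 = dir, $2 = required remaining validity in seconds
  openssl verify -CAfile "$1/ca_root.pem" -untrusted "$1/chain.pem" \
    "$1/cert.pem" >/dev/null 2>&1 || return 1
  for f in cert.pem chain.pem ca_root.pem; do
    openssl x509 -in "$1/$f" -noout -checkend "$2" >/dev/null || return 2
  done
  [ "$(openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)" ] || return 3
}

d=$(mktemp -d) && make_test_pki "$d" && build_fullchain "$d" &&
  check_fullchain "$d" 86400 && echo "fullchain.pem OK in $d"
```

With the real files, compare the SHA-256 fingerprint of `ca_root.pem` with the one the CA publishes before trusting a copy fetched over plain HTTP.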

I was struggling with the same problem (DST Root CA X3 expired error in deepstream) and @prabhu pointed me to the patch in the docker-compose.yml: mobilecoach / mobilecoach-server / commit / 236a0906f404 — Bitbucket

Thank you!


@prabhu Any chance of this being merged into the main branch first?

Have you been successful connecting to the intervention from the mobile by using this method? I tried when setting up a new server and can log in to its web designer UI. I created an intervention inside but then still cannot connect the mobile app to this new server. I tried to export this intervention and import it into another working server (with the previous ZeroSSL method), and the intervention can be connected. I tried to use the ZeroSSL method for this new server and then the intervention can be connected.