Username/Password Combination Unknown to the system

Hi,

We have setup a new server have just experienced the problem that the new server is up but admin cannot log in the MC Web Designer problem. I think the issue is similar to some existing topic here (e.g. Restore Admin Passwort, Connect mobile client to server) and I tried to run ./renew.sh and answer yes to the overwrite entry alias tomcat during the process. However, the admin login afterwards will eventually failed. I attach the deepstream log here:

AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null
INCOMING_CONNECTION | from undefined (35.223.76.74)
AUTH_ATTEMPT | 35.223.76.74: AREQ{"client-version":1,"user":"server","secret":"iiemfTborlbe34MzvOfhwdL6QQMUwXu7JEwQ302IXiSVWxiSi3RT1QjNpFluZJyJ","role":"server","intervention-password":"not required"}
AUTH_ERROR | http auth error: Error: certificate has expired
INVALID_AUTH_DATA | invalid authentication data
CLIENT_DISCONNECTED | null

It seems that the key files linked by the deepstream docker image are not updated? or what kind of log files should I provide for the investigation? Thank you very much.

Have you checked that all occurrences or , <port_tomcat>, <port_deepstream>, and <password_keystore> were correctly replaced in all configuration files?
When we came across the same problem that was the solution for us.

The problem this time seems to be caused by the expiration of Let’s Encrypt Root Certificate.
(Companies Face Issues as Let's Encrypt Root Certificate Expires)
As the deepstream involved is an old software it could not recognise the new root CA from Let’s Encrypt.

As a temp workaround, we changed to use zero ssl currently, prepared the corresponding cert files and seems it is working now. I think mobile coach will come up with a more long-term solution for us to handle this problem.

Hi there,

You are absolutely right. This was due to the expiry of the Root Cert that let’secnrypt was using. We couldn’t work on an automated certificate retrievel yet using ZeroSSL over the weekend when it happened, but for our ongoing studies we also resorted to using ZeroSSL for now and converting the certificates to the appropriate formats s.t. minimal changes had to be made in the config/docker-compose files.

Glad to hear you could fix it for your instance.

Cheers

Oh, yes.
I’m a bit lost. How can I convert the files from ZeroSSL to the appropriate format?
It’s clear to use the following for converting crt to pem:
openssl rsa -in KEY.key -text > privkey.pem
openssl x509 -inform PEM -in certificate.crt > cert.pem
openssl x509 -inform PEM -in ca_bundle.crt > chain.pem

But I’m wondering how to generate the fullchain.pem file or would it be sufficient to concatenate cert.pen and chain.pem?

For creating full chain, you first need root ca. You can get it here: USERTrust RSA Certification Authority - Root certificate.

wget http://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt should get the root cert and you can then change it into .pem format. Let’s call it ca_root.pem.

Then cat cert.pem chain.pem ca_root.pem >> fullchain.pem should create the file necessary.