How should I set up ra-tls-secret-prov in different machines?

[Zebartin]

I am trying ra-tls-secret-prov with gramine v1.2, with server on host machine and client on guest virtual machine. Both seem ok when running make check_dcap.

I edited src/secret_prov_client.c as follows, adding IP of host machine, 10.12.2.41, to SECRET_PROVISION_SERVERS.

if (!is_constructor) {
    /* secret provisioning was not run as part of initialization, run it now */
    ret = secret_provision_start("dummyserver:80;10.12.2.41:4433;localhost:4433;anotherdummy:4433",
    CA_CRT_PATH, &ctx);
    if (ret < 0) {
        fprintf(stderr, "[error] secret_provision_start() returned %d\n", ret);
        goto out;
    }
}

After I started server on host machine, I ran gramine-sgx ./secret_prov_client on the guest machine, but ended up with [error] secret_provision_start() returned -9984, which means 0x2700 X509 - Certificate verification failed, e.g. CRL, CA or signature check failed, and the server side seemed to receive nothing.

What should I do in order to work it through? Thank you for your guidance.

[dimakuv]

@Zebartin You can take a look at this: https://github.com/gramineproject/contrib/tree/master/Examples/aks-attestation#preparing-client-sgx-application-and-server-secret-provisioning-service-images

Basically, I think you didn't change the server certificate. For the certificate to be "trusted" by the client, the certificate must adhere to certain rules. One of these rules is that the certificate's "Common Name" (CN) field must match the DNS name of the machine on which it runs. (For example, the certificate on this very web page has a CN = github.com.)