
Server won't start when TLS configuration uses "WindowsLocalMachine" store #6018

Closed
wooti opened this issue Oct 18, 2024 · 5 comments · Fixed by #6019
Labels
defect Suspected defect such as a bug or regression

Comments

@wooti

wooti commented Oct 18, 2024

Observed behavior

I am using a certificate from the Windows Certificate Store (see also) in my TLS configuration. The certificate is stored in the Windows Local Machine certificate store.

port: 3333
http_port: 4444
tls: {
  cert_store: "WindowsLocalMachine"
  cert_match_by: "Subject"
  cert_match: "TestCertificate"
  verify: true
  timeout: 2
}
jetstream: enabled
jetstream: {
  max_memory_store: 1G
  max_file_store: 100G
}

The server refuses to start, with the following error:

nats-server: nats-streaming.conf:3:1: unable to open certificate store or store not available

Expected behavior

The server should load the specified certificate from the Local Machine store, and start successfully.

Server and client version

nats-server: v2.10.22

Host environment

Windows 10, AMD64

Steps to reproduce

This problem goes away if I use the WindowsCurrentUser store, or if I run nats-server.exe in admin mode. Unfortunately corporate policy does not allow either of these workarounds.

Note: This does not seem to be a permissions issue, as there are other applications running in the same (non-administrative) context which can access the Local Machine certificate store. It seems to be an issue with the way NATS attempts access.

@wooti wooti added the defect Suspected defect such as a bug or regression label Oct 18, 2024
@neilalexander
Member

Can you please try commit 14351d1 from the neil/certstorero branch and let me know if that fixes the problem?

@wooti
Author

wooti commented Oct 18, 2024

I don't have a development environment configured - is there a place I can grab a binary for this change?

@neilalexander
Member

neilalexander commented Oct 18, 2024

Yep, try this: https://binaries.nats.dev/binary/github.com/nats-io/nats-server/v2?os=windows&arch=amd64&version=14351d1

It should spit out an .exe file for that commit after a brief wait, but you might need to rename the file to pop the .exe on the end.

@wooti
Author

wooti commented Oct 18, 2024

Amazing, thank you. I can confirm it starts successfully now ☺

@neilalexander
Member

Thanks for confirming, have raised the PR!

derekcollison added a commit that referenced this issue Oct 18, 2024
This should allow access to `CERT_SYSTEM_STORE_LOCAL_MACHINE` from
non-admin users.

Fixes #6018.

Signed-off-by: Neil Twigg <neil@nats.io>
neilalexander added a commit that referenced this issue Oct 29, 2024
This should allow access to `CERT_SYSTEM_STORE_LOCAL_MACHINE` from non-admin users.

Fixes #6018.

Signed-off-by: Neil Twigg <neil@nats.io>
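A diagnostic for the report above and for the referenced commits, added here as an example (it is not code from nats-server or from anyone in this thread): it opens the LocalMachine store first read-only and then read-write from the current session, then matches a certificate by Subject the way the reporter's cert_match_by: "Subject" does. It assumes the certificate lives in LocalMachine\My and that the store name and match string are passed as parameters; the read-only flag being the difference for non-admin users is an assumption drawn from the "certstorero" branch name, not stated on the page.

```powershell
# Added diagnostic, not part of nats-server or this issue thread.
# Assumptions: the certificate is in LocalMachine\My and, as in the report,
# is matched by a Subject containing "TestCertificate".
param(
    [string]$Match = 'TestCertificate',
    [string]$StoreName = 'My'
)

function Open-MachineStore {
    param([System.Security.Cryptography.X509Certificates.OpenFlags]$Flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try {
        $store.Open($Flags)
        return $store
    } catch {
        Write-Host ("Open({0}) failed: {1}" -f $Flags, $_.Exception.Message)
        return $null
    }
}

# 1. Reading the LocalMachine store needs no elevation, so this is expected to succeed
#    in the same non-administrative session the server runs in.
$ro = Open-MachineStore -Flags ([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
if (-not $ro) { exit 1 }

# 2. Opening the same store for writing is expected to fail without elevation.
#    A process that requests write access when it only needs to read a certificate
#    therefore fails for ordinary users even though the certificate is readable.
$rw = Open-MachineStore -Flags ([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ($rw) { $rw.Close(); Write-Host 'ReadWrite open succeeded (elevated session?)' }

# 3. Match by Subject, then report what a TLS listener needs: a private key and a
#    current validity window. HasPrivateKey only says a key is associated; the key's
#    own ACL must still grant read access to the account the server runs under.
$now = Get-Date
$hits = $ro.Certificates | Where-Object { $_.Subject -like "*$Match*" }
if (-not $hits) {
    Write-Host "No certificate with Subject matching '$Match' in LocalMachine\$StoreName"
    $ro.Close(); exit 1
}
foreach ($c in $hits) {
    $state = if ($c.NotBefore -le $now -and $c.NotAfter -ge $now) { 'valid' } else { 'EXPIRED/NOT YET VALID' }
    Write-Host ("{0}  thumbprint={1}  privateKey={2}  {3} (expires {4:yyyy-MM-dd})" -f `
        $c.Subject, $c.Thumbprint, $c.HasPrivateKey, $state, $c.NotAfter)
}
$ro.Close()
```

Run it as the same unprivileged account the server uses; if step 1 succeeds but the server still reports the store as unavailable, the problem is in how the store is opened rather than in store permissions, which is what this report describes.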