Comment 2 for bug 1912390

Graham Leggett (minfrin-y) wrote :

Net-snmp has an index of certs, typically /var/lib/net-snmp/cert-indexes (from memory).

Start with this directory empty - no files called 0, 1, 2, etc.

On first run of either client or server, with no index, all the certs are loaded correctly, and the index is populated. The loading of certs will cause CA certificates to be identified as CA certs, and correctly marked. Net-snmp will work exactly once.

On second and subsequent runs, with an index, none of the certs are loaded, just the index. Because the certificate types are not indexed, the query “give me matching CA certs” now returns zero CA certs, because the flag indicating the cert is a CA is now unpopulated. No CA certs are loaded, connections fail with “peer cert not trusted”, and suddenly, after working once, we stop working.

Now a curve ball. You’re confused. You want to figure out what is going on. So you turn on debug. The debug causes the cert to be loaded so the cert can be dumped to the log. This has a side effect that in loading the cert, the CA flag is populated. Suddenly it works again. Stiff coffee all round.

So, to see the problem, switch debug off and run net-snmp in a debugger instead. Run it once and see it work. Run it a second time and see it not work: peer cert is not trusted. This is because net-snmp looks up CA certs in the index, finds zero, and tells the other side to go away.

The fix: modify the index to add a field for cert type.
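The failure sequence in this comment (first run loads certs and sets the CA flag; later runs rebuild the store from an index that never recorded the type; debug output reloads the certs and masks the bug) is easy to reproduce in miniature. The following is an added illustration written for this page, not net-snmp code: the cert files are constructed dicts, `is_ca` stands in for the basicConstraints CA flag that parsing would discover, and all function names are hypothetical. It also shows the defensive check a practitioner would want alongside the fix: detect an index that lacks the type field and rebuild it rather than trusting it.

```python
"""Model of a cert index that drops the CA flag (constructed illustration, not net-snmp code)."""
import json

# Constructed stand-ins for certificate files. A "parsed" cert is a dict;
# is_ca models the basicConstraints CA flag that only becomes known on load.
CERT_FILES = {
    "ca.pem": {"subject": "CN=Example Root CA", "is_ca": True},
    "agent.pem": {"subject": "CN=snmp-agent", "is_ca": False},
    "manager.pem": {"subject": "CN=snmp-manager", "is_ca": False},
}


def load_cert(name):
    """'Load' a cert from its file: parsing populates every derived field, including is_ca."""
    cert = dict(CERT_FILES[name])
    cert["file"] = name
    cert["loaded"] = True
    return cert


def build_index_v1(names):
    """Buggy index: records only what is needed to find the file, no cert type."""
    return [{"file": n} for n in names]


def build_index_v2(names):
    """Fixed index: persists the cert type so CA queries work without reloading."""
    return [
        {"file": n, "type": "ca" if load_cert(n)["is_ca"] else "end-entity"}
        for n in names
    ]


def index_needs_rebuild(index):
    """Defensive check: an index written before the type field existed is incomplete."""
    return any("type" not in entry for entry in index)


def store_from_index(index, debug=False):
    """Second and later runs: build the in-memory store from the index alone.

    With debug on, each cert is loaded so it can be dumped to the log, which as
    a side effect repopulates is_ca (the masking behaviour the comment describes).
    """
    store = []
    for entry in index:
        if debug:
            cert = load_cert(entry["file"])
        else:
            cert = {
                "file": entry["file"],
                "loaded": False,
                # Without a persisted type, the CA flag is simply unknown -> False.
                "is_ca": entry.get("type") == "ca",
            }
        store.append(cert)
    return store


def find_ca_certs(store):
    """The 'give me matching CA certs' query."""
    return [c for c in store if c.get("is_ca")]


def run_sequence(build_index, debug=False):
    """First run loads from files and writes the index; the second run uses
    only the index. Returns (CA count on first run, CA count on second run)."""
    names = sorted(CERT_FILES)
    first = [load_cert(n) for n in names]
    # JSON round-trip stands in for writing the index to disk and reading it back.
    index = json.loads(json.dumps(build_index(names)))
    second = store_from_index(index, debug=debug)
    return len(find_ca_certs(first)), len(find_ca_certs(second))


if __name__ == "__main__":
    print("v1 index, debug off:", run_sequence(build_index_v1))        # (1, 0): works once
    print("v1 index, debug on: ", run_sequence(build_index_v1, True))  # (1, 1): bug masked
    print("v2 index, debug off:", run_sequence(build_index_v2))        # (1, 1): fixed
    print("v1 index needs rebuild:", index_needs_rebuild(build_index_v1(sorted(CERT_FILES))))
```

The point of `index_needs_rebuild` is that a fix which only adds the field to newly written indexes still leaves existing installations with the old, type-less index on disk; checking for the field (or an index format version) and regenerating from the cert files avoids shipping the same silent failure to anyone who upgrades.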