Question

tls: failed to verify certificate: x509: certificate specifies an incompatible key usage


I am trying to connect to an S3 storage with a self-signed certificate.

Installed root CA certificate following https://docs.kasten.io/latest/install/advanced.html#install-root-ca-in-veeam-kasten-s-namespace

./k10tools debug ca-certificate

CA Certificate Checker:
  Fetching configmap which contains CA Certificate information : custom-ca-bundle-store
  Certificate exists in configmap  -  OK
  Found container aggregatedapis-svc to extract certificate
  Certificate exists in container at /etc/ssl/certs/custom-ca-bundle.pem
  Certificates matched successfully  -  OK

However, when trying to add a location I get:

GetBucketLocation: RequestError: send request failed caused by: Get "https://redacted:9000/veeam-kasten?location=": tls: failed to verify certificate: x509: certificate specifies an incompatible key usage

In the key usage of my self-signed certificate I have:

X509v3 Extended Key Usage:
    TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
X509v3 Key Usage:
    Digital Signature, Key Encipherment

What key usage does Kasten expect so it would work? What key usage am I missing?
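Editor's note with an added example; this is not code from the thread, from Kasten or from MinIO. The quoted text after "caused by:" is Go's crypto/x509 wording: Certificate.Verify returns "x509: certificate specifies an incompatible key usage" when it cannot build a chain in which every certificate, the root included, permits the extended key usage the caller asked for. A TLS client asks for serverAuth only, so clientAuth on a server certificate is neither required nor checked, and neither the KeyUsage bit string (Digital Signature, Key Encipherment) nor the signature algorithm takes part in this check. The program below mints a throwaway RSA root CA and an ECDSA leaf for the assumed hostname minio.example.internal, signs the leaf SHA-512-with-RSA as in the question, and runs that same verification with different extendedKeyUsage contents on the leaf and on the CA. The OID 1.3.6.1.5.5.8.2.2 is carried through as an unknown EKU next to serverAuth, which Go accepts; a CA certificate whose own EKU extension omits serverAuth (and anyExtendedKeyUsage) produces the error even with a correct leaf, which is worth ruling out with `openssl x509 -in ca.pem -noout -text` before suspecting cipher suites. Hostname, key sizes, serial numbers and validity periods are constructed lab values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ikeIntermediate (1.3.6.1.5.5.8.2.2) sat next to serverAuth in the poster's
// certificate. Go does not know it, so it is parsed into UnknownExtKeyUsage.
var ikeIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// Lab keys (constructed data), generated once and shared by every scenario.
var (
	caKey, _   = rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
)

// ekuSpec is one certificate's extendedKeyUsage extension. The zero value means
// the extension is absent, which Go's verifier treats as "any usage allowed".
type ekuSpec struct {
	known   []x509.ExtKeyUsage
	unknown []asn1.ObjectIdentifier
}

// mint signs tmpl with priv under parent and parses the result.
func mint(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkChain builds a root CA carrying caEKU and a server certificate for
// minio.example.internal carrying leafEKU, then verifies the leaf the way a Go
// TLS client does: against that root, asking for serverAuth only. The leaf is
// signed SHA-512-with-RSA with KeyUsage digitalSignature+keyEncipherment, as in
// the question; neither of those is consulted by the EKU check.
func checkChain(caEKU, leafEKU ekuSpec) error {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: caEKU.known, UnknownExtKeyUsage: caEKU.unknown,
	}
	caCert, err := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return fmt.Errorf("build CA: %w", err)
	}
	leafCert, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"minio.example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        leafEKU.known, UnknownExtKeyUsage: leafEKU.unknown,
		SignatureAlgorithm: x509.SHA512WithRSA,
	}, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return fmt.Errorf("build leaf: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leafCert.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: "minio.example.internal",
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // crypto/tls default
	})
	return err
}

// isIncompatibleKeyUsage reports whether err is the failure from the thread: Go
// found no chain in which every certificate, root included, permits serverAuth.
func isIncompatibleKeyUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	ike := []asn1.ObjectIdentifier{ikeIntermediate}
	for _, c := range []struct {
		name     string
		ca, leaf ekuSpec
	}{
		{"leaf serverAuth+IKE, CA no EKU", ekuSpec{}, ekuSpec{known: []x509.ExtKeyUsage{srv}, unknown: ike}},
		{"leaf clientAuth only, CA no EKU", ekuSpec{}, ekuSpec{known: []x509.ExtKeyUsage{cli}}},
		{"leaf serverAuth, CA clientAuth only", ekuSpec{known: []x509.ExtKeyUsage{cli}}, ekuSpec{known: []x509.ExtKeyUsage{srv}}},
		{"leaf serverAuth, CA serverAuth+clientAuth", ekuSpec{known: []x509.ExtKeyUsage{srv, cli}}, ekuSpec{known: []x509.ExtKeyUsage{srv}}},
	} {
		fmt.Printf("%-45s -> %v\n", c.name, checkChain(c.ca, c.leaf)) // <nil> means accepted
	}
}
```

`go run` prints the verification result per scenario: the first and last are accepted, the two middle ones fail with the exact "incompatible key usage" text from the question. To test a real chain instead of the lab one, decode the CA and server PEM files with encoding/pem and x509.ParseCertificate and hand them to the same Verify call; if the CA file shows an X509v3 Extended Key Usage line without "TLS Web Server Authentication", that alone reproduces the error regardless of what the server certificate says.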

6 comments

MicoolPaul
  • 2358 comments
  • February 23, 2025

You’re missing client authentication. As you’re using TLS communication you’ll require both client & server authentication on your certificate 😊


  • Author
  • New Here
  • 4 comments
  • February 23, 2025

Thanks for your rapid reply!

It doesn't work with client authentication either:

X509v3 Extended Key Usage:
    TLS Web Client Authentication, TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment

Could 1.3.6.1.5.5.8.2.2 be a problem, as it is IPSec IKE-Intermediate?


  • Author
  • New Here
  • 4 comments
  • February 23, 2025

It works with a certificate generated with certgen following https://min.io/docs/minio/linux/operations/network-encryption.html#enabling-tls

This certificate has these usages:

Key Usages: Digital Signature, Key Encipherment, Certificate Signing
Extended Key Usages: Server Authentication

So I guess the Extended Key Usage Internet Key Exchange (IKE) 1.3.6.1.5.5.8.2.2 in my certificate breaks it.

Thank you guys!


  • Author
  • New Here
  • 4 comments
  • February 23, 2025

Tested again.

The certgen certificate has:

Key Usages: Digital Signature, Key Encipherment, Certificate Signing
Extended Key Usages: Server Authentication

I guess it has Certificate Signing as it is a CA certificate too.

My certificate has:

Key Usages: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication

But I get the same error.

Did somebody manage to create a CSR and sign it with a CA to create the certificate for an S3 storage, use it with Kasten, and share their openssl commands?

How can I troubleshoot this issue further?


Hagag
  • Experienced User
  • 154 comments
  • February 24, 2025

Hi @power22, if you look at the Extended Key Usage of your server certificate, you will see that it only has "TLS Web Server Authentication".

I am not sure, but I think your certificate should have "TLS Web Server Authentication" and "TLS Web Client Authentication" in the X509v3 Extended Key Usage.

Also, the presence of 1.3.6.1.5.5.8.2.2 (IPSec IKE Intermediate) might be causing the issue, as it is not relevant for TLS communication.

For example, the below should work:

X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

Thanks,
Ahmed Hagag


  • Author
  • New Here
  • 4 comments
  • February 24, 2025

Hi guys (@MicoolPaul, @Hagag)

 

I figured it out :-).

As it worked with the certgen certificate from MinIO, I created a new NIST P-256 CA with a new certificate.

Key Usages: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication

And now it works. It was never about the key usage, I think; the error message displayed by Kasten is misleading.

I checked which TLS ciphers MinIO accepts: https://min.io/docs/minio/linux/operations/network-encryption.html#supported-tls-cipher-suites

I checked what I used in my first certificate, which got me the error message about incompatible key usage. My certificate had signature algorithm SHA-512 with RSA Encryption.

I guess this leads to a TLS cipher mismatch? So the correct error message would be "There is a TLS cipher mismatch" instead of "incompatible key usage"?