Unable to sign with Estonian eID card #1281

Closed
flokli opened this issue Aug 14, 2024 · 4 comments

@flokli

flokli commented Aug 14, 2024

Hey!

I've been getting reports from a user using the latest version of qdigidoc4 and libdigidocpp that signing with their ID card fails: NixOS/nixpkgs#334397. SmartID signing also seems to be broken; there was some certificate error in April, and now it is stumbling over a TSL XML signature error.

The logs seem to suggest the default TSA URL configured in libdigidocpp to be unreachable:

Failed to connect to host: 'dd-at.ria.ee:80'

There are also traces of this URL being changed in libdigidocpp, however, not in a release yet.

I switched libdigidoc to this commit and restored config defaults. It picks up another URL, but still complains about wrong SSL certificates there:

image

I also tried with digidoc-tool, it complains about being unable to parse TSL XML files:

❯ /nix/store/802v0dcr9b7vsb1l1vi18fc98l2b7bqj-libdigidocpp-unstable-2024-07-17-bin/bin/digidoc-tool create --file=CONTRIBUTING.md contributing.asice
Version
  digidoc-tool version: 3.18.0.0
  libdigidocpp version: 3.18.0.0
2024-08-14T07:39:11Z E [TSL.cpp:311] - TSL eu-lotl.xml signature is invalid
2024-08-14T07:39:12Z I [X509CertStore.cpp:63] - Loaded 0 certificates into TSL certificate store.
Available certificates:
  label: XXXX
Selected:
  label: XXXX
Please enter PIN for token 'XXXX' or <enter> to cancel: 
2024-08-14T07:39:16Z W [TSL.cpp:126] - Failed to parse TSL  /home/flokli/.digidocpp/tsl/EE.xml: /home/flokli/.digidocpp/tsl/EE.xml:1:2 error: invalid document structure
2024-08-14T07:39:16Z E [TSL.cpp:311] - TSL EE.xml signature is invalid
2024-08-14T07:39:16Z I [X509CertStore.cpp:63] - Loaded 58 certificates into TSL certificate store.
    Validation: OK

I'm not quite sure if this is a bug in libdigidoc, it needing a new release, and/or a configuration failure at RIA's side. But it's currently preventing end users from making signatures with their ID card.

Maybe there's a way to bring back the old dd-at.ria.ee:80 endpoint until this all has been fixed and released.
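
An added example, not part of the issue or of libdigidocpp: a small Python triage of the digidoc-tool log lines quoted in the comment above, grouping each TSL error with the certificate-store load that follows it. The function names and the grouping rule are this example's own assumptions; the log lines are copied from the issue.

```python
import re
# Line shape in the quoted output: <UTC time> <level> [<file>:<line>] - <message>
LOG_RE = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ [A-Z] \[[^\]:]+:\d+\] - (?P<msg>.*)$")
SIG_RE = re.compile(r"^TSL (\S+) signature is invalid$")
PARSE_RE = re.compile(r"^Failed to parse TSL\s+(\S+?):")
STORE_RE = re.compile(r"^Loaded (\d+) certificates into TSL certificate store\.$")

# Log lines copied from the issue; the Version banner and card labels are left out.
SAMPLE = """\
2024-08-14T07:39:11Z E [TSL.cpp:311] - TSL eu-lotl.xml signature is invalid
2024-08-14T07:39:12Z I [X509CertStore.cpp:63] - Loaded 0 certificates into TSL certificate store.
Please enter PIN for token 'XXXX' or <enter> to cancel:
2024-08-14T07:39:16Z W [TSL.cpp:126] - Failed to parse TSL  /home/flokli/.digidocpp/tsl/EE.xml: /home/flokli/.digidocpp/tsl/EE.xml:1:2 error: invalid document structure
2024-08-14T07:39:16Z E [TSL.cpp:311] - TSL EE.xml signature is invalid
2024-08-14T07:39:16Z I [X509CertStore.cpp:63] - Loaded 58 certificates into TSL certificate store.
    Validation: OK
"""

def load_cycles(text):
    """Group TSL problems with the certificate-store load logged after them."""
    cycles, problems = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # banner, PIN prompt, "Validation: OK" and other non-log lines
        msg = m["msg"]
        if s := SIG_RE.match(msg):
            problems.append(("signature-invalid", s[1]))
        elif p := PARSE_RE.match(msg):
            problems.append(("parse-failed", p[1]))
        elif c := STORE_RE.match(msg):
            cycles.append({"loaded": int(c[1]), "problems": problems})
            problems = []
    if problems:  # errors that were never followed by a store load
        cycles.append({"loaded": None, "problems": problems})
    return cycles

def review(cycles):
    """List loads that deserve a look: an empty store, or any load preceded by errors."""
    out = []
    for i, c in enumerate(cycles, 1):
        n, probs = c["loaded"], c["problems"]
        state = "no store load logged" if n is None else f"{n} certificates loaded"
        if n == 0 or probs:
            out.append(f"load {i}: {state}; preceding errors: {probs}")
    return out

if __name__ == "__main__":
    print("\n".join(review(load_cycles(SAMPLE))))
```

On the quoted output this reports two loads: the first with 0 certificates after the eu-lotl.xml signature error, the second with 58 certificates after the EE.xml parse and signature errors.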

@kristelmerilain
Contributor

This is fixed in the newest DigiDoc4 release.

@hellwolf

hellwolf commented Nov 3, 2024

I am also having the same issue. @flokli, do you still have the same issue?

@hellwolf

hellwolf commented Nov 3, 2024

@flokli actually, I just managed to do it following the information from #1276:

$ nix-shell -p openssl
nix-shell$ openssl s_client -showcerts -connect eid-dd.ria.ee:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > eid-ts.pem

Set time-stamp service to "https://eid-dd.ria.ee/ts" in settings, and add the certificate above.

@flokli
Author

flokli commented Nov 3, 2024

Check NixOS/nixpkgs#334397. For some reason I don't have the issue (using NixOS unstable), but others seem to do.

I recall once having added the SSL certificate to the qdigidoc config, but since then the config should have been removed again multiple times.
