Truststore validation in ATAK

[jasonmhite]

First off, very cool project. Has been much easier to get set up with than some of the other TAK related projects and I'm having fun digging in.

That said, I'm struggling a bit with SSL and could use some guidance. I've tried just about everything, and I can successfully connect over SSL to goatak in ATAK. It connects and seems to be able to communicate, however it constantly nags me with this warning:

I've tried following the self-signed CA in the docs and also modifying it to use my own trusted CA installed on my devices. Both connect and are talking to goatak, I can even send data back and forth. But I can't get it to be happy with the truststore and make it stop with that annoying message pop up every time.

I will also note that I can't seem to get certificate enrollment to work despite setting up the external validation through a reverse proxy using a certificate I signed with my trusted CA (which is also trusted by the system running goatak).

[kdudkov]

didn't test self-signed certs for a while - may be it's a new validation in client. What version of ATAK do you use?

[jasonmhite]

I tried the self-signed setup you have in the documentation as well as generating them using my own valid CA that is installed on all devices, both give me the error.

ATAK version is the latest, 5.2.0.3. I haven't tried it on an older version, I probably could.

[rbalashevich]

@jasonmhite Hi! Modern ATAK / WinTAK app versions require the whole certificate trust chain including all the CAs. Plus you need the client certificate narrowly for goatak_server to establish your connection. Regarding LetsEncrypt: a truststore containing both intermediate (i.e. R11) and root (X1) is mandatory. Java / OpenJDK keytool may be your fellow (the more powerful tool than openssl in this particular case):

openssl crl2pkcs7 -nocrl -certfile /etc/letsencrypt/live/whatsaround.live/fullchain.pem | openssl pkcs7 -print_certs -noout

curl -O https://letsencrypt.org/certs/isrgrootx1.pem
awk 'BEGIN{c=0}/BEGIN CERT/{c++}c==2' /etc/letsencrypt/live/whatsaround.live/fullchain.pem > r11.pem
openssl x509 -in isrgrootx1.pem -out isrgrootx1.der -outform DER
openssl x509 -in r11.pem -out r11.der -outform DER

keytool -importcert -alias letsencrypt-r11 -file r11.der \
  -keystore truststore.jks -storetype JKS -storepass yourpass -noprompt

keytool -importcert -alias isrg-root -file isrgrootx1.der \
  -keystore truststore.jks -storetype JKS -storepass yourpass -noprompt

keytool -importkeystore \
  -srckeystore truststore.jks -srcstoretype JKS -srcstorepass yourpass \
  -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass yourpass 

By the end, with keytool -list -keystore truststore.p12 -storetype PKCS12 -storepass yourpass you should see the 'two-CA sandwich truststore'. Import .p12 file into the app and try to establish a connection. Remember: goatak_server 's client cert is also expected! Good luck.