
I wrote a golang program which uses mTLS certs:

    package main

    import (
        "context"
        "log"

        "github.com/falcosecurity/client-go/pkg/client"
    )

    // fmt, io, outputs and jsonpb were imported but never used in the posted
    // program; Go refuses to compile unused imports, so they are dropped here.
    func main() {
        // Set up a connection to the server. The client key pair is loaded
        // inside NewForConfig, which is where the "error loading the X.509
        // key pair" failure below is raised.
        c, err := client.NewForConfig(context.Background(), &client.Config{
            Hostname:   "localhost",
            Port:       5060,
            CertFile:   "/etc/falco/certs/client.crt",
            KeyFile:    "/etc/falco/certs/client.key",
            CARootFile: "/etc/falco/certs/ca.crt",
        })
        if err != nil {
            log.Fatalf("unable to connect: %v", err)
        }
        defer c.Close()
    }

I generated certificates using openssl in the location /etc/falco/certs. On running the program I am getting this error:

2021/10/21 11:58:22 unable to connect: error loading the X.509 key pair: open /etc/falco/certs/client.key: permission denied
exit status 1

How to fix this?

Sathya
  • *Permission denied* says that the key cannot be read. You need to make sure that the user running the application has actually the permissions to read both the file and also has rx permissions to all directories leading to this file. – Steffen Ullrich Oct 21 '21 at 07:13
  • How to do that? – Sathya Oct 21 '21 at 08:06
  • *"How to do that?"* - I'm not sure what exactly the problem is with doing that. If you have basic knowledge of how UNIX file permissions work it should be easy. If you don't have this knowledge it might be best to get it. There is enough information on the internet about this; try for example https://kb.iu.edu/d/abdb – Steffen Ullrich Oct 21 '21 at 08:55

2 Answers


Check the owner and permissions mask of the files in /etc/falco/certs. If the owner of those files does not match the same user that you are running your code as, you'll get a permission error. On most linux systems, the .key file needs to be set with a mode of 600, so if I had to guess which of those files is probably throwing your error it would be the client.key file. Try running

chmod 640 on the key and 644 on the cert files, then make sure the user you're running code as owns those files or is at least in the group that the files belong to and see what happens.

Jim
  • My key files are openable; they have some cross symbol on them – Sathya Oct 22 '21 at 03:13
  • So just to confirm, when you list the directory containing the key and cert files the permissions for the files look something like this? -rw-r--r-- ca.crt -rw-r--r-- client.crt -rw-r----- client.key – Jim Oct 22 '21 at 06:08
  • 
        -rw-r----- 1 root root 3247 Oct 20 09:21 client.key
        -rw-r--r-- 1 root root 2017 Oct 20 09:19 ca.crt
        -rw-r--r-- 1 root root 1874 Oct 20 09:21 client.crt
    – Sathya Oct 23 '21 at 05:53
  • My permissions look like this... – Sathya Oct 25 '21 at 06:16
  • If you are not running your program as root, then you will get the permission denied error on the .key file. Are you running it as user root? If not, then you will need to change the key file to be owned by the user you are running the program as. – Jim Oct 27 '21 at 22:55

Resolved this by running these commands and changing the permissions of the files:

    sudo chmod o+r+w client.key
    sudo chmod o+r+w ca.key
    sudo chmod o+r+w server.key
Sathya
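An added example (not code from the question, from either answer, or from the Falco client-go project) that covers both points raised above: Jim's answer, that a key owned root:root with mode 0640 is unreadable for an unprivileged service user, and the accepted fix of `chmod o+r+w`, which makes the private key readable and writable by every local user. The pre-flight check below, run before `client.NewForConfig`, stats the key and reports exactly which directory or file denies access and who owns it, and refuses to proceed if the "other" permission bits are set at all, pointing at the group-based fix (`chgrp`, `chmod 640`, add the service user to the group) instead. The key path and the error-message wording are the only assumptions; everything else is standard library.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// ErrTooPermissive means the key has "other" bits set (e.g. after chmod o+rw):
// every local user can read it, so it is no longer a private key. We refuse
// to use it rather than silently load it.
var ErrTooPermissive = errors.New("private key is accessible to all users")

// CheckPrivateKey explains, before tls.LoadX509KeyPair reduces everything to
// "permission denied", why the process with effective uid euid cannot use
// keyPath, and rejects keys whose mode leaks them. nil means usable and sane.
func CheckPrivateKey(keyPath string, euid int) error {
	info, err := os.Stat(keyPath)
	if err != nil {
		if errors.Is(err, fs.ErrPermission) {
			// Stat only fails with EACCES when a directory on the way lacks the
			// search (x) bit for this user; name it so the fix is precise.
			return fmt.Errorf("%s: uid %d cannot traverse directory %s (needs x, e.g. chmod g+x with the right group)",
				keyPath, euid, firstUnsearchableDir(keyPath))
		}
		return err // does not exist, etc.
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", keyPath)
	}
	perm := info.Mode().Perm()
	if perm&0o007 != 0 {
		return fmt.Errorf("%s has mode %04o: %w (use chmod 640 and grant access through the group)",
			keyPath, perm, ErrTooPermissive)
	}
	f, err := os.Open(keyPath)
	if err == nil {
		return f.Close()
	}
	if !errors.Is(err, fs.ErrPermission) {
		return err
	}
	// Read denied on the file itself: report ownership so the operator can see
	// that e.g. root:root 0640 is unreadable for an unprivileged service user.
	st, ok := info.Sys().(*syscall.Stat_t) // Unix-only detail; fine for Falco hosts
	if !ok {
		return err
	}
	return fmt.Errorf("%s is owned by uid %d gid %d with mode %04o; uid %d is neither owner nor in the group. "+
		"Fix: chgrp <service-group> %s && chmod 640 %s, and put the service user in <service-group> (not chmod o+r)",
		keyPath, st.Uid, st.Gid, perm, euid, keyPath, keyPath)
}

// firstUnsearchableDir walks the ancestors of p from the root down and returns
// the first directory this process cannot search. If every ancestor can be
// stat'ed, the immediate parent is the one denying access to the file.
func firstUnsearchableDir(p string) string {
	abs, err := filepath.Abs(p)
	if err != nil {
		return filepath.Dir(p)
	}
	var chain []string // root ... parent of the file
	for d := filepath.Dir(abs); ; d = filepath.Dir(d) {
		chain = append([]string{d}, chain...)
		if d == filepath.Dir(d) {
			break
		}
	}
	for i, d := range chain {
		if _, err := os.Stat(d); errors.Is(err, fs.ErrPermission) {
			// stat(d) needs search on d's parent, so the parent is the culprit.
			if i > 0 {
				return chain[i-1]
			}
			return d
		}
	}
	return chain[len(chain)-1]
}

func main() {
	keyPath := "/etc/falco/certs/client.key" // same path as in the question; assumption
	if len(os.Args) > 1 {
		keyPath = os.Args[1]
	}
	if err := CheckPrivateKey(keyPath, os.Geteuid()); err != nil {
		fmt.Fprintln(os.Stderr, "key check failed:", err)
		os.Exit(1)
	}
	fmt.Println("key is readable and not world-accessible:", keyPath)
}
```

Run it as the same user that will run the Falco client (`go run . /etc/falco/certs/client.key`). With the listing posted in the comments (root:root, 0640) and a non-root user it reports the owner and group and the chgrp/chmod 640 fix; after the accepted answer's `chmod o+r+w` it refuses with `ErrTooPermissive`, because mode 0646 means any local account can read and overwrite the client's private key. The ownership report is Unix-only because it reads `syscall.Stat_t`.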