KDM creator certificate magically changed ->error reading DKDM

G470
Posts: 4
Joined: Tue Oct 26, 2021 11:13 am

Post by G470 »

Hi @all,
hope somebody can help me out solving this issue.
I'm running this great piece of software (KDM creator) on an Ubuntu server.

I generated the leaf certificate to create some DKDM keys,
for a couple of months it worked perfectly. All DKDM files were usable for the KDM creation tool
but suddenly it stopped working.

After some testing I found out that the leaf certificate changed, but the config.xml file seems to be untouched.

For nearly 4 months everything worked fine. No updates on the server or the software.
The timestamp of the config.xml file is untouched.

Is there any kind of automated certificate regeneration?

Best regards
G470
carl
Site Admin
Posts: 2548
Joined: Thu Nov 14, 2013 2:53 pm

Post by carl »

Hello,

There shouldn't be any certificate regeneration except in one case: if you have an old version (with buggy certificate creation) and then install a new one, it will ask you if you want to make some new certificates.

What error do you get when you try to use a "bad" DKDM?

Post by G470 »

Hi Carl, thx for your reply,
when I try to import the previously working DKDM files via the GUI, I get the error message 'Could not decrypt...' (which makes sense as the decryption certificate changed).

I have an Ubuntu server where V 2.16.08 of the KDM creation tool is running.
I'm generating the cinemas.xml via a PHP script, so all cinemas, screens and certificates are updated every few minutes from our database.
We generated some DKDM files and they worked for a few months.

As I'm not touching the GUI and all KDM files are generated via the command line,
I'm pretty sure that nobody clicked the button to regenerate the certificates.

Sometimes I get bad certificates for the cinema screens, so I thought maybe an error in the cinema.xml triggered a regeneration when the GUI was started. Is this possible?

Best regards G470

Post by carl »

Ah - that's a good point - that might be possible... I'll look into that. There should be some backups of the config.xml next to it (config.xml.1, config.xml.2 and so on) so you should be able to recover from those, if you need to?
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Post by Carsten »

That said - if you actually use encryption and DKDMs, you should definitely take care to create your own backups.

Post by carl »

You're right - an error in cinemas.xml is enough to make DoM re-write config.xml with current versions. I fixed that in my local copy so it should be better in 2.16.25.
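
Added example (not part of the thread and not DCP-o-matic code): a way to see which of the numbered backups mentioned above (config.xml.1, config.xml.2, ...) still holds a certificate that the current config.xml no longer contains, by fingerprinting every PEM block. It assumes the certificates are stored in config.xml as PEM text; the function names, the XML tags in the sample and the sample files themselves are constructed for illustration.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

# Assumption: certificates appear in config.xml as PEM text blocks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 over the DER bytes of every PEM certificate block in text."""
    prints = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def certs_only_in_backups(config_path):
    """For each numbered backup beside config_path, list the certificate
    fingerprints it holds that the current file no longer contains."""
    config_path = Path(config_path)
    current = set(pem_fingerprints(config_path.read_text(errors="replace")))
    report = {}
    for backup in sorted(config_path.parent.glob(config_path.name + ".*")):
        if not backup.suffix[1:].isdigit():
            continue  # skip anything that is not config.xml.<number>
        old = pem_fingerprints(backup.read_text(errors="replace"))
        report[backup.name] = [fp for fp in old if fp not in current]
    return report

def make_pem(raw):
    """Constructed stand-in for a certificate (arbitrary bytes, not X.509)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

def demo():
    """Constructed layout: config.xml.2 predates the silent rewrite."""
    with tempfile.TemporaryDirectory() as tmp:
        new, old = make_pem(b"constructed-new-leaf"), make_pem(b"constructed-old-leaf")
        wrap = "<Config><Certificate>{}</Certificate></Config>"  # hypothetical tags
        Path(tmp, "config.xml").write_text(wrap.format(new))
        Path(tmp, "config.xml.1").write_text(wrap.format(new))
        Path(tmp, "config.xml.2").write_text(wrap.format(old))
        return certs_only_in_backups(Path(tmp, "config.xml"))

if __name__ == "__main__":
    for name, missing in demo().items():
        print(name, "holds", len(missing), "certificate(s) absent from config.xml")
```

For a real certificate the digest is the same value `openssl x509 -noout -fingerprint -sha256` reports, apart from the colons and letter case, so a backup's leaf can be matched against the certificate a DKDM was issued to.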