error reading X.509 key or certificate file

Question

I'm setting hawkBit server and swupdate with SSL/TLS enabled (HTTPS). The steps are:

1. Generate key

   # Generate self signed root CA cert: ca.crt and ca.key
   openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 3650
   # Input the info with CN is <domain>
   
   # Generate server cert to be signed: server.csr and server.key
   openssl req -nodes -newkey rsa:2048 -keyout server.key -days 1095 -out server.csr
   # Input the info with CN is <domain>
   
   # Sign the server csr: server.crt
   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1095 -out server.crt
   
   # Create pkcs12: server.p12
   openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
   # Enter Export Password:
   # Verifying - Enter Export Password:
   
   # import pkcs#12 to Java key store
   keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \
       -destkeystore server.jks -deststoretype pkcs12 \
       -alias 1 -deststorepass <pass> -srcstorepass <pass>
   

2. Configure hawkBit

   hawkbit.artifact.url.protocols.download-http.protocol=https
   hawkbit.artifact.url.protocols.download-http.port=<port>
   security.require-ssl=true
   server.use-forward-headers=true 
   
   server.ssl.key-store=/home/huong/software-update-server/hawkbit/hawkbit-runtime/hawkbit-update-server/jks/self_signed.p12
   server.ssl.key-store-password=<pass>
   server.ssl.key-password=<pass>
   server.ssl.enabled=true
   server.ssl.protocol=TLS
   server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
   

   At this time, I'm able to access hawkBit with https on browser.

3. Configure swupdate

• Enable: CONFIG_CURL_SSL, CONFIG_DOWNLOAD_SSL, CONFIG_CHANNEL_CURL_SSL, and CONFIG_SURICATTA_SSL

• Run command: swupdate -v -k /etc/public.pem -f /suricatta.cfg -u ""

• suricatta.cfg with suricatta section:

  suricatta :
  {
      tenant      = "DEFAULT";
      id          = "dev01";
      confirm     = 0;
      url         = "https://<domain>:<port>";
      polldelay   = 20;
      nocheckcert = false;
      retry       = 4;
      retrywait   = 200;
      loglevel    = 10;
      userid      = 1000;
      groupid     = 1000;
      cafile      = "/ca.crt";
      sslkey      = "/server.key";
      sslcert     = "/server.crt";
      gatewaytoken    = "<getway_token>";
      /*
      targettoken     = "3bc13b476cb3962a0c63a5c92beacfh7";
      */
  };
  

The log shows the error:

[DEBUG] : SWUPDATE running :  [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
*   Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#0)
* found 1 certificates in /ca.crt
* ALPN, offering http/1.1
* error reading X.509 key or certificate file
* Closing connection 0
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (35): 'SSL connect error'

When running swupdate by the command: swupdate -v -k /etc/public.pem --ca-path="/chain.pem" -u '-t DEFAULT -u https://<domain>:<port> -i dev01 -g <getway_token>', with chain.pem is public key of server (archive by openssl rsa -in server.key -pubout -out chain.pem), or chain.pem is ca's public key or chain of the public key of ca and server, log shows the error:

[DEBUG] : SWUPDATE running :  [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
*   Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#1)
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 1
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (60): 'SSL peer certificate or SSH remote key was not OK'

Please don't tell me to use server.crt or server.p12 or ca.crt as --ca-path because it shows the error:

[ERROR] : SWUPDATE failed [0] ERROR corelib/swupdate_rsa_verify.c : load_pubkey : 52 : unable to load key filename /chain.pem
[ERROR] : SWUPDATE failed [0] ERROR corelib/verify_signature.c : swupdate_dgst_init : 135 : Error loading pub key from /chain.pem

and I think PEM_read_bio_PUBKEY can't get the public key from a certificate.

In hawkBit log, I don't found any weird log.

So please guide me to config swupdate to run with hawkBit with SSL/TLS enabled.

• Which certificate/key do I have to use on swupdate side?
• Should I use a config file instead of --ca-path argument?

Thanks in advance!