Troubleshooting Guide ================================================================================ In this section, you will find step-by-step instructions on resolving common issues that may arise in while using QKDLite solution. The sub-sections are categorised according to components in the QKDLite solution that are the likely root cause of the issue. Receive "Error [3] in QKD connectivity" error message when creating a new key -------------------------------------------------------------------------------- **Symptom** During key creation operation, you received the following error from the QKDLite Utility in the console .. code-block:: text +--------------------------+ | QKD2HSM utility by pQCee | | | | Copyright (c) pQCee | | info@pqcee.com | +--------------------------+ Error [3] in QKD connectivity ./QKD2HSM executed with rc = 1 **Likely Cause** This error means that QKDLite Utility was unable to connect to the IP address of the supplied QKD KME. There are several possible causes and we can use the ``-debug`` flag for ``QKD2HSM`` to gather more information to identify the root cause. Broken link to custom quantum-safe libcurl library ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **Diagnosis** Perform a create key operation with the debug flag, similar to the example below .. code-block:: bash ./QKD2HSM c \ -slot 0 \ -keyID "MyKey" \ -password "abc123" \ -kme "https://1.2.3.4" \ -remote "SAE_B" \ -debug If you see a line mentioning about "failed setting curves list" (shown below), this means the link to the custom quantum-safe libcurl library has been broken. .. code-block:: text +--------------------------+ | QKD2HSM utility by pQCee | | | | Copyright (c) pQCee | | info@pqcee.com | +--------------------------+ GET_KEY URL is [https://1.2.3.4/api/v1/keys/SAE_B/enc_keys?number=1&size=256] * Trying 1.2.3.4:443... * Connected to 1.2.3.4 (1.2.3.4) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * failed setting curves list: 'mlkem768:x25519' * Closing connection 0 error curl_easy_perform Couldn't use specified SSL cipher Error [3] in QKD connectivity ./QKD2HSM executed with rc = 1 **Solution** To fix the link to the custom quantum-safe libcurl library, execute the commands .. code:: bash cd /lib/x86_64-linux-gnu sudo ln -fs /opt/oqssa/lib/libcurl.so.4.8.0 libcurl.so.4 **Verification** Perform a create key operation again without the debug flag .. code-block:: bash ./QKD2HSM c \ -slot 0 \ -keyID "MyKey" \ -password "abc123" \ -kme "https://1.2.3.4" \ -remote "SAE_B" Your create key operation should execute successfully now. Quantum-safe TLS Proxy service is down ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. note:: This solution applies if you deploy the pQCee Quantum-safe TLS Proxy in front of your quantum KME. **Diagnosis** Perform a create key operation with the debug flag, similar to the example below .. code-block:: bash ./QKD2HSM c \ -slot 0 \ -keyID "MyKey" \ -password "abc123" \ -kme "https://1.2.3.4" \ -remote "SAE_B" \ -debug If you see a line mentioning about "Connection refused" (shown below), this means the container for the quantum-safe TLS proxy container may have stopped running. .. code-block:: text +--------------------------+ | QKD2HSM utility by pQCee | | | | Copyright (c) pQCee | | info@pqcee.com | +--------------------------+ GET_KEY URL is [https://1.2.3.4/api/v1/keys/SAE_B/enc_keys?number=1&size=256] * Trying 1.2.3.4:443... * connect to 1.2.3.4 port 443 from 192.168.1.100 port 44386 failed: Connection refused * Failed to connect to 1.2.3.4 port 443 after 1 ms: Could not connect to server * closing connection #0 error curl_easy_perform Could not connect to server Error [3] in QKD connectivity ./QKD2HSM executed with rc = 1 **Solution** You need to restart the Docker container for the quantum-safe TLS proxy. Follow the steps described below #. Login (via SSH) to the VM running the container for the quantum-safe TLS proxy. #. Check to make sure your Docker image is located in the root of your user home directory. For this example, we will use ``oqs-nginx-a`` as the filename of the image. #. Attempt to restart the Docker image. .. code-block:: console sudo docker run \ --detach \ --restart always \ --name oqs-nginx-a \ -p 443:443 oqs-nginx-a #. If you receive an error similar to the one below, please delete the container first and attempt restart of the Docker image again. .. code-block:: text docker: Error response from daemon: Conflict. The container name "/oqs-nginx-a" is already in use by container "some-hexadecimal-container-id". You have to remove (or rename) that container to be able to reuse that name. #. Delete existing container. .. code-block:: console sudo docker container rm "some-hexadecimal-container-id" #. Restart the Docker image using the earlier ``docker run`` command. **Verification** #. Check that the Quantum-safe TLS Proxy container is running. .. code-block:: bash sudo docker ps -a #. Get the ```` of the VM hosting the Docker image for the quantum-safe TLS proxy. .. code-block:: bash hostname -i #. Verify that the quantum-safe TLS proxy is working as expected by executing the following command from your QKDLite node. .. code-block:: bash curl -k https:// --curves mlkem768 A successful connection will return a HTML homepage reply to the console. #. Verify that your key creation operation now works as per normal. .. code-block:: bash ./QKD2HSM c \ -slot 0 \ -keyID "MyKey" \ -password "abc123" \ -kme "https://" \ -remote "SAE_B"