AtomGraph / LinkedDataHub-Apps

System, demo, and user-submitted applications built on LinkedDataHub
https://linkeddatahub.com/demo/
Apache License 2.0

Error: `error reading X.509 potentially-encrypted key file: Decryption has failed.` #4

Closed tmciver closed 4 years ago

tmciver commented 4 years ago

When trying to run install.sh in the docs directory, I get the following error:

error reading X.509 potentially-encrypted key file: Decryption has failed.

Do I need to decrypt a key somewhere? My familiarity with PKI is limited.

namedgraph commented 4 years ago

Hi. I think I'm experiencing the same on Ubuntu (on Windows). Somehow the owner.p12.pem certificate generated within the LDH container cannot be decrypted by the host Ubuntu OpenSSL (or its different version). Would that match what you're experiencing? I haven't pinned down the exact cause yet.

My workaround is to re-generate the owner.p12.pem from owner.p12 on the host, i.e. on Ubuntu in my case. Since you launch the CLI scripts from the host, OpenSSL decrypts the key because it was also generated on the host. I have a little bash script (I run it from the LDH root folder):

#!/bin/bash
# Re-create owner.p12.pem from owner.p12 using the host's own OpenSSL.
# openssl first asks for the "Import Password" (the PKCS#12 password) and then
# for a "PEM pass phrase" that protects the private key it writes out.
pushd . > /dev/null && cd certs
openssl pkcs12 -in "owner.p12" -out "owner.p12.pem"
popd > /dev/null

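A way to see which encryption scheme a given PEM key actually uses, so that the container-generated and the host-regenerated owner.p12.pem can be compared side by side, as an added example that is not part of this thread or of LinkedDataHub. It needs only the Python standard library; the PEM blocks it ships with are constructed inside the file around placeholder ciphertext and are not real keys, and the PBES2 encoder covers short-form DER lengths only, which is all the constructed samples need. The thread never pins down the cause of the "Decryption has failed" error, so the script only reports facts about the key (PKCS#8 PBES2 versus the older OpenSSL `Proc-Type`/`DEK-Info` format, the KDF, the PRF, the cipher and the iteration count) rather than guessing what a particular GnuTLS or OpenSSL build can or cannot decrypt.

```python
"""Report which encryption scheme a PEM private key uses.
Added example, not code from the LinkedDataHub-Apps thread or project; standard
library only, and every PEM block below is constructed with placeholder ciphertext."""
import base64
import re

OID_NAMES = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
             "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
             "2.16.840.1.101.3.4.1.42": "aes256-CBC", "1.2.840.113549.3.7": "des-EDE3-CBC"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der(tag, body):  # short-form lengths only; enough for the constructed samples
    return bytes([tag, len(body)]) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))


def parse_tlv(buf, pos=0):  # -> (tag, value, next_pos); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


def oid_name(body):  # DER OID body -> dotted form, mapped to a name if known
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)


def describe_pkcs8(der_bytes):  # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgId, OCTET STRING }
    _, epki, _ = parse_tlv(der_bytes)
    alg_id, _ciphertext = children(epki)
    scheme_oid, params = children(alg_id[1])
    info = {"format": "pkcs8-encrypted", "scheme": oid_name(scheme_oid[1])}
    if info["scheme"] != "PBES2":
        return info  # PBES1: the scheme OID alone fixes KDF and cipher
    kdf, enc = children(params[1])
    kdf_oid, kdf_params = children(kdf[1])
    fields = children(kdf_params[1])  # salt, iterationCount, [keyLength], [prf]
    info["kdf"] = oid_name(kdf_oid[1])
    info["iterations"] = int.from_bytes(fields[1][1], "big")
    info["prf"] = "hmacWithSHA1"  # RFC 8018 default when the prf field is absent
    for tag, val in fields[2:]:
        if tag == 0x30:
            info["prf"] = oid_name(children(val)[0][1])
    info["cipher"] = oid_name(children(enc[1])[0][1])
    return info


def classify_pem(text):  # first private-key block; certs and Bag Attributes are skipped
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            return describe_pkcs8(base64.b64decode("".join(body.split())))
        if label.endswith("PRIVATE KEY"):
            if "Proc-Type: 4,ENCRYPTED" in body:  # older OpenSSL PEM-level encryption
                dek = re.search(r"DEK-Info: ([^,\s]+)", body)
                return {"format": "legacy-openssl", "cipher": dek.group(1) if dek else "?"}
            return {"format": "unencrypted", "label": label}
    return {"format": "no-private-key"}


def build_sample_pkcs8(prf_oid=None, cipher_oid="2.16.840.1.101.3.4.1.42", iterations=2048):
    """Constructed PBES2 header around placeholder ciphertext (not a real key)."""
    kdf_fields = der(0x04, b"\x00" * 8) + der(0x02, iterations.to_bytes(2, "big"))
    if prf_oid:  # leave out to exercise the hmacWithSHA1 default
        kdf_fields += der(0x30, der_oid(prf_oid) + der(0x05, b""))
    kdf = der(0x30, der_oid("1.2.840.113549.1.5.12") + der(0x30, kdf_fields))
    enc = der(0x30, der_oid(cipher_oid) + der(0x04, b"\x11" * 16))
    alg = der(0x30, der_oid("1.2.840.113549.1.5.13") + der(0x30, kdf + enc))
    b64 = base64.encodebytes(der(0x30, alg + der(0x04, b"\x22" * 32))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 + "-----END ENCRYPTED PRIVATE KEY-----\n"


# Constructed stand-ins: the cert+key layout `openssl pkcs12 -in ... -out ...` writes,
# and the older OpenSSL key format with PEM headers.
SAMPLE_BUNDLE = ("Bag Attributes\n    friendlyName: owner\n"
                 "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                 "Bag Attributes\n    friendlyName: owner\n" + build_sample_pkcs8("1.2.840.113549.2.9"))
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0102030405060708\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

To check a real file, call `classify_pem(open("owner.p12.pem").read())` on both the container-generated and the host-regenerated copy and diff the two dictionaries; a difference in `prf`, `cipher` or `format` is the first thing worth reporting in an issue like this one. The PRF defaults to hmacWithSHA1 when the field is absent, which is why the script states it explicitly instead of leaving the key empty.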
tmciver commented 4 years ago

I tried regenerating owner.p12.pem on the host but it did not resolve the issue. I'm not sure I did it right though. The above script asks for both an "Import Password" and a "PEM pass phrase" for which I entered the same password that I configured LDH with for each of them. Is that correct?

namedgraph commented 4 years ago

Yes that's what I do. Did you restart the service afterwards?

Could you send me the log of the shell scripts?

namedgraph commented 4 years ago

@tmciver could you provide some more info about this issue?

tmciver commented 4 years ago

@namedgraph sorry for going silent - busy as usual. I hadn't originally restarted the services but I tried that to no avail. I also tried regenerating owner.p12.pem again - no luck.

When I run the script, I get:

$ export SCRIPT_ROOT=~/workspace/linkeddata/linked-data-hub/scripts/; ./install.sh https://localhost:4443/ ../../../linked-data-hub/certs/owner.p12.pem <my-password>
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs

### Making the app public

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 4443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 513 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 potentially-encrypted key file: Decryption has failed.
* Closing connection 0
curl: (35) error reading X.509 potentially-encrypted key file: Decryption has failed.
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs

### Creating authorizations

~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs

### Creating authorization for https://localhost:4443/reference/dataspace/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 4443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 513 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 potentially-encrypted key file: Decryption has failed.
* Closing connection 0
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs

### Creating authorization for https://localhost:4443/reference/administration/
^C

I just Ctrl-C after a couple of errors. I hope that helps.

namedgraph commented 4 years ago

Hmm... What OS are you on?

I can think of two things:

tmciver commented 4 years ago

I looked into this a bit more to no avail. Yes, the file is really at that path. I tried

I also tried separating the certificate from the key per the serverfault.com link you gave above and then issuing the following curl command

curl -v --cert cert.pem --cert-type PEM --key key.pem --key-type PEM --pass password https://localhost:4443

but it gave a similar error:

curl: (35) error reading X.509 potentially-encrypted key file: Error while reading file.

I'm at a loss . . .

tmciver commented 4 years ago

I also verified the key and certificate match per the instructions here.

namedgraph commented 4 years ago

@tmciver can we try to see if it's not an environment issue? What's the OS and its version and the output of curl -V?

tmciver commented 4 years ago

I'm running this on Ubuntu 16.04 (old, I know. I should probably just upgrade and see if that resolves it.)

$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

tmciver commented 4 years ago

I tried the install script mentioned above in a fresh Ubuntu 20.04 VM and it worked! I think we can chalk this up to an old version of . . . something. Thanks for the help with this @namedgraph!

namedgraph commented 4 years ago

Awesome! Without regenerating the client.p12.pem or anything?

tmciver commented 4 years ago

Correct, I did not have to regenerate the cert files.