Closed tmciver closed 4 years ago
Hi. I think I'm experiencing the same on Ubuntu (on Windows). Somehow the owner.p12.pem certificate generated within the LDH container cannot be decrypted by the host Ubuntu OpenSSL (or its different version). Would that match what you're experiencing? I haven't pinned down the exact cause yet.
My workaround is to re-generate the owner.p12.pem from owner.p12 on the host, i.e. on Ubuntu in my case. Since you launch the CLI scripts from the host, OpenSSL decrypts the key because it was also generated on the host. I have a little bash script (I run it from the LDH root folder):

```bash
#!/bin/bash
# regenerate the PEM from the PKCS#12 bundle in ./certs, on the host
pushd . > /dev/null && cd certs
openssl pkcs12 -in "owner.p12" -out "owner.p12.pem"
popd > /dev/null
```
I tried regenerating owner.p12.pem on the host but it did not resolve the issue. I'm not sure I did it right though. The above script asks for both an "Import Password" and a "PEM pass phrase" for which I entered the same password that I configured LDH with for each of them. Is that correct?
Yes that's what I do. Did you restart the service afterwards?
Could you send me the log of the shell scripts?
@tmciver could you provide some more info about this issue?
@namedgraph sorry for going silent - busy as usual. I hadn't originally restarted the services but I tried that to no avail. I also tried regenerating owner.p12.pem again - no luck.
When I run the script, I get:

```
$ export SCRIPT_ROOT=~/workspace/linkeddata/linked-data-hub/scripts/; ./install.sh https://localhost:4443/ ../../../linked-data-hub/certs/owner.p12.pem <my-password>
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
### Making the app public
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 4443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 513 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 potentially-encrypted key file: Decryption has failed.
* Closing connection 0
curl: (35) error reading X.509 potentially-encrypted key file: Decryption has failed.
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
### Creating authorizations
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
### Creating authorization for https://localhost:4443/reference/dataspace/
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 4443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 513 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 potentially-encrypted key file: Decryption has failed.
* Closing connection 0
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs ~/workspace/linkeddata/linked-data-hub-apps/linkeddatahub/docs
### Creating authorization for https://localhost:4443/reference/administration/
^C
```

I just Ctrl-C after a couple of errors. I hope that helps.
Hmm... What OS are you on?
I can think of two things:
cat ../../../linked-data-hub/certs/owner.p12.pem
I looked into this a bit more to no avail. Yes, the file is really at that path. I tried
I also tried separating the certificate from the key per the serverfault.com link you gave above and then issuing the following curl command
curl -v --cert cert.pem --cert-type PEM --key key.pem --key-type PEM --pass password https://localhost:4443
but it gave a similar error:
curl: (35) error reading X.509 potentially-encrypted key file: Error while reading file.
I'm at a loss . . .
I also verified the key and certificate match per the instructions here.
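The regeneration step from namedgraph's workaround above and the cert/key split with the match check from this reply, combined into one scripted procedure. This is an added example, not code from the LinkedDataHub project or from this thread: owner.p12 is replaced by a constructed throw-away bundle, and p12_to_pem, check_pem and make_demo_p12 are names chosen here.

```shell
#!/bin/bash
# Added example, not LinkedDataHub's own scripts. Splits a PKCS#12 bundle into a
# PEM cert and an encrypted PEM key on the host, then checks that the host's
# openssl can decrypt that key and that it matches the certificate.
set -eu

# p12_to_pem <bundle.p12> <password> <outdir>: writes outdir/cert.pem and
# outdir/key.pem (the key stays encrypted under the same password).
p12_to_pem() {
  local p12="$1" pass="$2" out="$3"
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out/cert.pem"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts \
    -passout "pass:$pass" -out "$out/key.pem"
}

# check_pem <cert.pem> <key.pem> <password>: returns 0 when the key decrypts
# with the password and its public key is the one in the certificate.
check_pem() {
  local cert="$1" key="$2" pass="$3" cert_pub key_pub
  # the same decryption curl has to do; a wrong password or a key encryption
  # the host's library cannot read fails here, before any TLS handshake
  openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER \
    | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# make_demo_p12 <dir> <password>: constructed throw-away self-signed identity
# bundled as dir/demo.p12, standing in for certs/owner.p12 (assumption).
make_demo_p12() {
  local dir="$1" pass="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-owner" \
    -keyout "$dir/demo-key.pem" -out "$dir/demo-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/demo-cert.pem" -inkey "$dir/demo-key.pem" \
    -passout "pass:$pass" -out "$dir/demo.p12"
}

# stand-alone run: build the demo bundle, split it and verify the result
work=$(mktemp -d)
make_demo_p12 "$work" secret
p12_to_pem "$work/demo.p12" secret "$work/out"
check_pem "$work/out/cert.pem" "$work/out/key.pem" secret && echo "key ok"
```

Running check_pem on the real owner.p12.pem (with -clcerts split off the same way) tells whether the host openssl can decrypt the key at all, which separates the decryption failure seen here from a curl or server problem.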
@tmciver can we try to see if it's not an environment issue? What's the OS and its version and the output of curl -V?
I'm running this on Ubuntu 16.04 (old, I know. I should probably just upgrade and see if that resolves it.)
```
$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
```
I tried the install script mentioned above in a fresh Ubuntu 20.04 VM and it worked! I think we can chalk this up to an old version of . . . something. Thanks for the help with this @namedgraph!
Awesome! Without regenerating the client.p12.pem or anything?
Correct, I did not have to regenerate the cert files.
When trying to run install.sh in the docs directory, I get the following error: Do I need to decrypt a key somewhere? My familiarity with PKI is limited.