owntracks / ios

OwnTracks' iPhone App
http://owntracks.org

Unable to install Client Certificate in iOS 17.1.1 #752

Closed ratsputin closed 10 months ago

ratsputin commented 10 months ago

Setting up OwnTracks v16.4.3 from scratch in iOS 17.1.1 for MQTT using the Booklet instructions fails with

TLS Client Certificate incorrect file or passphrase.

$ ./generate-CA.sh client brett-owntracks
Created CA certificate in ./ca.crt
subject=
    commonName                = An MQTT broker
    organizationName          = OwnTracks.org
    organizationalUnitName    = generate-CA
    emailAddress              = nobody@example.net
Warning: the CA key is not encrypted; store it safely!
--- Creating client key and signing request
--- Creating and signing client certificate
Certificate request self-signature ok
subject=CN = brett-owntracks
$ openssl pkcs12 -export -in brett-owntracks.crt -inkey brett-owntracks.key -name "Brett's certificate/key" -out brett-owntracks.otrp
Enter Export Password:
Verifying - Enter Export Password:

Importing the brett-owntracks.otrp into OwnTracks, then entering the password entered above results in an "incorrect file or passphrase" error. I've received the same results with client certificates generated from other platforms as well.

ckrey commented 10 months ago

Which version of openssl do you use?

openssl version

Could you try with an openssl version 1.1.x?

ratsputin commented 10 months ago

On the machine where I ran the test (Ubuntu):

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

On my firewall where I normally manage my certificates (FreeBSD):

OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Let me find somewhere that I can back down to the older version and test. I'll circle back when I do. Thank you.

ckrey commented 10 months ago

I can recreate your issue: .p12 (.otrp) files built with openssl 3.x.x cannot be opened using Apple's SecPKCS12Import function.

https://github.com/openssl/openssl/issues/19871

ratsputin commented 10 months ago

Interesting. So if I do the following step (from the docs):

openssl pkcs12 \
  -export \
  -in jjolie.crt \
  -inkey jjolie.key \
  -name "Jane's certificate/key" \
  -out jjolie.p12

On a machine with OpenSSL 1.1.1 it should work, irrespective of the version that issued the certificate (the crt and key files) in the first place?

ckrey commented 10 months ago

Yes, according to this, it is just the pkcs12 bit that is incompatible:

https://github.com/owntracks/ios/issues/752#issuecomment-1820803401

SecPKCS12Import is not compatible with the default openssl pkcs12 encoding algorithm in openssl@3. Downgrade to openssl@1.1.

ratsputin commented 10 months ago

Excellent! That's a perfect workaround, as I just realized that one of my main machines still has OpenSSL 1.1.1w installed. Let me give that a shot. Thank you for your assistance. I'll let you know if it works later today (I'm in the US).

ratsputin commented 10 months ago

Using a certificate generated under OpenSSL v3.0.2, I was able to generate the PKCS#12 .otrp file using openssl on a machine with OpenSSL v1.1.1w and import it into OwnTracks on iOS successfully. Thank you for the assistance!

jameskitt616 commented 6 months ago

You can get it working by using the `-legacy -certpbe pbeWithSHA1And40BitRC2-CBC` parameters with the `openssl pkcs12 -export` command on OpenSSL 3.x.x.
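A pre-flight check for the .otrp before copying it to the phone, added here as an example and not part of OwnTracks or of this thread: it looks for the DER-encoded algorithm OIDs in the PKCS#12 outer structure and tells the OpenSSL 3 defaults (PBES2/PBKDF2 with AES-256-CBC, SHA-256 MAC) apart from the OpenSSL 1.1 / `-legacy` schemes the thread reports as importable. The sample byte strings are constructed stand-ins rather than real exports, and the rule "only the legacy schemes import" is taken from this thread as an assumption about SecPKCS12Import.

```python
"""Flag .p12/.otrp files that use the OpenSSL 3 default PKCS#12 encoding.
Added example for this thread; not OwnTracks code."""
import sys

# OpenSSL 3 defaults (PBES2/PBKDF2 + AES-256-CBC, SHA-256 MAC) vs the PKCS#12 PBE
# schemes that OpenSSL 1.1 (and `openssl pkcs12 -export -legacy`) write.
MODERN = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "2.16.840.1.101.3.4.2.1": "sha256 (MAC digest)",
}
LEGACY = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.3.14.3.2.26": "sha1 (MAC digest)",
}

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def pkcs12_algorithms(der):
    """Names of the known PBE/MAC OIDs present in the file. The AlgorithmIdentifiers
    live in the unencrypted outer structure, so a byte search is enough; a chance
    match of a 7- to 12-byte DER OID inside ciphertext is negligible."""
    return sorted(n for o, n in {**MODERN, **LEGACY}.items() if encode_oid(o) in der)

def ios_importable(der):
    """Assumption taken from the thread: SecPKCS12Import accepts the legacy schemes
    and rejects a file that uses any of the OpenSSL 3 defaults."""
    names = pkcs12_algorithms(der)
    return bool(names) and not any(n in MODERN.values() for n in names)

# Constructed stand-ins for the outer AlgorithmIdentifier bytes of two exports
# (real files also carry the encrypted SafeBags, which this check ignores).
SAMPLE_OPENSSL3 = encode_oid("1.2.840.113549.1.5.13") + encode_oid("2.16.840.1.101.3.4.1.42")
SAMPLE_LEGACY = encode_oid("1.2.840.113549.1.12.1.6") + encode_oid("1.3.14.3.2.26")

if __name__ == "__main__":  # usage: python3 check_p12.py brett-owntracks.otrp
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OPENSSL3
    print(pkcs12_algorithms(data), "importable:", ios_importable(data))
```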