stevejenkins/unifi-linux-utils

OpenSSL 3 breaks PKCS12 tmp file generation

Opened this issue · 3 comments

This section no longer generates a working certificate with openssl 3.x, as the password gets mangled:

# Export the private key and certificate(s) into a temporary PKCS12 file
# that keytool then imports. Note that openssl pkcs12 accepts a single -in;
# a second -in silently overrides the first, so the extra chain certificates
# have to be supplied with -certfile.
if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${SIGNED_CRT}" \
    -certfile "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
fi

Giving this issue:

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.ruliTepb76 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.ruliTepb76 to /var/lib/unifi/keystore...
keytool error: java.io.IOException: keystore password was incorrect

The solution for openssl 3 is to add a check for openssl 3 and do this:

# Check for OpenSSL 3.x: "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2" -> "3"
OPENSSL_VERSION=$(openssl version -v | awk '{print $2}' | awk -F '.' '{print $1}')
if [[ "${OPENSSL_VERSION}" -ge '3' ]]; then
  # -legacy makes OpenSSL 3 load its legacy provider and write the PKCS12
  # file with the pre-3.0 algorithms (RC2-40 for the certificates, 3DES for
  # the key, SHA-1 MAC) instead of the new AES-256-CBC/PBKDF2 defaults that
  # the keytool above rejects. Older OpenSSL does not know the flag, so it
  # must stay empty there.
  OPENSSL_LEGACY_FLAG='-legacy'
else
  OPENSSL_LEGACY_FLAG=
fi

# If there is a signed crt we should include this in the export.
# openssl pkcs12 accepts a single -in (a second one overrides the first),
# so the chain goes in via -certfile. ${OPENSSL_LEGACY_FLAG} is deliberately
# left unquoted so that an empty value expands to no argument at all.
if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${SIGNED_CRT}" \
    -certfile "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
fi

Which gives this:

Exporting SSL certificate and key data into temporary PKCS12 file...
++ openssl version -v
++ awk '{print $2}'
++ awk -F . '{print $1}'
+ OPENSSL_VERSION=3
+ [[ 3 -ge 3 ]]
+ OPENSSL_LEGACY_FLAG=-legacy
+ [[ -f /etc/ssl/certs/hostname.example.com.crt ]]
+ openssl pkcs12 -export -in /etc/letsencrypt/live/hostname.com/fullchain.pem -inkey /etc/letsencrypt/live/hostname.com/privkey.pem -out /tmp/tmp.mnx3wlaSE5 -passout pass:aircontrolenterprise -name unifi -legacy
+ printf '\nRemoving previous certificate data from UniFi keystore...\n'

Removing previous certificate data from UniFi keystore...
+ keytool -delete -alias unifi -keystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise
+ printf '\nImporting SSL certificate into UniFi keystore...\n'

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.mnx3wlaSE5 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.mnx3wlaSE5 to /var/lib/unifi/keystore...
+ printf '\nRemoving temporary files...\n'
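The following is an added example and is not code from the unifi-linux-utils script or from the issue author. It makes the change behind the failure above visible: it builds a throwaway key and self-signed certificate, exports them to PKCS12 with the OpenSSL defaults and again with the pre-3.0 algorithms, and lists the algorithms each file was actually protected with (`openssl pkcs12 -info` prints them on stderr). It also goes one step beyond the `-legacy` fix: the `compat` mode requests the old algorithms by name (`-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`), which OpenSSL 1.1.x and 3.x both accept and which does not depend on the legacy provider that `-legacy` loads (some distributions ship that provider as a separate package). The certificate subject, file names and the `testpass`/`aircontrolenterprise` passwords are assumptions for the demonstration; `aircontrolenterprise` is the keystore password from the log above.

```shell
#!/usr/bin/env bash
# Added example, not code from unifi-linux-utils. Requires only the openssl
# binary. Paths, names and the throwaway certificate are made up.
set -eu

# Major version of the openssl on PATH: "OpenSSL 3.0.2 15 Mar 2022" -> 3
openssl_major() {
    openssl version | awk '{print $2}' | cut -d. -f1
}

# Create a throwaway RSA key and self-signed certificate in directory $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=unifi.example.test' \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# export_p12 MODE KEY CERT OUT PASSWORD
#   default : whatever this OpenSSL picks (3.x: PBES2/PBKDF2 + AES-256-CBC
#             with a SHA-256 MAC; 1.1.x: RC2-40 certs, 3DES key, SHA-1 MAC)
#   compat  : the pre-3.0 algorithms requested by name; accepted by 1.1.x
#             and 3.x and needs no legacy provider
#   legacy  : the issue's fix; OpenSSL 3 only, loads the legacy provider
export_p12() {
    local mode=$1 key=$2 cert=$3 out=$4 pass=$5
    set -- openssl pkcs12 -export -inkey "$key" -in "$cert" \
        -out "$out" -name unifi -passout "pass:$pass"
    case $mode in
        compat) "$@" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 ;;
        legacy) "$@" -legacy ;;
        *)      "$@" ;;
    esac
}

# Print the PBE / cipher / MAC algorithm names found in a PKCS12 file, one
# per line. "openssl pkcs12 -info" writes them to stderr, hence the 2>&1.
p12_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 \
        | grep -Eo 'AES-256-CBC|PBKDF2|pbeWithSHA1And[0-9A-Za-z-]+|MAC: [A-Za-z0-9]+' \
        | sort -u
}

# 0 when FILE uses the OpenSSL 3 defaults (PBES2 with AES-256-CBC), i.e. the
# kind of file the keytool in the issue rejected as a wrong password.
uses_openssl3_defaults() {
    local algs
    algs=$(p12_algorithms "$1" "$2")
    case $algs in *AES-256-CBC*) return 0 ;; esac
    return 1
}

# 0 when FILE uses the pre-3.0 PKCS12 PBE family (pbeWithSHA1And...).
uses_pre3_algorithms() {
    local algs
    algs=$(p12_algorithms "$1" "$2")
    case $algs in *pbeWithSHA1And*) return 0 ;; esac
    return 1
}

# Export the same key/cert both ways and show what ended up in each file.
demo() {
    local dir pass=aircontrolenterprise
    dir=$(mktemp -d)
    make_test_cert "$dir"
    export_p12 default "$dir/privkey.pem" "$dir/cert.pem" "$dir/default.p12" "$pass"
    export_p12 compat  "$dir/privkey.pem" "$dir/cert.pem" "$dir/compat.p12"  "$pass"
    printf 'OpenSSL major version: %s\n\n' "$(openssl_major)"
    printf 'default export:\n'; p12_algorithms "$dir/default.p12" "$pass"
    printf '\ncompat export:\n';  p12_algorithms "$dir/compat.p12"  "$pass"
    rm -rf "$dir"
}

demo
```

On OpenSSL 3.x the default export lists `PBKDF2`, `AES-256-CBC` and `MAC: SHA256`, while the compat export lists only `pbeWithSHA1And3-KeyTripleDES-CBC` and `MAC: SHA1`; on 1.1.x the default export already shows the `pbeWithSHA1And...` family. Whether the Java side can read the OpenSSL 3 defaults depends on the JDK version; the keytool in this report could not, and either `-legacy` or the explicit compat flags produce a file it accepts.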

Damn son, I just spent 3 hours troubleshooting this and meant to post this. I wish I had looked up the issues earlier and found your solution.

Same. This has bitten me in the rear end. Just discovered this fix there now!

The current version people download doesn't have this fix. Is there still maintenance on this script or is everybody on their own now? Because I would like to make this script work when the controller is run inside a docker container.