PEM to PFX not being recognised

Hello there! This is my first post. After some time digging for answers, I found nothing to solve my problem; I hope this is not a duplicate.

I have a local server with nginx as reverse proxy, NoIP DNS and Raiola DNS hosting my main domain targeting nginx with their corresponding subdomains.

On that machine, I've successfully deployed Jira and Confluence services, first in HTTP and then in HTTPS using nginx+certbot, it automatically configured these and worked like a charm.

After that, I wanted to set up a UVCS (previously known as PlasticSCM) and configure a certificate for it. Unfortunately, it only allows PFX format, so I needed to convert it using the full-chain certificate and the private key + a password. It worked seamlessly, but when I restart the server for it to take the certificate, it outputs an error.

In the beginning I thought it was related to UVCS, but reading the error, I found similar errors related to OpenSSL, so my guess here is that UVCS is only outputting an error from stderr and adding it to the server startup log. So maybe there is something in the command I'm running to convert the *.pem cert and private key into PFX which is messing things up.

This is also a related link to the UVCS documentation on auto-generated certificates (which is not what I want, but using a let's encrypt one):

Any tip is welcome, and thank you very much for your support!
Below is the required information.
Cheers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: plastic.rapture-games.com

I ran this command: sudo openssl pkcs12 -export -out ssl-certificate.pfx -in fullchain.pem -inkey privkey.pem -name "plastic.rapture-games.com" -passout pass:"XXXXXX"

It produced this output: Error importing certificate '/opt/plasticscm5/server/ssl-certificate.pfx': error:10080002:BIO routines::system lib,

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: Raiola

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): CPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

1 Like

Check that the plastic scm (service user) has read permission on the pfx file, and also I assume you had to set the PFX password somewhere in your plastic scm config.

Also, test your PFX using openssl, but watch out for "legacy" and "modern" PFX settings: these are differences in the keybag algorithm etc. and can affect compatibility. OpenSSL 3 uses the modern algorithms by default and you could run into issues with that on some systems.

5 Likes
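To make the two checks in this reply concrete (test the PFX with openssl, and know which algorithm set it uses), here is an added example that is not from the thread or from Plastic SCM. It exports a PEM key and chain into a PFX in either the modern or the legacy algorithm set and classifies an existing PFX from its `-info` summary without printing the private key. It assumes only an openssl binary (1.1.1 or 3.x) on PATH; the file names, the friendly name "demo" and the password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): export a PEM key+chain into a PFX two ways
# and inspect the result. Assumes an openssl binary (1.1.1 or 3.x) on PATH.

# Export fullchain.pem + privkey.pem into a PFX. $4 picks the algorithm set:
#   modern -> PBES2/PBKDF2 with AES-256-CBC and a SHA-256 MAC (what OpenSSL 3
#             produces by default, and what the poster's -info output shows)
#   legacy -> PKCS#12 PBE with 3DES and a SHA-1 MAC, spelled out explicitly so
#             it also works on OpenSSL 1.1.1. OpenSSL 3's "-legacy" switch is
#             similar but uses RC2-40 for the certificate bags and needs the
#             legacy provider loaded.
pem_to_pfx() {
    chain="$1"; key="$2"; out="$3"; flavour="$4"; pass="$5"
    case "$flavour" in
        modern) algs="-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256" ;;
        legacy) algs="-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1" ;;
        *) echo "unknown flavour: $flavour" >&2; return 2 ;;
    esac
    # $algs is deliberately unquoted so it splits into separate options.
    openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$out" \
        -name demo -passout "pass:$pass" $algs
}

# Print "modern" or "legacy" for an existing PFX. -noout keeps the private key
# off the terminal; openssl writes the -info summary to stderr, hence 2>&1.
pfx_flavour() {
    info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1) || return 1
    case "$info" in
        *PBES2*) echo modern ;;
        *)       echo legacy ;;
    esac
}

# Exit 0 only if the container parses and its MAC verifies under this password:
# a much cheaper check than restarting the service and grepping its log.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Usage: sh pfx-check.sh fullchain.pem privkey.pem out.pfx PASSWORD
# A password on the command line is visible in the process list and shell
# history; -passout file:/path/to/root-only-file is the safer form for
# anything permanent.
if [ "$#" -eq 4 ]; then
    pem_to_pfx "$1" "$2" "$3" legacy "$4"
    echo "$3: $(pfx_flavour "$3" "$4")"
    pfx_opens "$3" "$4" && echo "$3 opens with the given password"
fi
```

If `pfx_flavour` prints `modern` and the consuming application is older .NET or Java tooling, rebuilding with the legacy set is the first thing to try; if `pfx_opens` already fails, the problem is the password or the file, not the algorithms.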

If everything else fails: is it perhaps also possible to put Plastic SCM behind a reverse proxy? Or is direct access required?

3 Likes

Thank you very much for your prompt response!

Yep, the permission is correct.
You are right, the password has to be set in the "network.conf" file, in this case encrypted to avoid it being in plain text, using the CLI instruction (cm crypt "yourpassword"); it is then copied into the conf file and the server service daemon is restarted.

Regarding the generated PFX, I can see the following information:

openssl pkcs12 -info -in /opt/plasticscm5/server/ssl-certificate.pfx
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: 79 5E 53 93 45 F6 A0 75 78 18 77 71 F3 0E B8 02 E5 72 8A 7F
    friendlyName: plastic.rapture-games.com
subject=CN = plastic.rapture-games.com
issuer=C = US, O = Let's Encrypt, CN = R11
[...]

What I was checking in this case was that the key is 4096 long with RSA (not sure why the Iteration says 2048; maybe it is not related...), since this is what I understood from the Plastic website. Also, I found that the most important thing to configure when issuing (self-signed) certificates is the CN, which must match the domain the users address from the outside (also from the description on the website), and I'd swear mine is correct (plastic.rapture-games.com).

The last instruction I used to generate the certificate has been:
sudo certbot certonly --standalone -d plastic.rapture-games.com --key-type rsa --rsa-key-size 4096

Then, since the installation was not automated (to ensure I'm taking every required step), I configured nginx sites-available and sites-enabled on my own with the following:

server {
    listen 80;
    server_name plastic.rapture-games.com;

    # Redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS Server Block
server {
    listen 443 ssl;
    server_name plastic.rapture-games.com;
    ssl_certificate /etc/letsencrypt/live/plastic.rapture-games.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plastic.rapture-games.com-0001/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:8088;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Then I created the symlink to the enabled sites:
sudo ln -s /etc/nginx/sites-available/plastic /etc/nginx/sites-enabled/

And finally converted the format to PFX with this instruction:
sudo openssl pkcs12 -export -out ssl-certificate.pfx -in /etc/letsencrypt/live/plastic.rapture-games.com-0001/fullchain.pem -inkey /etc/letsencrypt/live/plastic.rapture-games.com-0001/privkey.pem -name "plastic.rapture-games.com" -passout pass:"MYPASSWORD"

Still not working, but I wanted to check it with you in case something in my "verbose" description of my intentions does not match the instructions I'm adding :smiley:

2 Likes

@jaime.finat thanks, that all looks good to me. The error from Plastic SCM is a little generic so I think it would be best for you to raise this with their support, perhaps they have a way to enable debug logging.

Your PFX is using the modern algorithms and maybe you could try the -legacy option to see if that will improve compatibility. I note that the plasticscm certificate instructions talk about the cost of getting a certificate from a public CA, so although they look modern it's possible this stuff is slightly more dated than it first appears.

5 Likes

Dear @webprofusion,

I got it working using the -legacy option when converting the format to PFX. You saved me; I was not aware of that possibility at all! Maybe in the future it will be fixed and this won't be necessary, but in the meantime...

Also, @Osiris's reverse proxy mention helped me to fix and remove the previous plastic.rapture-games.com, using the rapture-games.ddns.net NoIP domain instead.

For the record, I'll add here the steps I followed if anyone finds it useful:

sudo certbot -d rapture-games.ddns.net --key-type rsa --rsa-key-size 4096
sudo openssl pkcs12 -export -out /home/rapture/ssl-certificate.pfx -in /etc/letsencrypt/live/rapture-games.ddns.net/fullchain.pem -inkey /etc/letsencrypt/live/rapture-games.ddns.net/privkey.pem -name "Rapture Games" -passout pass:"PASSWORD" -legacy
sudo mv ssl-certificate.pfx /opt/plasticscm5/server/
sudo chown plasticscm:plasticscm /opt/plasticscm5/server/ssl-certificate.pfx
sudo chmod 644 /opt/plasticscm5/server/ssl-certificate.pfx
cm crypt "PASSWORD"
sudo nano /opt/plasticscm5/server/network.conf
sudo systemctl restart plasticscm-server
sudo tail -100 /opt/plasticscm5/server/plastic.debug.log.XXXXXXXX.txt | grep "Error "

And also an overriding configuration to convert and refresh the certificate to its proper version and location:

sudo nano /etc/systemd/system/snap.certbot.renew.service.d/override.conf
ExecStart=sudo /usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
ExecStart=sudo openssl pkcs12 -export -out /home/rapture/ssl-certificate.pfx -in /etc/letsencrypt/live/rapture-games.ddns.net/fullchain.pem -inkey /etc/letsencrypt/live/rapture-games.ddns.net/privkey.pem -name "rapture-games.ddns.net" -passout pass:"PASSWORD" -legacy
ExecStart=sudo mv /home/rapture/ssl-certificate.pfx /opt/plasticscm5/server/
ExecStart=sudo chown plasticscm:plasticscm /opt/plasticscm5/server/ssl-certificate.pfx
ExecStart=sudo chmod 644 /opt/plasticscm5/server/ssl-certificate.pfx

Check the permissions of the override file, since the password is in plain text and only administrators should have access to see that file's content.

Thank you very much to both of you guys for your kind support and time!
You rock!

5 Likes
