Portal upgrade to 5.4.1.3 fails on tssg certificates
Article ID: 440691

Products

CA API Developer Portal

Issue/Introduction

Portal upgrade to 5.4.1.3 fails on tssg certificates with "Failed to extract certificate from certs/tssg.p12. Password may be incorrect or file may be corrupted."

When running portal.sh to start the Portal, the following output appears:

Database connectivity check passed: <databasehost>:3306 is reachable.
INFO: Custom URLs disabled (PORTAL_CUSTOM_URLS_ENABLED=false), skipping certificate processing
INFO: Removing existing custom domain secrets
-----------Converting from existing certs/tssg.p12
Converting existing tssg.p12 to other required formats for tssg
Extracting certificate to certs/tssg.crt
-----------Converting from existing certs/tssg.p12
Converting existing tssg.p12 to other required formats for tssg
Extracting private key to certs/tssg.key
-----------Converting from existing certs/tssg.p12
Converting existing tssg.p12 to other required formats for tssg
Generating PEM format to certs/tssg.pem
-----------Converting from existing certs/tssg.p12
pass is  OTM2NDRiZDQ2Mzk0OWU5NWQy
Converting existing tssg.p12 to other required formats for tssg
Generating PKCS8 format to certs/tssg.p8
Please fix the following errors:
   -    Failed to extract certificate from certs/tssg.p12. Password may be incorrect or file may be corrupted.
   -    Failed to extract private key from certs/tssg.p12. Password may be incorrect or file may be corrupted.
   -    Failed to generate PEM format from certs/tssg.p12. Password may be incorrect or file may be corrupted.
   -    Failed to generate PKCS8 format from certs/tssg.key. Password may be incorrect or file may be corrupted.

After that, tssg.key, tssg.pem and tssg.crt are empty files, while the tssg.p12 file is still present.

Deleting tssg.p12 works as a workaround, but then every proxy (Gateway) has to be updated with the new certificate.


Cause

Running the openssl command from the portal.sh script manually on the command line produces the following error:

openssl pkcs12 -in tssg.p12 -clcerts -nokeys -out "tssg.crt"
Enter Import Password:
Error outputting keys and certificates
803B5C54B07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Resolution

This tells you that the tssg.p12 file was encrypted with an algorithm (RC2-40-CBC) that the default OpenSSL provider no longer supports. RC2-40-CBC is a legacy, weak cipher; since OpenSSL 3.0 it is only implemented in the legacy provider, which is not loaded by default. OpenSSL 1.x used it as the default encryption for the certificate bags of exported PKCS#12 files, which is why a tssg.p12 created before the upgrade can no longer be read afterwards. The certificate, private key and PEM extractions all fail at the same point, because each of them has to parse the same RC2-encrypted file; the PKCS8 step then fails as well, because it reads the tssg.key that was left empty.

The algorithm is still available from the OpenSSL legacy provider. Adding "-legacy" to the openssl pkcs12 command loads that provider and resolves the issue. The legacy provider module must be installed on the system; if it is missing, the command fails with an error about loading the legacy provider instead of the "unsupported" error above.

Add the -legacy option to the openssl pkcs12 statements in the "function convert_from_p12" of the portal.sh script, for example:

if ! openssl pkcs12 -in "${key_name}.p12" -legacy -clcerts -nokeys -out "${key_name}.crt" \
-passin pass:"$pass" 2>/dev/null; then

Do this for the tssg.crt, tssg.key and tssg.pem statements, but not for the tssg.p8 statement: that one runs openssl pkcs8 on the already extracted tssg.key rather than on the .p12, so it does not need -legacy and succeeds once tssg.key is extracted correctly.

The other solution is to delete the current tssg.p12 and let the Portal create a new certificate for tssg; after this, the proxy Gateway also needs to be updated with the new certificate.
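A third option, added here as an example and not part of this article, of portal.sh or of the CA API Developer Portal product, is to re-encode tssg.p12 once with AES-256-CBC/PBKDF2 and a SHA-256 MAC. The unmodified portal.sh openssl calls can then read the file, and the certificate itself does not change, so the proxy Gateway does not need to be updated. The script below assumes the PKCS#12 password is supplied in the environment variable P12_PASS (the same password portal.sh passes to openssl; note that the startup log above echoes it in clear, so treat that log as sensitive) and that the file is given as the first argument; both are assumptions for this example. Reading the password via env: keeps it off the command line and out of ps output, unlike the pass:"$pass" form in portal.sh.

```shell
#!/bin/sh
# Added example (not from the article or the CA API Developer Portal product):
# check whether a PKCS#12 file can be opened by the default OpenSSL provider
# and, if only the legacy provider can read it (RC2-40-CBC certificate bags,
# as in the error above), re-export it with PBES2/AES-256-CBC and a SHA-256
# MAC so that the unmodified portal.sh openssl calls work.
# Assumption: the PKCS#12 password is in the environment variable P12_PASS.
set -eu

# Succeeds (exit 0) if the default provider can extract the certificate, i.e.
# the same call portal.sh makes succeeds without -legacy.
p12_opens_without_legacy() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -out /dev/null \
        -passin env:P12_PASS 2>/dev/null
}

# Dump key and certificates from a PKCS#12 file into one unencrypted PEM file.
# Tries the default provider first and falls back to -legacy, so it works on
# OpenSSL 1.1.1 (no -legacy option) and on 3.x (legacy provider needed for RC2).
p12_to_pem() {
    openssl pkcs12 -in "$1" -nodes -out "$2" -passin env:P12_PASS 2>/dev/null \
    || openssl pkcs12 -in "$1" -nodes -out "$2" -passin env:P12_PASS -legacy
}

# Rewrite $1 as $2 using PBES2/AES-256-CBC for both the certificate and key
# bags and a SHA-256 MAC, which the default provider reads. The intermediate
# PEM holds the private key in the clear, so it lives only in a 0700 mktemp
# directory that is removed afterwards (and on any early exit).
p12_modernize() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    p12_to_pem "$1" "$workdir/bundle.pem"
    openssl pkcs12 -export -in "$workdir/bundle.pem" -out "$2" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passin env:P12_PASS -passout env:P12_PASS
    rm -rf "$workdir"
}

# Check one file and modernize it in place, keeping a .bak copy of the
# original. Usage (assumed): P12_PASS=... ./fix_p12.sh certs/tssg.p12
fix_p12() {
    if p12_opens_without_legacy "$1"; then
        echo "$1: readable with the default provider, nothing to do"
        return 0
    fi
    echo "$1: needs the legacy provider, re-exporting with AES-256-CBC"
    cp -p "$1" "$1.bak"
    p12_modernize "$1.bak" "$1"
    p12_opens_without_legacy "$1"
}

if [ $# -ge 1 ]; then
    fix_p12 "$1"
fi
```

Run it once against certs/tssg.p12 before starting the Portal; the .bak copy is still RC2-encrypted, so delete it once the Portal starts cleanly.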