Generated cert unsupported by openssl3 related applications #2606

Open
acomick opened this issue Jun 3, 2024 · 3 comments

acomick commented Jun 3, 2024

Hi all,

My previous registrar decided to revoke API access, so I have spent the afternoon migrating all my domains and automation over to Cloudflare. I am pretty much completely done, but I have been running into issues getting win-acme to generate a valid cert. I had been up and running with no issues for about 3 years prior, so I'm not sure what's happening.

Steps taken:
- Deleted win-acme folder in P:/programdata
- Upgraded to the latest version
- Installed Cloudflare DNS plugins
- Created a new cert (tried both EC and RSA)

I am able to issue a PKCS cert file just fine, but when I attempt to validate it with OpenSSL, or use it in an app (Plex), I am getting the following exceptions:

openssl: inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0)
Plex: Jun 02, 2024 19:16:52.262 [5968] ERROR - [CERT] PKCS12_parse failed: error:0308010C:digital envelope routines::unsupported
Jun 02, 2024 19:16:52.262 [5968] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

All settings are default. I have tried a simple hostname, a wildcard, and a hostname with some SANs. The only config changes I made were to the notification settings (which is working).

```
PS P:\Apps\winacme> .\wacs.exe --verbose
[DBUG] Logging at level Verbose
[VERB] Loaded validation plugin Cloudflare from P:\Apps\winacme\PKISharp.WACS.Plugins.ValidationPlugins.Cloudflare.dll
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Looking for settings.json in P:\Apps\winacme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Use existing log folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Use existing cache folder C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[DBUG] Found 1 secrets in secrets.json
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails True
[VERB] Arguments: --verbose
[VERB] ExePath: P:\Apps\winacme\wacs.exe
[VERB] ResourcePath: P:\Apps\winacme
[VERB] PluginPath: P:\Apps\winacme\

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.2.9.1701 (release, pluggable, standalone, 64-bit)
[INFO] Connecting to https://acme-v02.api.letsencrypt.org/...
[DBUG] [HTTP] Send GET to https://acme-v02.api.letsencrypt.org/directory
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
  "_amWaCqVSxU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
[INFO] Connection OK!
[DBUG] Running with administrator credentials
[DBUG] IIS not detected
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit
Choose an action or type numbers to select renewals: d


Renewal 1/1 -----------------------------------------------------------------


Id: G4m0MaK31ku6V7etQmSjPg
File: G4m0MaK31ku6V7etQmSjPg.renewal.json
Account: Default account
Auto-FriendlyName: [Manual] *.domain.net
.pfx password:
Expires: Unknown
Renewal due: 2024/7/28
Renewed: 2 times
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --host
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --cloudflareapitoken
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Flag --ocsp-must-staple not present
[VERB] Flag --reuse-privatekey not present
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] Flag --keepexisting not present
[VERB] No value provided for --certificatestore
[VERB] No value provided for --acl-fullcontrol
[VERB] No value provided for --acl-read
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --pemfilespath
[VERB] No value provided for --pempassword
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
[VERB] No value provided for --pfxfilepath
[VERB] No value provided for --pfxpassword
[VERB] Autofac: creating Target scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No W3SVC detected
[VERB] No FTPSVC detected
Command: wacs.exe --source manual --host *.domain.net,domain.net
--validation cloudflare --cloudflareapitoken
vault://json/cf_letsencrypt --store
certificatestore,pemfiles,pfxfile --pemfilespath
P:\Apps\certs --pempassword ******* --pfxfilepath
P:\Apps\certs --pfxpassword *******

Plugins -----------------------------------------------------------------

Source: Manual
- Description: Manual input
Validation: Cloudflare
- Description: Create verification records in Cloudflare DNS
Order: Single
- Description: Single certificate
Csr: RSA
- Description: RSA key
Store: CertificateStore
- Description: Windows Certificate Store (Local Computer)
Store: PemFiles
- Description: PEM encoded files (Apache, nginx, etc.)
Store: PfxFile
- Description: PFX archive
Installation: None
- Description: No (additional) installation steps

Orders -----------------------------------------------------------------

Order 1/1: main

  • Renewed: 2 times
  • Last thumbprint: AC4D51FC3531CE2F9552C8B94CFB58511BCDB80F
  • Last date: 2024/6/3
  • Next due: 2024/7/28

History -----------------------------------------------------------------

History 3/3 -----------------------------------------------------------------

  • Date: 2024/6/3
  • Order: main
    • Success: true
    • Thumbprint: AC4D51FC3531CE2F9552C8B94CFB58511BCDB80F

History 2/3 -----------------------------------------------------------------

  • Date: 2024/6/3
  • Order: main
    • Errors: Unable to create order, No certificate generated

History 1/3 -----------------------------------------------------------------

  • Date: 2024/6/3
  • Order: main
    • Success: true
    • Thumbprint: 07A44A2FE48B0DAB229A86362D0E365772732C17
```

Any ideas? Thanks.

@WouterTinus (Member) commented Jun 3, 2024

Which version of win-acme were you using before?

It seems like OpenSSL 3.0 doesn't like the default settings chosen by BouncyCastle for the PFX/PKCS12 archive, which is a legacy encryption algorithm. Recently I've been playing around with trying to upgrade this, but that caused failures on older versions of Windows. I guess we'll have to make it an optional setting to modernize the archive.


acomick commented Jun 3, 2024

It looks like it was 2.1.17.1065:
2024-05-19 09:33:11.941 -07:00 [INF] Software version 2.1.17.1065 (release, pluggable, standalone, 64-bit) started
I haven't tried going back to that version and trying again, but I probably should. Until there is a flag/option to use the upgraded encryption, it looks like I will need to do some manual work to get the cert to play nice. Thanks for the response / confirming that this looks to be an issue with win-acme issuing pfx certs for services that only support OpenSSL 3+.

@WouterTinus WouterTinus added this to the 2.2.10 milestone Jun 3, 2024

WouterTinus commented Jun 3, 2024

In the next release there will be four possible configuration values for this:

  • "legacy" will mean RC2-40, which works for all versions of Windows and OpenSSL 1.x
  • "aes256" will mean AES-256, which works for Windows 2019+ and all versions of OpenSSL
  • "default" will mean RC2-40 on Windows 2016-, and AES-256 on Windows 2019+ (this will be set for new installs)
  • null (empty/undefined) will be equivalent to "legacy" (this is how pre-existing installs will behave)
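As an added check for the two archive formats distinguished above (legacy RC2-40 versus PBES2/AES-256), here is an example that is not win-acme's or BouncyCastle's code: it walks the DER structure of a .pfx file, collects the OBJECT IDENTIFIERs it finds, and reports which password-based-encryption scheme the archive uses. The sample inputs at the bottom are constructed AlgorithmIdentifier fragments, not real certificates; the OIDs are the standard PKCS#5/PKCS#12 ones.

```python
# Added example (not win-acme or BouncyCastle code): scan a PKCS#12 (.pfx) DER blob for the
# password-based-encryption OIDs it uses, to tell a legacy RC2-40 archive from a PBES2/AES-256 one.
OID_NAMES = {
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",  # legacy; OpenSSL 3 rejects it by default
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def _tlv(data, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated element")
    return tag, pos, pos + length
def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def iter_oids(data):
    pos = 0
    while pos < len(data):
        tag, start, end = _tlv(data, pos)
        if tag == 0x06:
            yield decode_oid(data[start:end])
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend
            yield from iter_oids(data[start:end])
        elif tag == 0x04:  # OCTET STRING: PKCS#12 nests DER inside these
            try:
                yield from list(iter_oids(data[start:end]))
            except (ValueError, IndexError):
                pass  # opaque octets (salt, IV, ciphertext), not DER
        pos = end
def classify_pfx(der):
    found = {OID_NAMES[o] for o in iter_oids(der) if o in OID_NAMES}
    verdict = ("legacy" if "pbeWithSHA1And40BitRC2-CBC" in found
               else "aes256" if {"PBES2", "aes256-CBC"} <= found else "unknown")
    return {"algorithms": sorted(found), "verdict": verdict}

def _der(tag, body): return bytes([tag, len(body)]) + body  # builds the constructed samples below
RC2_40 = b"\x06\x0a\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06"
PBES2 = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d"
AES256 = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2a"
SALT, IV, ITER = _der(0x04, b"\xff" * 8), _der(0x04, b"\xff" * 16), b"\x02\x02\x08\x00"
LEGACY_SAMPLE = _der(0x04, _der(0x30, RC2_40 + _der(0x30, SALT + ITER)))
MODERN_SAMPLE = _der(0x04, _der(0x30, PBES2 + _der(0x30, _der(0x30, SALT + ITER) + _der(0x30, AES256 + IV))))
```

Running `classify_pfx(open("cert.pfx", "rb").read())` on a real archive gives the same answer as `openssl pkcs12 -info -noout -in cert.pfx`, which prints the PBE algorithm of each encrypted part; on OpenSSL 3 the RC2-40 form only loads with `-legacy` and the legacy provider available.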
