Home 
username password  
Welcome, Guest.
Your IP: 100.28.231.85
2024-11-04 23:52:07 
 Public Support
 letsencrypt pfx raises exception
Bottom
 
Total posts: 14
 Author letsencrypt pfx raises exception
Bryn Lewis

2024-02-21 09:08:08
Registered user
I have a web server built with delphi xe8 and realthinclient components.

I use streamsecII components to manage the slsl/tls connections.

create a pfx from a fullchain and privkey pem created with letsencrypt (certbot).

Load the pfx into a TsmSimpleTLSInternalServer:

smSimpleTLSInternalServer1.ImportFromPFX(path+'ServerLE.pfx',PW);

//this causes an exception:
smSimpleTLSInternalServer1.TLSSetupServer

However, I get this exception:  'smSimpleTLSInternalServer1StreamSecII.TLSSetupServer: All signatures schemes are disabled.'.

-This process has been working in multiple projects on different servers, but its failing on a particular server. The certbot installation has been upgraded to latest version.

-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgISA8dtPP0M01IdcZqXzp2V3fqUMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDAyMjEwODAyNThaFw0yNDA1MjEwODAyNTdaMCExHzAdBgNVBAMT
FnRlc3QtcHNzLmFoYWRzcy5jb20uYXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC6glxj0lyaj6VSnQw8Jy3jA17CXGHMJIlLSr6ijL91AMcCuPo4hsf1
Xrm506Ujbfu8JGXW5BgU105FJPRWDjeqLlANExdOMnWqzhu27VM6uQeFLGMh3STH
6/UKweaiu+5vy5koJNPwwsUS1M06eBb2sCzQLqkHXkysjX2fxEDwLcC0Lprwjioe
5nnhf6cutDLKA87cOgnESdJsQSYpVhAVKjClaEPxkixOspuA29LKgV5+CCTKqk2V
Rz4woWQIIprZnXAcpv+hZPj+5XFHtRYSpPfFmJlvhv7mgbcN/mjCoPlO6ecnTCDB
WL5lJLzTndEfiw8HCQXTqZf7WkIyH8n1AgMBAAGjggIXMIICEzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFLa0EkIWFAmu4oAHr9BW1//LEiORMB8GA1UdIwQYMBaAFBQu
sxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYV
aHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5s
ZW5jci5vcmcvMCEGA1UdEQQaMBiCFnRlc3QtcHNzLmFoYWRzcy5jb20uYXUwEwYD
VR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgBIsONr
2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY3K52JzAAAEAwBHMEUCIQDs
0gU7pwSqjXPKPyG1C/kJsls0UeM2EGPSy2B0ikRlOwIgSmfkqBYw05Tf01hhOxNL
Q3XW09HrxhsJ4Pv6s52wReIAdQA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv
4frUFwAAAY3K52RoAAAEAwBGMEQCIEtsp1CVoeEpxYn/w47aUpJhHc7gxreGw731
fCRmnWJXAiBDhDKnW9wQUbrqPg3mlDayJX6AwvkVvGQOKXWP4jlbPDANBgkqhkiG
9w0BAQsFAAOCAQEAOXEezKSUcDbwGoXcJ4Z5WP0+/lXIHttUZjes0nweV+1fd0Mw
1yau2rgN0/T3wMo/78EYUB9o1UIDzKItt+4tS5CphvSJxtmFiAn11M4sh/TPqK7r
f92Sy0agXt1fdh8/scIy6/XCVo8zw6mQDb67SzHgMtvDVte8BwtT4iArcNQHzEko
1Gozp3yO6iKcLZfjDLECgOVDe9FbY3jcqcaq+9FseEQ87PUurleFt33yPMouuW3C
Ya1+9QuDEMPlHuNGcDmOUTs6b7QgudGVSelOPm0FDyANz+cN/rDspe/CpQMSnSrs
tflg8qO5bjH2fSvd9giAEa+Vp3R/hw+nJEKUtg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
Henrick Wibell Hellström

2024-02-21 11:14:56
Registered user
The exception 'smSimpleTLSInternalServer1StreamSecII.TLSSetupServer: All signatures schemes are disabled.'indicates that the component doesn't have any valid server certificate with a corresponding private key. If you get this exception for only one specific pfx file, but usually not for all other pfx files, it typically means one of four things:

1. The current date might fall outside the notBefore and notAfter dates of the validity field of the server certificate. Often this could be because the certificate is expired, but since you are located in Australia, it might be worth mentioning that incorrect handling of the offset from GMT parameter might lead to the same effect in the first few hours after the certificate was issued.

2. The server certificate might be issued by a certificate authority that the component doesn't recognize. The easiest way to fix this is typically to load the corresponding root certificate. Please note that the CA certificate you pasted above is an intermediary CA certificate, and not a root certificate. If you load the certificate at run time, you could use the OnCertNotTrusted event to probe for this eventuality.

3. Sometimes the certificate might contain unrecognized features. That doesn't appear to be the case here, but some issues of this kind might be detected if you implement the OnCertNotAccepted event.

4. Sometimes there might be an issue with the private key, such as an formatting error or an unsupported feature. You didn't include the private key, so I couldn't test for this. (You could also send me a pfx file through a private channel, but please make sure to include the passphrase. Otherwise I will be unable to open it.)

Since this a Let's Encrypt certificate, I presume you have already generated a new certificate for the affected host. Do I understand correctly that the issue only affected the particular certificate you have posted here, but not the new one you generated for the same host? In case the issue persists, does the private key stay the same across certificates? If yes, is there a way to make sure a new private key is generated?
Bryn Lewis

2024-02-21 12:29:50
Registered user
1. seems unlikely because certbot is run on the same server (but I'll try in 24 hours)

2. Yes, OnCertNotTrusted is triggered on importfrompfx

I tried this:

smSimpleTLSInternalServer1.LoadRootCertsFromFile(global.APP_PATH+'root.pem');

-with the root below, but same result.

3. I will try this

4. I will send the privkey direct

I have removed LE and certbot and regnerated certificates on the host, with the same result. But anyway, certbot creates a new private key by default.

root:
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
Henrick Wibell Hellström

2024-02-21 20:29:31
Registered user
I did a rudimentary test with the PFX you sent privately. I did not get any exception. Please go through the check list above. In worst case, things such as unrelated memory leaks or buffer overwrites elsewhere in your code might affect the performance of these methods.


var
  lPWd: iSecretKey;
begin
  if OpenDialog1.Execute then begin
    lPWd := TSecretKey.CreateBMPStr('replaced for privacy reasons',4);
    SimpleTLSInternalServer1.ImportFromPFX(OpenDialog1.FileName,lPwd);
    SimpleTLSInternalServer1.MyCertList.Add;
    if SimpleTLSInternalServer1.MyCertList.Count = 0 then
      Memo1.Text := 'No private cert'
    else begin
      if SimpleTLSInternalServer1.PublicKeyAlgorithms = [] then
        raise Exception.Create('Error Message');
      SimpleTLSInternalServer1.TLSSetupServer;
    end;
  end;
end;
Henrick Wibell Hellström

2024-02-22 06:33:59
Registered user
Another thing, which I suppose you are already aware of, but in case you aren't: After importing a PFX the component will trigger an internal HandleCipherSuitesChange event, and disable any TLSOptions that start with KeyAgreement or DigitialSignature that aren't compatible with the key type of the private key that was just imported. This might affect your testing, unless you restart your program before attempting to import a new certificate, or make sure to set all TLSOptions in run time code, before calling TLSSetupServer the next time.
Bryn Lewis

2024-02-22 07:36:41
Registered user
That code raises and exception for me. I am using strsecII220. I tried to upgrade but I couldn't add the new version - I got an 'package already present' error. I will have to investigate further.
Henrick Wibell Hellström

2024-02-22 09:10:13
Registered user
The lib suffix 220 indicates Delphi XE8. You are likely to at least have some release of StrSecII v2.3, since there were no StrSecII220.dpk files in the last release of StrSecII v2.2.

The best way to install a newer release, is to first remove the design time DStrSecII220 package, followed by the StrSecII220 package, using the Component|Install Packages dialog in the IDE. If you have also installed any CertMgr package or any Indy package (DSsTLSIndy10D22 and SsTLSIndy10D22) those should also be removed (before removing StrSecII220) and reinstalled.

...but, it should be noted, you really only have to reinstalled the packages in the IDE if there have been any changes to published component properties (and there probably haven't), or if you compile with run time packages. The important thing is that you compile your own projects with updated source code.
Bryn Lewis

2024-02-23 04:52:01
Registered user
I've tried the above code you provided, using StrSecIV220, with the same results I had before.

After loading the pfx, this is true: smSimpleTLSInternalServer1.PublicKeyAlgorithms = []

smSimpleTLSInternalServer1.TLSSetupServer; //raises an exception

I can't get the code to work on any pem files created with certbot, on multiple servers, despite having done this for at least 3-4 years before now. I've also tried creating the pfx with openssl, with the same result.

It is working on purchased pfx files.
Henrick Wibell Hellström

2024-02-23 07:51:06
Registered user
If you have recompiled your project, with the source code of the latest release of StrSecII (archive ST_2.3.1.278.zip), and still get that error, with a pfx file identical to the one you sent to me, then there has to be a problem with how you set the Options properties, implement the events, or something else related to how you use the components. Do you think you could put together a small project that just imports the PFX and results in the errors you describe? This is just to find whatever small detail causes the issue on your side.
Henrick Wibell Hellström

2024-02-23 09:05:06
Registered user
BTW, ST 4.0 OTOH, currently does have an issue with Let's Encrypt certificates, since they do not use a standard method for generating the SubjectKeyIdentifier extension. This will be addressed in the next release of ST 4.0, but has not been an issue in ST 2.x for many years.
Bryn Lewis

2024-02-25 23:34:39
Registered user
I have been using ST4 in projects, with LE, for a while without issue. I don't understand why a problem has suddenly arisen, as the only change is generating new certificates - which makes me think LE/certbot is doing something different.

Are there any workarounds for the problem with the SubjectKeyIdentifier extension, or when will the fix for ST4 be available?
Henrick Wibell Hellström

2024-02-26 09:47:57
Registered user
I guess LE/Certbot must have changed the method for generating the value of the SubjectKeyIdentifier extension of the certificate. Relevant parts of ST 4.0 have relied on certificates to use the method that is endorsed in the PKIX RFC 5280. Most CAs do use this method, and it is not impossible that the LE/Certbot combo has used it in the past, but changed recently. There is a simple work around, and it has long been implemented in ST 2.x, but unfortunately it is less efficient, so I have avoided adding it to ST 4.0.

If you make sure you have the latest ST 4.0 source code, I will upload an update shortly.
Bryn Lewis

2024-02-26 11:22:47
Registered user
Things have now got worse - I may have broken something in my Delphi component setup.

On a production server I am loading a purchased ssl cert and it is loading OK and it is serving GET requests fine. However, it is not allowing POST requests.

I didn't pick this up in dev because I have an exception on the security alerts for localhost.

This is for StrSecIV220

There may be 2 issues - the LE/certbot and the StrSecIV220 setup, but it is hard to separate them.
Henrick Wibell Hellström

2024-02-26 12:29:19
Registered user
Do you mean the trial dcu/bpl/dcp files? They are not meant to be used indefinitely in production environments. If you are using those, uninstall them and use the licensed source code for ST 4.0 instead. If you are building your project with run time packages, use packages you compile yourself and deploy them to the same folder as the exe. Let your installer emit a warning if it discovers other copies of the same package on the path.
Top

:: Written with and Powered by the RealThinClient SDK and StreamSec Tools 4.0::
Copyright (c) Danijel Tkalcec, StreamSec HB