|
Author | letsencrypt pfx raises exception |
Bryn Lewis 2024-02-21 09:08:08 Registered user |
I have a web server built with delphi xe8 and realthinclient components.
I use streamsecII components to manage the slsl/tls connections. create a pfx from a fullchain and privkey pem created with letsencrypt (certbot). Load the pfx into a TsmSimpleTLSInternalServer: smSimpleTLSInternalServer1.ImportFromPFX(path+'ServerLE.pfx',PW); //this causes an exception: smSimpleTLSInternalServer1.TLSSetupServer However, I get this exception: 'smSimpleTLSInternalServer1StreamSecII.TLSSetupServer: All signatures schemes are disabled.'. -This process has been working in multiple projects on different servers, but its failing on a particular server. The certbot installation has been upgraded to latest version. -----BEGIN CERTIFICATE----- MIIE+DCCA+CgAwIBAgISA8dtPP0M01IdcZqXzp2V3fqUMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yNDAyMjEwODAyNThaFw0yNDA1MjEwODAyNTdaMCExHzAdBgNVBAMT FnRlc3QtcHNzLmFoYWRzcy5jb20uYXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC6glxj0lyaj6VSnQw8Jy3jA17CXGHMJIlLSr6ijL91AMcCuPo4hsf1 Xrm506Ujbfu8JGXW5BgU105FJPRWDjeqLlANExdOMnWqzhu27VM6uQeFLGMh3STH 6/UKweaiu+5vy5koJNPwwsUS1M06eBb2sCzQLqkHXkysjX2fxEDwLcC0Lprwjioe 5nnhf6cutDLKA87cOgnESdJsQSYpVhAVKjClaEPxkixOspuA29LKgV5+CCTKqk2V Rz4woWQIIprZnXAcpv+hZPj+5XFHtRYSpPfFmJlvhv7mgbcN/mjCoPlO6ecnTCDB WL5lJLzTndEfiw8HCQXTqZf7WkIyH8n1AgMBAAGjggIXMIICEzAOBgNVHQ8BAf8E BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC MAAwHQYDVR0OBBYEFLa0EkIWFAmu4oAHr9BW1//LEiORMB8GA1UdIwQYMBaAFBQu sxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYV aHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5s ZW5jci5vcmcvMCEGA1UdEQQaMBiCFnRlc3QtcHNzLmFoYWRzcy5jb20uYXUwEwYD VR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgBIsONr 2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY3K52JzAAAEAwBHMEUCIQDs 0gU7pwSqjXPKPyG1C/kJsls0UeM2EGPSy2B0ikRlOwIgSmfkqBYw05Tf01hhOxNL Q3XW09HrxhsJ4Pv6s52wReIAdQA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv 4frUFwAAAY3K52RoAAAEAwBGMEQCIEtsp1CVoeEpxYn/w47aUpJhHc7gxreGw731 fCRmnWJXAiBDhDKnW9wQUbrqPg3mlDayJX6AwvkVvGQOKXWP4jlbPDANBgkqhkiG 9w0BAQsFAAOCAQEAOXEezKSUcDbwGoXcJ4Z5WP0+/lXIHttUZjes0nweV+1fd0Mw 1yau2rgN0/T3wMo/78EYUB9o1UIDzKItt+4tS5CphvSJxtmFiAn11M4sh/TPqK7r f92Sy0agXt1fdh8/scIy6/XCVo8zw6mQDb67SzHgMtvDVte8BwtT4iArcNQHzEko 1Gozp3yO6iKcLZfjDLECgOVDe9FbY3jcqcaq+9FseEQ87PUurleFt33yPMouuW3C Ya1+9QuDEMPlHuNGcDmOUTs6b7QgudGVSelOPm0FDyANz+cN/rDspe/CpQMSnSrs tflg8qO5bjH2fSvd9giAEa+Vp3R/hw+nJEKUtg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX nLRbwHOoq7hHwg== -----END CERTIFICATE----- |
Henrick Wibell Hellström 2024-02-21 11:14:56 Registered user |
The exception 'smSimpleTLSInternalServer1StreamSecII.TLSSetupServer: All signatures schemes are disabled.'indicates that the component doesn't have any valid server certificate with a corresponding private key. If you get this exception for only one specific pfx file, but usually not for all other pfx files, it typically means one of four things:
1. The current date might fall outside the notBefore and notAfter dates of the validity field of the server certificate. Often this could be because the certificate is expired, but since you are located in Australia, it might be worth mentioning that incorrect handling of the offset from GMT parameter might lead to the same effect in the first few hours after the certificate was issued. 2. The server certificate might be issued by a certificate authority that the component doesn't recognize. The easiest way to fix this is typically to load the corresponding root certificate. Please note that the CA certificate you pasted above is an intermediary CA certificate, and not a root certificate. If you load the certificate at run time, you could use the OnCertNotTrusted event to probe for this eventuality. 3. Sometimes the certificate might contain unrecognized features. That doesn't appear to be the case here, but some issues of this kind might be detected if you implement the OnCertNotAccepted event. 4. Sometimes there might be an issue with the private key, such as an formatting error or an unsupported feature. You didn't include the private key, so I couldn't test for this. (You could also send me a pfx file through a private channel, but please make sure to include the passphrase. Otherwise I will be unable to open it.) Since this a Let's Encrypt certificate, I presume you have already generated a new certificate for the affected host. Do I understand correctly that the issue only affected the particular certificate you have posted here, but not the new one you generated for the same host? In case the issue persists, does the private key stay the same across certificates? If yes, is there a way to make sure a new private key is generated? |
Bryn Lewis 2024-02-21 12:29:50 Registered user |
1. seems unlikely because certbot is run on the same server (but I'll try in 24 hours)
2. Yes, OnCertNotTrusted is triggered on importfrompfx I tried this: smSimpleTLSInternalServer1.LoadRootCertsFromFile(global.APP_PATH+'root.pem'); -with the root below, but same result. 3. I will try this 4. I will send the privkey direct I have removed LE and certbot and regnerated certificates on the host, with the same result. But anyway, certbot creates a new private key by default. root: -----BEGIN CERTIFICATE----- MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 -----END CERTIFICATE----- |
Henrick Wibell Hellström 2024-02-21 20:29:31 Registered user |
I did a rudimentary test with the PFX you sent privately. I did not get any exception. Please go through the check list above. In worst case, things such as unrelated memory leaks or buffer overwrites elsewhere in your code might affect the performance of these methods.
var lPWd: iSecretKey; begin if OpenDialog1.Execute then begin lPWd := TSecretKey.CreateBMPStr('replaced for privacy reasons',4); SimpleTLSInternalServer1.ImportFromPFX(OpenDialog1.FileName,lPwd); SimpleTLSInternalServer1.MyCertList.Add; if SimpleTLSInternalServer1.MyCertList.Count = 0 then Memo1.Text := 'No private cert' else begin if SimpleTLSInternalServer1.PublicKeyAlgorithms = [] then raise Exception.Create('Error Message'); SimpleTLSInternalServer1.TLSSetupServer; end; end; end; |
Henrick Wibell Hellström 2024-02-22 06:33:59 Registered user |
Another thing, which I suppose you are already aware of, but in case you aren't: After importing a PFX the component will trigger an internal HandleCipherSuitesChange event, and disable any TLSOptions that start with KeyAgreement or DigitialSignature that aren't compatible with the key type of the private key that was just imported. This might affect your testing, unless you restart your program before attempting to import a new certificate, or make sure to set all TLSOptions in run time code, before calling TLSSetupServer the next time.
|
Bryn Lewis 2024-02-22 07:36:41 Registered user |
That code raises and exception for me. I am using strsecII220. I tried to upgrade but I couldn't add the new version - I got an 'package already present' error. I will have to investigate further.
|
Henrick Wibell Hellström 2024-02-22 09:10:13 Registered user |
The lib suffix 220 indicates Delphi XE8. You are likely to at least have some release of StrSecII v2.3, since there were no StrSecII220.dpk files in the last release of StrSecII v2.2.
The best way to install a newer release, is to first remove the design time DStrSecII220 package, followed by the StrSecII220 package, using the Component|Install Packages dialog in the IDE. If you have also installed any CertMgr package or any Indy package (DSsTLSIndy10D22 and SsTLSIndy10D22) those should also be removed (before removing StrSecII220) and reinstalled. ...but, it should be noted, you really only have to reinstalled the packages in the IDE if there have been any changes to published component properties (and there probably haven't), or if you compile with run time packages. The important thing is that you compile your own projects with updated source code. |
Bryn Lewis 2024-02-23 04:52:01 Registered user |
I've tried the above code you provided, using StrSecIV220, with the same results I had before.
After loading the pfx, this is true: smSimpleTLSInternalServer1.PublicKeyAlgorithms = [] smSimpleTLSInternalServer1.TLSSetupServer; //raises an exception I can't get the code to work on any pem files created with certbot, on multiple servers, despite having done this for at least 3-4 years before now. I've also tried creating the pfx with openssl, with the same result. It is working on purchased pfx files. |
Henrick Wibell Hellström 2024-02-23 07:51:06 Registered user |
If you have recompiled your project, with the source code of the latest release of StrSecII (archive ST_2.3.1.278.zip), and still get that error, with a pfx file identical to the one you sent to me, then there has to be a problem with how you set the Options properties, implement the events, or something else related to how you use the components. Do you think you could put together a small project that just imports the PFX and results in the errors you describe? This is just to find whatever small detail causes the issue on your side.
|
Henrick Wibell Hellström 2024-02-23 09:05:06 Registered user |
BTW, ST 4.0 OTOH, currently does have an issue with Let's Encrypt certificates, since they do not use a standard method for generating the SubjectKeyIdentifier extension. This will be addressed in the next release of ST 4.0, but has not been an issue in ST 2.x for many years.
|
Bryn Lewis 2024-02-25 23:34:39 Registered user |
I have been using ST4 in projects, with LE, for a while without issue. I don't understand why a problem has suddenly arisen, as the only change is generating new certificates - which makes me think LE/certbot is doing something different.
Are there any workarounds for the problem with the SubjectKeyIdentifier extension, or when will the fix for ST4 be available? |
Henrick Wibell Hellström 2024-02-26 09:47:57 Registered user |
I guess LE/Certbot must have changed the method for generating the value of the SubjectKeyIdentifier extension of the certificate. Relevant parts of ST 4.0 have relied on certificates to use the method that is endorsed in the PKIX RFC 5280. Most CAs do use this method, and it is not impossible that the LE/Certbot combo has used it in the past, but changed recently. There is a simple work around, and it has long been implemented in ST 2.x, but unfortunately it is less efficient, so I have avoided adding it to ST 4.0.
If you make sure you have the latest ST 4.0 source code, I will upload an update shortly. |
Bryn Lewis 2024-02-26 11:22:47 Registered user |
Things have now got worse - I may have broken something in my Delphi component setup.
On a production server I am loading a purchased ssl cert and it is loading OK and it is serving GET requests fine. However, it is not allowing POST requests. I didn't pick this up in dev because I have an exception on the security alerts for localhost. This is for StrSecIV220 There may be 2 issues - the LE/certbot and the StrSecIV220 setup, but it is hard to separate them. |
Henrick Wibell Hellström 2024-02-26 12:29:19 Registered user |
Do you mean the trial dcu/bpl/dcp files? They are not meant to be used indefinitely in production environments. If you are using those, uninstall them and use the licensed source code for ST 4.0 instead. If you are building your project with run time packages, use packages you compile yourself and deploy them to the same folder as the exe. Let your installer emit a warning if it discovers other copies of the same package on the path.
|