I am currently evaluating SSL and Let's Encrypt with Ignition running as Edge within a Docker container. A separate container is responsible for running certbot and converting the Let's Encrypt certificates to PKCS12 format.
openssl pkcs12 -export -out ssl.pfx -inkey privkey.pem -in fullchain.pem -name ignition -passout pass:ignition
Based on my understanding so far, as long as the keystore password is set to 'ignition' without the quotes, and the file is placed in /usr/local/bin/ignition/data/local/ssl.pfx, I should be able to enable SSL on a fresh installation and load the keystore automatically during startup, or by running $IGNITION/gwcmd.sh --reloadks
However, I am getting some issues within the JVM:
| jvm 1 | 2023/01/17 18:41:47 | java.io.IOException: keystore password was incorrect
Password is verified on a 3rd party device, and also by testing import into a Windows computer.
I've found that if you're getting that error (versus something indicating wrong keystore format), it typically is truly an invalid keystore password. Out of curiosity, what do you get from the following (where forum-68689 is replaced with the name of your target container)?
docker exec -it forum-68689 sh -c "ls -la data/local/ && ls -la webserver/ && keytool -list -storepass ignition -keystore data/local/ssl.pfx"
From one of my test benches (where I have a test CA and I generate PKCS12 keystores for Ignition), it looks like the following:
drwxr-xr-x 1 root root 4096 Jan 17 16:55 .
drwxr-xr-x 1 root root 4096 Jan 17 16:56 ..
drwxr-xr-x 4 root root 4096 Jan 17 16:55 auth-tokens
-rw-r--r-- 1 root root 3199 Jan 17 16:55 metro-keystore
-rw-r--r-- 1 root root 6382 Jan 17 16:53 ssl.pfx
drwxr-xr-x 1 root root 4096 Jan 12 10:48 .
drwxr-xr-x 1 root root 4096 Jan 17 16:55 ..
lrwxrwxrwx 1 root root 42 Jan 12 10:48 csr.pfx -> /usr/local/bin/ignition/data/local/csr.pfx
lrwxrwxrwx 1 root root 49 Jan 12 10:48 metro-keystore -> /usr/local/bin/ignition/data/local/metro-keystore
lrwxrwxrwx 1 root root 42 Jan 12 10:48 ssl.pfx -> /usr/local/bin/ignition/data/local/ssl.pfx
drwxr-xr-x 4 root root 4096 Jan 12 10:47 webapps
-rw-r--r-- 1 root root 25232 Jan 12 10:45 webdefault.xml
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
ignition, Jan 17, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): BF:78:08:01:36:2D:6B:3D:90:F9:17:C2:F7:C3:28:71:F7:5B:FA:45:FB:31:DD:79:AC:67:C4:BC:30:52:C3:95
<ignition> #2 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
I might actually be hitting a bug in the JDK and its compatibility with OpenSSL.
OpenSSL 3.0.x defaults to PBKDF2 with HmacSHA256 for PKCS12 (which earlier OpenSSL didn't) and in some Java versions the standard provider mishandles this scheme, causing it to fail to decrypt the encrypted key and cert.
OpenSSL 3.0 with the -legacy flag works, and the pkcs12 imports fine in the Ignition container. But I am not able to create a bundle with OpenSSL 1.x that can successfully be imported in the Ignition container.
I'll work around it for now with a custom certbot container based on Ubuntu 22.04 and use the -legacy flag rather than the official certbot/certbot image, or by placing this inside the Ignition image.
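Added example (not from this thread, certbot or Inductive Automation): a POSIX shell script that pins the pre-3.0 PBE and MAC algorithms on the export explicitly instead of using -legacy, so one command behaves the same on OpenSSL 1.1.x and 3.x without the legacy provider and without the RC2-40 certificate encryption that -legacy falls back to, and that checks the keystore password and the schemes a .pfx actually uses. It assumes openssl is on PATH and generates a throwaway self-signed key and certificate in place of the certbot files.

```shell
#!/bin/sh
# Added example: export a Java-readable PKCS#12 from OpenSSL 3.x without -legacy.
# Pinning the PBE and MAC algorithms avoids the OpenSSL 3 default
# (PBES2 / PBKDF2-HMAC-SHA256 / AES-256-CBC) that some Java versions reject,
# and avoids the RC2-40 certificate encryption that -legacy falls back to.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway key and certificate standing in for privkey.pem and
# fullchain.pem from certbot (assumption: openssl 1.1.x or 3.x is on PATH).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ignition-test" \
  -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null

# Export with the algorithms OpenSSL 1.x used for the private key (SHA-1/3DES
# PBE, SHA-1 MAC), applied to the certificate bag as well so no RC2 is needed.
# Usage: make_compat_pfx OUT.pfx PASSWORD
make_compat_pfx() {
  openssl pkcs12 -export -out "$1" -name ignition -passout "pass:$2" \
    -inkey "$WORK/privkey.pem" -in "$WORK/fullchain.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Verify the keystore password by checking the PKCS#12 MAC; nothing is written.
# Exit status 0 means the password is right, non-zero means "Mac verify error".
# Usage: pfx_password_ok FILE.pfx PASSWORD
pfx_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Print the MAC and PBE schemes a .pfx actually uses (the -info report goes to
# stderr). An OpenSSL 3 default export shows "PBES2, PBKDF2, AES-256-CBC ...
# PRF hmacWithSHA256"; the pinned export shows pbeWithSHA1And3-KeyTripleDES-CBC.
# Usage: pfx_algorithms FILE.pfx PASSWORD
pfx_algorithms() {
  openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 \
    | grep -iE 'MAC|Encrypted data|Keybag'
}

make_compat_pfx "$WORK/ssl.pfx" ignition
pfx_password_ok "$WORK/ssl.pfx" ignition
echo "keystore password verified"
pfx_algorithms "$WORK/ssl.pfx" ignition
```

The same pfx_algorithms check run against a keystore produced by a plain OpenSSL 3.x export will show the PBES2/PBKDF2 scheme, which is the quickest way to tell which of the two formats a container actually received.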