PFX from Letsencrypt, keystore password incorrect

I am currently evaluating SSL and Let's Encrypt with Ignition running as Edge within a Docker container. A separate container is responsible for running certbot and converting the Let's Encrypt certificates to PKCS12 format.

openssl pkcs12 -export -out ssl.pfx -inkey privkey.pem -in fullchain.pem -name ignition -passout pass:ignition

Based on my understanding so far, as long as the keystore password is set to 'ignition' (without the quotes) and the file is placed at /usr/local/bin/ignition/data/local/ssl.pfx, I should be able to enable SSL on a fresh installation and load the keystore automatically during startup, or by running $IGNITION/ --reloadks

However, I am getting some issues within the JVM:
| jvm 1 | 2023/01/17 18:41:47 | keystore password was incorrect

The password is verified on a 3rd-party device, and also by testing an import into a Windows computer.

I've found that if you're getting that error (versus something indicating wrong keystore format), it typically is truly an invalid keystore password. Out of curiosity, what do you get from the following (where forum-68689 is replaced with the name of your target container)?

docker exec -it forum-68689 sh -c "ls -la data/local/ && ls -la webserver/ && keytool -list -storepass ignition -keystore data/local/ssl.pfx"

From one of my test benches (where I have a test CA and I generate PKCS12 keystores for Ignition), it looks like the following:

total 28
drwxr-xr-x 1 root root 4096 Jan 17 16:55 .
drwxr-xr-x 1 root root 4096 Jan 17 16:56 ..
drwxr-xr-x 4 root root 4096 Jan 17 16:55 auth-tokens
-rw-r--r-- 1 root root 3199 Jan 17 16:55 metro-keystore
-rw-r--r-- 1 root root 6382 Jan 17 16:53 ssl.pfx
total 44
drwxr-xr-x 1 root root  4096 Jan 12 10:48 .
drwxr-xr-x 1 root root  4096 Jan 17 16:55 ..
lrwxrwxrwx 1 root root    42 Jan 12 10:48 csr.pfx -> /usr/local/bin/ignition/data/local/csr.pfx
lrwxrwxrwx 1 root root    49 Jan 12 10:48 metro-keystore -> /usr/local/bin/ignition/data/local/metro-keystore
lrwxrwxrwx 1 root root    42 Jan 12 10:48 ssl.pfx -> /usr/local/bin/ignition/data/local/ssl.pfx
drwxr-xr-x 4 root root  4096 Jan 12 10:47 webapps
-rw-r--r-- 1 root root 25232 Jan 12 10:45 webdefault.xml
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

ignition, Jan 17, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): BF:78:08:01:36:2D:6B:3D:90:F9:17:C2:F7:C3:28:71:F7:5B:FA:45:FB:31:DD:79:AC:67:C4:BC:30:52:C3:95

<ignition> #2 of 2 uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

I might actually be hitting a bug in the JDK and its compatibility with OpenSSL.

OpenSSL 3.0.x defaults to PBKDF2 with HmacSHA256 for PKCS12 (which earlier OpenSSL didn't) and in some Java versions the standard provider mishandles this scheme, causing it to fail to decrypt the encrypted key and cert.

OpenSSL 3.0 with the -legacy flag works, and the PKCS12 imports fine in the Ignition container. But I am not able to create a bundle with OpenSSL 1.x that can successfully be imported into the Ignition container.

I'll work around it for now with a custom certbot container based on Ubuntu 22.04 that uses the -legacy flag, rather than the official certbot/certbot image, or by placing this inside the Ignition image.
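The thread ends on "-legacy works, the default does not", but the keytool error "keystore password was incorrect" never says which PBE scheme the file actually uses. The Python script below is an added example (not code from this thread, from Inductive Automation or from OpenSSL): it reads a .pfx and reports the algorithm OIDs it carries, so you can tell an OpenSSL 3 default bundle (PBES2 with PBKDF2/HMAC-SHA256 and AES-256-CBC, SHA-256 MAC) from a -legacy or OpenSSL 1.x one (RC2-40 / 3DES with SHA-1) before handing it to Ignition. It needs no OpenSSL or third-party library: it walks the DER structure, and while the key and certificate payloads are encrypted, the AlgorithmIdentifiers saying how they were encrypted are always in the clear. The OID table and the "pbes2"/"legacy" labels are my own; the PFX built by build_sample_pfx() is a constructed skeleton with dummy salt, IV and ciphertext, laid out the way I assume `openssl pkcs12 -export` lays a file out, not a real certificate.

```python
"""Report which password-based-encryption schemes a PKCS#12 (.pfx) file carries.
Walks the DER, descending into the OCTET STRINGs that PKCS#12 nests its SafeContents in,
and lists every OBJECT IDENTIFIER in the clear: payloads are encrypted, AlgorithmIdentifiers
are not.  classify_pfx(open("ssl.pfx", "rb").read()) is the entry point for a real file."""

PBES2 = "1.2.840.113549.1.5.13"          # OpenSSL 3 default: PBKDF2 + AES-256-CBC
RC2_40 = "1.2.840.113549.1.12.1.6"       # -legacy / OpenSSL 1.x cert safe
DES3 = "1.2.840.113549.1.12.1.3"         # -legacy / OpenSSL 1.x key bag
OID_NAMES = {                            # table written for this example (assumption)
    PBES2: "PBES2", RC2_40: "pbeWithSHA1And40BitRC2-CBC", DES3: "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.12": "PBKDF2", "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC", "2.16.840.1.101.3.4.2.1": "sha256",
    "1.3.14.3.2.26": "sha1", "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.6": "encryptedData", "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",
}

def _tlv(buf, pos):
    """One DER tag/length header -> (tag, content_start, content_end)."""
    if pos + 1 >= len(buf) or buf[pos] & 0x1F == 0x1F or buf[pos + 1] == 0x80:
        raise ValueError("not definite-length DER at offset %d" % pos)
    n = 0 if buf[pos + 1] < 0x80 else buf[pos + 1] & 0x7F
    length = buf[pos + 1] if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if pos + 2 + n + length > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    return buf[pos], pos + 2 + n, pos + 2 + n + length

def _decode_oid(content):                   # OID content octets -> dotted string
    arcs = [content[0] // 40, content[0] % 40] if content[0] < 80 else [2, content[0] - 80]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def collect_oids(buf, pos=0, end=None, found=None):
    """Every OID reachable in DER, including inside DER-encoded OCTET STRING bodies."""
    end = len(buf) if end is None else end
    found = [] if found is None else found
    while pos < end:
        tag, start, stop = _tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(buf[start:stop]))
        elif tag & 0x20:                       # constructed: SEQUENCE, SET, [n] EXPLICIT
            collect_oids(buf, start, stop, found)
        elif tag == 0x04 and buf[start:start + 1] == b"\x30":
            mark = len(found)                  # a salt/IV/digest that merely starts with 0x30
            try:                               # fails to parse: roll back whatever it added
                collect_oids(buf[start:stop], 0, None, found)
            except (ValueError, IndexError):
                del found[mark:]
        pos = stop
    return found

def classify_pfx(pfx_bytes):
    """{'scheme': 'pbes2' | 'legacy' | 'unknown', 'algorithms': [...]} for a PFX blob."""
    oids = collect_oids(pfx_bytes)
    if PBES2 in oids:
        scheme = "pbes2"        # needs a JDK whose PKCS12 reader understands PBES2
    elif RC2_40 in oids or DES3 in oids:
        scheme = "legacy"       # what `openssl pkcs12 -export -legacy` (or 1.x) produces
    else:
        scheme = "unknown"
    return {"scheme": scheme, "algorithms": [OID_NAMES.get(o, o) for o in oids]}

def _der(tag, body):                         # minimal DER encoder for the constructed sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):                            # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _der(0x06, bytes(out))

def build_sample_pfx(legacy=False):
    """Constructed sample: PFX skeleton with dummy salt/IV/ciphertext, no real certificate."""
    seq = lambda *p: _der(0x30, b"".join(p))
    octets = lambda b: _der(0x04, b)
    integer = lambda n: _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
    null, salt, iv = _der(0x05, b""), b"\x11" * 8, b"\x22" * 16
    if legacy:   # -legacy: RC2-40 over the cert safe, SHA-1 MAC
        alg, mac_oid = seq(_oid(RC2_40), seq(octets(salt), integer(2048))), "1.3.14.3.2.26"
    else:        # OpenSSL 3 default: PBES2 { PBKDF2(hmacWithSHA256), AES-256-CBC }, SHA-256 MAC
        kdf = seq(_oid("1.2.840.113549.1.5.12"),
                  seq(octets(salt), integer(2048), seq(_oid("1.2.840.113549.2.9"), null)))
        alg = seq(_oid(PBES2), seq(kdf, seq(_oid("2.16.840.1.101.3.4.1.42"), octets(iv))))
        mac_oid = "2.16.840.1.101.3.4.2.1"
    enc_info = seq(_oid("1.2.840.113549.1.7.1"), alg, _der(0x80, b"\x00" * 32))  # [0] ciphertext
    enc_data = seq(_oid("1.2.840.113549.1.7.6"), _der(0xA0, seq(integer(0), enc_info)))
    content = seq(_oid("1.2.840.113549.1.7.1"), _der(0xA0, octets(seq(enc_data))))
    mac = seq(seq(seq(_oid(mac_oid), null), octets(b"\x00" * 20)), octets(salt), integer(2048))
    return seq(integer(3), content, mac)
```

Inside the container, `classify_pfx(open("data/local/ssl.pfx", "rb").read())` tells you in one look whether the file Ignition refused is a "pbes2" bundle; a "legacy" result with the same password error points somewhere other than the OpenSSL 3 default change. If you would rather not depend on OpenSSL's legacy provider at all, `openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 ...` selects the old 3DES scheme, which the default OpenSSL 3 provider still implements (RC2-40 is the part that needs -legacy), and the script reports such a file as "legacy" too.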