MQTT with client certificate: Outdated docs
Background: I run my own mosquitto server with a self-generated CA, and a client certificate on the iPhone. After I had to update certs because the old ones expired, I can no longer get it to work, even though I followed the same procedure as before. Specifically, the error I am getting is incorrect file or passphrase when I try importing the .otrp file.
The doc page TLS client → iOS is clearly out of date. It makes reference to the button Use Custom Security Policy, which does not exist anymore. And yet, it states
Note: on iOS self-signed certificates require Custom Security Policy to be set.
Failing that, what is the current procedure for getting the setup I want to work? And what, exactly, are the types of errors that will lead to the incorrect file or passphrase message?
In case it matters, I run OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022). Generated keys are 2048 bit RSA, reused from earlier. The generated certs work just fine with mosquitto_sub and mosquitto_pub. It's just the owntracks app that won't behave. And yes, I have remembered to install the new CA cert on the phone.
What is the validity period of your self-signed CA certificate? Apple's rules became quite tight on this.
What is the validity period of your self-signed CA certificate?
820 days. And 365 days for the server and client certs. But actually, that page is about server certificates, not CA ones. (I might have gotten away with 820 days for all of them, perhaps even more for the CA.)
PS. I answered this an hour or more ago, but the answer seems to have been lost. Did github lose it, or did I do something wrong? This time, I am keeping a copy.
Failing that, what is the current procedure for getting the setup I want to work? And what, exactly, are the types of errors that will lead to the incorrect file or passphrase message?
The instructions are still valid:
- create a .p12 file
- rename it to .otrp
- transfer it to the iPhone and open it with the OwnTracks app
- then select the file in the TLS subscreen
- enter the passphrase
The error message appears if the file is not correct or the passphrase does not match the .p12's password.
Okay. I generated it with
openssl pkcs12 -export -in client.crt -inkey client.key -name 'some text' -out client.otrp
(avoiding the renaming step) giving an empty password when prompted, and installed it following the instructions. So when the error message appears, it must mean that something is wrong either with client.crt or client.key? Although those files work fine with mosquitto_sub and mosquitto_pub.
So if I understand you correctly, this error message would not occur as a result of, say, the server cert not being up to par, or any problem with the CA cert? That narrows down the search for the cause a bit. But it still leaves me scratching my head.
It does not work with an empty password
Hmm, if I can believe my notes, it worked with an empty password last time I updated the certs. But never mind, I tried with a nonempty password, and got the same result.
I realized that I should give a more accurate account of the events: When I send the .otrp file to owntracks, it reports that it processed it successfully. I suppose that just means it stored it. The error occurs when I try to configure the file and set the import password. The exact message is TLS Client Certificate / incorrect file or passphrase.
But yet, if I run openssl pkcs12 -info -in client.otrp -noenc and give it the import password when prompted, it prints out everything, not indicating any problem with the file. I can also see that the embedded certificate and private key are identical.
But wait, there is more: I see that owntracks is actually trying to connect to the server. From mosquitto.log (IP address elided):
20220811_100548: New connection from ⟨ip⟩ on port 8883.
20220811_100548: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
20220811_100548: Socket error on client <unknown>, disconnecting.
I take this as meaning that client.otrp was correct after all, but it is the certificate chain that is somehow wrong. Which would mean the error message from owntracks has been leading me astray?
I have double-checked that the CA certificate stored in my phone has the same serial number and start/end dates as the certificate used to sign the client and server cert, as well as the CA certificate actually used by the MQTT server.
Perhaps I am running afoul of some other Apple requirement, but so far I have no idea which one.
Not sure what you did with regards to the .otrp file or passphrase. Both are only relevant for client certificates. If your app does not present a client certificate you'll find something like this in mosquitto's log:
1660215342: OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
The error
20220811_100548: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
appears if you installed the CA certificate in iOS but did not activate it in "Settings/About/Certificate Trust Settings".
if you installed the CA certificate in iOS but did not activate it in "Settings/About/Certificate Trust Settings"
Ooh, I had missed that step somehow. (It is Settings→General→About⇒Certificate Trust Settings, by the way.)
But I am not out of the woods yet: My problem remains, with the same symptoms on the phone, but now the server complains “peer did not return a certificate”.
Not sure what you did with regards to the .otrp file or passphrase
As I said earlier, I did
openssl pkcs12 -export -in client.crt -inkey client.key -name 'some text' -out client.otrp
Got prompted for a passphrase, entered it twice. Then I sent client.otrp to the phone by AirDrop, and sent it to the OwnTracks app, which processed it. Then, in the app, I went into Settings, left everything untouched except entered the server hostname and UserID, turned off Authentication, then went into the Proto 4 / TLS info screen, selected the imported .otrp file, and entered the same passphrase I had given to openssl pkcs12 before. This is when it started complaining.
In case it is of any help, I am attaching the resulting config as exported from the app. I only changed the servername for privacy.
I have searched for the place in the code where the error message I encounter is emitted. I found only this one place.
If I understand this correctly, this only happens if the app is unable to extract the client certificate from the p12 file, though it is possible that the code called to do the extraction is doing some extra sanity check. But it should be unrelated to anything happening on the network, or so I imagine.
Am I right about that? (Please bear with me: I am totally unfamiliar with Objective-C.)
The function used is https://developer.apple.com/documentation/security/1396915-secpkcs12import
Please do me a favour: rename "client.otrp" to another name, e.g. "other.otrp", and repeat the step. I am just guessing that the overwrite of the old file with the new content didn't work.
OK, tried the rename trick to no avail. I had the same thought earlier, so it's not the first time I tried it. Also, on earlier attempts, I even went so far as to uninstalling and reinstalling the app. That should certainly blow away any old cruft.
FYI, I have given up on getting to the bottom of why I can't import certificates anymore. While owntracks has been very useful to me for a couple years, it is now much less important to me than it has been, and it's just not worth the time and effort to try to keep it running anymore. So I uninstalled OwnTracks from my phone, and also withdrew from the testflight version.
Close this ticket or keep it open as you see fit; the documentation issue still bears some looking into, I think. But I am outta here (for now – maybe I'll come back later).
In any case, thank you for writing and maintaining owntracks. It is a great gift to the world.
I'd like to add my bits of information and my solution on this topic, as I encountered this as well:
Creating a PKCS12 container via openssl on my Ubuntu machine led to the very same issue with Owntracks stating invalid file. After lots of tries I sent the container as a .p12 file to my iPhone and tried to import it as a generic identity profile. This made iOS throw an error that the entered password was invalid, no matter what I entered.
After a long search I found https://developer.apple.com/forums/thread/697030 which made me try to create the pkcs12 on my mac and voila it works.
I assume the structural changes in PKCS12 mentioned in that thread are the issue. I have no deep enough knowledge of PKCS12 to tell what the difference is and when it was introduced.
For me, creating the PKCS12 on Mac with OpenSSL (LibreSSL 2.8.3) worked, but creating it with OpenSSL 3.0.2 did not work. I found no time yet to test out older OpenSSL versions on Linux.
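Tying the last comment together with the earlier point that the app rejects an empty passphrase: the PKCS12 change behind the Apple forum thread is that OpenSSL 3 switched the pkcs12 export defaults to PBES2/PBKDF2/AES-256-CBC with an HMAC-SHA256 MAC, which Apple's SecPKCS12Import on older iOS releases does not accept, whereas the classic SHA1/3DES scheme still imports. The script below is an added example, not code from OwnTracks or any participant, with hypothetical function names (make_otrp, pkcs12_scheme, demo) of my own: it builds the .otrp with the old algorithms requested explicitly and classifies which scheme an existing container uses.

```shell
#!/bin/sh
# Added helper (hypothetical; not from OwnTracks or any post in the thread).
# OpenSSL 3 exports PKCS12 as PBES2/PBKDF2/AES-256-CBC with an HMAC-SHA256 MAC;
# older iOS only imports the classic SHA1/3DES PBE scheme with a SHA1 MAC, so
# request those algorithms explicitly. (This also avoids OpenSSL 3's -legacy
# flag, which needs the legacy provider because it picks RC2-40 for certs.)
set -eu

# make_otrp client.crt client.key passphrase out.otrp
# The app rejects an empty passphrase, so refuse one up front.
make_otrp() {
  crt=$1; key=$2; pass=$3; out=$4
  [ -n "$pass" ] || { echo "make_otrp: passphrase must not be empty" >&2; return 1; }
  openssl pkcs12 -export -in "$crt" -inkey "$key" -name "owntracks client" \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$pass" -out "$out"
}

# pkcs12_scheme file passphrase -> prints one word:
#   legacy     SHA1/3DES PBE (imports on iOS)
#   pbes2      OpenSSL 3 defaults (older iOS: "incorrect file or passphrase")
#   unreadable wrong passphrase or not a PKCS12 file (MAC check failed)
pkcs12_scheme() {
  info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1) \
    || { echo unreadable; return 0; }
  case $info in
    *PBES2*|*AES-256-CBC*) echo pbes2 ;;
    *TripleDES*)           echo legacy ;;
    *)                     echo unknown ;;
  esac
}

# Demo with a throwaway self-signed cert (constructed here, not real credentials).
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-client \
    -keyout "$d/client.key" -out "$d/client.crt" 2>/dev/null
  make_otrp "$d/client.crt" "$d/client.key" secret "$d/client.otrp"
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -passout pass:secret -out "$d/default.p12"   # stock defaults, for comparison
  echo "explicit SHA1/3DES build: $(pkcs12_scheme "$d/client.otrp" secret)"
  echo "stock default build:      $(pkcs12_scheme "$d/default.p12" secret)"
  rm -rf "$d"
}
```

Run `demo` on an OpenSSL 3 box and the stock build reports pbes2 while the explicit build reports legacy; the same pkcs12_scheme check tells you in advance whether a container you already have is likely to be refused by the phone.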