Step to generate .p12 files fails with "unknown option '-legacy'" in openssl pkcs12 call

Open DaveCole opened this issue 10 months ago • 3 comments

Describe the bug

In the near-last step to generate .p12 files, the following call fails:

openssl pkcs12 -legacy -in certs/phone.crt -inkey private/phone.key -export -name phone -out private/phone.p12 -passout pass:"<redacted>"

With the following error: unknown option '-legacy'

To Reproduce

Run on ./algo with default settings on Mac OS 15.2 Sequoia -> Digital Ocean

Feb 02 '25 21:02 DaveCole

I can't reproduce on 15.2

Feb 04 '25 02:02 jackivanov

Hmm. The only additional info I can think to provide was that this was on the Toronto server for Digital Ocean. Not sure it matters but I also updated locally to the most recent stable version of Python & PIP. I also tweaked the config to set unattended_reboot.enabled: true and changed the users to phone, laptop, and ipad

Feb 04 '25 18:02 DaveCole

Had the same issue. Seems that this is not related to the OS version but rather the openssl version. I guess in some cases it is not detected correctly, causing the extra -legacy param to appear.

WORKAROUND: simply removing two {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }} lines from roles/strongswan/tasks/openssl.yml did the trick.

Apr 02 '25 19:04 demidovsky

Hi @WantClue,

Thank you for reporting this OpenSSL compatibility issue. The error "unknown option '-legacy'" indicates you're using an older version of OpenSSL that doesn't support the -legacy flag.

This flag was added in OpenSSL 3.0 to maintain compatibility with legacy formats. Your system appears to have an older OpenSSL version.

To resolve this:

  1. Check your OpenSSL version: openssl version
  2. If it's older than 3.0, you have two options:
    • Update OpenSSL to version 3.0 or newer
    • Use an older version of Algo that's compatible with your OpenSSL version

For Ubuntu/Debian:

sudo apt update
sudo apt install openssl

For macOS with Homebrew:

brew update
brew upgrade openssl

Since this is an environment-specific OpenSSL version issue, I'm closing this. If you continue to have problems after updating OpenSSL, please open a new issue with your OpenSSL version details.

Thank you for using Algo!

Aug 03 '25 06:08 dguido
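
An added example, not part of the thread or of Algo's own code: a shell check for the detection problem demidovsky describes, emitting `-legacy` only when `openssl version` names OpenSSL itself at major version 3 or later. It assumes the mismatch comes from a non-OpenSSL build such as LibreSSL, whose 3.x version number passes a plain `>= 3` comparison; `legacy_flag_for` and `pkcs12_supports_legacy` are hypothetical names, and the version strings are constructed samples.

```shell
#!/bin/sh
# Added example (not Algo's code): decide whether `openssl pkcs12` gets -legacy.

# legacy_flag_for "<output of `openssl version`>"
# Prints "-legacy" only for genuine OpenSSL with major version >= 3.
legacy_flag_for() {
    ver_line=$1
    impl=${ver_line%% *}      # first word: implementation name
    rest=${ver_line#* }       # everything after the first space
    ver=${rest%% *}           # second word: version string
    major=${ver%%.*}          # digits before the first dot

    case $impl in
        OpenSSL) ;;
        *) return 0 ;;        # LibreSSL or unknown build: never pass -legacy
    esac
    case $major in
        ''|*[!0-9]*) return 0 ;;   # unparsable version: stay conservative
    esac
    if [ "$major" -ge 3 ]; then
        printf '%s\n' "-legacy"
    fi
}

# Alternative: ask the installed binary instead of parsing version strings.
# Assumption: builds that accept -legacy list it in `openssl pkcs12 -help`.
pkcs12_supports_legacy() {
    openssl pkcs12 -help 2>&1 | grep -q -e '-legacy'
}

# Constructed sample outputs of `openssl version`.
for v in 'OpenSSL 3.0.13 30 Jan 2024' 'OpenSSL 1.1.1w  11 Sep 2023' 'LibreSSL 3.3.6'; do
    printf '%-30s -> [%s]\n' "$v" "$(legacy_flag_for "$v")"
done
```

Against a real installation, call it as `legacy_flag_for "$(openssl version)"` and pass the result, unquoted, to `openssl pkcs12`.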