Server-side SSL client certificate can't be loaded #6128
https://owncloud.org/changelog/desktop/#230
Related: #69
I just upgraded my ownCloud client to version 2.3.3 and noticed that SSL client certificate authentication is newly supported, great work thanks! Still I have a small issue, my PKCS#12 client certificate file which includes my private and public client keys has an export password but if I enter this export password into the "Client certificate:" input field of the desktop sync client, I get the error message: "Could not load certificate". Is it possible that the desktop sync client does not support PKCS#12 files which have an export password set?
@hostingnuggets Client 2.4 (alpha1 has been released) uses OAuth 2.0, and users can log in in the system web browser. Wouldn't this replace certificate handling in the client itself? Here you can find more information:
@hostingnuggets You're pointing the dialog to your cert+key file and put the export password in the "Certificate password" field, but it can't load it? I'm a bit confused because I don't think there is a "Client certificate:" input field.
@michaelstingl thank you for suggesting OAuth but I don't want to use OAuth for authentication. @ckamm below is a screenshot from that input field with the error message.
@hostingnuggets are you sure the
Also does it have the correct permissions for the client to load it?
@SamuAlfageme pretty sure yes, here is the exact command I used to create the p12 export file including both the key and cert:
Note here that I have used an export password and I think this is what confuses the desktop sync client. @guruz yes permissions are correct and I will try to run
@hostingnuggets I'm pretty sure the export password should be fine - that's why the "Certificate password" field exists. In my tests I've typically used
@hostingnuggets I've just set up a test instance with However, I found out that the "Could not load certificate" message is also displayed when the passphrase is incorrect. Could you double-check if the passphrase you're using for the certificate is the right one? Also, you can try to load the certificate in your browser and access your instance to see if that works out. (it could be expired, etc.) If it does, this issue might be a libopenssl-version-specific bug; which version is your client using? Thanks a bunch!
Thanks to all of you for your hints and help. I am sorry finally I was typing my export password wrong and I can confirm @SamuAlfageme that if you type the password wrong you get the misleading error message Is it possible to delete the PKCS#12 client cert once the account is configured in the ownCloud client? I did a test where I rename my cert on the FS and ownCloud still works. So I assume here that my cert gets copied into ownCloud somewhere, is that correct? Can someone confirm that?
@hostingnuggets I'm glad it works. Unfortunately we don't get more information from the upstream function ( Yes, it's safe to delete the file. The key will be stored in the platform keychain.
"Could not load certificate" can very well just be a bad password.
@ckamm thanks for the precisions. Please do adapt the error description to also mention that it could be a password issue, this will avoid confusion. A thumbs up for you guys 👍 how you handled this case much better/faster/professional than Nextcloud would have (sorry Nextcloud!)
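The ambiguity resolved in this thread (one "Could not load certificate" message for both a mistyped export password and an unusable file) can be checked outside the sync client. The following is an added example, not code from the thread or from ownCloud: it assumes the OpenSSL command-line tool is installed and relies on the "Mac verify error" text that `openssl pkcs12` prints when the password is wrong; `check_p12`, `make_sample_p12` and `demo` are hypothetical helper names and the certificate is a constructed throwaway sample.

```bash
# Added example: tell a wrong export password apart from an unusable file.
# check_p12, make_sample_p12 and demo are hypothetical helpers, not ownCloud code.

# Exit status: 0 = loads with this password, 1 = MAC check failed (wrong
# password), 2 = any other failure (missing file, not PKCS#12, ...).
check_p12() {
    local file="$1" password="$2" err
    [ -r "$file" ] || return 2
    # -noout verifies the MAC and parses the bags without printing key material.
    # The password goes through the environment, not argv, so it stays out of
    # the process list.
    if err=$(P12_PASS="$password" openssl pkcs12 -in "$file" -noout \
                 -passin env:P12_PASS 2>&1); then
        return 0
    fi
    case $err in
        *"Mac verify error"*) return 1 ;;  # text printed by `openssl pkcs12`
        *) return 2 ;;
    esac
}

# Constructed sample: throwaway self-signed cert + key exported as PKCS#12
# with the given export password.
make_sample_p12() {
    local dir="$1" password="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-client" \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1 || return 1
    P12_PASS="$password" openssl pkcs12 -export -inkey "$dir/client.key" \
        -in "$dir/client.crt" -out "$dir/client.p12" \
        -passout env:P12_PASS >/dev/null 2>&1
}

demo() {
    local dir rc
    dir=$(mktemp -d) || return 1
    make_sample_p12 "$dir" 'export-pass' || { rm -rf "$dir"; return 1; }
    printf 'not a PKCS#12 file\n' > "$dir/garbage.p12"
    check_p12 "$dir/client.p12" 'export-pass' && rc=0 || rc=$?
    echo "correct password: $rc"
    check_p12 "$dir/client.p12" 'export-pas' && rc=0 || rc=$?
    echo "mistyped password: $rc"
    check_p12 "$dir/garbage.p12" 'export-pass' && rc=0 || rc=$?
    echo "not a PKCS#12 file: $rc"
    rm -rf "$dir"
}

demo
```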
The desktop sync client currently does not support web servers configured for requiring SSL client certificates. It would be a real plus in terms of security if the desktop sync client could also support SSL client certificates.