The desktop sync client currently does not support web servers configured for requiring SSL client certificates. It would be a real plus in terms of security if the desktop sync client could also support SSL client certificates.
https://owncloud.org/changelog/desktop/#230
- SSL Client certificate support improved (Show UI, Store keys in keychain)
I just upgraded my ownCloud client to version 2.3.3 and noticed that SSL client certificate authentication is newly supported, great work thanks!
Still, I have a small issue: my PKCS#12 client certificate file, which includes my private and public client keys, has an export password, but if I enter this export password into the "Client certificate:" input field of the desktop sync client, I get the error message: "Could not load certificate".
Is it possible that the desktop sync client does not support PKCS#12 files which have an export password set?
@hostingnuggets Client 2.4 (alpha1 has been released) uses OAuth 2.0, and users can log in in the system web browser. Wouldn't this replace certificate handling in the client itself?
Here you can find more information:
https://owncloud.org/blog/introducing-oauth2-secure-authorization-flow/
@hostingnuggets You're pointing the dialog to your cert+key file and put the export password in the "Certificate password" field, but it can't load it? I'm a bit confused because I don't think there is a "Client certificate:" input field.
@michaelstingl thank you for suggesting OAuth but I don't want to use OAuth for authentication.
@ckamm below is screenshot from that input field with the error message.

@hostingnuggets are you sure the .p12 you're passing to the client contains both the certificate and the key? (i.e. fullchain)
Also does it have the correct permissions for the client to load it?
If you start the client with owncloud --logfile - is there anything?
@SamuAlfageme pretty sure yes, here is the exact command I used to create the p12 export file including both the key and cert:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Note here that I have used an export password and I think this is what confuses the desktop sync client.
@guruz yes, permissions are correct, and I will try to run owncloud with the logfile parameter you mentioned and get back to you this week.
@hostingnuggets I'm pretty sure the export password should be fine - that's why the "Certificate password" field exists. In my tests I've typically used -certfile ca.crt instead of -clcerts, not sure whether that makes the difference. I'll be up for testing tomorrow.
@hostingnuggets I've just set up a test instance with SSLVerifyClient require and generated a couple of certificate identities using the same openssl options you did. It worked out in both cases.
However, I found out that the "Could not load certificate" message is also displayed when the passphrase is incorrect. Could you double-check if the passphrase you're using for the certificate is the right one?
Also, you can try to load the certificate in your browser and access your instance to see if that works out. (it could be expired, etc.) If it does, this issue might be a libopenssl-version-specific bug; which version is your client using?
Thanks a bunch!
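To make the two checks above reproducible, here is an added shell example (not code from the ownCloud project or from anyone in this thread). It recreates the openssl pkcs12 export command from the thread, once with -clcerts and once with -certfile, against a throwaway CA and client identity, verifies that both files carry the key and the certificate, and shows that openssl refuses a file whenever the export password is wrong, which is the only signal a GUI client gets before it reports "Could not load certificate". It assumes the openssl CLI is on PATH; every file name, subject name and password in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the ownCloud project or from this thread.
# Recreates the PKCS#12 export from the thread against a throwaway CA and
# client identity, then shows how openssl reacts to the right and to a wrong
# export password. Assumes the openssl CLI is on PATH; every file name,
# subject and password below is constructed for the demo.
set -u

WORK="${TMPDIR:-/tmp}/p12demo.$$"
EXPORT_PASS="correct-horse"   # constructed export password
WRONG_PASS="correct-horsE"    # constructed typo, one character off

# Throwaway CA plus a client certificate signed by it (all files in $WORK).
make_identity() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/client.crt" >/dev/null 2>&1 || return 1
}

# Two PKCS#12 exports: the -clcerts form used in the thread and the -certfile
# form mentioned later. Both carry the private key and the client certificate;
# the -certfile one additionally carries the CA certificate.
export_p12() {
    openssl pkcs12 -export -clcerts -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$WORK/client-clcerts.p12" -passout "pass:$EXPORT_PASS" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" \
        -out "$WORK/client-certfile.p12" -passout "pass:$EXPORT_PASS" 2>/dev/null || return 1
}

# Can the PKCS#12 be opened with this password? 0 = yes, non-zero = no.
# A wrong password fails the integrity (MAC) check; openssl gives no finer
# reason, which is why a client can only say "could not load".
p12_opens_with() {
    openssl pkcs12 -in "$WORK/$1" -info -noout -passin "pass:$2" >/dev/null 2>&1
}

# What is inside: prints "<private keys> <certificates>" as PEM block counts.
p12_contents() {
    pem=$(openssl pkcs12 -in "$WORK/$1" -nodes -passin "pass:$EXPORT_PASS" 2>/dev/null) || return 1
    keys=$(printf '%s\n' "$pem" | grep -c 'BEGIN PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
    echo "$keys $certs"
}

cleanup() { rm -rf "$WORK"; }

main() {
    make_identity || { echo "could not create demo identity" >&2; return 1; }
    export_p12 || { echo "PKCS#12 export failed" >&2; return 1; }
    for f in client-clcerts.p12 client-certfile.p12; do
        echo "$f holds (keys certs): $(p12_contents "$f")"
        p12_opens_with "$f" "$EXPORT_PASS" && echo "  right password: opens"
        p12_opens_with "$f" "$WRONG_PASS" || echo "  wrong password: refused"
    done
    echo "demo files left in $WORK; call cleanup to remove them"
}

main
```

Run it as `sh p12demo.sh`; the -clcerts file shows one key and one certificate, the -certfile file one key and two certificates, and both open only with the exact export password. The same p12_opens_with check, pointed at your real file, is a quick way to separate "wrong passphrase" from "broken file" before blaming the client.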
Thanks to all of you for your hints and help. I am sorry; in the end, I was typing my export password wrong, and I can confirm, @SamuAlfageme, that if you type the password wrong you get the misleading error message "Could not load certificate".
Is it possible to delete the PKCS#12 client cert once the account is configured in the ownCloud client? I did a test where I rename my cert on the FS and ownCloud still works. So I assume here that my cert gets copied into ownCloud somewhere, is that correct? Can someone confirm that?
@hostingnuggets I'm glad it works. Unfortunately we don't get more information from the upstream function (QSslCertificate::importPkcs12) on failure. We could adjust to say "maybe bad password?" in the error description.
Yes, it's safe to delete the file. The key will be stored in the platform keychain.
@ckamm thanks for the precisions. Please do adapt the error description to also mention that it could be a password issue, this will avoid confusion.
A thumbs up for you guys :+1: for handling this case much better, faster and more professionally than Nextcloud would have (sorry Nextcloud!)