Generate a "more modern" p12 certificate

[Kocal]

Hi!

Since Node.js 18 and maybe Node.js 17 too, it is not possible to use the Symfony CLI certificate for the Webpack (Encore) dev-server, as documented, due to the following error:

$ make assets.dev-server

**************************************************
 Enabling Node.js corepack features...
**************************************************

npm uninstall -g pnpm

up to date in 31ms
npm install -g corepack

changed 1 package in 79ms
corepack enable
corepack prepare
Preparing pnpm@7.29.1...

**************************************************
 Finished!
**************************************************

pnpm run dev-server

> @ dev-server /Users/halliaume/workspace/international-website
> TAILWIND_MODE=watch concurrently -n frontend,amp "$npm_execpath run encore dev-server --config-name frontend --port 23000 " "$npm_execpath run encore dev-server --config-name amp  --port 23001 "

[frontend]
[frontend] > @ encore /Users/halliaume/workspace/international-website
[frontend] > encore "dev-server" "--config-name" "frontend" "--port" "23000"
[frontend]
[amp]
[amp] > @ encore /Users/halliaume/workspace/international-website
[amp] > encore "dev-server" "--config-name" "amp" "--port" "23001"
[amp]
[frontend] Running webpack-dev-server ...
[amp] Running webpack-dev-server ...
[amp]
[frontend]
[amp] <i> [webpack-dev-server] SSL certificate: /Users/halliaume/workspace/international-website/node_modules/.cache/webpack-dev-server/server.pem
[frontend] <i> [webpack-dev-server] SSL certificate: /Users/halliaume/workspace/international-website/node_modules/.cache/webpack-dev-server/server.pem
[frontend] [webpack-cli] Error: unsupported
[frontend]     at configSecureContext (node:internal/tls/secure-context:279:15)
[frontend]     at Object.createSecureContext (node:_tls_common:117:3)
[frontend]     at Server.setSecureContext (node:_tls_wrap:1354:27)
[frontend]     at Server (node:_tls_wrap:1218:8)
[frontend]     at new Server (node:https:74:3)
[frontend]     at Object.createServer (node:https:112:10)
[frontend]     at Server.createServer (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:2443:57)
[frontend]     at Server.initialize (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:1820:10)
[frontend]     at Server.start (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:3251:16)
[frontend]     at async Command.<anonymous> (/Users/halliaume/workspace/international-website/node_modules/.pnpm/@webpack-cli+serve@2.0.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/@webpack-cli/serve/lib/index.js:159:21)
[amp] [webpack-cli] Error: unsupported
[amp]     at configSecureContext (node:internal/tls/secure-context:279:15)
[amp]     at Object.createSecureContext (node:_tls_common:117:3)
[amp]     at Server.setSecureContext (node:_tls_wrap:1354:27)
[amp]     at Server (node:_tls_wrap:1218:8)
[amp]     at new Server (node:https:74:3)
[amp]     at Object.createServer (node:https:112:10)
[amp]     at Server.createServer (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:2443:57)
[amp]     at Server.initialize (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:1820:10)
[amp]     at Server.start (/Users/halliaume/workspace/international-website/node_modules/.pnpm/webpack-dev-server@4.11.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/webpack-dev-server/lib/Server.js:3251:16)
[amp]     at async Command.<anonymous> (/Users/halliaume/workspace/international-website/node_modules/.pnpm/@webpack-cli+serve@2.0.1_fb7mrl2klm6f4z637cevkjqm2a/node_modules/@webpack-cli/serve/lib/index.js:159:21)
[amp]  ELIFECYCLE  Command failed with exit code 2.
[frontend]  ELIFECYCLE  Command failed with exit code 2.
[amp] /Users/halliaume/.cache/node/corepack/pnpm/7.29.1/bin/pnpm.cjs run encore dev-server --config-name amp  --port 23001  exited with code 1
[frontend] /Users/halliaume/.cache/node/corepack/pnpm/7.29.1/bin/pnpm.cjs run encore dev-server --config-name frontend --port 23000  exited with code 1
 ELIFECYCLE  Command failed with exit code 1.
make: *** [assets.dev-server] Error 1

Given then issue nodejs/node#40672 and the solution nodejs/node#40672 (comment), it looks like the .p12 generated by symfony-cli/cert is "too old".

This is what openssl pkcs12 -info -in ~/.symfony5/certs/default.p12 outputs:

Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
40015D0A02000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

As workaround, we should decrypt and re-encrypt in a more modern way:

$ openssl pkcs12 -in ~/.symfony5/certs/default.p12 -nodes -legacy -out ~/.symfony5/certs/default.decrypted.p12
$ openssl pkcs12 -in ~/.symfony5/certs/default.decrypted.p12 -export -out  ~/.symfony5/certs/default.modern.p12

And then, this is what openssl pkcs12 -info -in ~/.symfony5/certs/default.modern.p12 outputs:

openssl pkcs12 -info -in ~/.symfony5/certs/default.modern.p12
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: AD 16 0D E8 E5 D5 65 AF 11 EC B8 72 E1 BF 08 FE 87 DC 42 E1
subject=O = Symfony dev cert, OU = halliaume@Q10R41CM65.local (Hugo Alliaume), CN = localhost
issuer=O = Symfony dev CA, OU = halliaume@Q10R41CM65.local (Hugo Alliaume), CN = Symfony halliaume@Q10R41CM65.local (Hugo Alliaume)
[...]

Finally, when re-running the Webpack (Encore) dev-server, it's working again:

make assets.dev-server

**************************************************
 Enabling Node.js corepack features...
**************************************************

npm uninstall -g pnpm

up to date in 29ms
npm install -g corepack

changed 1 package in 867ms
corepack enable
corepack prepare
Preparing pnpm@7.29.1...

**************************************************
 Finished!
**************************************************

pnpm run dev-server

> @ dev-server /Users/halliaume/workspace/international-website
> TAILWIND_MODE=watch concurrently -n frontend,amp "$npm_execpath run encore dev-server --config-name frontend --port 23000 " "$npm_execpath run encore dev-server --config-name amp  --port 23001 "

[amp]
[amp] > @ encore /Users/halliaume/workspace/international-website
[amp] > encore "dev-server" "--config-name" "amp" "--port" "23001"
[amp]
[frontend]
[frontend] > @ encore /Users/halliaume/workspace/international-website
[frontend] > encore "dev-server" "--config-name" "frontend" "--port" "23000"
[frontend]
[frontend] Running webpack-dev-server ...
[frontend]
[amp] Running webpack-dev-server ...
[amp]
[frontend] <i> [webpack-dev-server] SSL certificate: /Users/halliaume/workspace/international-website/node_modules/.cache/webpack-dev-server/server.pem
[amp] <i> [webpack-dev-server] SSL certificate: /Users/halliaume/workspace/international-website/node_modules/.cache/webpack-dev-server/server.pem
[amp] <i> [webpack-dev-server] Project is running at:
[frontend] <i> [webpack-dev-server] Project is running at:
[frontend] <i> [webpack-dev-server] Loopback: https://localhost:23000/, https://[::1]:23000/
[frontend] <i> [webpack-dev-server] Content not from webpack is served from '/Users/halliaume/workspace/international-website/public' directory
[frontend] <i> [webpack-dev-server] 404s will fallback to '/index.html'
[amp] <i> [webpack-dev-server] Loopback: https://localhost:23001/, https://[::1]:23001/
[amp] <i> [webpack-dev-server] Content not from webpack is served from '/Users/halliaume/workspace/international-website/public' directory
[amp] <i> [webpack-dev-server] 404s will fallback to '/index.html'
[amp]  DONE  Compiled successfully in 2302ms15:45:10
[amp]
[amp] amp:
[amp]   Entrypoint amp [big] 816 KiB (256 KiB) = amp.css?v=9ee97d3c 211 KiB amp.js?v=9e9f50c5 605 KiB 2 auxiliary assets
[amp]   amp compiled successfully
[frontend]  DONE  Compiled successfully in 5981ms15:45:14
[frontend]
[frontend] frontend:
[frontend]   frontend compiled successfully

It looks like the software.sslmate.com/src/go-pkcs12 dependency is up-to-date, so maybe there is something to do on pkcs12.Encode.

[tucksaun]

That's intriguing... And not handy for you 😅

openssl pkcs12 -info -in ~/.symfony5/certs/default.p12 does not seem to have any problem working for me locally but also we might have different openssl versions (I don't have the legacy option for instance)...

OK so actually I found out that Node 17 moved to OpenSSL 3 which in turn moved so algorithms to a legacy provider (My guess would be RC2 specifically).
So the upstream library will need an update but I don't see any issue or PR at the moment so we might want to contribute upstream.
In the meantime it looks like starting Webpack with --openssl-legacy-provider should do the trick.

[tucksaun]

Also, I don't have a project setup with Webpack dev-server setup at the moment. Would you have a small reproducer available so that we can iterate on the issue?

[tucksaun]

For reference, OpenSSL moved from

40 bit RC2 encryption for certificates, triple DES encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC iteration count of 1.

to

[...] AES password based encryption (PBES2 with PBKDF2 and AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key derivation iteration count of PKCS12_DEFAULT_ITER (currently 2048), and MAC algorithm HMAC with SHA2-256.

[Kocal]

Also, I don't have a project setup with Webpack dev-server setup at the moment. Would you have a small reproducer available so that we can iterate on the issue?

Sure! You can take a look to https://github.com/Kocal/sf-webpack-encore-ssl

Thanks

[laurentbringer]

For me, a solution was to enable --openssl-legacy-provider

the -legacy flag in my openssl command was deleted (3.3.6)

i edited openSsl config file
./etc/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

and auto add flag
export NODE_OPTIONS=--openssl-legacy-provider

work fine for me

[stof]

@tucksaun is there any way to generate the certificate with a config that does not require the legacy provider ?

[tucksaun]

@stof wait for SSLMate/go-pkcs12#47 😄

[Kocal]

Thanks everyone! :)