[SRU]Can't select p12 secret key for TLS auth for 802.1X authentication

Hello Arcady,

Would you mind sharing the procedure you used to configure the network manually with wpa_supplicant?

Thank you.

Ervin

Hello Ervin,

Sure. Here are the steps I used to configure wired connection:
1. place your certificate, CA certificate and secret key files in some directory (in my case it is ~/.certs)
2. create file /etc/wpa_supplicant/wired.conf using sudo with the following content:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
network={
eapol_flags=0
key_mgmt=IEEE8021X
eap=TLS
identity="<username>@<domain>"
ca_cert="/home/<user>/.certs/<ca_cert>.pem"
client_cert="/home/<user>/.certs/<certificate>.crt"
private_key="/home/<user>/.certs/<private_key>.pem"
private_key_passwd="<password>"
}

3. test wpa_supplicant with the following commands:
sudo wpa_supplicant -c /etc/wpa_supplicant/wired.conf -i eth<N> -B -D wired
sudo dhclient eth<n>

If internet now works then proceed to the next step

4. add the following lines to file /etc/network/interfaces
auto eth<N>
iface eth<N> inet dhcp
    pre-up wpa_supplicant -c/etc/wpa_supplicant/wired.conf -ieth<N> -D wired -B > /var/log/ifup_wpa1.log 2> /var/log/ifup_wpa2.log

For wireless network wpa_supplicant config file should be like:

ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=0
        eapol_version=1
        ap_scan=1
        fast_reauth=1
network={
        ssid="<network_ssid>"
        scan_ssid=1
        key_mgmt=WPA-EAP
        proto=WPA2
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="<username>@<domain>"
        ca_cert="/home/<user>/.certs/<ca_cert>.pem"
        client_cert="/home/<user>/.certs/<certificate>.crt"
        private_key="/home/<user>/.certs/<private_key>.pem"
        private_key_passwd="<password>"
        priority=1
        }

Arcady, thank you for your help! I succeeded to get it working.

Best Regards,

Ervin

same problem here, for a wifi eap-tls connection: I can't select the private key, the list is empty

Status changed to 'Confirmed' because the bug affects multiple users.

I can confirm this problem. The secret key wont show up in the file selector. The file format (.key, .pem or .p12) does not matter.

Another Problem is: When a ca-cert file is selected and a password is being typed in, the network create dialog crashes.

This bug prevents me from connecting to eduroam university wifi connection.

Hello Arkady,

the bug is located at the network-manager-applet package, because it is handling the TLS settings applet.

Here is a workaround to see all files in the file selector. This is not a complete fix.

1. Make sure you can download source packages. See more information here: http://askubuntu.com/questions/28372/how-do-i-get-and-modify-the-source-code-of-packages-installed-through-apt-get

2. Open commandline, create an empty folder and 'cd' to it.

3. Get the source code of the package:
apt-get source network-manager-gnome

4. Apply the patch attached to this comment, first download the patch file to current folder, then:
patch < file-selector-workaround.patch

5. Get build dependencies for this package:
sudo apt-get build-dep network-manager-gnome

6. Build package with workaround:
cd network-manager-applet-1.2.0
dpkg-buildpackage -rfakeroot -uc -b

7. Install modified package:
cd ..
sudo dpkg -i network-manager-gnome_1.2.0-0ubuntu0.16.04.1_amd64.deb

8. Reboot and now the file selector will show the key files for wifi and wired configuration.

The attachment "workaround patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Thank you for your bug report, indeed that's a bug and it has been reported/fixed upstream

n-m commit
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=9a37d1d970bf5bf1aab35468aabccb8cbfe2a39b

n-m-applet one
https://git.gnome.org/browse/network-manager-applet/commit/?h=nma-1-2&id=037c5721d89b20c46ecc53e05d9867fd4d969412

bug
https://bugzilla.gnome.org/show_bug.cgi?id=763578

Aron, can you make sure the fix is part of the next xenial SRU round?

That was fixed in https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu2

SRU is in the review queue as well

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I update network-manager-gnome to the latest version 1.2.0-0ubuntu0.16.04.2 from proposed repository. Now I can select only .p12 files, .pem files still not showing. Should I do something else?

i've tested the new version, but I can't select my private key either. it's a .key file in my case.

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hallo Adam,

thank you very much for your work!
I tested the new version, but the bug is still not solved.
However, I can select a key, but not with the ending PEM.

So, I think version 1.2.0-0ubuntu0.16.04.3 has to be fixed again.

I'm setting this report to verification-done, because the problem is fixed:

1. Previously, if you create a connection from the menu instead of connecting to an SSID that's listed in the discovered Wi-Fi, and select the encryption method, WPA/WPA2 Enterprise is inactive (listed but cannot be selected).
2. This is not presented the same way when connecting to a discovered SSID, but user is not able to connect any 802.1X connection because support for such type of encryption is inactive.
3. After installing the update, creation of 802.1X connections are possible. <-- So the bug is fixed.
4. Some of the keys or certs could not be selected due to the reason of the file's extension name, like .key file, but this is not a problem this fix targets to.

Aron Xu, if you read original issue description you will find that the problem is you can't select certificate file because file chooser (list of files) is empty. It is absolutely not related to inactive "WPA/WPA2 Enterprise" option. And this issue exists for wired connection also.

I checked latest package 1.2.0-0ubuntu0.16.04.3 and problem still exists. It is impossible to select .pem secret key file for TLS auth type.

@arkann1985,

That's another issue, but true they looks very similar. Without the current update, if you are connecting to a discovered SSID then the properties can show-up but you aren't able to select any certificate/key file, if it's not discovered by manually added then the encryption type is not able to be selected.

The problem you can reproduce is which extension is shown in the list... Would you mind to open another report?

Of course I can open another report but STR of current report shows:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wired connection
4. Go to 802.1x tab
5. Check the Use 802.1X checkbox
6. Choose TLS
7. Click on Secret key button
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

So it is not related to WIFI only or discovered or not discovered network. Exactly this STR is still reproduced. Step 8 still failed. Are you sure that I should open new report? I will created it with exactly same STR.

Probably not exactly the same steps to reproduce if you want to be precise - the original was saying nothing is listed, that was led by 802.1X support is missing unexpectedly, but now some of the file types can be selected - namely .p12 keys and .pem certs...

I can select only .p12 files. .pem files is not listed. Ok, I'll create new report.

This bug was fixed in the package network-manager-applet - 1.2.0-0ubuntu0.16.04.3

---------------
network-manager-applet (1.2.0-0ubuntu0.16.04.3) xenial; urgency=medium

  * debian/patches/apple-set-out_icon_name-for-WWAN-connections-for-ind.patch:
    use available gsm-3g-* icons so that the icon for mobile is different than
    that used for wifi; to avoid confusing people. (LP: #1571574)

network-manager-applet (1.2.0-0ubuntu0.16.04.2) xenial; urgency=medium

  * cherry-pick upstream patches from post 1.2.2:
    - wireless-security-fix-failed-assertion-in-default_fi.patch:
      Fix TLS cert authentication (LP: #1575614)
    - wireless-security-return-error-on-eap_method_validat.patch:
      Return error on eap_method_validate_filepicker() failure
    - applet-remove-assert-s_con-from-applet_get_active_vp.patch
      Remove the assert which lead to many false assertions (LP: #1578962)
    - apple-set-out_icon_name-for-WWAN-connections-for-ind.patch
      WWAN icon should appear when the connection is activated (LP: #1571574)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 01 Jun 2016 15:15:49 -0400

The verification of the Stable Release Update for network-manager-applet has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Added to Trello: https://trello.com/c/dp1OgB1e/14-bug-1575614-sru-can-t-select-secret-key-for-tls-auth-for-802-1x-authentication

Still can't select private key for new Ethernet Connection -> 802.1x Security:
Authentication TLS

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

Still not working here either, same problem:

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

Confirm. Not working. Here is another opened report: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1592717. Don't know why it is not listed in duplicates of this bug.

my experience differs from 1592717 in that no files of any type (der/pem/p12/key) are visible in the "choose your private key" file navigator window.

this matches the original symptoms of this bug.

iv tried all key file types/formats but still cannot see the key file in the browser to select it for the wireless profile.

Hello Arkady, or anyone else affected,

Accepted network-manager into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Still can't select my private key. Only .p12 files are listed in file selector. However .pem files also exists in this folder. See attached screenshot.

Attached another one screenshot with ls output.

@arkann1985, it does work for me when selecting the certificate, can you describe more about how did you reproduce the problem?

@happyaron, the STR is exactly like in bag description. I have a folder ".certs" in my home dir. In this folder I have some files. The extension of this files are: ".pem", ".crt" and ".p12".

Installed version of network-manager is: 1.2.2-0ubuntu0.16.04.1

I try to configure TLS for my wired connectino. I go through original STR, press "Secret key" button, in file chooser window I navigate to ".certs" folder and there is only ".p12" file is listed. Files with ".pem" extension are not listed and I'm unable to select my private key. The name of my private key file is "key.pem".

I'm ready to help with testing asap.

@arkann1985, I wonder what's the version of your network-manager-gnome package?

@happyaron, network-manager-gnome version: 1.2.0-0ubuntu0.16.04.3
I installed only network-manager package from proposed.

Arkady, please update to network-manager-gnome 1.2.0-0ubuntu0.16.04.4 (in xenial-updates since 2016-09-06) and try to verify this bug again.

If you can't update using Software Updater, use the terminal:
sudo apt update
sudo apt full-upgrade

As a workaround, you can drag and drop your private key directly from Files (Nautilus)

Amr Ibrahim, updated all available packages from proposed repository. My network-manager-gnome version is now 1.2.0-0ubuntu0.16.04.4. Still can't select private key.

Fedor, the provided workaround seems to be working. But there is strange message appears that says that my private key is not protected by password. But it is not true, my key is protected. And entered private key password works well. Workaround works well for wired and wifi connections.

@all, I'm amending this SRU to only .p12 files for which is confirmed working to allow the fix land in -updates, and opened Bug #1627903 for follow-ups of other types key files.

This bug was fixed in the package network-manager - 1.2.2-0ubuntu0.16.04.1

---------------
network-manager (1.2.2-0ubuntu0.16.04.1) xenial; urgency=medium

  * Rebase to upstream 1.2.2 release, patches: (LP: #1589557)
    - dnsmasq-vpn-dns-filtering.patch: updated
    - nm-change-dnsmasq-parameters.diff: updated
    - 0001-dns-use-DBus-to-make-dnsmasq-nameserver-changes.patch: dropped
    - lp1574347-re-read-link-type-if-the-name-changed.diff: dropped
    - libnm-Check-self-still-NMManager-or-not.patch: (LP: #1582301)
    - libnm-don-t-require-initialized-out_encrypted-argume.patch:
      (LP: #1575614)

 -- Aron Xu <email address hidden> Sat, 04 Jun 2016 18:27:47 +0800

I installed fresh Ubuntu 16.04, with network manager 1.2.2-0ubuntu0.16.04.1 and can still repro the issue - none of my p12 encrypted keys are showing up in the list. After dragging and dropping the key as suggested, I get message about "Unencrypted private keys being insecure". Any additional workarounds?

Same for me for the same Ubuntu and NM version.

MK, you can just skip the message

The message pops up like 20 times. Real fun to "just skip them".

The bug still occures within my machine. Wlan can not connect to WPA2 Enterprise. I got lots of "Unencrypted private keys are not secure."- messages, though my private key is encrypted. Network-manager is version 1.2.2-0ubuntu0.16.04.1.

Fresh installed 16.04.1 with updates:
network-manager/xenial-proposed,now 1.2.4-0ubuntu0.16.04.01 amd64
network-manager-gnome/xenial-updates,now 1.2.0-0ubuntu0.16.04.4 amd64

I confirm the bug. I see an empty list when try to select private key file (privkey.pem) in 802.1x tab.
The above mentioned workaround with dran&drop from nautilus works with warning message about empty password (wrong).

Network-Manager Version 1.2.2-0ubuntu0.16.04.4
Linux Mint 18.1 based on Ubuntu 16.04

Same Problem.

*.key File is invisible in the gui....

Has there been any progress on this bug? The spurious "unencrypted keys" message persists even in network-manager-gnome 1.2.6-0ubuntu0.16.04.

Hi all

I just stumpled accross the very same issue
At the moment i run network manager version:
network-manager-gnome 1.2.6-0ubuntu0.16.04.4

so it should be fixed -> but I was unable to select my key..

I exported the key following and old HowTo to get wlan running in a linux pc as the company is running windows domains with wpa2 enterprise ..

pfx=my_exported_cert.pfx

        openssl pkcs12 -in $pfx -out cacert.pem -cacerts -nokeys
        openssl pkcs12 -in $pfx -out cert.pem -clcerts -nokeys
        openssl pkcs12 -in $pfx -out key.pem -nocerts

that generated all files required -> prior to that I had to request a new cert with exportable private keys on a windows pc ..

key resulting key.pem was:
file key.pem
key.pem: ASCII text

with header of:
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: le-Auth_Ses_ClientUser_KNAPPD-0485e131-adac-48b4-bd80-417a8495e1f3
Key Attributes
    X509v3 Key Usage: 80
-----BEGIN ENCRYPTED PRIVATE KEY-----

And I think that was the issue with this key:

After converting the key to RSA format it worked for me and network manager detected it !.

openssl rsa -in key.pem -out secure.key.key
file secure.key.key
secure.key.key: PEM RSA private key

And now i an running my WPA2 enterprise WLAN :)

regards
Chewie