S/MIME funktioniert nicht im Webmail - S/MIME does not work in webmail

patricksimon

Hallo,

ich nutze die Community Edition von Grommunio (grommunio Web:
3.13.17.gd7033b8de-lp156.263.1
Gromox:
2.46.33.g7566fd6) und kann hier mein S/MIME Zertifikat nicht hinzufügen. Jedes mal beim Klick auf Hochladen kommt die Meldung "Unable to decrypt certificate". Das Zertifikat ist aber in Ordnung und funktioniert. In Outlook kann ich es ganz normal importieren und nutzen. Hat jemand eine Idee wie ich das Zertifikat sonst noch importieren kann?

Danke und Grüße
Patrick

Hello,

I'm using the Community Edition of Grommunio (grommunio Web:
3.13.17.gd7033b8de-lp156.263.1
Gromox:
2.46.33.g7566fd6) and can't add my S/MIME certificate. Every time I click Upload, I get the message "Unable to decrypt certificate." However, the certificate is fine and works. I can import and use it normally in Outlook. Does anyone have any ideas how else I can import the certificate?

Kind Regards
Patrick

ckd

I can confirm this. Unable to upload PFX file with the correct password on supported/official repository. Unable to decrypt certificate.

ckd

Problem still persists on the Grommunio appliance with the latest updates.
i+ | grommunio-web | package | 3.13.15.g313588ae2-lp156.45.4

andreaslang

Hi,

where does the certificate come from? I am able to upload my PKCS#12 certificate issued by Actalis to grommunio-web without any error.

Did you try to repack the certificate with openssl?

Cheers, Andreas

ckd

andreaslang
any update on this?

ckd

GlobalSign GCC R6 SMIME CA 2023

Yes, I already tried doing that. The problem persists with error message "Unable to decrypt certificate".

In Kopano WebApp or any other groupware it works without any problems.

andreaslang

ckd

Hi,

sorry no, as I'm still out of the office for the rest of the week. Just to advance it somewhat, are you able to provide such a certificate for debugging purposes?

ckd

andreaslang
No problem. I will get in touch with you next week. Enjoy your hols. 🙂

ckd

andreaslang
Are you still here so I could get in touch with you tomorrow?

I have Debian 13 machine here with the latest Grommunio (supported) installed where the problem can be reproduced still. The SMIME certificate can be imported into Kleopatra without any problems.

andreaslang

ckd

Hi,

yes, I'm around, however this week is quite busy for me (not that the others aren't, but this one is even more).

ckd

Apparently it doesn't like the certificate chain of the CA. While Kopano / Outlook explicitly requires the full chain, Grommunio webapp expects a single certificate only. Similar to Kopano, I actually expected that it would require the full chain + key pair. The error message "Unable to decrypt the certificate" is really misleading.

purchased.pfx = the file you got from your CA
full.pem = contains both, public and private key
privkey.pem = contains the private key only
cert.pem = contains the public key only
grommunio.pem = pkcs12 file for webapp

Extract the public and private key:
#openssl pkcs12 -in purchased.pfx -nocerts -nodes -out full.pem

Get the private key:
#openssl rsa -in full.pem -out private.pem

Get the public key:
#openssl rsa -in full.pem -pubout -out cert.pem

Create a new pkcs12 file:
#openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out grommunio.pfx

ckd

There are still some bugs with the SMIME plugin. When sending an encrypted or signed mail the following happens:

And it keeps creating / displaying the same public certificate over and over again:

andreaslang

Hi @ckd ,

thanks for sharing this, however the Actalis S/Mime certificate I got also contain "Actalis Client Authentication CA G3" and "Actalis Authentication Root CA" and all I did was to upload the PKCS#12 file into grommunio-web. There might be some differences between debian and Suse and the respective PHP versions though.

The issue with the email bodies sounds the same as reported at https://github.com/grommunio/grommunio-web/issues/39.

I also noticed that the public certificates appear over and over, I'll look into it.

ckd

andreaslang
Yeah, I am using the Debian 13 (supported) repository.

ckd

andreaslang

Any ETA when a fix will be available? Currently you cannot send any signed mails through Webmail without triggering the bug I described above.

hugh

debian-trixie-13.2-arm64
gromox-3.1.236.gaf55087-1+81.1-arm64
grommunio-web-3.15.70.geb5c85bd7-1+358.1-noarch
I have no issues at all with importing certificates in G-Web, neither selfcreated ones nor from "Actalis"

andreaslang

ckd

Hi,

sorry, but at the moment I'm not able to provide any ETA for the fix.

nafetsreuab

Mein S/MIME-Zertifikat wurde mit altem RC2-40-CBC-Verfahren verschlüsselt. Das ist mit OpenSSL 3 standardmäßig deaktiviert (legacy). Ich konnte mein Zertifikat umschlüsseln und es dann auch importieren:

openssl pkcs12 -legacy -in cert.p12 -nodes -passin pass:KENNWORT |openssl pkcs12 -export -out neu.p12 -passout pass:KENNWORT

Vergleiche vorher/nachher:

$ openssl pkcs12 -legacy -info -in cert.p12 -noout
MAC: sha1, Iteration 102400
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200

$ openssl pkcs12 -legacy -info -in neu.p12 -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256