Description of problem:
After upgrading to Fedora 28, my private key can no longer be decrypted. This prevents the connection to the (open)VPN. To simplify things, I have tried to decrypt the certificate from the command line, which fails as well.
Version-Release number of selected component (if applicable):
Using a certificate previously generated for openvpn, I try:
openssl pkcs12 -export -in test.crt -inkey test.key -out test.p12
unable to load private key
140632796387136:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:569:
140632796387136:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
140632796387136:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
140632796387136:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:87:
That just looks like you provided the wrong passphrase for decryption of the test.key.
Also did you use any non-ASCII characters in the passphrase?
What Fedora did you upgrade from?
> That just looks like you provided the wrong passphrase for decryption of the test.key.
(1) Being used for a VPN connection, the passphrase was stored and not changed during or after the upgrade. (2) When reproducing the problem with openssl, I tried several times and I strongly doubt that I failed every time.
> Also did you use any non-ASCII characters in the passphrase?
Yes, but this has never been a problem.
> What Fedora did you upgrade from?
BTW the error in the journal when trying to connect to the VPN is:
SIGUSR1[soft,private-key-password-failure] received, process restarting
As I cannot reproduce the problem, could you please try to somehow make it reproducible for me?
I would need a test key with a test passphrase created on Fedora 27 that cannot be loaded on Fedora 28.
I suppose you would not want to give up your key, can you recreate the problem with some test key?
I tried it the other way round and copied the private key to an F27 installation. I couldn't decrypt it there either. So whatever happened during the upgrade, it is not an F28-specific decryption error. I'll close this for now and see what happens when I upgrade the next machine.
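Why the non-ASCII question in this thread matters, as an added example that is not part of the original report or of OpenSSL: a decryption key is derived from the passphrase bytes, so the same typed characters under a different encoding or Unicode normalization fail exactly like a wrong passphrase. PBKDF2 stands in here for the actual KDF, and the passphrase, salt and iteration count are constructed values.

```python
import hashlib
import unicodedata

# Constructed sample values, not taken from the report.
SALT = bytes.fromhex("0011223344556677")
ITERATIONS = 2048


def passphrase_variants(passphrase):
    """Return {label: bytes} for the byte forms one typed passphrase can take."""
    variants = {}
    for form in ("NFC", "NFD"):
        text = unicodedata.normalize(form, passphrase)
        for codec in ("utf-8", "latin-1", "cp1252", "utf-16-be"):
            try:
                raw = text.encode(codec)
            except UnicodeEncodeError:
                continue  # this codec cannot represent the passphrase
            if raw not in variants.values():  # keep distinct byte forms only
                variants[f"{form}/{codec}"] = raw
    return variants


def derive_key(raw):
    """Stand-in KDF (PBKDF2-HMAC-SHA256): the key depends on the bytes only."""
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, ITERATIONS, dklen=32)


def matching_variants(passphrase, stored_key):
    """Labels of the byte forms that reproduce the key used at encryption time."""
    return [label for label, raw in passphrase_variants(passphrase).items()
            if derive_key(raw) == stored_key]


if __name__ == "__main__":
    typed = "p\u00e4ssw\u00f6rd"  # constructed example passphrase
    # Simulate a key that was encrypted while the terminal used Latin-1.
    stored = derive_key(typed.encode("latin-1"))
    for label, raw in passphrase_variants(typed).items():
        print(f"{label:14} {raw.hex()}")
    print("matches:", matching_variants(typed, stored))
```

A pure-ASCII passphrase produces the same bytes under UTF-8, Latin-1 and CP1252, which is why a test key with an ASCII passphrase cannot reproduce this class of failure.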