
iPhone: "Profile Installation Failed" - The password for the certificate "phone.p12" is incorrect. #14558

Closed
larryqiann opened this issue Dec 3, 2022 · 23 comments · Fixed by #14718 · May be fixed by #14622

Comments

@larryqiann

Describe the bug


When Algo is deployed on an Ubuntu 20.04 server successfully with no errors, the IKEv2 profile on iOS cannot be installed and provides the error "Profile Installation Failed" - The password for the certificate "phone.p12" is incorrect.

To Reproduce

Steps to reproduce the behavior:

  1. Install Algo as mentioned in the documentation
  2. Copy the provisioning profile to the iPhone and install it
  3. There is no password prompt, and the error shows up.

Expected behavior


That the profile can be installed correctly

Additional context


The profiles for WireGuard work correctly.
The version of iOS is 16.0.3 (20A392)

Full log

PLAY [localhost] ***********************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ***************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] *******************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking
change in future.

TASK [Ensure the requirements installed] ***********************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] ******************************************************************************
ok: [localhost] => (item=ansible==6.1.0)

TASK [Just get the list from default pip] **********************************************************************************
ok: [localhost]

TASK [Verify Python meets Algo VPN requirements] ***************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] **************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] **********************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
  
Enter the number of your desired provider
:
12^M
TASK [Cloud prompt] ********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ****************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
n^M
TASK [Cellular On Demand prompt] *******************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
n^M
TASK [Wi-Fi On Demand prompt] **********************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
y^M
TASK [Retain the PKI prompt] ***********************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:
y^M
TASK [DNS adblocking prompt] ***********************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
y^M
TASK [SSH tunneling prompt] ************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ****************************************************************************************
ok: [localhost]

PLAY [Provision the server] ************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Fedora Linux 37 (Workstation Edition) (Virtualized: microsoft)
Created from git clone. Last commit: 651f949 Update cloud-hetzner.md (#14450)
Python 3.11.0
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "True"
    algo_ssh_tunneling "True"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] **********************************************************************************
changed: [localhost]

TASK [Install the requirements] ********************************************************************************************
changed: [localhost]

TASK [Include a provisioning role] *****************************************************************************************
[local : pause]
https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...:
^M
TASK [local : pause] *******************************************************************************************************
ok: [localhost] => (item=https://trailofbits.github.io/algo/deploy-to-ubuntu.html

Local installation might break your server. Use at your own risk.

Proceed? Press ENTER to continue or CTRL+C and A to abort...)
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] *******************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***********************************************************************************************
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
:
ubuntu^M
TASK [local : pause] *******************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***********************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)

:
^M
TASK [local : pause] *******************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ***********************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ****************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ********************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *************************************************************************************
ok: [localhost]

TASK [debug] ***************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": 
}

TASK [Wait 600 seconds for target connection to become reachable/usable] ***************************************************
ok: [localhost -> ] => (item=)

PLAY [Configure the server and install required software] ******************************************************************

TASK [Ensure the config directory exists] **********************************************************************************
changed: [ -> localhost]

TASK [Dump the ssh config] *************************************************************************************************
changed: [ -> localhost]

TASK [common : Check the system] *******************************************************************************************
ok: []

TASK [common : include_tasks] **********************************************************************************************
included: /home/user/al1/algo/roles/common/tasks/ubuntu.yml for 

TASK [common : Gather facts] ***********************************************************************************************
ok: []

TASK [common : Install unattended-upgrades] ********************************************************************************
ok: []

TASK [common : Configure unattended-upgrades] ******************************************************************************
changed: []

TASK [common : Periodic upgrades configured] *******************************************************************************
changed: []

TASK [common : Disable MOTD on login and SSHD] *****************************************************************************
changed: [] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
changed: [] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})
[WARNING]: Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues
when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually

TASK [common : Ensure fallback resolvers are set] **************************************************************************
changed: []
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [common : Loopback for services configured] ***************************************************************************
changed: []

TASK [common : systemd services enabled and started] ***********************************************************************
ok: [] => (item=systemd-networkd)
ok: [] => (item=systemd-resolved)

RUNNING HANDLER [common : restart systemd-networkd] ************************************************************************
changed: []

RUNNING HANDLER [common : restart systemd-resolved] ************************************************************************
changed: []

TASK [common : Check apparmor support] *************************************************************************************
ok: []

TASK [common : Set fact if apparmor enabled] *******************************************************************************
ok: []

TASK [common : Define facts] ***********************************************************************************************
ok: []

TASK [common : Set facts] **************************************************************************************************
ok: []

TASK [common : Set IPv6 support as a fact] *********************************************************************************
ok: []

TASK [common : Check size of MTU] ******************************************************************************************
ok: []

TASK [common : Set OS specific facts] **************************************************************************************
ok: []

TASK [common : Install tools] **********************************************************************************************
changed: []

TASK [common : include_tasks] **********************************************************************************************
included: /home/user/al1/algo/roles/common/tasks/iptables.yml for 
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [common : Iptables configured] ****************************************************************************************
changed: [] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Sysctl tuning] **********************************************************************************************
changed: [] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
changed: [] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})

RUNNING HANDLER [common : restart iptables] ********************************************************************************
changed: []

TASK [dns : Include tasks for Ubuntu] **************************************************************************************
included: /home/user/al1/algo/roles/dns/tasks/ubuntu.yml for 

TASK [dns : Install dnscrypt-proxy] ****************************************************************************************
changed: []

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] *********************************************************
changed: []

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ***********************************************************
ok: []

TASK [dns : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***********************************************
changed: []

TASK [dns : Ubuntu | Add custom requirements to successfully start the unit] ***********************************************
changed: []

TASK [dns : dnscrypt-proxy ip-blacklist configured] ************************************************************************
changed: []
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [dns : dnscrypt-proxy configured] *************************************************************************************
changed: []

TASK [dns : Adblock script created] ****************************************************************************************
changed: []

TASK [dns : Adblock script added to cron] **********************************************************************************
changed: []

TASK [dns : Update adblock hosts] ******************************************************************************************
ok: []
[WARNING]: flush_handlers task does not support when conditional

RUNNING HANDLER [dns : restart dnscrypt-proxy] *****************************************************************************
changed: []

TASK [dns : dnscrypt-proxy enabled and started] ****************************************************************************
ok: []

TASK [wireguard : Ensure the required directories exist] *******************************************************************
changed: [ -> localhost] => (item=configs//wireguard//.pki//preshared)
changed: [ -> localhost] => (item=configs//wireguard//.pki//private)
changed: [ -> localhost] => (item=configs//wireguard//.pki//public)
changed: [ -> localhost] => (item=configs//wireguard//apple/ios)
changed: [ -> localhost] => (item=configs//wireguard//apple/macos)

TASK [wireguard : Include tasks for Ubuntu] ********************************************************************************
included: /home/user/al1/algo/roles/wireguard/tasks/ubuntu.yml for 

TASK [wireguard : WireGuard installed] *************************************************************************************
changed: []

TASK [wireguard : Set OS specific facts] ***********************************************************************************
ok: []

TASK [wireguard : Generate private keys] ***********************************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)
changed: [] => (item=)

TASK [wireguard : Save private keys] ***************************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [wireguard : Touch the lock file] *************************************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)
changed: [] => (item=)

TASK [wireguard : Generate preshared keys] *********************************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)
changed: [] => (item=)

TASK [wireguard : Save preshared keys] *************************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [wireguard : Touch the preshared lock file] ***************************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)
changed: [] => (item=)

TASK [wireguard : Generate public keys] ************************************************************************************
ok: [] => (item=phone)
ok: [] => (item=laptop)
ok: [] => (item=desktop)
ok: [] => (item=)

TASK [wireguard : Save public keys] ****************************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [wireguard : WireGuard user list updated] *****************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [wireguard : set_fact] ************************************************************************************************
ok: [ -> localhost]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard users config generated] ************************************************************************
changed: [ -> localhost] => (item=[0, 'phone'])
changed: [ -> localhost] => (item=[1, 'laptop'])
changed: [ -> localhost] => (item=[2, 'desktop'])

TASK [wireguard : include_tasks] *******************************************************************************************
included: /home/user/al1/algo/roles/wireguard/tasks/mobileconfig.yml for  => (item=ios)
included: /home/user/al1/algo/roles/wireguard/tasks/mobileconfig.yml for  => (item=macos)
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard apple mobileconfig generated] ******************************************************************
changed: [ -> localhost] => (item=[0, 'phone'])
changed: [ -> localhost] => (item=[1, 'laptop'])
changed: [ -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard apple mobileconfig generated] ******************************************************************
changed: [ -> localhost] => (item=[0, 'phone'])
changed: [ -> localhost] => (item=[1, 'laptop'])
changed: [ -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : Generate QR codes] ***************************************************************************************
ok: [ -> localhost] => (item=[0, 'phone'])
ok: [ -> localhost] => (item=[1, 'laptop'])
ok: [ -> localhost] => (item=[2, 'desktop'])
[DEPRECATION WARNING]: Use 'ansible.utils.ipv4' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipv6' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [wireguard : WireGuard configured] ************************************************************************************
changed: []

TASK [wireguard : WireGuard enabled and started] ***************************************************************************
changed: []

RUNNING HANDLER [wireguard : restart wireguard] ****************************************************************************
changed: []

TASK [strongswan : include_tasks] ******************************************************************************************
included: /home/user/al1/algo/roles/strongswan/tasks/ubuntu.yml for 

TASK [strongswan : Set OS specific facts] **********************************************************************************
ok: []

TASK [strongswan : Ubuntu | Install strongSwan] ****************************************************************************
changed: []

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] ********************************************************
changed: []

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] *****************************************************************
ok: [] => (item=/usr/lib/ipsec/charon)
ok: [] => (item=/usr/lib/ipsec/lookip)
ok: [] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] *******************************************************************************
ok: [] => (item=apparmor)
ok: [] => (item=strongswan-starter)
ok: [] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] *******************************************
changed: []

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] *********************************************
changed: []

TASK [strongswan : Ensure that the strongswan user exists] *****************************************************************
ok: []

TASK [strongswan : Install strongSwan] *************************************************************************************
ok: []

TASK [strongswan : Setup the config files from our templates] **************************************************************
changed: [] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
changed: [] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] *************************************************************************************
ok: []

TASK [strongswan : Disable unneeded plugins] *******************************************************************************
changed: [] => (item=mgf1)
changed: [] => (item=md5)
changed: [] => (item=xauth-generic)
changed: [] => (item=dnskey)
changed: [] => (item=rc2)
changed: [] => (item=resolve)
changed: [] => (item=sshkey)
changed: [] => (item=agent)
changed: [] => (item=attr)
changed: [] => (item=bypass-lan)
changed: [] => (item=eap-mschapv2)
changed: [] => (item=gmp)
changed: [] => (item=counters)
changed: [] => (item=xcbc)
changed: [] => (item=aesni)
changed: [] => (item=drbg)
changed: [] => (item=constraints)
changed: [] => (item=sha1)
changed: [] => (item=fips-prf)
changed: [] => (item=connmark)
changed: [] => (item=pkcs1)
changed: [] => (item=updown)

TASK [strongswan : Ensure that required plugins are enabled] ***************************************************************
changed: [] => (item=kernel-netlink)
changed: [] => (item=socket-default)
changed: [] => (item=gcm)
changed: [] => (item=revocation)
changed: [] => (item=pgp)
changed: [] => (item=pkcs12)
changed: [] => (item=nonce)
changed: [] => (item=openssl)
changed: [] => (item=stroke)
changed: [] => (item=pubkey)
changed: [] => (item=random)
changed: [] => (item=pkcs8)
changed: [] => (item=pem)
changed: [] => (item=sha2)
changed: [] => (item=hmac)
changed: [] => (item=aes)
changed: [] => (item=pkcs7)
changed: [] => (item=x509)

TASK [strongswan : debug] **************************************************************************************************
ok: [ -> localhost] => {
    "subjectAltName": "IP:"
}

TASK [strongswan : Ensure the pki directories exist] ***********************************************************************
changed: [ -> localhost] => (item=ecparams)
changed: [ -> localhost] => (item=certs)
changed: [ -> localhost] => (item=crl)
changed: [ -> localhost] => (item=newcerts)
changed: [ -> localhost] => (item=private)
changed: [ -> localhost] => (item=public)
changed: [ -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] ********************************************************************
changed: [ -> localhost] => (item=apple)
changed: [ -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] *********************************************************************************
changed: [ -> localhost] => (item=.rnd)
changed: [ -> localhost] => (item=private/.rnd)
changed: [ -> localhost] => (item=index.txt)
changed: [ -> localhost] => (item=index.txt.attr)
changed: [ -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] ********************************************************************
changed: [ -> localhost]

TASK [strongswan : Build the CA pair] **************************************************************************************
changed: [ -> localhost]

TASK [strongswan : Copy the CA certificate] ********************************************************************************
changed: [ -> localhost]

TASK [strongswan : Generate the serial number] *****************************************************************************
changed: [ -> localhost]

TASK [strongswan : Build the server pair] **********************************************************************************
changed: [ -> localhost]

TASK [strongswan : Build the client's pair] ********************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Build openssh public keys] ******************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12] *********************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12 with the CA cert included] *******************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Copy the p12 certificates] ******************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Get active users] ***************************************************************************************
changed: [ -> localhost]

TASK [strongswan : Copy the keys to the strongswan directory] **************************************************************
changed: [] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [] => (item={'src': 'certs/.crt', 'dest': 'certs/.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
changed: [] => (item={'src': 'private/.key', 'dest': 'private/.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ****************************************************************************
ok: [ -> localhost] => (item=phone)
ok: [ -> localhost] => (item=laptop)
ok: [ -> localhost] => (item=desktop)

TASK [strongswan : Set facts for mobileconfigs] ****************************************************************************
ok: [ -> localhost]

TASK [strongswan : Build the mobileconfigs] ********************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [strongswan : Build the client ipsec config file] *********************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Build the client ipsec secret file] *********************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [strongswan : Restrict permissions for the local private directories] *************************************************
ok: [ -> localhost]

TASK [strongswan : strongSwan started] *************************************************************************************
ok: []

RUNNING HANDLER [strongswan : restart strongswan] **************************************************************************
changed: []

RUNNING HANDLER [strongswan : daemon-reload] *******************************************************************************
ok: []

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ************************************************
changed: []

TASK [ssh_tunneling : Ensure that the algo group exist] ********************************************************************
changed: []

TASK [ssh_tunneling : Ensure that the jail directory exist] ****************************************************************
changed: []

TASK [ssh_tunneling : Ensure that the SSH users exist] *********************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)
[WARNING]: 'append' is set, but no 'groups' are specified. Use 'groups' for appending new groups.This will change to an
error in Ansible 2.14.

TASK [ssh_tunneling : Ensure the config directories exist] *****************************************************************
changed: [ -> localhost]

TASK [ssh_tunneling : Check if the private keys exist] *********************************************************************
ok: [ -> localhost] => (item=phone)
ok: [ -> localhost] => (item=laptop)
ok: [ -> localhost] => (item=desktop)

TASK [ssh_tunneling : Build ssh private keys] ******************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [ssh_tunneling : Build ssh public keys] *******************************************************************************
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost] => (item=None)
changed: [ -> localhost]

TASK [ssh_tunneling : Build the client ssh config] *************************************************************************
changed: [ -> localhost] => (item=phone)
changed: [ -> localhost] => (item=laptop)
changed: [ -> localhost] => (item=desktop)

TASK [ssh_tunneling : The authorized keys file created] ********************************************************************
changed: [] => (item=phone)
changed: [] => (item=laptop)
changed: [] => (item=desktop)

TASK [ssh_tunneling : Get active users] ************************************************************************************
ok: []

TASK [ssh_tunneling : Delete non-existing users] ***************************************************************************
ok: [] => (item=)

TASK [Dump the configuration] **********************************************************************************************
changed: [ -> localhost]
[DEPRECATION WARNING]: Use 'ansible.utils.ipmath' module instead. This feature will be removed from ansible.netcommon in a 
release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

TASK [debug] ***************************************************************************************************************
ok: [] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver                    #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is        #\"\n",
        "    \"#        The CA key password is        #\"\n",
        "    "
    ]
}

RUNNING HANDLER [ssh_tunneling : restart ssh] ******************************************************************************
changed: []

PLAY RECAP *****************************************************************************************************************
             : ok=116  changed=75   unreachable=0    failed=0    skipped=28   rescued=0    ignored=0   
localhost                  : ok=32   changed=3    unreachable=0    failed=0    skipped=11   rescued=0    ignored=0   
@littlerspade

I got the same problem on Ubuntu 22.04 LTS 64-bit, Python 3.10.6, OpenSSL 3.0.2, but it works fine on Ubuntu 20.04 LTS, Python 3.8.10, OpenSSL 1.1.1f.

omgagg added a commit to omgagg/algo that referenced this issue Feb 4, 2023
omgagg added a commit to omgagg/algo that referenced this issue Feb 5, 2023
@binbap

binbap commented Feb 18, 2023

Has anyone found a workaround for an already created instance? Also does anyone know if omgagg's changes in the openssl.yml fixes the problem?

@binbap

binbap commented Feb 20, 2023

Has anyone found a workaround for an already created instance? Also does anyone know if omgagg's changes in the openssl.yml fixes the problem?

The omgagg mods to openssl.yml did work for me in a clean install

@tmThEMaN

I have the same issue as well with the latest Ubuntu 22.04 ... I tried running Algo again but the new p12 password was also incorrect.

@TheHackerDev

Same issue here on the latest Ubuntu 22.04.

@jshji252

Still the same issue on Ubuntu 22.04 LTS

@ExtremeModerate

This issue still exists, but I was able to resolve it with a minor edit to omgagg's fix of adding the -legacy option, and I also ended up completely deleting any stored certs, etc. What didn't work for me was the step that set the fact of the openssl_version on line 162 of openssl.yml.

I didn't want to spend too much time with it, so I just changed this

    - name: Get OpenSSL version
      set_fact:
        openssl_version: "{{ ansible_facts.packages['openssl'][0]['version'] }}"

to explicitly set the version that was installed (lazy fix)

    - name: Get OpenSSL version
      set_fact:
        openssl_version: "3.1.1"

but I think this or a variant of it would work properly (untested - I haven't touched ansible in years)

    - name: Get OpenSSL version
      shell: openssl version | cut -f 2 -d ' '
      register: ssl_version
      run_once: true
      changed_when: false

    - name: Save OpenSSL version
      set_fact:
        # Jinja expressions must be quoted in YAML; a bare "{{" parses as a flow mapping
        openssl_version: "{{ ssl_version.stdout }}"

https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html

I just needed a working VPN again so I wasn't really doing things the right way. I'll fork and update a branch with this fix (and, you know, test it at least once) when I get a chance, but I wanted to document it a little before I forgot completely.

ExtremeModerate added a commit to ExtremeModerate/algo that referenced this issue Jul 4, 2023
…ith shell script instead. This may not work in Windows (trailofbits#14558)
ExtremeModerate added a commit to ExtremeModerate/algo that referenced this issue Jul 4, 2023
…d pipefile option in the shell command for getting openssl version number (trailofbits#14558)
@ExtremeModerate

As a follow-up to my previous message, I've created a branch from the omgagg fix and changed the way it gets the openssl version. Their branch was giving me an error (below) when running in docker, and it was simpler to use a shell script to set the fact, which seems like it would be more reliable. I've only done limited testing though, and only using locally built docker images.

Here's the error I was getting from omgagg's branch

TASK [strongswan : Get OpenSSL version] ************************************************************************************************************************************
fatal: [18.206.144.149 -> localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'openssl'\n\nThe error appears to be in '/algo/roles/strongswan/tasks/openssl.yml': line 162, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Get OpenSSL version\n      ^ here\n"}

Here's my branch with both omgagg's updates and mine, https://github.com/ExtremeModerate/algo/tree/openssl-version. Check that out and build with docker build . -t custom/algo:latest and then run as normal, using your image name.

I haven't figured out why I occasionally need to completely delete my ec2 stack and my local configs directory and start fresh, but I assume it was something I was doing along the way since I could start clean, run a complete build, and then go back and add users successfully multiple times.

ExtremeModerate added a commit to ExtremeModerate/algo that referenced this issue Jul 4, 2023
ExtremeModerate added a commit to ExtremeModerate/algo that referenced this issue Jul 8, 2023
…ed openssl tasks to fix macos/ios install issues (trailofbits#14558)

original solution from https://github.com/omgagg/algo
@rdreher

rdreher commented Jul 31, 2023

Changes work for me but I had to remove lines 158 to 160 on roles/strongswan/tasks/openssl.yml. Those were breaking the install.

@akashSugmar

akashSugmar commented Jul 31, 2023

Changes work for me but I had to remove lines 158 to 160 on roles/strongswan/tasks/openssl.yml. Those were breaking the install.

@rdreher
Are these the lines you removed? Sorry, if this is a noobish question.
    - name: Build the client's p12
      shell: >
        umask 077;

@olzhasar

@akashSugmar He is referring to line numbers in the pull request, not in the master branch.

@XxMicrowavexX

I tried that; it doesn't help.

gh0st-network added a commit to gh0st-network/algo that referenced this issue Dec 10, 2023
Fix PKCS#12 mobileconfig installation errors when using openssl version > 3 (trailofbits#14558) trailofbits#14622
https://github.com/trailofbits/algo/pull/14622/files
gh0st-network added a commit to gh0st-network/algo that referenced this issue Dec 10, 2023
Fix PKCS#12 mobileconfig installation errors when using openssl version > 3 (trailofbits#14558) trailofbits#14622
https://github.com/trailofbits/algo/pull/14622/files
@AfftarN

AfftarN commented Dec 14, 2023

The same problem for me. I tried Ubuntu 22.04, 20.04, 23.04, and I had the same problem installing .mobileconfig in my iOS 17.2.
Wireguard works well, but I don’t need it because the ChatGPT app detects VPN on my phone (by protocol) and doesn’t work.

Please Help!

@sellersshrug0y

I'm experiencing this issue too. I can't install mobileconfig profiles on my iPhone. Commit 74051d0.

@jackivanov
Collaborator

Can anyone share their mobileconfig here for debug? Make sure to remove all sensitive info first

@sellersshrug0y

Can anyone share their mobileconfig here for debug? Make sure to remove all sensitive info first

Hopefully I didn't share too much/little. Please let me know, especially if I've inadvertently posted something identifiable!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IKEv2</key>
            <dict>
              <key>OnDemandEnabled</key>
              <integer>1</integer>
              <key>OnDemandRules</key>
              <array>
                  <dict>
                    <key>Action</key>
                      <string>Connect</string>
                    <key>InterfaceTypeMatch</key>
                      <string>WiFi</string>
                    <key>URLStringProbe</key>
                      <string>http://captive.apple.com/hotspot-detect.html</string>
                  </dict>
                  <dict>
                    <key>Action</key>
                      <string>Connect</string>
                    <key>InterfaceTypeMatch</key>
                      <string>Cellular</string>
                    <key>URLStringProbe</key>
                      <string>http://captive.apple.com/hotspot-detect.html</string>
                  </dict>
                  <dict>
                    <key>Action</key>
                      <string>Disconnect</string>
                  </dict>
                </array>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>ChildSecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>
                <key>DeadPeerDetectionRate</key>
                <string>Medium</string>
                <key>DisableMOBIKE</key>
                <integer>0</integer>
                <key>DisableRedirect</key>
                <integer>1</integer>
                <key>EnableCertificateRevocationCheck</key>
                <integer>0</integer>
                <key>EnablePFS</key>
                <true/>
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
                    <integer>1440</integer>
                </dict>
                <key>LocalIdentifier</key>
                <string>iphone@********-****-****-****-************.algo</string>
                <key>PayloadCertificateUUID</key>
                <string>********-****-****-****-************</string>
                <key>CertificateType</key>
                <string>********</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>**.***.**.***</string>
                <key>RemoteAddress</key>
                <string>**.***.**.***</string>
                <key>RemoteIdentifier</key>
                <string>**.***.**.***</string>
                <key>UseConfigurationAttributeInternalIPSubnet</key>
                <integer>0</integer>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>************</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.********-****-****-****-************</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>********-****-****-****-************</string>
            <key>PayloadVersion</key>
            <real>1</real>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>AlgoVPN ************ IKEv2</string>
            <key>VPNType</key>
            <string>IKEv2</string>
        </dict>
        <dict>
            <key>Password</key>
            <string>vzjjvcOXF</string>
            <key>PayloadCertificateFileName</key>
            <string>iphone.p12</string>
            <key>PayloadContent</key>
            <data>
            ************BREGCSqGSIb3DQEHAaCCBQIEggT+MIIE+jCCA1oGCSqGSIb3DQEHBqCCA0swggNHAgEAMIIDQAYJKoZIhvcNAQcBMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBDDIm8/BMHguiBQ0+oBjE3ZAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQ8MDqwcs22Fmg5DH/rvkElYCCAtBfbhinIL+t0cZT148HdygTk/T7UWg+PRpi9Ds/ckv8vdtHvh5rVCfzueWdPO1BCKINXsyA/nFfFYh7IfySD0BwaCYKQP/Z6Wvx13g+4jASh1mcRSezQizdRtVxjeCwwkV/s2u9Rs8nV58ceYvrORuqFKgiDYExcWrwQFmjQmRK+DUcucqPSNwRBz04phHAsVKIb1JWfmpktbGa3AwU4DyDdwRfKmNNvFCoH9lQv0uK6CexyncYHF0zBLmOf+CrPBs+k3widNQLJ0FlbJsX6b8RUjl7Lekwxdk5We9tkyfb/qklnPbKhg8Kntz6mlXKOfQnCIuSoUZ1bBpIdnq/xJfVpt34k9hb08ewGYJ6p3vzWNizrDFpdqeChxOPQRJmXBEu5wOPlF7LOwz9rbTQAeppj/6fbZscn5zDoTTC078xXBlr7VHIWpFa6h2A4wiaVsSoX9bfcY2i3nPaG6PT6b1CDiQk1B23rHWRbN0lTTSGdGzMet6VsZDSlCg0Lvo7Kx1hyK8Vk29nsmEjQIVUIUMLK65xPuEIZSx+op9K7evbyzU+TbW0cWX0cMsmb0egGZDRMQ1SIGb5pe0lkm+ApJFGzifleG5fl6Fy5lBaxNjDO8MamOJ5QUY60L8XaPPYA4uVfrmSr1BuKlGoQ/5lwe/HRmvkmSp8AssGWkWC5XKNj/Acln7Y/HTCRUUMv0l0kTQ8dQxMKKhpBg1sw302N049OMbBfojFhab0xlaoSeIrmBGGwm5WUimL/3CyzEUYZXAW4HApboqqHVv/Uy/M6Smqw/gaWYs5lr7JraCrFoNkxNvpN+QweTq0A2pPrPx8D+4GpMJzcHy0VRuMrmX3IUCC32v1TW9hlrpkK/EUbJti3wI7YNorF5wTLObbcDx34r4BD4gRe88uAc7/uRKOvfmezHDKuFAzC33Y+bDUwOWx7D2A58JiBk/JHEcvea0Z/KkwggGYBgkqhkiG9w0BBwGgggGJBIIBhTCCAYEwggF9BgsqhkiG9w0BDAoBAqCCASgwggEkMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBBWIlroMroy28fxsHpeLRDxAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQYl+G6andGCqNBc3530s9ggSBwExdn0vfsWxdYUbFyyP6tSyOUfQnQJ4eboKrBb+OYvqFoaUWCxk+IcuCBl3StqJFlZjYJZWOIcx+TaTLRsebzeyfeVoZLH4d02u6uDnMO9G2VIhLBZnE1kDdyPvnnKx9vWSn9ZQLD4y64727wvcwhzvXHjk6atE0kYf7h618ztlHbhiorovvvzRWKY9BpwzUukvW8oGiY93eQYoWCpUKo7ZhA68SDGpmHqUr+DJ2JA01T6UAqUO26nMq5wGPdkpvSTFCMBsGCSqGSIb3DQEJFDEOHgwAbABhAHAAdABvAHAwIwYJKoZIhvcNAQkVMRYEFK4RUTGzqEqwJS9la3kIIeJt3W5hMEEwMTANBglghkgBZQMEAgEFAAQg6/+VdrQxWdWUX7C1akhr4J1J7YR1Hz/hcsUounzWDXIECAb6ABBQNmIRAgIIAA==
            </data>
            <key>PayloadDescription</key>
            <string>Adds a PKCS#12-formatted certificate</string>
            <key>PayloadDisplayName</key>
            <string>************</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.pkcs12.********-****-****-****-************</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>********-****-****-****-************</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>ca.crt</string>
            <key>PayloadContent</key>
            <data>
            ************TiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxVENDQWk2Z0F3SUJBZ0lVTGlnYUJqS25lcStIUjZWeDUxamJDNmhtQldnd0NnWUlLb1pJemowRUF3SXcKR0RFV01CUUdBMVVFQXd3Tk5qZ3VNVGd6TGpVekxqRTNOekFlRncweU5EQXlNall5TXpNNU1ETmFGdzB6TkRBeQpNak15TXpNNU1ETmFNQmd4RmpBVUJnTlZCQU1NRFRZNExqRTRNeTQxTXk0eE56Y3dkakFRQmdjcWhrak9QUUlCCkJnVXJnUVFBSWdOaUFBUXNwSFNkaDEyT3dyRjVUdUFINi9EaWhDNE9hS0FJRzRncVBmOGlkS0F4RloySFJXYlgKVVIrUk5CcE9UQ2xqNTFtQ2FnaTVwN29pU2JnQkFwS29zWG5vWW9JeW96bkdCRlZSUCtTRXoxb3lDcnoycUZZbAppNGswUjg0SWpQMHNOVDZqZ2dFM01JSUJNekFkQmdOVkhRNEVGZ1FVV0pCWlRhRnFFaytqVVRaRGkyc21pUG9iCnd4Z3dVd1lEVlIwakJFd3dTb0FVV0pCWlRhRnFFaytqVVRaRGkyc21pUG9id3hpaEhLUWFNQmd4RmpBVUJnTlYKQkFNTURUWTRMakU0TXk0MU15NHhOemVDRkM0b0dnWXlwM3F2aDBlbGNlZFkyd3VvWmdWb01CSUdBMVVkRXdFQgovd1FJTUFZQkFmOENBUUF3Z1pzR0ExVWRIZ0VCL3dTQmtEQ0JqYUNCaWpBS2h3aEV0eld4Ly8vLy96QXJnaWs0Ck9URXlNVFEwWXkwNE1EUTFMVFZtT0RrdFlXVmtNaTB5T1RFeU5UWTBZVEprTnpJdVlXeG5iekFyZ1NrNE9URXkKTVRRMFl5MDRNRFExTFRWbU9Ea3RZV1ZrTWkweU9URXlOVFkwWVRKa056SXVZV3huYnpBaWh5QW1CS2lBQ0FBQQpFQUFBQUFBTXJqQUIvLy8vLy8vLy8vLy8vLy8vLy8vLy96QUxCZ05WSFE4RUJBTUNBUVl3Q2dZSUtvWkl6ajBFCkF3SURhUUF3WmdJeEFJeUpvdktVaS9Bdm05eUYrQVBHeENLV3pyMVlLanBnVkcxK0V3WFdOYTMvT3orN1M5dlAKMVpNSVl1T2tuQ3ppVVFJeEFOaUV2WERITXBCaGY2djdnMnVoMTByaWg2NW5JZDQvUHRhMno4MVB2Mzd4dFRIZApJaEtqOVQveER2RmlXSE5QaHc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>************</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.********-****-****-****-************</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>********-****-****-****-************</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>AlgoVPN ************ IKEv2</string>
    <key>PayloadIdentifier</key>
    <string>donut.local.********-****-****-****-************</string>
    <key>PayloadOrganization</key>
    <string>AlgoVPN</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>********-****-****-****-************</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
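Added here as a diagnostic, not part of Algo or of anyone's posted code: a small Python checker that pulls the PKCS#12 payload out of a mobileconfig like the one above and reports whether it uses the OpenSSL 3 default scheme (PBES2 with AES-256-CBC and SHA-256, whose DER identifiers are visible in the posted base64) or the older RC2/3DES/SHA-1 scheme that the `-legacy` option from ExtremeModerate's fix produces. The sample profile and its contents are constructed, and the scan is an OID substring search rather than a full PFX parser.

```python
"""Report which password-based encryption scheme the PKCS#12 payloads in an
Apple .mobileconfig use. Hypothetical helper written for this thread, not
Algo's own code; it scans for DER-encoded OIDs rather than fully parsing PFX."""
import plistlib

# OIDs that tell the OpenSSL 3 PKCS#12 defaults apart from the scheme that
# `openssl pkcs12 -export -legacy` (and OpenSSL 1.1.1) produce.
OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
    "1.2.840.113549.2.9": "HMAC-SHA256",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.3.14.3.2.26": "SHA-1",
}
MODERN = {"PBES2", "PBKDF2", "AES-256-CBC", "HMAC-SHA256", "SHA-256"}
LEGACY = {"pbeWithSHA1And3-KeyTripleDES-CBC", "pbeWithSHA1And40BitRC2-CBC", "SHA-1"}

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as a tag 0x06 TLV (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + body

def scan_pkcs12(der: bytes) -> set:
    """Names of the known algorithm OIDs found anywhere in the DER (a 10-byte
    OID TLV is vanishingly unlikely to show up by chance inside ciphertext)."""
    return {name for oid, name in OIDS.items() if encode_oid(oid) in der}

def classify(found: set) -> str:
    """'openssl3-default' is the combination this thread reports iOS/macOS rejecting."""
    if found & MODERN and not found & LEGACY:
        return "openssl3-default"
    if found & LEGACY and not found & MODERN:
        return "legacy"
    return "mixed" if found else "unknown"

def inspect_mobileconfig(xml: bytes) -> dict:
    """Map each com.apple.security.pkcs12 payload's file name to its class."""
    profile = plistlib.loads(xml)
    out = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.security.pkcs12":
            p12 = payload["PayloadContent"]  # plistlib decodes <data> to bytes
            out[payload["PayloadCertificateFileName"]] = classify(scan_pkcs12(p12))
    return out

def fake_pkcs12(*oids: str) -> bytes:
    """Constructed sample: a SEQUENCE of the given OIDs plus a dummy OCTET STRING
    standing in for ciphertext. Not a valid PFX, but enough for the scan."""
    body = b"".join(encode_oid(o) for o in oids) + b"\x04\x08" + bytes(range(8))
    return b"\x30" + bytes([len(body)]) + body

def sample_mobileconfig(p12: bytes) -> bytes:
    """Constructed minimal profile with one PKCS#12 payload, shaped like Algo's."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadCertificateFileName": "phone.p12",
            "PayloadContent": p12,
        }],
    })

if __name__ == "__main__":
    modern = sample_mobileconfig(fake_pkcs12(*list(OIDS)[:5]))
    legacy = sample_mobileconfig(fake_pkcs12(*list(OIDS)[5:]))
    print(inspect_mobileconfig(modern))  # {'phone.p12': 'openssl3-default'}
    print(inspect_mobileconfig(legacy))  # {'phone.p12': 'legacy'}
```

To check a real profile, read the .mobileconfig file as bytes and pass it to `inspect_mobileconfig`; a `legacy` result is what a profile built with `-legacy` should show.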

@sellersshrug0y

Quick followup: I can't install mobileconfig IPsec configurations in Mac OS, either. When I try, I get an error that reads "Profile installation failed. The certificate could not be verified (authentication error)."

It's worth noting that the WireGuard mobileconfig files do work on both iOS and Mac, however. It's just the IPsec ones that have the password/authentication issue.

@zenkio

zenkio commented Apr 16, 2024

Quick followup: I can't install mobileconfig IPsec configurations in Mac OS, either. When I try, I get an error that reads "Profile installation failed. The certificate could not be verified (authentication error)."

It's worth noting that the WireGuard mobileconfig files do work on both iOS and Mac, however. It's just the IPsec ones that have the password/authentication issue.

Same here. This issue seems to have been open since 2022, but I still get it now.

@jackivanov
Collaborator

jackivanov commented Apr 16, 2024

This issue seems to have been open since 2022, but I still get it now.

Feel free to submit a PR. I never was able to reproduce the bug in my environment.

@zenkio

zenkio commented Apr 18, 2024

@sellersshrug0y
Based on the pull request here: https://github.com/trailofbits/algo/pull/14622/files with rafaelsms's fix applied, and also the comment here: #14622 (comment), I got the mobileconfig installed successfully on my iPhone.
Screen cap for the final workable change on my end; hope you can make it work on your end.

@sellersshrug0y

@zenkio I have no idea what I'm doing when it comes to code :( glad you got it working though!

@zenkio

zenkio commented Apr 20, 2024

@zenkio I have no idea what I'm doing when it comes to code :( glad you got it working though!

If you are not familiar with modifying code, my forked version can be accessed here: https://github.com/zenkio/algo/tree/fix-profile-install-failed

I am not at the level to raise a PR and test all related things. What I have done is follow the previous comments and make a workable version for my environment.

@sellersshrug0y

@zenkio I have no idea what I'm doing when it comes to code :( glad you got it working though!

If you are not familiar with modifying code, my forked version can be accessed here: https://github.com/zenkio/algo/tree/fix-profile-install-failed

I am not at the level to raise a PR and test all related things. What I have done is follow the previous comments and make a workable version for my environment.

This worked!! Thanks so much!
