"Error outputting keys and certificates" when adding APNS notifications to Amplify

[JoakimMellonn]

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v18.13.0

Amplify CLI Version

12.1.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

In my Flutter project I'm trying to add notifications with APNS. When I do this I get the following error message after giving the path to the .p12 certificate and writing the non-existent password (just pressing enter):

Error outputting keys and certificates
00DEF7DD01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
🛑 Command failed: openssl pkcs12 -in /Users/joakimrosenfeldtpedersen/Certificates.p12 -out /var/folders/cy/n2b5gjxj4dv1mztr65gpklgc0000gn/T/temp.pem -nodes -passin pass:
Error outputting keys and certificates
00DEF7DD01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()


Resolution: Please report this issue at https://github.com/aws-amplify/amplify-cli/issues and include the project identifier from: 'amplify diagnose --send-report'
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 72137838-7a44-4758-bd28-aa0766d0a711

✅ Report saved: /var/folders/cy/n2b5gjxj4dv1mztr65gpklgc0000gn/T/MellonnSpeakEU/report-1689771320910.zip

✔ Done

Project Identifier: 369c3e3e1f86cb7691bd7b7aef05de77

Expected behavior

Amplify notifications should be added to the project without any problems.

Reproduction steps

1. Create Flutter project and add Amplify to it.
2. Follow the official guide to add Notifications to said project.

Project Identifier

369c3e3e1f86cb7691bd7b7aef05de77

Log output

# Put your logs below this line
2023-07-19T12:53:29.435Z|info : amplify add notifications  
2023-07-19T12:53:29.533Z|info : @aws-amplify/amplify-cli-core.banner-message/index.ts.fetch banner messages from https://aws-amplify.github.io/amplify-cli/banner-message.json({}
2023-07-19T12:53:31.250Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileConfig(["MacBookPro2021Amplify"])
2023-07-19T12:53:31.252Z|info : amplify-provider-awscloudformation.system-config-manager.getProfiledAwsConfig.profileConfig([{"region":"eu-central-1"}])
2023-07-19T12:53:31.253Z|info : amplify-provider-awscloudformation.system-config-manager.getProfileCredentials(["MacBookPro2021Amplify"])
2023-07-19T12:55:23.323Z|error : Command failed: openssl pkcs12 -in /Users/joakimrosenfeldtpedersen/Certificates.p12 -out /var/folders/cy/n2b5gjxj4dv1mztr65gpklgc0000gn/T/temp.pem -nodes -passin pass:
Error outputting keys and certificates
00DEF7DD01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

UnknownFault: Command failed: openssl pkcs12 -in /Users/joakimrosenfeldtpedersen/Certificates.p12 -out /var/folders/cy/n2b5gjxj4dv1mztr65gpklgc0000gn/T/temp.pem -nodes -passin pass:
Error outputting keys and certificates
00DEF7DD01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Additional information

No response

Before submitting, please confirm:

• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• I have removed any sensitive information from my code snippets and submission.

[ykethan]

Hey @JoakimMellonn, thank you for reaching. Could you let us know the openssl version currently installed by running openssl version.

Additionally, could you try directly running the openssl command in your terminal and let us know the output?
openssl pkcs12 -in /Users/joakimrosenfeldtpedersen/Certificates.p12 -out /var/folders/cy/n2b5gjxj4dv1mztr65gpklgc0000gn/T/temp.pem -nodes -passin <pass>.

Marking this as bug for error messaging improvements as I was able to reproduce a similar error message

🛑 Command failed: openssl pkcs12 -in /Users/abc/Downloads/cert.p12 -out /var/folders/7n/vtvskf9s3czf2429q2kv9yz00000gr/T/temp.pem -nodes -passin pass:
Mac verify error: invalid password?

[JoakimMellonn]

This is the output from openssl version: OpenSSL 3.1.1 30 May 2023.
Regarding running the openssl command, but I'm getting some errors regarding the -passin <pass> part of it. Should I replace anything or is this to be expected?

[ykethan]

@JoakimMellonnThe terminal should prompt you for a pass if we remove the -passin but we can simply press return without any input if the cert does not have a password assigned.

the output should be similar to as follows if the certificates are valid

openssl pkcs12 -in /Users/abc/Downloads/Certificates.p12 -out /var/folders/7n/vtvskf9s3czf2429q2kv9yz00000gr/T/temp.pem -nodes
Enter Import Password:
MAC verified OK

[JoakimMellonn]

Ah okay, I get the same error when doing it directly in the terminal.

Error outputting keys and certificates
00DEF7DD01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

[ykethan]

Hey @JoakimMellonn, thank you for the information. I was able to reproduce the issue using OpenSSL 3.1.1 30 May 2023.
When I switch to LibreSSL 3.3.6 the error does not occur.
This appears to be a issue with the SSL version, could try switching to LibreSSL 3.3.6 and let us know if the issue still occurs.

Making a note here for further investigation.
Working: LibreSSL 3.3.6
Not working: OpenSSL 3.1.1 30 May 2023

[JoakimMellonn]

Thank you, I've now tried switching to LibreSSL and can confirm it is working.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[ykethan]

@JoakimMellonn reopening the issue for tracking this behaviour and provide better error messaging.

[kayzkenny]

Still getting this error, when using the cli amplify add notifications

806024E901000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:342:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
🛑 Command failed: openssl pkcs12 -in /Users/kehindeakeredolu/Desktop/freelance/light-app/carnet_light/assets/amplify.p12 -out /var/folders/n4/r1prvfbj5hs0m1hfkn9y2w180000gn/T/temp.pem -nodes -passin pass:
Error outputting keys and certificates
806024E901000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:342:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()```

[shree-ranga]

openssl pkcs12 -in Certificates.p12 -out apns_cert.pem -legacy -nodes

Above worked

[true-glassy]

These are the steps to switch to libressl from openssl

1. brew install libressl

2. export PATH="/usr/local/opt/libressl/bin:$PATH" (you have to know where is your liberssl was downloaded and use that in your export)

The command to know where is your liberssl was is brew --prefix libressl

[richstimson]

These are the steps to switch to libressl from openssl

1. brew install libressl
2. export PATH="/usr/local/opt/libressl/bin:$PATH" (you have to know where is your liberssl was downloaded and use that in your export)

The command to know where is your liberssl was is brew --prefix libressl

Note: true-glassy's answer resolves the issue for amplify add notifications (or amplify update notifications).