I followed this tutorial for using a self-signed certificate and that worked so far.
Then, I purchased an SSL certificate from my provider and tried to use that one. I get the error:
2019-04-19 17:45:36.385 ERROR 9245 --- [ restartedMain] org.apache.catalina.util.LifecycleBase : Failed to start component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1004) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:226) [tomcat-embed-core-9.0.14.jar:9.0.14]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:259) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:311) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:164) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549) [spring-context-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:316) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at de.tki.chinese.ChineseApplication.main(ChineseApplication.java:24) [classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_73]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_73]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_73]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_73]
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.1.2.RELEASE.jar:2.1.2.RELEASE]
Caused by: java.lang.IllegalArgumentException: DerInputStream.getLength(): lengthTag=109, too big.
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1171) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:568) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1001) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
... 19 common frames omitted
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:561) ~[na:1.8.0_73]
at sun.security.util.DerValue.init(DerValue.java:365) ~[na:1.8.0_73]
at sun.security.util.DerValue.<init>(DerValue.java:320) ~[na:1.8.0_73]
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914) ~[na:1.8.0_73]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_73]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:178) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112) ~[tomcat-embed-core-9.0.14.jar:9.0.14]
... 25 common frames omitted
2019-04-19 17:45:36.405 INFO 9245 --- [ restartedMain] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2019-04-19 17:45:36.414 INFO 9245 --- [ restartedMain] ConditionEvaluationReportLoggingListener :
I created a keystore like this:
MacBook-Pro:keystore tobias$ keytool -import -alias tomcat -file hanzien_de.key -keystore keystore_hanzien.de.p12 -storepass xxxxx
Then I used that keystore in my application.properties file:
# ==============================================================
# = ssh
# ==============================================================
# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true
# The format used for the keystore
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/keystore_hanzien.de.p12
#server.ssl.key-store=classpath:keystore/hanzien_de.pfx
# The password used to generate the certificate
server.ssl.key-store-password=xxxxx
# The alias mapped to the certificate
server.ssl.key-alias=tomcat
What am I doing wrong?
First, you appear to be using Java 8 (8u73). Through 8, keytool defaults to JKS format, not PKCS12. (9 and up do default to PKCS12.) This is why your exception cause is about DerStuff; the PKCS12 format is/uses DER but JKS does not. Either specify -storetype pkcs12 on the keytool command, or specify ..key-store-type=JKS in your app config (and preferably change the name so it is not actively misleading and confusing to people).
Second, keytool -import on a new keystore (or entry) imports only a certificate as a 'trustedcert' entry only usable to verify other parties. A TLS server (or SSL before it was obsoleted) like Tomcat, or in general any prover, must have a 'privatekey' entry containing a cert AND matching PRIVATEKEY AND usually CHAIN CERT(S). To be exact, the TLS standards require the server to send the/all chain cert(s) needed to verify the entity=server cert, optionally excluding the root or anchor; JSSE normally sends the cert(s) that are in the PrivateKeyEntry, so you must put the needed cert(s) there. For any public CA (like Verisign^WSymantec^WDigicert, GoDaddy, LetsEncrypt/Identrust) since about 1990, at least one chain cert is required, sometimes two and very rarely more. For a private CA this may vary depending on the CA. If the server does not send the required chain cert(s), some clients may still be able to verify some certs; in particular, browsers can often 'fill in' missing chain cert(s) from public CAs. This creates a situation where some connections to your server succeed while other connections to the same server fail, which tends to be very confusing and upsetting to users, and is not recommended.
If your .key file actually contains only a cert, naming it .key is misleading and confusing. If it contains a cert and then key in PEM, Java is able to read and separate the cert part and ignore the key; this allows keytool to run but produces a resulting file that Tomcat cannot use to accept TLS/SSL connections. (Depending on the version and maybe config, it may throw a reasonably specific exception like 'not a key' or 'key not found', or it may simply reject all connection attempts with handshake_failure.) If it contains only a key, or a key then a cert, or not PEM, the keytool command would fail, and yours apparently didn't.
keytool is not able to import a privatekey from anything but a(nother) supported keystore, which doesn't help you much because if it's already in a keystore you don't need to import it. Your choices are:
if you have openssl commandline, use it to convert the key + cert(s) to PKCS12. (openssl pkcs12 -export will include chain cert(s) if you provide it/them explicitly, or explicitly specify -chain and provide or default a truststore containing it/them.) There are dozens of existing Stack Qs and As, going back many years, covering this common and popular alternative.
use keytool to generate the keypair (already in a Java-supported keystore format) and CSR and get a certificate issued for that CSR, and then use keytool -import to either (1) import CA chain certs as trusted and then the server cert to the existing privatekey entry, which automatically fills in the chain or (2) import the whole CA chain directly to the existing privatekey entry. There are many existing Qs and As on this alternative also, as well as Sun/Oracle's own doc for Java, and tailored versions from every CA (or nearly so).
write, or find, and use a program that explicitly loads a privatekey and cert(s) from whatever format(s) you have to a 'privatekey' entry in a supported keystore. This is more work, and there are only a few Qs and As on this.
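To check the first point of the answer above before Tomcat does, here is an added example (not part of the answer or of Spring/Tomcat): a small POSIX shell script that tells you what a "keystore" file really is from its first bytes, and reproduces the number 109 in the exception from a JKS file's magic. It assumes only sh, od and tr; the file names are whatever you pass in.

```sh
#!/bin/sh
# Added example, not from the answer above: identify a keystore file by its magic bytes,
# so a JKS file is never handed to Tomcat as server.ssl.key-store-type=PKCS12 (or vice versa).
# Assumes only POSIX sh, od and tr.
set -eu

# First four bytes of a file as lowercase hex, no spaces (e.g. "feedfeed").
magic4() {
  od -An -tx1 -N 4 "$1" | tr -d ' \n'
}

# Map the magic to what the JDK can load:
#   JKS   : 0xFEEDFEED (keytool's default store type on Java 8 and older)
#   JCEKS : 0xCECECECE
#   DER   : starts with 0x30 (SEQUENCE); a PKCS12 file, but a bare DER .crt looks the same
#   PEM   : "-----BEGIN ...", which no server.ssl.key-store-type accepts directly
keystore_format() {
  case "$(magic4 "$1")" in
    feedfeed) echo JKS ;;
    cececece) echo JCEKS ;;
    30*)      echo DER ;;
    2d2d2d2d) echo PEM ;;
    *)        echo UNKNOWN ;;
  esac
}

# Reproduces the number in "DerInputStream.getLength(): lengthTag=109, too big".
# The PKCS12 loader reads byte 0 as a DER tag and byte 1 as a DER length byte; a set
# high bit means "long form, the low 7 bits say how many length bytes follow".
# In a JKS file byte 1 is 0xED, and 0xED & 0x7F = 109, which the JDK rejects as too big.
der_length_tag() {
  second=$(od -An -tu1 -j 1 -N 1 "$1" | tr -d ' \n')
  echo $((second & 127))
}

# The Spring property value that matches the file, or a hint to convert it first.
spring_store_type() {
  case "$(keystore_format "$1")" in
    JKS|JCEKS) keystore_format "$1" ;;
    DER)       echo PKCS12 ;;   # assuming the DER file is a PKCS12, not a bare certificate
    *)         echo "none: convert the file to PKCS12 first" ;;
  esac
}

# Usage: keystore_format keystore_hanzien.de.p12; der_length_tag keystore_hanzien.de.p12
```

If keystore_format prints JKS for a file named .p12, the answer's two fixes apply: either re-create it with -storetype pkcs12 or set key-store-type=JKS and rename the file.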
If you use maven, this is probably occurring because of the Maven filtering in your whole resources folder.
Maven resource filtering (which lets you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.
More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html
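For the filtering problem described in the answer above, here is an added example (not from the answerer or from the Maven docs) of a pom.xml resources section that keeps variable substitution for text resources but copies keystores through byte for byte. The directory and the file patterns are assumptions; adjust them to your layout.

```xml
<build>
  <resources>
    <!-- Text resources (application.properties etc.) keep placeholder substitution -->
    <resource>
      <directory>src/main/resources</directory>
      <filtering>true</filtering>
      <excludes>
        <exclude>**/*.p12</exclude>
        <exclude>**/*.pfx</exclude>
        <exclude>**/*.jks</exclude>
      </excludes>
    </resource>
    <!-- Binary keystores are copied unchanged: filtering rewrites bytes and breaks DER -->
    <resource>
      <directory>src/main/resources</directory>
      <filtering>false</filtering>
      <includes>
        <include>**/*.p12</include>
        <include>**/*.pfx</include>
        <include>**/*.jks</include>
      </includes>
    </resource>
  </resources>
</build>
```

An equivalent is to add p12, pfx and jks to nonFilteredFileExtensions in the maven-resources-plugin configuration. Either way, verify the result after a build with cmp src/main/resources/keystore.p12 target/classes/keystore.p12: any difference means the copy in the jar is not the file you created.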
Faced with this error during Spring Boot application start with a PKCS12 cert. Simply raising the Java version from 8 to 11 fixed the error. Keep in mind that all the classes you use have to be in both versions of Java.
What about running directly from cmd:
java -jar -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=C:\Users\certificates\Cert_name -Dspring.profiles.active=local target\jar_or_war_name_with_dot_extension
I know this might look familiar but I assure everyone that I have checked and reran all the answers but still I can't use my valid GoDaddy SSL certificate.
Here are the steps I've taken to make and use a keystore in an Spring Boot application.
I appreciate any suggestion or comment on this post.
I have downloaded the certificate package from my GoDaddy account which is related to tomcat option (Haven't generated and submitted CSR and just used the one which is pre-generated by GoDaddy).
The package contains below set of files.
gd_bundle-g2-g1.crt (Intermediate Certificate)
[Random_Hex].crt (Root Certificate)
gdig2.crt.pem (public key)
Using above files and keytool, I have generated a keystore running the following commands
keytool -import -trustcacerts -alias intermediate -file gd_bundle-g2-g1.crt -keystore mydomain.jks
keytool -import -trustcacerts -alias mydomain.com -file <randomhex>.crt -keystore mydomain.jks
keytool -importkeystore -srckeystore mydomain.jks -destkeystore mydomain.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass Password -srcalias mydomain.com -destalias mydomain
Putting the .p12 file generated in previous step into "resources" path of my Spring Boot project and updating the application.properties file as following, I expected the project to run and expose my web application on HTTPS.
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:mydomain.p12
server.ssl.key-store-password=Password
server.ssl.key-password=Password
server.ssl.key-alias=mydomain.com
But no matter which config I use or how many times to recreate the keystore, I face below error.
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:263) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:195) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:297) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:163) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552) ~[spring-context-5.1.9.RELEASE.jar:5.1.9.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:743) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:390) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:312) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1214) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1203) ~[spring-boot-2.1.7.RELEASE.jar:2.1.7.RELEASE]
at com.pincha.patient.MyApp.main(MyApp.java:10) ~[classes/:na]
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:585) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
... 14 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:325) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.22.jar:9.0.22]
... 20 common frames omitted
#Boris the Spider:
This is not a keystore, it is a truststore. There is no private material, this is just a chain of trust back to the GoDaddy root CA. In order for it to be a keystore there must be a key pair which includes a private key that only you have and a public key which contains your server's domain name(s) signed by a GoDaddy CA. This is what the CSR is: you generate this key pair and then ask GoDaddy to sign it. TL;DR: you need a key pair.
I am trying to consume one of the REST services in WSO2
"https://localhost:9443/api/identity/recovery/v0.9/recover-password?type=email&notify=false" using RestTemplate. But I am getting the below exception:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:9443/api/identity/recovery/v0.9/recover-password": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:579)
at com.diligent.cdd.master.services.impl.UserServiceImpl.getWSO2ResetPWDKey(UserServiceImpl.java:49)
at com.diligent.cdd.master.services.impl.UserServiceImpl.resetUserPwd(UserServiceImpl.java:43)
at com.diligent.cdd.master.controllers.UserController.resetUserPassword(UserController.java:26)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:189)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
I have tried enabling ssl properties in my application by below,
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:wso2carbon.jks
server.ssl.key-store-password=wso2carbon
server.ssl.key-alias=wso2carbon
This happened because WSO2 Identity server expects the certificate of the application during SSL handshake and the certificate of the application is missing in the truststore. So what you have to do is,
Import the application's SSL public certificate into Identity Server's client-truststore.jks. It is located in /repository/resources/security/ folder.
You can use the following command to import into the client-truststore.
keytool -importcert -alias -file
-keystore ${IS_HOME}/repository/resources/security/client-truststore.jks
-storepass wso2carbon -noprompt
Restart the server.
You can refer to this blog.
Hope this will resolve your issue
I have a Spring Boot (2.x.x) service which customers can download. Once they've downloaded and started the service, they login to a managed portal to interact with the service.
The managed portal is hosted on Firebase, and setup with the default SSL certificates from Firebase. When viewing the managed portal in Chrome I can see This page includes resources that were loaded with certificate errors..
If I attempt to view the managed portal from Firefox, the following exception is thrown in the Spring Boot service.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930) [netty-transport-4.1.33.Final.jar:4.1.33.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799) [netty-transport-native-epoll-4.1.33.Final-linux-x86_64.jar:4.1.33.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:427) [netty-transport-native-epoll-4.1.33.Final-linux-x86_64.jar:4.1.33.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:328) [netty-transport-native-epoll-4.1.33.Final-linux-x86_64.jar:4.1.33.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905) [netty-common-4.1.33.Final.jar:4.1.33.Final]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_191]
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896) ~[na:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[na:1.8.0_191]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.8.0_191]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295) ~[netty-handler-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301) ~[netty-handler-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203) ~[netty-handler-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247) ~[netty-handler-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.33.Final.jar:4.1.33.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.33.Final.jar:4.1.33.Final]
... 13 common frames omitted
From here, I'm sure I've got something wrong, but unsure what exactly.
The configuration for my service is:
server:
  port: 8443
  ssl:
    key-store: classpath:keystore.jks
    key-password: changeit
    key-alias: keystore
and I created the keystore using
keytool -genkeypair -alias keystore -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650
How can I clean up this so I get a nice green secure badge?
In your application.yml, change key-password to key-store-password.
You can also add SSL Truststore and keystore certificates to your JVM using java properties during startup. I found this works with no fuss all the time.
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
I have configured the environment of [kurento server][1] (a WebRTC media server and a set of client APIs making simple the development of advanced video applications for WWW and smartphone platforms) and I got the tutorial project up and running.
But I am having an issue with changing the certificate that are included with the projects.
Can you please point me in the right direction on how to do that without causing a problem, since when I created a new keystore the maven compile failed.
Here is a snapshot of the stack trace after following the site's "securing the application" steps (I double-checked the password and certificate):
2017-07-16 10:35:43.508 ERROR 11944 --- [llRecApp.main()] o.a.coyote.http11.Http11NioProtocol : Failed to start end point associated with ProtocolHandler [https-jsse-nio-8443]
java.lang.IllegalArgumentException: java.io.IOException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) [tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) [tomcat-embed-core-8.5.5.jar:8.5.5]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar:4.3.3.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar:1.4.1.RELEASE]
at org.kurento.tutorial.one2onecallrec.One2OneCallRecApp.main(One2OneCallRecApp.java:68) [classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293) [exec-maven-plugin-1.4.0.jar:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[na:1.8.0_131]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_131]
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_131]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_131]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_131]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:194) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
... 23 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[na:1.8.0_131]
... 31 common frames omitted
[1]: http://doc-kurento.readthedocs.io/en/stable/what_is_kurento.html
Without an exact description of "the problem" or "the issue", it will be difficult to pinpoint what can help.
You can start by double-checking the content of "Securing Kurento Applications".
For instance, the command
mvn compile exec:java -Dkms.url=ws://kms_host:kms_port/kurento
would only work if your jar does include the new keystore in your jar file:
File keystore.jks must be in the project’s root path, and a file named application.properties must exist in src/main/resources/, with the following content:
server.port: 8443
server.ssl.key-store: keystore.jks
server.ssl.key-store-password: yourPassword
server.ssl.keyStoreType: JKS
server.ssl.keyAlias: yourKeyAlias
Double-check with this answer which states:
Check that your file is according to that, and make sure that you are providing the correct keystore location in server.ssl.key-store
Regarding the error message "Keystore was tampered with, or password was incorrect", see "keytool error Keystore was tampered with, or password was incorrect". It can be a passphrase issue for instance.
The OP AhMaD AbUIeSa adds in the comments:
After creating a new keystore from official site using the certificate and the private key the project worked with no problem.
As commented below by Nikola Lukic, to add a new certificate, you would need to:
copy it into the container (docker container cp) using the right path (a path valid from within the container, not the host),
create a new image (docker container commit)
run the new image as a new container: docker container run
Trying to achieve:
As required in Apple Pay for Web, 2-way TLS 1.2 is required. In my case I'm trying to hit the Apple Pay server from my Java code with a JSON payload (so you could say it acts as the client).
https://developer.apple.com/reference/applepayjs/applepaysession#2166532
My points of Concern:
1) Any command that list all the cipher suites supported? running on java 1.8.
2) What is required while making HttpsURLconnection.openconnection to be TLS1.2?
3) Any example code by which i can achieve this connection.
4) What are the settings required like certificate and private key?
Any help would be useful.
I know I have asked very direct questions, but I will keep adding more specific questions to this.
Update: First 3 points are done.
Now only Regarding point 4: I'm sending both the files key and cert by converting to cert.p12 file and saving as new keystore.
openssl x509 -inform der -in merchant_id.cer -out merchant_id.pem
openssl pkcs12 -nodes -export -in merchant_id.pem -inkey clientprivate.key -out cert.p12 -name "Certificate"
After that running java code with VM arguments in eclipse:
-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=cert.p12 -Djavax.net.debug=ssl
I can see following error in console:
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
***
*** ECDHClientKeyExchange
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:
***
main, WRITE: TLSv1.2 Handshake, length = 64
main, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 48
main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
main, called closeSocket()
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
Here is the java code:
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(factory);
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
conn.setRequestProperty("Accept", "application/json");
conn.setRequestMethod("POST");
OutputStream os = conn.getOutputStream();
os.write(jsonInString.getBytes("UTF-8"));
Failing at
conn.getOutputStream();
Using java 1.8
General answers in the order asked:
I found this very helpful to list all ciphers: https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
I used this System.setProperty("https.protocols", "TLSv1.2"); to set it to TLS 1.2.
I can't post my whole project here; it's too much code. It's a basic HTTP request with all required fields sent along.
First create an "apple pay merchant id" certificate on apple's website, download it, extract the certificate and the key from it into 2 separate files, send both along with your request (with the password, of course).