I have an instance of Apache Tomcat running on our server, for which I am trying to use Let's Encrypt for HTTPS. I found some scripts to import the certificate, and I can check in the keystore that the certificate is imported.
Unfortunately, HTTPS is not working. Whenever I try to connect, it just keeps waiting (progress bar rotating). I don't know what I am doing wrong.
Script:
#!/bin/sh
# $networkdevice, $mydomain, $myemail, $keytooldir, $keystoredir and $certdir are set elsewhere in the environment.
cd /var/git/letsencrypt
#git pull origin master
# Open port 9999 and redirect inbound port 80 to it while the standalone challenge listener runs.
iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -t nat -I PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999
# --test-cert requests the certificate from the Let's Encrypt staging CA, which browsers do not trust.
./letsencrypt-auto certonly --standalone --test-cert --break-my-certs -d $mydomain --renew-by-default --email $myemail --agree-tos
iptables -t nat -D PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999
iptables -D INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
# Remove the previous entries, then rebuild the keystore from the new PEM files.
$keytooldir/keytool -delete -alias root -storepass NEWPASS -keystore $keystoredir
$keytooldir/keytool -delete -alias tomcat -storepass NEWPASS -keystore $keystoredir
# Bundle private key and full chain into a PKCS#12 file protected by the password "aaa".
openssl pkcs12 -export -in $certdir/fullchain.pem -inkey $certdir/privkey.pem -out $certdir/cert_and_key.p12 -name tomcat -CAfile $certdir/chain.pem -caname root -password pass:aaa
# Note: the key-entry password (-destkeypass changeit) differs from the keystore password (-deststorepass NEWPASS).
# Tomcat's connector uses keystorePass as the key password unless keyPass is set explicitly.
$keytooldir/keytool -importkeystore -srcstorepass aaa -deststorepass NEWPASS -destkeypass changeit -srckeystore $certdir/cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore $keystoredir
$keytooldir/keytool -import -trustcacerts -alias root -deststorepass NEWPASS -file $certdir/chain.pem -noprompt -keystore $keystoredir
Output:
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Checking for new version...
Requesting root privileges to run letsencrypt...
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domina-name/fullchain.pem.
Your cert will expire on 2016-07-27. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Certificate was added to keystore
Apache Tomcat connector:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="200"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/root/.keystore" keystorePass="newPASS" />
OpenSSL connection output:
openssl s_client -connect domain_name.de:443
CONNECTED(00000003)
It is stuck at CONNECTED.
What am I doing wrong? Any ideas? Thank you.
Update
When I checked, I was getting a "Cannot recover key" exception. I thought it might be because Tomcat requires a key pass, so I changed the password of the key with the following command, but the error continues:
# Encrypts the PEM private key with AES-192 under a passphrase (this is separate from any key-entry password inside the Java keystore).
openssl rsa -aes192 -in yourprivatekeywithoutpassword.pem -out newprivatekeywithpassword.pem
Error log:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
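The stack trace above comes from Tomcat trying to open the key entry with the keystore password: a JKS keystore protects each private-key entry with its own password, and the connector uses keystorePass for both unless keyPass is set (keystorePass must also match -deststorepass exactly; it is case-sensitive). The script below is an added example, not the poster's script, showing the import done so that the key-entry password equals the keystore password, plus a probe that reproduces the "Cannot recover key" failure with a mismatched key password. A throwaway self-signed certificate stands in for privkey.pem and fullchain.pem from /etc/letsencrypt/live/<domain>/; the password NEWPASS, the work directory and the alias "tomcat" are assumptions. It needs openssl, and keytool for the JKS part (the JKS functions return 2 when keytool is not installed).

```shell
#!/bin/sh
# Added example, not the original poster's script: build the Tomcat keystore so
# that the key-entry password equals the keystore password. A throwaway
# self-signed certificate stands in for the Let's Encrypt privkey.pem and
# fullchain.pem; PASS, the work directory and the alias "tomcat" are assumptions.
set -eu

PASS="${PASS:-NEWPASS}"   # one password for the store AND the key entry

# Create the stand-in PEM files and bundle them into PKCS#12.
# Usage: build_p12 <workdir>
build_p12() {
  dir="$1"
  # Stand-in for /etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
      -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
  # One password protects the whole PKCS#12 bundle.
  openssl pkcs12 -export -in "$dir/fullchain.pem" -inkey "$dir/privkey.pem" \
      -name tomcat -out "$dir/tomcat.p12" -passout "pass:$PASS"
  # Verify the bundle opens with that password. Tomcat can also use this .p12
  # directly (keystoreType="PKCS12"), which avoids the store/key password split.
  openssl pkcs12 -in "$dir/tomcat.p12" -passin "pass:$PASS" -nokeys -noout
}

# Import the PKCS#12 into a JKS for the original connector style.
# Returns 0 when the private key can be recovered with $PASS, 2 if keytool is missing.
# Usage: import_jks <workdir>
import_jks() {
  dir="$1"
  command -v keytool >/dev/null 2>&1 || return 2
  rm -f "$dir/keystore.jks"
  # -destkeypass is deliberately the same as -deststorepass: Tomcat uses
  # keystorePass as the key password unless keyPass is set, so a different value
  # here is what produces "UnrecoverableKeyException: Cannot recover key".
  keytool -importkeystore -noprompt \
      -srckeystore "$dir/tomcat.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
      -srcalias tomcat -destalias tomcat \
      -destkeystore "$dir/keystore.jks" -deststoretype JKS \
      -deststorepass "$PASS" -destkeypass "$PASS" >/dev/null 2>&1
  # Generating a CSR forces keytool to recover the private key, so this is a
  # direct check that the key password really is $PASS.
  keytool -certreq -alias tomcat -keystore "$dir/keystore.jks" \
      -storepass "$PASS" -keypass "$PASS" -file "$dir/probe.csr" >/dev/null 2>&1
}

# Negative check: the same probe with the wrong key password must be rejected,
# which is the situation the connector in the question is in.
# Returns 0 when keytool rejects it, 1 if it unexpectedly succeeds, 2 if keytool is missing.
# Usage: wrong_keypass_rejected <workdir>
wrong_keypass_rejected() {
  dir="$1"
  command -v keytool >/dev/null 2>&1 || return 2
  if keytool -certreq -alias tomcat -keystore "$dir/keystore.jks" \
       -storepass "$PASS" -keypass changeit -file "$dir/probe2.csr" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}
```

With the JKS built this way the original connector only needs keystorePass="NEWPASS" (or add keyPass="NEWPASS" if the two passwords are kept different); alternatively point keystoreFile at tomcat.p12 with keystoreType="PKCS12" and keystorePass="NEWPASS" and skip keytool entirely. Either way, a certificate obtained with --test-cert is from the staging CA and will still be rejected by browsers once the connector starts.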