
I'm currently trying to set up Confluence (6.6.0) on an Ubuntu server with Plesk (17.5.3) and the Let's Encrypt extension installed.

Confluence itself is up and running, but I am experiencing some issues when it comes to SSL. Securing the domain itself is easily done by just taking the "easy road" via the Plesk panel one-click installer.

The certificates are located at /usr/local/psa/var/modules/letsencrypt/etc/archive/<MY_DOMAIN>/

There are four .pem files in this directory:

  • cert1.pem
  • chain1.pem
  • fullchain1.pem
  • privkey1.pem

But now I need to tell Tomcat in the server.xml that I have this certificate installed.
Since the Plesk Let's Encrypt extension saves the files as .pem files, I need to convert them via OpenSSL to be able to use the Java keytool.
I found a nice tutorial about this topic in general right here:
http://robblake.net/post/18945733710/using-a-pem-private-key-and-ssl-certificate-with

When I try the following, I get stuck at the very beginning, when I try to execute

openssl pkcs12 -export -in <PATH>/cert1.pem -inkey <PATH>/privkey1.pem -out foo.p12 -name tomcat -chain -CAFile <PATH>/chain1.pem

The command itself runs when I am not using -CAFile and generates my .p12 file, but then throws a warning:

Error unable to get local issuer certificate getting chain.

If I try adding -CAFile /usr/local/psa/var/modules/letsencrypt/etc/archive/<MY_DOMAIN>/chain1.pem or using [...]/fullchain1.pem instead, nothing happens but OpenSSL printing the usage documentation.

So since these four .pem files are the only ones available, I'm not sure what else to do.

Since I need the intermediate certs too, I am wondering what I have to do here.

jww
bquarta
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Web Applications Stack Exchange](http://webapps.stackexchange.com/), [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 15 '17 at 13:08
  • 1
    The usage message is because the option is `-CAfile` (lowercase f) not `-CAFile` – dave_thompson_085 Dec 15 '17 at 13:59

1 Answer

It looks like the chain1.pem file from Let's Encrypt is incomplete. In my case it contains only one certificate: the intermediate CA Let's Encrypt Authority X3.

Check the contents of this file. In my case there was only one certificate.

openssl x509 -noout -in chain1.pem -subject -issuer

subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

The reason for the error is that openssl is missing the certificate for DST Root CA X3.

How to create the complete chain:

  1. Download the DST Root CA X3 certificate:

    wget http://apps.identrust.com/roots/dstrootcax3.p7c

  2. Convert it to PEM

    openssl pkcs7 -inform der -in dstrootcax3.p7c -out dstrootcax3.pem -print_certs

    At this point the certificate for DST Root CA X3 is in dstrootcax3.pem.

  3. Build the full chain (overwrites fullchain1.pem)

    cp chain1.pem fullchain1.pem
    echo >> fullchain1.pem
    cat dstrootcax3.pem >> fullchain1.pem

  4. Generate the P12 file

    openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem -chain -CAfile fullchain1.pem -out cert1.p12 -name tomcat

To check that all certificates are stored in P12 file:

 openssl pkcs12 -info -in cert1.p12

Good luck with the keytool ;)

Pak Uula
  • Thank you :) This solution worked for me. Nevertheless, I noticed that I don't even need to do this. The warning in Confluence came from a misconfiguration of nginx, which I run as reverse proxy. So all the fancy SSL stuff is done on the reverse proxy, and I simply have to set the proxy in server.xml the right way. After I fixed that nginx issue, the official Atlassian documentation on how to change the server.xml file worked... so the keytool stuff is luckily not needed :)... – bquarta Dec 14 '17 at 08:52
  • There's no real need to include the root cert; neither TLS nor Java requires it, and OpenSSL doesn't require it if you just _omit_ `-chain` from `pkcs12 -export` – dave_thompson_085 Dec 15 '17 at 13:59
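The following script is an added example and is not code from the question, the answer or the comments above. It builds a throwaway three-tier test PKI with openssl (root, intermediate, leaf; all names and paths are constructed for the demo), lays the files out the way the Let's Encrypt archive does (chain1.pem holding only the intermediate, fullchain1.pem holding leaf plus intermediate), and then reproduces the "unable to get local issuer certificate getting chain" failure of `pkcs12 -export -chain`. It goes on to show both resolutions discussed on this page: the answer's approach of appending the self-signed root to the CA file so `-chain` can reach a trust anchor, and dave_thompson_085's approach of omitting `-chain` and simply embedding the intermediate with `-certfile`. The `ends_in_root` helper is the check to run on a chain file before reaching for `-chain`: if the last certificate in the bundle is not self-signed, `-chain` will fail exactly as in the question.

```shell
#!/bin/sh
# Added example: demo PKI and PKCS#12 export checks (not the page's own code).

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
}

# make_test_pki DIR: root -> intermediate -> leaf, mimicking the Let's Encrypt
# archive layout (chain1.pem = intermediate only, fullchain1.pem = leaf+intermediate).
make_test_pki() {
  d="$1"
  write_cnf "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/demo.cnf" -extensions ca_ext -out "$d/int.pem" -days 2 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/privkey1.pem" -out "$d/leaf.csr" -subj "/CN=confluence.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/demo.cnf" -extensions leaf_ext -out "$d/cert1.pem" -days 2 2>/dev/null
  cp "$d/int.pem" "$d/chain1.pem"
  cat "$d/cert1.pem" "$d/int.pem" > "$d/fullchain1.pem"
}

# count_certs FILE: number of PEM certificate blocks in a bundle (or stdin with "-").
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "${1:--}"; }

# describe_bundle FILE: subject and issuer of every certificate, in bundle order.
describe_bundle() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/" n ".pem")}' "$1"
  for f in "$tmp"/*.pem; do openssl x509 -noout -in "$f" -subject -issuer; done
  rm -rf "$tmp"
}

# ends_in_root FILE: succeeds if the last certificate in the bundle is self-signed,
# i.e. the bundle contains a trust anchor that `pkcs12 -export -chain` can reach.
ends_in_root() {
  last=$(awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1")
  sh=$(printf '%s\n' "$last" | openssl x509 -noout -subject_hash)
  ih=$(printf '%s\n' "$last" | openssl x509 -noout -issuer_hash)
  [ "$sh" = "$ih" ]
}

# export_p12 DIR CAFILE OUT MODE: MODE "chain" uses -chain (chain must reach a root in
# CAFILE); MODE "certfile" embeds CAFILE's certs without building a trusted chain.
export_p12() {
  d="$1"; ca="$2"; out="$3"; mode="$4"
  if [ "$mode" = chain ]; then
    openssl pkcs12 -export -in "$d/cert1.pem" -inkey "$d/privkey1.pem" \
      -chain -CAfile "$ca" -name tomcat -passout pass:changeit -out "$out"
  else
    openssl pkcs12 -export -in "$d/cert1.pem" -inkey "$d/privkey1.pem" \
      -certfile "$ca" -name tomcat -passout pass:changeit -out "$out"
  fi
}

# p12_cert_count FILE: number of certificates stored in the PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | count_certs -
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "chain1.pem contents:"; describe_bundle "$d/chain1.pem"
  if export_p12 "$d" "$d/chain1.pem" "$d/a.p12" chain 2>/dev/null; then
    echo "unexpected: -chain succeeded with an intermediate-only CA file"
  else
    echo "-chain with chain1.pem fails: the bundle does not end in a self-signed root"
  fi
  cat "$d/chain1.pem" "$d/root.pem" > "$d/complete.pem"   # the answer's fix: append the root
  export_p12 "$d" "$d/complete.pem" "$d/b.p12" chain 2>/dev/null \
    && echo "with root appended: $(p12_cert_count "$d/b.p12") certs in b.p12"
  export_p12 "$d" "$d/chain1.pem" "$d/c.p12" certfile 2>/dev/null \
    && echo "without -chain: $(p12_cert_count "$d/c.p12") certs in c.p12"
  rm -rf "$d"
}
demo
```

Run with `sh demo.sh`. On a real Plesk host, `describe_bundle` and `ends_in_root` can be pointed at the archive's chain1.pem and fullchain1.pem directly; the `-CAfile` option name is lowercase f, as noted in the comments, and passing the file with the wrong case only prints the usage text.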