
I used LetsEncrypt's certbot to generate the cert and key pems:

sudo certbot certonly -a standalone -d footeware.ca

...and converted them to a p12:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root

I moved the p12 to my development machine into my eclipse project's resources folder. When I start the application and debug through sun.security.pkcs12.PKCS12KeyStore#engineIsCertificateEntry, it finds the aliased entry but states it's not an instanceof sun.security.pkcs12.PKCS12KeyStore.CertEntry but rather a sun.security.pkcs12.PKCS12KeyStore$PrivateKeyEntry, and so it fails with:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

keytool -list on the p12:

Alias name: tomcat
Creation date: Jan. 3, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=footeware.ca
Issuer: CN=R3, O=Let's Encrypt, C=US

What have I done wrong? Should the PrivateKeyEntry be something else?

CraigFoote
  • 371
  • 1
  • 7
  • 23
  • Can you share the files you generated? Make sure you change most of the characters in it. – Saif Jan 04 '22 at 01:30
  • Is there something in the pem files you're looking for, something I can check on and report? I suspect though it's something I'm doing wrong in Spring. I've set the application.properties stuff and created a RestTemplate bean according to https://www.baeldung.com/spring-boot-https-self-signed-certificate – CraigFoote Jan 04 '22 at 01:39
  • I am not quite sure about this. But if you're getting `Entry type: PrivateKeyEntry` through keytool, and you have checked the type by debugging and it's expecting it to be a `CertEntry`, then maybe the import command is wrong: `-inkey privkey.pem`. Can you share the files you are generating at each step if it's not possible to share the contents? – Saif Jan 04 '22 at 01:43
  • I think I am wrong about the type shown by keytool – Saif Jan 04 '22 at 01:49
  • There could be different reasons for this error as mentioned here: https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty/25188331#25188331. Please go through the answers (and comments). – Saif Jan 04 '22 at 01:54

1 Answer

0

Thanks @Saif for that link. I did:

sudo update-ca-certificates -f
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

...and used my original keystore.p12 (seems there was nothing wrong with it). The solution was to change my application.properties' values to:

server.ssl.trust-store=file:/etc/ssl/certs/java/cacerts
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=JKS

I had been setting those properties to the keystore.p12 thinking they were one and the same (noob). I deployed and started the application jar, set my router to forward 443 to my server@8443 (instead of 80 to 8090 as it was) and I'm in with a happy https indicator!

Now I just have to fix the broken css that upgrading bootstrap seems to have caused. Pain that the cert prevents me from using localhost now as it only supports footeware.ca. Any ideas there?

CraigFoote
  • 371
  • 1
  • 7
  • 23
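The root cause in the question and the fix in the answer come down to one distinction: a keystore holds the server's own identity (a PrivateKeyEntry with its chain), while a trust store holds trusted certificate entries that act as trust anchors for validating peers. The p12 produced by `openssl pkcs12 -export` contains only a PrivateKeyEntry, so pointing `server.ssl.trust-store` at it gives the PKIX validator zero anchors. The following Java program is an added example, not code from the question, the answer or Spring Boot; it loads both files, counts each entry kind, reproduces the "trustAnchors parameter must be non-empty" failure by building `PKIXParameters` from the p12, and then wires an `SSLContext` the correct way. The file paths and the `changeit` passwords (the p12 export password is whatever you typed at the openssl prompt) are assumptions for the demo.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KeystoreVsTruststore {

    // Count the two entry kinds: key entries are our own identity,
    // trusted certificate entries are the trust anchors a validator can use.
    static int[] countEntries(KeyStore ks) throws Exception {
        int keyEntries = 0, certEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keyEntries++;          // e.g. "tomcat" in keystore.p12
            if (ks.isCertificateEntry(alias)) certEntries++; // e.g. CA entries in cacerts
        }
        return new int[] { keyEntries, certEntries };
    }

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations/passwords: the p12 from the question and the
        // Debian/Ubuntu system trust store used in the answer.
        char[] p12Password = "changeit".toCharArray();
        KeyStore identity = load("keystore.p12", "PKCS12", p12Password);
        KeyStore trust = load("/etc/ssl/certs/java/cacerts", "JKS", "changeit".toCharArray());

        int[] id = countEntries(identity);
        int[] tr = countEntries(trust);
        System.out.printf("keystore.p12: %d key entries, %d trusted cert entries%n", id[0], id[1]);
        System.out.printf("cacerts:      %d key entries, %d trusted cert entries%n", tr[0], tr[1]);

        // Reproduce the failure: PKIXParameters(KeyStore) only collects trusted
        // certificate entries, and a p12 holding just a PrivateKeyEntry has none.
        try {
            new PKIXParameters(identity);
            System.out.println("Unexpected: keystore.p12 yielded trust anchors");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("Using keystore.p12 as trust store fails: " + e.getMessage());
        }

        // Correct split: identity (key + chain) from the p12, trust anchors from cacerts.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: identity from keystore.p12, anchors from cacerts");
    }
}
```

Run it with `java KeystoreVsTruststore.java` from the directory holding keystore.p12. The first printf shows `1 key entries, 0 trusted cert entries` for the p12, which is exactly why it cannot serve as `server.ssl.trust-store`; the `PKIXParameters` call prints the same message the question reports. Spring Boot's `server.ssl.key-store*` properties correspond to the `KeyManagerFactory` half and `server.ssl.trust-store*` to the `TrustManagerFactory` half, so the two property groups should name different files. On a JDK where the system cacerts file is PKCS12 rather than JKS, `KeyStore.getInstance("JKS")` still loads it when the JDK's keystore type compatibility mode (the default) is on, but matching the declared type to the actual file format avoids relying on that.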