Certbot and PaperCut NG / Windows

I am trying to figure out how to get Certbot working with PaperCut NG on Windows. I have searched the web for help and I have not found anything.

I installed CertBot on Windows, and successfully registered the server, with the certs currently only sitting in C:\CertBot\live\shredder.mydomain.org

PaperCut uses Java KeyStore. I installed OpenSSL to export the CertBot files in PKCS12 format.


Java keytool - make new keystore

C:\Progra~1\PaperC~1\runtime\jre\bin\keytool -keystore C:/Progra~1/PaperC~1/server/custom/my-ssl-keystore -alias jetty -genkeypair -keypass mypassword -storepass mypassword -keyalg RSA -keysize 2048 -dname "CN=Admin, O=myorg, L=mycity, S=mystate, C=mycountry"

Open SSL - export LE

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -inkey "C:\Certbot\live\shredder.mydomain.org\privkey.pem" -in "C:\Certbot\live\shredder.mydomain.org\fullchain.pem" -out "C:\Certbot\live\shredder.mydomain.org\jetty.pkcs12" -passout pass:mypassword

Keytool - Import this exported PKCS12

C:\Progra~1\PaperC~1\runtime\jre\bin\keytool.exe -importkeystore -noprompt -srckeystore C:/Certbot/live/shredder.mydomain.org/jetty.pkcs12 -srcstoretype PKCS12 -srcstorepass mypassword -destkeystore C:/Progra~1/PaperC~1/server/custom/my-ssl-keystore -deststorepass mypassword


However something keeps failing over and over and I can't determine what is the problem.

Papercut server configuration:
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=mypassword
server.ssl.key-password=mypassword


Startup log errors:

2022-12-25 03:35:58,493 INFO AppServer - ---------------------------------------------------------------------- [WrapperSimpleAppMain]
2022-12-25 03:35:58,496 INFO AppServer - --- Starting PaperCut NG Application Server - 22.0.6 (Build 64379) --- [WrapperSimpleAppMain]
2022-12-25 03:35:58,496 INFO AppServer - ---------------------------------------------------------------------- [WrapperSimpleAppMain]
2022-12-25 03:35:58,709 INFO AppServer - Starting application server version: 22.0.6 (Build 64379), Edition: NG, Platform: Windows Server 2022 - 10.0 64-bit [runtime: 11.0.15+9-LTS (amd64)], User: SYSTEM [WrapperSimpleAppMain]
2022-12-25 03:35:58,805 INFO AppServer - System details - max memory: 1,820.5 MB, processors: 2, database: Derby, home: "C:\Program Files\PaperCut NG\server", free space: 70,735.7 MB, hostname: AZ-Print, IP addresses: [172.16.1.3, 172.31.0.200] (Primary: 172.16.1.3), Server ID: ceade9ac-fe19-453b-860e-1cd968e56795, time-zone: America/Chicago, calendar: GregorianCalendar, locale: en_US, encoding: windows-1252 [WrapperSimpleAppMain]
2022-12-25 03:35:58,806 INFO AppServer - System runtime arguments: [-Djava.io.tmpdir=tmp, -Dserver.home=., -Xverify:none, -XX:+UseParallelOldGC, -Dpc-reserved=X, -Djava.locale.providers=COMPAT,SPI, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Xrs, -XX:-UseBiasedLocking, -Xlog:gc*,heap*,safepoint*=info:file=logs/gc.log:time,uptime:filecount=10,filesize=1m, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dkeystore.pkcs12.legacy, -Dlog4j.configurationFile=file:lib/log4j2.properties, -Djava.library.path=bin/win/lib64, -Dwrapper.key=wRTtHEW3bpPaBCI5, -Dwrapper.port=32000, -Dwrapper.use_system_time=TRUE, -Dwrapper.version=3.1.2, -Dwrapper.native_library=wrapper, -Dwrapper.service=TRUE, -Dwrapper.cpu.timeout=10, -Dwrapper.jvmid=1] [WrapperSimpleAppMain]
2022-12-25 03:35:58,806 INFO AppServer - *** Preparing database connection *** [WrapperSimpleAppMain]
2022-12-25 03:36:00,270 INFO AppServer - Database: Apache Derby, Version: 10.14.2.0 - (1828579) [WrapperSimpleAppMain]
2022-12-25 03:36:00,272 INFO SecurityProtocols - Setting up compatible security defaults [WrapperSimpleAppMain]
2022-12-25 03:36:00,272 INFO SecurityProtocols - Activated Elliptic curve groups: secp256r1, secp384r1, secp521r1, secp160k1 [WrapperSimpleAppMain]
2022-12-25 03:36:00,273 INFO JavaSecurityProperties - Using the JDK's default crypto providers [WrapperSimpleAppMain]
2022-12-25 03:36:00,699 ERROR ServerKeyStore - Unable to read or write to the keystore custom/my-ssl-keystore [WrapperSimpleAppMain]
2022-12-25 03:36:00,892 INFO LiquibaseSchema - Checking Liquibase schema using changelog: C:\Program Files\PaperCut NG\server\lib\sql\changelogs\db.changelog-master.yaml [WrapperSimpleAppMain]
2022-12-25 03:36:01,581 INFO AppServer - *** Starting web server *** [WrapperSimpleAppMain]
2022-12-25 03:36:01,629 INFO Jetty - Starting server listener with configuration (Host: [all] Port: 9191 IdleTime: 30000 Connector: ServerConnector) [WrapperSimpleAppMain]
2022-12-25 03:36:01,629 INFO Jetty - Enable SNI Host Checking: false [WrapperSimpleAppMain]
2022-12-25 03:36:01,737 INFO JettySsl - Configured SSL settings with protocols: [TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello, SSLv3] and 35 ciphers [WrapperSimpleAppMain]
2022-12-25 03:36:01,739 ERROR Jetty - Error setting up SSL listener. keystore password was incorrect [WrapperSimpleAppMain]
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at biz.papercut.pcng.server.ServerKeyStore.load(ServerKeyStore.kt:67) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore.access$load(ServerKeyStore.kt:27) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore$certAlias$2.invoke(ServerKeyStore.kt:37) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore$certAlias$2.invoke(ServerKeyStore.kt:27) ~[pcng-server-22.0.6.jar:22.0.6]
at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74) ~[kotlin-stdlib-1.3.72.jar:1.3.72-release-468 (1.3.72)]
at biz.papercut.pcng.server.ServerKeyStore.getCertAlias(ServerKeyStore.kt) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.JettySsl.createSslContextFactory(JettySsl.kt:14) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createSslSocketConnector(Jetty.java:296) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createConnectors(Jetty.java:138) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createEmbeddedServerWithConnectors(Jetty.java:98) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createServer(Jetty.java:87) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.EmbeddedServer.start(EmbeddedServer.java:69) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.startWebServer(AppServer.java:357) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.start(AppServer.java:190) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.main(AppServer.java:114) [pcng-server-22.0.6.jar:22.0.6]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136) [wrapper-3.1.2.jar:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size
... 24 more
2022-12-25 03:36:01,744 INFO Jetty - Enable SNI Host Checking: false [WrapperSimpleAppMain]
2022-12-25 03:36:01,745 INFO JettySsl - Configured SSL settings with protocols: [TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello, SSLv3] and 35 ciphers [WrapperSimpleAppMain]
2022-12-25 03:36:01,746 ERROR Jetty - Error setting up high security SSL listener. keystore password was incorrect [WrapperSimpleAppMain]
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at biz.papercut.pcng.server.ServerKeyStore.load(ServerKeyStore.kt:67) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore.getHighSecurityCertAlias(ServerKeyStore.kt:93) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.JettySsl.createSslContextFactory(JettySsl.kt:14) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createSslSocketConnector(Jetty.java:296) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createConnectors(Jetty.java:144) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createEmbeddedServerWithConnectors(Jetty.java:98) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createServer(Jetty.java:87) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.EmbeddedServer.start(EmbeddedServer.java:69) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.startWebServer(AppServer.java:357) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.start(AppServer.java:190) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.main(AppServer.java:114) [pcng-server-22.0.6.jar:22.0.6]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136) [wrapper-3.1.2.jar:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size
... 20 more
2022-12-25 03:36:02,697 INFO Jetty - Starting: Server@73704807{STARTING}[9.4.44.v20210927] [WrapperSimpleAppMain]
2022-12-25 03:36:14,051 INFO ScanDeliveryManagerImpl - Initialising akka system with default settings [WrapperSimpleAppMain]
2022-12-25 03:36:18,084 INFO ToshibaDeviceTypeRegistration - Adding Toshiba device types dynamically [WrapperSimpleAppMain]
2022-12-25 03:36:18,100 INFO ToshibaDeviceTypeRegistration - Toshiba device types added. (including v3+) [WrapperSimpleAppMain]
2022-12-25 03:36:18,182 INFO ModuleRegistry - Registered module with URI prefix toshiba and annotation Toshiba [WrapperSimpleAppMain]
2022-12-25 03:36:18,318 INFO ModuleRegistry - Registered module with URI prefix xerox and annotation Xerox [WrapperSimpleAppMain]
2022-12-25 03:36:18,339 INFO XeroxDeviceTypeRegistration - Adding Xerox device types dynamically [WrapperSimpleAppMain]

Log closed at: 2022-12-25 03:36:19,277


So this seems to be the problem but it doesn't explain the problem at all:

Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size


I tried changing certbot from ECDSA to RSA, but it still says illegal key size.

certbot renew --key-type rsa --cert-name shredder.mydomain.org --force-renewal
Congratulations, all renewals succeeded

I have no idea what is wrong at this point.

Hi @tiny-k12-it-admin, and welcome to the LE community forum :slight_smile:

Triple check that the password being used is correct.

5 Likes

Following your instructions, I got the same errors when trying to run the software.

The PaperCut NG server comes with a create-ssl-keystore tool, which can be used to directly convert Certbot's certificate files into a compatible keystore.

Here is how I used it (the path to the tool might be slightly different on Windows):

$ sudo "/Applications/PaperCut NG/server/bin/mac/create-ssl-keystore" \
    -cert /etc/letsencrypt/live/example.com/cert.pem \
    -key /etc/letsencrypt/live/example.com/privkey.pem \
    -certCA /etc/letsencrypt/live/example.com/chain.pem \
    -keystoreentry standard -f

The output I got was:

Keystore file successfully created for: x2.local at /Applications/PaperCut NG/server/data/default-ssl-keystore
Restart the Application Server to apply the new SSL certificate.

Then, I modified server.properties such that:

server.ssl.keystore=/Applications/PaperCut NG/server/data/default-ssl-keystore

and I kept the keystore-password and key-password blank (commented), because there is no password protection on the keystore with the way I called create-ssl-keystore.

Starting the server this way, everything worked :clap: .

6 Likes

Thank you, that worked. Your solution is unlike anything provided by the company. Bizarre that they don't reference that tool in their setup guide.

The output keystore is placed in
C:\Program Files\PaperCut NG\server\data\default-ssl-keystore

The config file for the custom keystore location and password can be left blank.
C:\Program Files\PaperCut NG\server\server.properties

I should mention that I changed the certbot authentication method to RSA so that is what was used here, and it worked. Apparently the default mode is ECDSA, and that apparently worked for you.

The next step is to modify the certbot scheduled auto-renewal to also stop the Papercut NG service, update the keystore with this command, and restart the service.

3 Likes

Use the --deploy-hook option to run a command when certbot gets a new certificate.

8 Likes

Since I expect thousands of other people will be referencing this thread in the future for help, note that this discussion does not have anything to do with PaperCut MF.

That involves installing custom "print hold and release" software on multifunction scanner / copier / printers, and requires signing in to the device with a password or keyfob in order to print.

Those devices may also need SSL certificates installed and I am not aware of any automation methods to use Let's Encrypt with them. That is a bridge I expect I will have to cross eventually but I am not yet at that point to even have any PaperCut MF devices available for testing.

I already know that Canon multifunction copiers "sorta kinda" have SSH capability but it's really only intended for use by copier service technicians, and not actual end-user IT staff.

In the worst case scenario it may be necessary to write a PowerShell web screen scraper to upload the LE SSL certificate via Canon / Ricoh / HP web admin management interfaces... which I expect I will probably have to figure out at some point anyway..

4 Likes

I have discovered that PaperCut Mobility Print doesn't use the same Java certificate storage, so you need to set this up separately. However this part is far less complex. You can just copy and rename two files from CertBot Live, restart the service, and it works.

  • copy /y C:\CertBot\live\DOMAIN\privkey.pem "C:\Program Files (x86)\PaperCut Mobility Print\data\tls.pem"
  • copy /y C:\CertBot\live\DOMAIN\cert.pem "C:\Program Files (x86)\PaperCut Mobility Print\data\tls.cer"
  • Restart Service named: pc-mobility-print

(I don't claim to be entirely sure I'm doing this right, but the SSL web page for Mobility Print comes up with a lock in Google Chrome, and Chrome says the site is secure, so apparently I did it correctly.. lol)


Also, if you're feeling adventurous, Windows can just copy the symbolic links in Certbot live, so you may only need to restart Mobility Print when Certbot updates.

copy /L -- "If the source is a symbolic link, copy the link to the target instead of the actual file the source link points to."

1 Like
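Putting the two automation steps discussed above together (the --deploy-hook that rebuilds the Application Server keystore, and the Mobility Print file copy) as an added example that is not part of this thread or of PaperCut's own tooling. The Windows path of create-ssl-keystore, the service name PCAppServer, the HTTPS port 9192 and Certbot's RENEWED_LINEAGE hook variable are assumptions; the flags to create-ssl-keystore and the pc-mobility-print service name are the ones given in the thread.

```powershell
# Added example (not from the thread or from PaperCut): a Certbot deploy hook that rebuilds the
# PaperCut NG keystore with create-ssl-keystore, refreshes Mobility Print's TLS files and then
# checks what the HTTPS listener serves. Paths, service name PCAppServer and port 9192 are assumed.
$ErrorActionPreference = 'Stop'

$lineage = $env:RENEWED_LINEAGE                  # assumed set by certbot, e.g. C:\Certbot\live\shredder.mydomain.org
if (-not $lineage) { throw 'RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook' }
$tool     = 'C:\Program Files\PaperCut NG\server\bin\win\create-ssl-keystore.exe'   # assumed path
$mobility = 'C:\Program Files (x86)\PaperCut Mobility Print\data'
$hostName = Split-Path -Leaf $lineage            # live\<name> is named after the certificate

# 1. Application Server: same flags the thread used on macOS; -f overwrites the old keystore and
#    the result lands in server\data\default-ssl-keystore with no keystore password.
Stop-Service -Name 'PCAppServer'
& $tool -cert   (Join-Path $lineage 'cert.pem') `
        -key    (Join-Path $lineage 'privkey.pem') `
        -certCA (Join-Path $lineage 'chain.pem') `
        -keystoreentry standard -f
if ($LASTEXITCODE -ne 0) { throw "create-ssl-keystore exited with $LASTEXITCODE" }
Start-Service -Name 'PCAppServer'

# 2. Mobility Print keeps plain PEM files. Copy-Item follows the symlinks in live\, so the
#    targets get the current files (the thread's copy /L variant would copy the links instead).
Copy-Item (Join-Path $lineage 'privkey.pem') (Join-Path $mobility 'tls.pem') -Force
Copy-Item (Join-Path $lineage 'cert.pem')    (Join-Path $mobility 'tls.cer') -Force
Restart-Service -Name 'pc-mobility-print'

# 3. Verify: read the certificate the listener presents (chain deliberately not validated here,
#    we only want to see what is served) and compare its thumbprint with the renewed cert.pem.
function Get-PresentedCertificate([string]$SniName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }
    return $cert
}
$served = $null
foreach ($attempt in 1..12) {                    # Jetty needs a little while to come up
    try { $served = Get-PresentedCertificate -SniName $hostName -Port 9192; break }
    catch { Start-Sleep -Seconds 5 }
}
if (-not $served) { throw 'HTTPS listener on 9192 did not come up after restart' }
$renewed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Join-Path $lineage 'cert.pem'))
if ($served.Thumbprint -ne $renewed.Thumbprint) {
    throw "Listener still serves $($served.Subject) (expires $($served.NotAfter)), not the renewed certificate"
}
Write-Output "PaperCut now serves $($served.Subject), valid until $($served.NotAfter)"
```

Register it with certbot as --deploy-hook "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\papercut-hook.ps1" (placeholder path) so it runs only after a successful renewal, and the final thumbprint check turns a silent "still serving the old certificate" into a hard failure in the renewal log.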

That's a very strange naming style.
I'd expect one to have "key" somewhere in the name.
[as is, you can't tell which is public / which is private]

3 Likes