I am trying to figure out how to get Certbot working with PaperCut NG on Windows. I have searched the web for help and I have not found anything.
I installed Certbot on Windows, and successfully registered the server, with the certs currently only sitting in C:\CertBot\live\shredder.mydomain.org
PaperCut uses Java KeyStore. I installed OpenSSL to export the Certbot files in PKCS12 format.
Java keytool - make new keystore
C:\Progra~1\PaperC~1\runtime\jre\bin\keytool -keystore C:/Progra~1/PaperC~1/server/custom/my-ssl-keystore -alias jetty -genkeypair -keypass mypassword -storepass mypassword -keyalg RSA -keysize 2048 -dname "CN=Admin, O=myorg, L=mycity, S=mystate, C=mycountry"
OpenSSL - export LE
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -inkey "C:\Certbot\live\shredder.mydomain.org\privkey.pem" -in "C:\Certbot\live\shredder.mydomain.org\fullchain.pem" -out "C:\Certbot\live\shredder.mydomain.org\jetty.pkcs12" -passout pass:mypassword
Keytool - Import this exported PKCS12
C:\Progra~1\PaperC~1\runtime\jre\bin\keytool.exe -importkeystore -noprompt -srckeystore C:/Certbot/live/shredder.mydomain.org/jetty.pkcs12 -srcstoretype PKCS12 -srcstorepass mypassword -destkeystore C:/Progra~1/PaperC~1/server/custom/my-ssl-keystore -deststorepass mypassword
However something keeps failing over and over and I can't determine what is the problem.
Papercut server configuration:
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=mypassword
server.ssl.key-password=mypassword
Startup log errors:
2022-12-25 03:35:58,493 INFO AppServer - ---------------------------------------------------------------------- [WrapperSimpleAppMain]
2022-12-25 03:35:58,496 INFO AppServer - --- Starting PaperCut NG Application Server - 22.0.6 (Build 64379) --- [WrapperSimpleAppMain]
2022-12-25 03:35:58,496 INFO AppServer - ---------------------------------------------------------------------- [WrapperSimpleAppMain]
2022-12-25 03:35:58,709 INFO AppServer - Starting application server version: 22.0.6 (Build 64379), Edition: NG, Platform: Windows Server 2022 - 10.0 64-bit [runtime: 11.0.15+9-LTS (amd64)], User: SYSTEM [WrapperSimpleAppMain]
2022-12-25 03:35:58,805 INFO AppServer - System details - max memory: 1,820.5 MB, processors: 2, database: Derby, home: "C:\Program Files\PaperCut NG\server", free space: 70,735.7 MB, hostname: AZ-Print, IP addresses: [172.16.1.3, 172.31.0.200] (Primary: 172.16.1.3), Server ID: ceade9ac-fe19-453b-860e-1cd968e56795, time-zone: America/Chicago, calendar: GregorianCalendar, locale: en_US, encoding: windows-1252 [WrapperSimpleAppMain]
2022-12-25 03:35:58,806 INFO AppServer - System runtime arguments: [-Djava.io.tmpdir=tmp, -Dserver.home=., -Xverify:none, -XX:+UseParallelOldGC, -Dpc-reserved=X, -Djava.locale.providers=COMPAT,SPI, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Xrs, -XX:-UseBiasedLocking, -Xlog:gc*,heap*,safepoint*=info:file=logs/gc.log:time,uptime:filecount=10,filesize=1m, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dpc-reserved=X, -Dkeystore.pkcs12.legacy, -Dlog4j.configurationFile=file:lib/log4j2.properties, -Djava.library.path=bin/win/lib64, -Dwrapper.key=wRTtHEW3bpPaBCI5, -Dwrapper.port=32000, -Dwrapper.use_system_time=TRUE, -Dwrapper.version=3.1.2, -Dwrapper.native_library=wrapper, -Dwrapper.service=TRUE, -Dwrapper.cpu.timeout=10, -Dwrapper.jvmid=1] [WrapperSimpleAppMain]
2022-12-25 03:35:58,806 INFO AppServer - *** Preparing database connection *** [WrapperSimpleAppMain]
2022-12-25 03:36:00,270 INFO AppServer - Database: Apache Derby, Version: 10.14.2.0 - (1828579) [WrapperSimpleAppMain]
2022-12-25 03:36:00,272 INFO SecurityProtocols - Setting up compatible security defaults [WrapperSimpleAppMain]
2022-12-25 03:36:00,272 INFO SecurityProtocols - Activated Elliptic curve groups: secp256r1, secp384r1, secp521r1, secp160k1 [WrapperSimpleAppMain]
2022-12-25 03:36:00,273 INFO JavaSecurityProperties - Using the JDK's default crypto providers [WrapperSimpleAppMain]
2022-12-25 03:36:00,699 ERROR ServerKeyStore - Unable to read or write to the keystore custom/my-ssl-keystore [WrapperSimpleAppMain]
2022-12-25 03:36:00,892 INFO LiquibaseSchema - Checking Liquibase schema using changelog: C:\Program Files\PaperCut NG\server\lib\sql\changelogs\db.changelog-master.yaml [WrapperSimpleAppMain]
2022-12-25 03:36:01,581 INFO AppServer - *** Starting web server *** [WrapperSimpleAppMain]
2022-12-25 03:36:01,629 INFO Jetty - Starting server listener with configuration (Host: [all] Port: 9191 IdleTime: 30000 Connector: ServerConnector) [WrapperSimpleAppMain]
2022-12-25 03:36:01,629 INFO Jetty - Enable SNI Host Checking: false [WrapperSimpleAppMain]
2022-12-25 03:36:01,737 INFO JettySsl - Configured SSL settings with protocols: [TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello, SSLv3] and 35 ciphers [WrapperSimpleAppMain]
2022-12-25 03:36:01,739 ERROR Jetty - Error setting up SSL listener. keystore password was incorrect [WrapperSimpleAppMain]
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at biz.papercut.pcng.server.ServerKeyStore.load(ServerKeyStore.kt:67) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore.access$load(ServerKeyStore.kt:27) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore$certAlias$2.invoke(ServerKeyStore.kt:37) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore$certAlias$2.invoke(ServerKeyStore.kt:27) ~[pcng-server-22.0.6.jar:22.0.6]
at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74) ~[kotlin-stdlib-1.3.72.jar:1.3.72-release-468 (1.3.72)]
at biz.papercut.pcng.server.ServerKeyStore.getCertAlias(ServerKeyStore.kt) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.JettySsl.createSslContextFactory(JettySsl.kt:14) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createSslSocketConnector(Jetty.java:296) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createConnectors(Jetty.java:138) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createEmbeddedServerWithConnectors(Jetty.java:98) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createServer(Jetty.java:87) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.EmbeddedServer.start(EmbeddedServer.java:69) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.startWebServer(AppServer.java:357) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.start(AppServer.java:190) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.main(AppServer.java:114) [pcng-server-22.0.6.jar:22.0.6]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136) [wrapper-3.1.2.jar:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size
... 24 more
2022-12-25 03:36:01,744 INFO Jetty - Enable SNI Host Checking: false [WrapperSimpleAppMain]
2022-12-25 03:36:01,745 INFO JettySsl - Configured SSL settings with protocols: [TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello, SSLv3] and 35 ciphers [WrapperSimpleAppMain]
2022-12-25 03:36:01,746 ERROR Jetty - Error setting up high security SSL listener. keystore password was incorrect [WrapperSimpleAppMain]
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at biz.papercut.pcng.server.ServerKeyStore.load(ServerKeyStore.kt:67) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.ServerKeyStore.getHighSecurityCertAlias(ServerKeyStore.kt:93) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.JettySsl.createSslContextFactory(JettySsl.kt:14) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createSslSocketConnector(Jetty.java:296) ~[pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createConnectors(Jetty.java:144) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createEmbeddedServerWithConnectors(Jetty.java:98) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.Jetty.createServer(Jetty.java:87) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.web.EmbeddedServer.start(EmbeddedServer.java:69) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.startWebServer(AppServer.java:357) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.start(AppServer.java:190) [pcng-server-22.0.6.jar:22.0.6]
at biz.papercut.pcng.server.AppServer.main(AppServer.java:114) [pcng-server-22.0.6.jar:22.0.6]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:136) [wrapper-3.1.2.jar:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size
... 20 more
2022-12-25 03:36:02,697 INFO Jetty - Starting: Server@73704807{STARTING}[9.4.44.v20210927] [WrapperSimpleAppMain]
2022-12-25 03:36:14,051 INFO ScanDeliveryManagerImpl - Initialising akka system with default settings [WrapperSimpleAppMain]
2022-12-25 03:36:18,084 INFO ToshibaDeviceTypeRegistration - Adding Toshiba device types dynamically [WrapperSimpleAppMain]
2022-12-25 03:36:18,100 INFO ToshibaDeviceTypeRegistration - Toshiba device types added. (including v3+) [WrapperSimpleAppMain]
2022-12-25 03:36:18,182 INFO ModuleRegistry - Registered module with URI prefix toshiba and annotation Toshiba [WrapperSimpleAppMain]
2022-12-25 03:36:18,318 INFO ModuleRegistry - Registered module with URI prefix xerox and annotation Xerox [WrapperSimpleAppMain]
2022-12-25 03:36:18,339 INFO XeroxDeviceTypeRegistration - Adding Xerox device types dynamically [WrapperSimpleAppMain]
Log closed at: 2022-12-25 03:36:19,277
So this seems to be the problem but it doesn't explain the problem at all:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.InvalidKeyException: Illegal key size
I tried changing certbot from ECDSA to RSA, but it still says illegal key size.
certbot renew --key-type rsa --cert-name shredder.mydomain.org --force-renewal
Congratulations, all renewals succeeded
I have no idea what is wrong at this point.
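A way to narrow down the "Illegal key size" cause reported in the log above, added here as an example that is not part of the original post and not PaperCut code: it prints the AES key-length limit of the JRE it runs on, then tries to open the keystore and prints the full cause chain. The class name KeystoreCheck and its two arguments are assumptions of this example; run it with the same JRE the application server uses (here the one under PaperCut's runtime\jre directory).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical helper, not PaperCut code).
// Arguments: <keystore-file> <store-password>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreCheck <keystore-file> <store-password>");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();

        // 128 means the limited crypto policy is active for this JRE;
        // Integer.MAX_VALUE means the unlimited policy is active.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version          = " + System.getProperty("java.version"));
        System.out.println("default keystore type = " + KeyStore.getDefaultType());
        System.out.println("max allowed AES bits  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));

        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            // List what the store holds: the server needs a private key entry.
            for (String alias : Collections.list(ks.aliases())) {
                String kind = ks.isKeyEntry(alias) ? "private key entry" : "certificate entry";
                System.out.println("alias " + alias + " -> " + kind);
            }
            System.out.println("keystore loaded successfully");
        } catch (Exception e) {
            // The top-level message can be misleading ("password was incorrect");
            // the nested causes show what actually failed.
            System.out.println("load failed: " + e);
            for (Throwable c = e.getCause(); c != null; c = c.getCause()) {
                System.out.println("  caused by: " + c);
            }
        }
    }
}
```

If the reported limit is 128 and the load fails with the same cause as in the log, the failure comes from the key length used to encrypt the PKCS12 file rather than from the password or the certificate's key type.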