I ran this command: sudo certbot certonly -a standalone -d footeware.ca
It produced this output:
Requesting a certificate for footeware.ca
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/footeware.ca/fullchain.pem
Key is saved at: /etc/letsencrypt/live/footeware.ca/privkey.pem
This certificate expires on 2022-04-03.
These files will be updated when the certificate renews.
My web server is (include version): Embedded Tomcat in Spring Boot 2.6.1 jar not sure the version.
The operating system my web server runs on is (include version): Ubuntu 20.10
My hosting provider, if applicable, is: local 'server' computer
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
I converted the generated artifacts to p12 via:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
I moved the p12 to my development machine into my eclipse project's resources folder.
When I start the application (and its server) and debug thru it finds the truststore but states it's not an instanceof sun.security.pkcs12.PKCS12KeyStore.CertEntry but rather a sun.security.pkcs12.PKCS12KeyStore$PrivateKeyEntry and so it fails with:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
I really don't know much about PKCS#12 but I wonder if the -inkey privkey.pem is doing something you don't want (if the software you're using doesn't expect the private key to be included in the resulting file). It seems that this is asking openssl to read the private key corresponding to the certificate and so I imagine it would presumably want to include that private key in the output file as well.
I'm a total noob with certs in general and I've been following blogs and posts to set this up. They all seem to agree in that exact conversion of the pems to p12 using openssl though. Unless there's something wrong with the generated pems, and I definitely doubt that, I suspect I'm doing something wrong on the Spring Boot side. Would it be poor etiquette to cross-post on Stack Overflow? They have a dedicated Spring Boot tag that seems to deliver pretty good.
I feel like Java and PKCS#12 stuff is one area where this forum's expertise is unfortunately fairly thin, so I don't think there would be anything at all wrong with trying a different forum where people might have more experience with that.
On this forum, when users are using Tomcat, people have often suggested not using Tomcat's HTTPS support directly, and instead creating a reverse proxy with something like Caddy (that has built-in Let's Encrypt support) that then proxies to a TCP port on localhost where Tomcat is listening. That can be a very quick and convenient solution, but I also understand if people want to get things working with a Tomcat-only approach. But it's just not something that most people on this forum have had that much experience with.
I had been setting those properties to the keystore.p12 thinking they were one and the same (noob).
I deployed and started the appication jar, set my router to forward 443 to my server@8443 (instead of 80 to 8090 as it was) and I'm in with a happy https indicator!
Now I just have to fix the broken css that upgrading bootstrap seems to have caused. Pain that the cert prevents me from using localhost now as it only supports footeware.ca.
Any ideas there?
Great, so potentially your default config for the trusts store was not pointing to an updated cacerts locations.
To work on localhost but emulate connecting via the real domain you can add the fully qualified (domain) name to your hosts file for development pointing to 127.0.0.1 (or any local machine IP), then browse to your website normally using the 'real' domain that matches the cert. This works on Windows as well as linux and macos. You just need to remember and remove it later!
