Generate jks file when mysite.com_fullchain_and_key.p12 is missing

Laco · June 1, 2023, 9:09am

Dear all, please help me!

I have renewed a certificate for our web site. During the past, it worked fine for a couple of times. But now I have get lost and I have a major issue. This is the way I renew the certificate:

# certbot renew

# openssl pkcs12 -export -out /tmp/my-website.com_fullchain_and_key.p12 -in /etc/letsencrypt/live/my-website.com/fullchain.pem -inkey /etc/letsencrypt/live/my-website.com/privkey.pem -name tomcat

# mv /usr/share/CM_Server/conf/my-website.com.jks /usr/share/CM_Server/conf/my-website.com_`date +'%Y_%m_%d'`.jks

# keytool -importkeystore -deststorepass <store-password> -destkeypass <store-password> -destkeystore /usr/share/CM_Server/conf/my-website.com.jks -srckeystore /tmp/my-website.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <store-password> -alias tomcat

In the last step the keytool generates a jks file from the source /tmp/my-website.com_fullchain_and_key.p12. Unfortunately, this time i can not find the my-site_fullchain_and_key.p12 file in the /tmp folder. At the end of the day, I've ended with a fresh set of cert.pem, chain.pem, fullchain.pem and privkey.pem files, but I am not able to generate the jks, as the my-website.com_fullchain_and_key.p12 is missing.

Can anyone help me, how to generate the jks file in this case, please?

Thank you so much!

webprofusion · June 1, 2023, 10:04am

Have a look under /etc/letsencrypt/live/ to see if your website is listed and if it is look under that directory for the related certificate files.

Laco · June 1, 2023, 10:23am

Hi webprofusion,

yes, my website is listed in /etc/letsencrypt and in the live directory I have cert.pem, chain.pem, fullchain.pem and privkey.pem files.

Maybe I was not clear enough, sorry, my question is:

How will I generate a my-website.com.jks file? Untill now, I have generated it through:

# keytool -importkeystore -deststorepass <store-password> -destkeypass <store-password> -destkeystore /usr/share/CM_Server/conf/my-website.com.jks -srckeystore /tmp/my-website.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <store-password> -alias tomcat

But now in the temp folder I have no "my-website.com_fullchain_and_key.p12" file. How can I generate the jks from existing files, please? I am really lost in those certificates.

webprofusion · June 1, 2023, 10:45am

Stepping back a little, what service (what software etc) are you trying to get a certificate for?

You already have your certificate so your problem is converting it into a java key store.

Personally I'd assume you need to create a new Keystore file using keytool, then import your certificate and private key files into that.

Laco · June 1, 2023, 10:59am

I need the file for a webapp of our company. The webserver is apache tomcat and the app uses a CM Server with java. I am really lost a bit now. I have never worked with Keystore files, this is what I have got from my predeccesor.

MikeMcQ · June 1, 2023, 1:32pm

The openssl command created that file. Did any errors occur while running that command?

Laco · June 1, 2023, 2:22pm

It gave me no error. This was my second attempt, first time I have renewed the certificate on April 28. Everything seemed to work fine but yesterday I have realised that the site has still the old certificate and since it is more than 10 days, the old my-site_fullchain_and_key.p12 file in the /tmp folder was allready gone.

Yesterday it was my second attempt and the renewal returned me this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/my-website.com.conf

Renewing an existing certificate for my-website.com

Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/my-website.com/fullchain.pem (success)

Then I have made an another task and the certbot renew has said that the fullchain.pem certificate is not due for renewal yet, it expires on August 29.

MikeMcQ · June 1, 2023, 2:32pm

Why is this missing if your openssl command worked?

Also, what is your real domain name

and, what does this show

certbot certificates

Laco · June 1, 2023, 2:44pm

The certbot certificates gave me this:

Found the following certs:
  Certificate Name: my-website.com
    Serial Number: <some large number>
    Key Type: RSA
    Domains: my-website.com
    Expiry Date: 2023-08-29 17:47:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/my-website.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/my-website.com/privkey.pem

Laco · June 1, 2023, 2:46pm

Sorry, my real domain name is diaprod.bvsas.sk

MikeMcQ · June 1, 2023, 2:51pm

Thanks. Your cert looks recent. So, go one step at a time with your commands and check each one.

After the openssl it should create the .p12 file in your /tmp/ folder (the -out file name in that command).

If that looks good run and check the next command and so on.

Laco · June 1, 2023, 2:55pm

Thanks, I will do. But I have to do it later, because I have to shut down the server, and I am not allowed to do it earlier than in a couple of hours. Thanks a lot, I hope it will help.

Laco · June 1, 2023, 6:24pm

You are the man, MikeMcQ!

Thank you a lot! It worked after I have continued with openssl command, everything works like a charm now!

Thank you both guys for helping me to solve this!

Best,
Laco

system · July 1, 2023, 6:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.