JKS conversion issues

Hello!

I am looking for some additional info when it comes to converting a Let's Encrypt cert to JKS. I have very little to no experience when it comes to TLS/SSL so any help or relevant documents would be much appreciated.

I am currently trying to test my TLS/SSL cert from Let's Encrypt in a JKS format (needed for a project).

With the JKS cert loaded, when I attempt to verify via openssl s_client -connect, I get back: verify error:num=20:unable to get local issuer certificate.

The same test with a server running the fullchain and privkey instead:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = playpen.ninox360.com
verify return:1

Additionally when running my own test tool:
Fullchain: Connected to playpen.ninox360.com on port 3003. Status: 200

Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

Additionally when connecting via chrome I can see that all certs are present and in good health.

Hi @TLSNoob, and welcome to the LE community forum :)

That sounds like your system needs its local trusted root store updated to include "ISRG Root X1".

Thanks for the welcome @rg305. Out of curiosity, wouldn't that be disproved by the fullchain working?

When dumping the cacerts based on 'isrg'

keytool -list -keystore /usr/lib/jvm/jdk-22.0.2/lib/security/cacerts -v | grep -i 'isrg'

Alias name: isrgrootx1 [Manually imported]
Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US

Alias name: letsencryptisrgx1 [jdk]
Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US

Alias name: letsencryptisrgx2 [jdk]
Owner: CN=ISRG Root X2, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X2, O=Internet Security Research Group, C=US

It seems like the files are present in the local cacerts. Unless I am confusing this with something else?

Does the first test show the same cert and chain info as the second, just with the added message about "local issuer"? Or is the output different in other ways? If so, please show the entire output.

I think you understand this but just in case ... different TLS clients may use different CA root stores. But if you get different results from the same client (e.g., openssl), we'll focus on that. Saying tool1 did this and tool2 did that is a different story (maybe).

Sure! From what I can see in the 'Certificate chain' area of the test these seem to line up. Same with the first certificate which is sent. Both are using

When testing on the JKS enabled server via openssl s_client -connect:
CONNECTED(00000003)
depth=0 CN = playpen.ninox360.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = playpen.ninox360.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = playpen.ninox360.com
verify return:1
---
Certificate chain
 0 s:CN = playpen.ninox360.com
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 24 00:52:15 2024 GMT; NotAfter: Oct 22 00:52:14 2024 GMT

-----BEGIN CERTIFICATE-----
[PEM body removed]
-----END CERTIFICATE-----

---
Server certificate
subject=CN = playpen.ninox360.com
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1922 bytes and written 402 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
Now the same openssl s_client -connect command but on the Fullchain server:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = playpen.ninox360.com
verify return:1
---
Certificate chain
 0 s:CN = playpen.ninox360.com
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 24 00:52:15 2024 GMT; NotAfter: Oct 22 00:52:14 2024 GMT

-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgISBHlAJrqWrcIA5JT23rVzvIyQMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQwNzI0MDA1MjE1WhcNMjQxMDIyMDA1MjE0WjAfMR0wGwYDVQQD
ExRwbGF5cGVuLm5pbm94MzYwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAK6t20cCSjOl7pSyAeELA6ncxH1K60oImRUr+VdyWcWJq/Jp25qh4BRm
ekRL9qawdk7/ZN4bydkYzfBTwoPEW03NjWw3LcTrKTM2ErrAZdCz/dejQOs1aFgf
9SmOYKoqQkVn5/9G6vwbfPTMLe0qh3w5Z9aTiVkC/OYm3YDLEy0qUDk6y4KtQCBM
dPBB3gMguBAyUpCF8nxB390JMUQOX5AUC4zOafnmAU1y8sAdd9huTnGRCoyS8jyM
2HCE2UVDLxyQttiVNfh9obraXPXb8zMiRdTL33QDcmAWX9TYRXFcjVR4dPmh2D0P
S2fVYFBxZKBVks+UDWCiT6WodA+k518CAwEAAaOCAhgwggIUMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUJmnSEcrjLeFwib4b9sfG9vE9UZwwHwYDVR0jBBgwFoAUu7zD
R6XkvKnGw6RyDBCNojXhyOgwVwYIKwYBBQUHAQEESzBJMCIGCCsGAQUFBzABhhZo
dHRwOi8vcjEwLm8ubGVuY3Iub3JnMCMGCCsGAQUFBzAChhdodHRwOi8vcjEwLmku
bGVuY3Iub3JnLzAfBgNVHREEGDAWghRwbGF5cGVuLm5pbm94MzYwLmNvbTATBgNV
HSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AEiw42va
pkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkOJwaM4AAAQDAEcwRQIgSzig
JPk9+0GDv5xmBmKs9Sf0lbqYAdH7TLk5WyNkoCMCIQCSjDhOIAdPbEMFP0Nz2BN2
RRzmzm25/ktDCPj9jsGC9QB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs
+GRuAAABkOJwaNcAAAQDAEcwRQIhAOKVSWKVid28fLVuyYTkMw6yeOGgi41TiZJ5
aOaJ2EW4AiBUuBrcmnebvUlRgpAVMAlk1i44x3G/bYXI8NzwZJMyDjANBgkqhkiG
9w0BAQsFAAOCAQEAuF9lwfmehogkt1oKO0+VyBSFgM7tTQXNKr84qlf3ECoNOcs7
IkGDFlvikEaYogT1M8Zaicah9ACuR4FYA1m6oFmymsDOkpJ6DwhuVW+9JO+Ywz9T
yKHxrZWp/0MRr4KWENhoxjKCa6uA75msPscOot6N4YOlpYG8zPWVw2F3IPHOdbzg
ARsuEmTIfK6++s96wUw3+2C7T3M1z59qLwPzK1EL+/ovYAdNDbV13rtrSi7gZs5I
UhHSH4G3WmcmGxbmNfhBHjeTB8DSCNMSVMhGZU9e8lHdEMmpzSydUUjUQi/c/o6t
uGIv9bng9HwIAMf7GOkC5kqlCwiN7qRrl3TIww==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
[PEM body removed]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = playpen.ninox360.com
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3126 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Are you using -showcerts ?
[with openssl]

No, they don't look lined up to me. The JKS one is just the leaf (no intermediate chain) and the other has the fullchain. The error about "local issuer" is because the leaf does not lead to a locally trusted root (ISRG Root X1).

Check the process you used to make that

Notice in JKS display

CONNECTED(00000003)
depth=0 CN = playpen.ninox360.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = playpen.ninox360.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = playpen.ninox360.com
verify return:1

But the fullchain display shows depth=0,1,2

Understood! Thanks for clarifying.

Looking into it now.

Yep the full command is openssl s_client -connect playpen.ninox360.com:3003 -servername playpen.ninox360.com -showcerts

Then it is serving only the leaf cert [without the intermediate].

Thank you @MikeMcQ and @rg305. The way the JKS was being generated, it was dropping the root cert completely.

I was able to manually add it after the fact and now everything is up and running smoothly. Thank you so much!

Looks like it was dropping the intermediate. Does the openssl showcert for it look like the other one now?
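
The mistake in this thread (a keystore built from cert.pem instead of fullchain.pem, so the server sends only the leaf) can be reproduced and checked offline. The script below is an added example, not part of the thread or of certbot/keytool: it builds a throwaway root -> intermediate -> leaf chain with openssl, packages the leaf key into PKCS12 once with the leaf only and once with the full chain, and then counts what each file actually contains and whether a client holding only the root can verify what the "server" would present (the same check openssl s_client performs, where a missing intermediate shows up as error 20/21). All names, the CN and the password are demo values; in real use the inputs are certbot's privkey.pem and fullchain.pem (leaf followed by the R10 intermediate, which is exactly the two certificates the working server above sent at depth 0 and 1, with ISRG Root X1 at depth 2 coming from the local store).

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce "leaf only" vs "fullchain" keystores
# with a constructed test PKI and count the certificates that end up in each PKCS12.
# Demo values only: CN=demo-*, password "changeit", files under a temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="changeit"   # demo keystore password, never reuse for a real keystore

# Issue a constructed chain: self-signed root, intermediate signed by the root,
# leaf signed by the intermediate. Nothing is fetched from the network.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
      -subj "/CN=demo-$name" >/dev/null 2>&1
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -set_serial 2 \
    -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -set_serial 3 \
    -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
  # certbot's fullchain.pem is the leaf followed by the intermediate(s); mirror that layout.
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
}

# Print "ok" or "fail": can a client that trusts only the root verify the leaf when the
# server presents the certificates in $1? "fail" is what s_client reports as error 20/21.
presented_chain_verifies() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Package the leaf key plus every certificate found in $1 into the PKCS12 file $2.
# Passing leaf.crt reproduces the thread's mistake; passing fullchain.pem is the fix.
build_p12() {
  openssl pkcs12 -export -name server -inkey "$WORK/leaf.key" -in "$1" -out "$2" -passout "pass:$PASS"
}

# Count the certificates stored in a PKCS12 file (1 = leaf only, 2 = leaf + intermediate).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
build_p12 "$WORK/leaf.crt"      "$WORK/leaf-only.p12"
build_p12 "$WORK/fullchain.pem" "$WORK/fullchain.p12"

echo "leaf only: verify=$(presented_chain_verifies "$WORK/leaf.crt") certs_in_p12=$(count_p12_certs "$WORK/leaf-only.p12")"
echo "fullchain: verify=$(presented_chain_verifies "$WORK/fullchain.pem") certs_in_p12=$(count_p12_certs "$WORK/fullchain.p12")"

# If a JDK is present, convert the good PKCS12 to JKS and confirm the stored chain length.
if command -v keytool >/dev/null 2>&1; then
  keytool -importkeystore -noprompt -srckeystore "$WORK/fullchain.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/keystore.jks" -deststoretype JKS \
    -deststorepass "$PASS" >/dev/null 2>&1 \
    && keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$PASS" 2>/dev/null \
       | grep 'Certificate chain length' \
    || echo "keytool step skipped"
fi
```

The check to carry over to a real deployment is the same one MikeMcQ and rg305 used: against a correctly built keystore, openssl s_client -showcerts prints two certificates (depth 0 leaf, depth 1 intermediate) and keytool -list -v shows "Certificate chain length: 2"; a single certificate in either place means the intermediate was dropped during conversion. Since JDK 9 the default keystore type is PKCS12, so if the project only requires "a keystore" rather than the JKS format specifically, the fullchain.p12 produced above can often be loaded directly and the JKS conversion step skipped.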