Keytool error: java.lang.Exception: Failed to establish chain from reply

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: omeet.yahsglobalkingdom.org

I ran this command:
on 10/12/2019: sudo certbot certonly --apache
on 10/13/2019: started following this tutorial: Tutorial - Java KeyStores (JKS) With Let's Encrypt
I did the following:

  1. Import Let's Encrypt Root CA certificate
    go to https://letsencrypt.org/certificates/
    copy the certificate text into a file and name it LetEncrptCA.crt

Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.

You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CAs concatenated together).

Then run sudo update-ca-certificates.

  2. Add root certificate from CA (Let's Encrypt)
sudo keytool -import \
  -alias root \
  -keystore /opt/open502/conf/keystore \
  -trustcacerts \
  -file /usr/local/share/ca-certificates/letsencrypt.crt

This creates the keystore if it does not exist and adds the root certificate to it.

  3. Add intermediate certificates to keystore
sudo keytool -import \
  -trustcacerts \
  -alias LE_INTERMEDIATE \
  -file /usr/local/share/ca-certificates/lets-encrypt-x3-cross-signed.cer \
  -keystore /opt/open502/conf/keystore \
  -storepass '<storepassword>'

(use the actual name of the intermediate certificate you received or downloaded from Let's Encrypt)

  4. Generate Certificate Signing Request (CSR)
sudo keytool -certreq -keyalg RSA -alias openmeetings -file yahsglobalkingdom.csr -keystore /opt/open502/conf/keystore
  5. Request cert from Let's Encrypt
sudo certbot certonly --manual --csr /opt/open502/conf/yahsglobalkingdom.csr
It produced this output (on 10/12/2019):
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/omeet.yahsglobalkingdom.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/omeet.yahsglobalkingdom.org/privkey.pem
   Your cert will expire on 2020-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Output on 10/13/2019:

sudo certbot certonly --manual --csr /opt/open502/conf/yahsglobalkingdom.csr 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Server issued certificate; certificate written to /opt/open502/conf/0000_cert.pem
Cert chain written to 10
Cert chain written to 11

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /opt/open502/conf/0001_chain.pem
   Your cert will expire on 2020-01-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): TOMCAT3

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1. I requested certbot to create a certificate and install it for Apache. But I have a Tomcat (so I started over, as the configurations are not the same).
2. Started following the tutorial mentioned above, but I ran into a problem when I run:

sudo keytool -importcert -alias openmeetings -keystore /opt/open502/conf/keystore -storepass '<storepassword>' -file /opt/open502/conf/openmeeting_omeetSSL_cert.cer

(openmeeting_omeetSSL_cert.cer is the renamed 0000_cert.pem; '<storepassword>' masks the actual store password, which has been removed.)

Output from this command

keytool error: java.lang.Exception: Failed to establish chain from reply

Everything I found says it has to do with not having the Intermediate Certificates installed.

Your keystore contains 6 entries

openmeetings, Oct 12, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): Fingerprint removed for this post
yahsglobalkingdomministries, Oct 12, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): Fingerprint removed for this post
yahglobalkingdom, Oct 13, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): Fingerprint removed for this post
root, Oct 13, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
intermed, Oct 13, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68
intermed-letsencryptauthorityx3, Oct 13, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68

I am basically lost. I am trying to document the process for a Tomcat server and will contribute it back to the community if/when I can get this to work.

I’m not sure quite what is going on with the process you are following. Assuming you are trying to install a certificate to Tomcat, it should not be necessary to play around with roots and intermediates at all.

I previously wrote a 2-3 step guide to deploy a Certbot certificate to Tomcat 8/9. If you like, take a look at it and see if it suits what you're doing.


try using this tool https://keystore-explorer.org/downloads.html

can you take a screenshot of the certificates in the tool

this should help with intermediates etc.

May I ask why you are still on Tomcat 3? Assuming that's not a typo, that particular Tomcat release was last updated back in 2004. :scream:

According to https://knowledge.digicert.com/solution/SO5102.html, the following error occurs because you have the wrong intermediate certificate or didn't import an intermediate certificate:

keytool error: java.lang.Exception: Failed to establish chain from reply

Can you verify if you have our intermediate (X3 and the IdenTrust cross sign) in your trust store? Chain of Trust - Let's Encrypt

Are you importing the fullchain.pem into your trust store?

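What keytool is actually checking when it reports "Failed to establish chain from reply", as an added example that is not code from the original post, from Let's Encrypt or from the JDK: the Go program below builds a toy root -> intermediate -> leaf hierarchy with the standard-library x509 package and replays the import attempts discussed in this thread, i.e. the original poster's import of the renamed 0000_cert.pem, the "wrong or missing intermediate" diagnosis from the DigiCert article, and the suggestion to import fullchain.pem. The names Toy Root X1, Toy Authority X3, Toy Authority R3 and the hostname omeet.example.org are made up; VerifyReply models keytool's chain building with Go's verifier, which is an assumption (the two differ in details such as key-usage checks); and nothing here touches a real keystore.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ca is a toy certificate plus the private key that signs with it (a made-up stand-in for a real CA).
type ca struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue creates a certificate named cn, signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, parent *ca) *ca {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // a Let's Encrypt lifetime
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the toy hierarchy is the whole demo; nothing to do without keys
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return &ca{cert: cert, key: key}
}

// PEMBundle concatenates certificates leaf-first, the layout of certbot's fullchain.pem.
func PEMBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyReply models what keytool -importcert does for a PrivateKeyEntry: the first certificate
// in the reply must chain, through the other reply certificates, to a certificate that is already
// a trustedCertEntry. nil means keytool would accept; an error is "Failed to establish chain from reply".
func VerifyReply(reply []byte, trusted ...*x509.Certificate) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(reply); block != nil; block, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
	if len(certs) == 0 {
		return fmt.Errorf("reply contains no certificate")
	}
	anchors, extra := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		anchors.AddCert(t)
	}
	for _, c := range certs[1:] {
		extra.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: anchors, Intermediates: extra})
	return err
}

// Scenarios builds root -> intermediate -> leaf and replays the imports discussed in the thread.
func Scenarios() map[string]error {
	root := issue("Toy Root X1", 1, true, nil)
	inter := issue("Toy Authority X3", 2, true, root)
	other := issue("Toy Authority R3", 3, true, root) // a different intermediate under the same root
	leaf := issue("omeet.example.org", 4, false, inter)
	leafOnly := PEMBundle(leaf.cert)              // what certbot --csr writes to 0000_cert.pem
	fullchain := PEMBundle(leaf.cert, inter.cert) // what it writes to 0001_chain.pem (fullchain)
	return map[string]error{
		"leaf only, root trusted":               VerifyReply(leafOnly, root.cert),
		"leaf only, wrong intermediate trusted": VerifyReply(leafOnly, root.cert, other.cert),
		"leaf only, right intermediate trusted": VerifyReply(leafOnly, root.cert, inter.cert),
		"fullchain, root trusted":               VerifyReply(fullchain, root.cert),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-40s -> %v\n", name, err) // <nil> means keytool would accept the reply
	}
}
```

A nil result is what keytool needs: the leaf plus everything up to some certificate it already trusts. Importing certbot's 0001_chain.pem (or fullchain.pem), which already carries the intermediate, as the reply for the openmeetings alias therefore works even in a keystore that holds only the root, whereas 0000_cert.pem on its own works only when exactly the right intermediate is present as a trustedCertEntry; keytool accepts a PEM file with several concatenated certificates as a reply. Two keytool details worth checking against the commands in this thread: without -trustcacerts it considers only the trusted entries in the target keystore, not the JDK's cacerts file, and passing -storepass on the command line leaves the password in shell history and in ps output, so it is better to omit it and let keytool prompt.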
