Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: omeet.yahsglobalkingdom.org
I ran this command: on
10/12/2019 sudo certbot certonly --apache
10/13/2019 start following this tutorial Tutorial - Java KeyStores (JKS) With Let's Encrypt
I did the following:
- Import LetsEncrypt Root CA certificate
goto https://letsencrypt.org/certificates/
copy certificate text into file and name it LetEncrptCA.crt
Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
- You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CA’s concatenated together).
Then run sudo update-ca-certificates.
- Add Root certificate from CA - letsencrypt
sudo keytool -import \
-alias root \
-keystore /opt/open502/conf/keystore \
-trustcacerts \
-file /usr/local/share/ca-certificates/letsencrypt.crt
creates the keystore root and adds the certificate to it if it does not exist.
- Add intermediate certificates to keystore
sudo keytool -import \
-trustcacerts \
-alias LE_INTERMEDIATE \
-file .file /usr/local/share/ca-certificates/lets-encrypt-x3-cross-signed.cer \
-keystore /opt/open502/conf/keystore \
-storepass '<storepassword>'
–the actual name of the intermediate certificate you received or downloaded from letsencrypt.
- Generate Certificate Signing Request (CSR)
sudo keytool -certreq -keyalg RSA -alias openmeetings -file yahsglobalkingdom.csr -keystore /opt/open502/conf/keystore
- Request Cert from LetsEncrypt
sudo certbot certonly --manual --csr /opt/open502/conf/yahsglobalkingdom.csr
It produced this output: on 10/12/2019
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/omeet.yahsglobalkingdom.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/omeet.yahsglobalkingdom.org/privkey.pem
Your cert will expire on 2020-01-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
OUTPUT on 10/13/2019
<response>
sudo certbot certonly --manual --csr /opt/open502/conf/yahsglobalkingdom.csr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Server issued certificate; certificate written to /opt/open502/conf/0000_cert.pem
Cert chain written to 10
Cert chain written to 11
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/opt/open502/conf/0001_chain.pem
Your cert will expire on 2020-01-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My web server is (include version): TOMCAT3
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: Self Hosted
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
1. I requested certbot to create a certificate and install for apache. But I have a Tomcat (so I started over as the configurations are not the same).
2. Started following the Tutorial mentioned above but I ran into a problem when I run:
sudo keytool -importcert -alias openmeetings -keystore /opt/open502/conf/keystore -storepass '<storepassword>' -file /opt/open502/conf/openmeeting_omeetSSL_cert.cer < renamed 0000_cert.pem
'<storepassword>' masked; actual store password removed
Output from this command
keytool error: java.lang.Exception: Failed to establish chain from reply
Everything I found says it has to do with not having the Intermediate Certificates installed.
Your keystore contains 6 entries
openmeetings, Oct 12, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): Fingerprint removed for this post
yahsglobalkingdomministries, Oct 12, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): Fingerprint removed for this post
yahglobalkingdom, Oct 13, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): Fingerprint removed for this post
root, Oct 13, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
intermed, Oct 13, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68
intermed-letsencryptauthorityx3, Oct 13, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68
I am basically lost, trying to document the process for tomcat server and will contribute it back to the community, if/when I can get this to work
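
Added example, not part of the original post: keytool raises `Failed to establish chain from reply` when it cannot build a path from the certificate being imported to a trusted entry, and the same links can be checked with openssl before the import. The PKI below is constructed test data (Demo Root, Demo Intermediate, demo.example), and `make_demo_chain`, `name_of` and `check_chain` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example. Checks leaf -> intermediate -> root before a keytool import.
# All certificates, names and helper functions here are constructed.

# Build a throwaway three-level PKI in directory $1 (test data only).
make_demo_chain() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Print a certificate's issuer or subject ($2) without the "issuer=" label.
name_of() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_chain LEAF INTERMEDIATE ROOT: prints "ok" or the first broken link.
check_chain() {
  local leaf="$1" inter="$2" root="$3"
  [ "$(name_of "$leaf" issuer)" = "$(name_of "$inter" subject)" ] ||
    { echo "leaf issuer is not the intermediate"; return 1; }
  [ "$(name_of "$inter" issuer)" = "$(name_of "$root" subject)" ] ||
    { echo "intermediate issuer is not the root"; return 1; }
  # Matching names are not enough: the signatures must verify as well.
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>/dev/null |
    grep -q 'OK$' || { echo "signature verification failed"; return 1; }
  echo "ok"
}

demo() {
  local a b
  a=$(mktemp -d); b=$(mktemp -d)
  make_demo_chain "$a"; make_demo_chain "$b"   # same names, different keys
  check_chain "$a/leaf.pem" "$a/inter.pem" "$a/root.pem"
  check_chain "$a/leaf.pem" "$a/root.pem"  "$a/root.pem" || true
  check_chain "$a/leaf.pem" "$a/inter.pem" "$b/root.pem" || true
  rm -rf "$a" "$b"
}
demo
```

With real files, pass the issued certificate, the intermediate and the root in that order; the first message other than `ok` names the link that does not hold.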