Keytool error: java.lang.Exception: Failed to establish chain from reply

Hello Guys,

I ran into an exception while importing my certificate (certificate.crt, while importing my certificate after importing the root certificate):
keytool error: java.lang.Exception: Failed to establish chain from reply

Does anyone know how to go about this?

Detail:
OS: Ubuntu, 16
Java version: 8
Server: Tomcat8, no reverse proxies used
Generated certificates through CSR
domain: ikk.cool
alias: ragha
Hosted in AWS

Did you import the intermediate from Let’s Encrypt into your keystore before?

From LetsEncrypt, I got 3 files in zip

  1. Certificate
  2. Private.key
  3. CA_Bundle -> This is both root and intermediate.

I imported CA_Bundle (1 keytool import command), and it went through fine. So I’m thinking that the intermediate will also be imported as part of it.
Next, when I imported the actual certificate, I faced this issue.

Do let me know if you need any details. Much appreciate your help.

I have to admit that I don’t know this tool at all. Maybe this documentation will help you (warning: link goes to symantec).

https://support.symantec.com/en_US/article.TECH220191.html

Try searching JKS on this forum and you may find a very detailed tutorial that covers this.

I know it exists as I wrote the tutorial :wink:

Andrei

Hi Guys,

I think I’m doing basic stuff wrong, so I thought of sharing what I’m doing.

  1. Created a keystore and created a CSR
  2. Went to Let’s Encrypt, chose to manually create a certificate
  3. Generated certificates with the CSR, downloaded them
  4. Copied these files to ec2
  5. Now ran the below commands:
    1. keytool -import -alias root -keystore /home/ubuntu/mycertificate -trustcacerts -file ca_bundle.crt
      o/p: Certificate imported successfully
    2. Downloaded intermediate from https://letsencrypt.org/certificates/, imported this as well, command used is below
      keytool -import -trustcacerts -alias intermediate -file ./letsencrypt/letsencryptauthorityx3.crt -keystore ./mycertificate
      o/p: Certificate already exists in keystore under alias root
      Do you still want to add it? [no]: yes
      Certificate was added to keystore
    3. Imported my certificate
      keytool -import -alias tomcat -keystore /home/ubuntu/mycertificate -file ./letsencrypt/certificate.crt
      o/p: keytool error: java.lang.Exception: Failed to establish chain from reply

Follow it very carefully; there are reasons why things were done in a certain way.

Andrei
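
An added example, not part of any post in this thread: keytool reports "Failed to establish chain from reply" when it cannot link the certificate reply to a self-signed root through the certificates it already trusts, and this script follows the same issuer links with the openssl CLI and names the missing one. It assumes openssl is installed; `walk_chain`, `split_bundle`, `make_demo_pki` and the "Demo" certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: follow issuer links by name hash only; signatures and validity are not checked.

h() { openssl x509 -in "$1" -noout "-$2"; }   # h FILE subject|issuer|subject_hash|issuer_hash

# split_bundle BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/N.pem
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
}

# walk_chain LEAF BUNDLE: return 0 if the chain reaches a self-signed root, 1 if a link is missing
walk_chain() {
  local cur="$1" tmp c next depth
  tmp=$(mktemp -d); split_bundle "$2" "$tmp"
  for depth in 0 1 2 3 4 5 6 7; do
    echo "[$depth] $(h "$cur" subject)"
    if [ "$(h "$cur" subject_hash)" = "$(h "$cur" issuer_hash)" ]; then
      rm -rf "$tmp"; return 0                      # self-signed: chain is complete
    fi
    next=""
    for c in "$tmp"/*.pem; do
      if [ -e "$c" ] && [ "$(h "$c" subject_hash)" = "$(h "$cur" issuer_hash)" ]; then
        next="$c"; break
      fi
    done
    [ -n "$next" ] || { echo "no certificate in bundle for $(h "$cur" issuer)"; rm -rf "$tmp"; return 1; }
    cur="$next"
  done
  rm -rf "$tmp"; return 1                          # deeper than 8 links or a loop
}

# make_demo_pki DIR: constructed test PKI (Demo Root -> Demo Intermediate -> demo.example)
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Demo Root" -days 2 2>/dev/null
  issue() {  # issue NAME CN ISSUER SERIAL
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.crt" -CAkey "$d/$3.key" -set_serial "$4" \
      -out "$d/$1.crt" -days 2 2>/dev/null
  }
  issue int "Demo Intermediate" root 2
  issue leaf "demo.example" int 3
  cat "$d/int.crt" "$d/root.crt" > "$d/full_bundle.crt"
}

demo=$(mktemp -d); make_demo_pki "$demo"
walk_chain "$demo/leaf.crt" "$demo/full_bundle.crt" || echo "chain incomplete"   # reaches Demo Root
walk_chain "$demo/leaf.crt" "$demo/root.crt" || echo "chain incomplete"          # intermediate absent
rm -rf "$demo"
```

Run against the files named in the thread, the call would be `walk_chain certificate.crt ca_bundle.crt`; a "no certificate in bundle" line names the issuer that still has to be imported as a trusted certificate before the reply.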
