Hi everyone,
I have a problem installing Let's Encrypt on my Tomcat server on CentOS 7.
I ran the following commands to install the necessary programs:
sudo yum -y install epel-release
sudo yum -y install certbot
After that I stopped tomcat and forwarded the ssl port using these commands
sudo systemctl stop tomcat
sudo firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
systemctl restart firewalld
Then I generated the certificate:
sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/.keystore -keysize 2048
sudo keytool -certreq -alias tomcat -file request.csr -keystore /opt/tomcat/.keystore
sudo certbot certonly --csr request.csr
When I want to add the file to the keystore, it goes wrong.
sudo keytool -import -trustcacerts -alias tomcat -file 0000_chain.pem -keystore /opt/tomcat/.keystore
I need to enter my keystore password, but it always gives me the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Hope somebody can help me, I’m really a noob with ssl certificates.
rg305
August 9, 2017, 3:02pm
Have you previously used the alias “tomcat”?
If so, try a new alias - tomcat2
Hi,
Thanx for the fast reply!
I tried it with another alias, but I still got the same error.
Thanx!
rg305
August 9, 2017, 4:07pm
I think you may need to add the root ca first before adding the 0000_chain.pem
Hi,
Can you tell me how I do that?
Sorry, I have never worked with Let's Encrypt before and I really have no clue.
Thanx!
rg305
August 9, 2017, 4:34pm
Try:
sudo keytool -import -trustcacerts -alias tomcat -file 0000_fullchain.pem -keystore /opt/tomcat/.keystore
schoen
August 9, 2017, 4:53pm
There are some previous forum posts that might help, like
rg305:
0000_fullchain.pem
I have no file called 0000_fullchain.pem
rg305
August 9, 2017, 9:00pm
What other files are near 0000_chain.pem?
I believe -trustcacerts is for intermediates, not the cert itself.
-import -trustcacerts
You should use -importcert.
let me know the output of
sudo keytool -importcert -alias tomcat -file 0000_chain.pem -keystore /opt/tomcat/.keystore
Andrei
Thanx for the answer. When I run this I get:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I also have the following files:
0000_cert.pem
0000_chain.pem
0001_chain.pem
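The keytool error above is keytool's check that the first certificate in the file being imported as a reply carries the same public key as the key entry under that alias; an intermediate-only chain file fails that check. The following is an added example, not a command from this thread: a small POSIX sh script that uses openssl to compare the public key in a CSR with the first certificate in a PEM file before anything is imported. It builds its own demo key, CSR and certificates (the file names tomcat.key, request.csr, leaf.pem and intermediate.pem are constructed for the demo) so it runs without certbot or keytool.

```shell
#!/bin/sh
# Added example: tell whether a PEM file holds the certificate issued for a
# given CSR before running keytool -importcert. Requires openssl only.
set -eu

# SHA-256 of the DER-encoded public key carried by a CSR.
csr_pubkey_fp() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# SHA-256 of the DER-encoded public key of the FIRST certificate in a PEM file
# (openssl x509 reads only the first one, which is also the one keytool checks).
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit 0 when the first certificate in $2 was issued for the key behind CSR $1.
reply_matches_csr() {
  [ "$(csr_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Constructed demo material: one key/CSR pair, a self-signed cert from that same
# key (stands in for 0000_cert.pem) and a cert from an unrelated key (stands in
# for the intermediate that 0000_chain.pem starts with). Prints the directory.
make_demo() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$d/tomcat.key" -out "$d/request.csr" 2>/dev/null
  openssl x509 -req -in "$d/request.csr" -signkey "$d/tomcat.key" -days 1 \
    -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -days 1 -keyout "$d/other.key" -out "$d/intermediate.pem" 2>/dev/null
  echo "$d"
}

# Demo run: leaf.pem matches the CSR, intermediate.pem does not.
demo=$(make_demo)
for f in leaf.pem intermediate.pem; do
  if reply_matches_csr "$demo/request.csr" "$demo/$f"; then
    echo "$f: public key matches request.csr; this is the reply for the key alias"
  else
    echo "$f: public key differs; keytool would refuse it as a reply for that alias"
  fi
done
```

Run the same comparison against request.csr and each of the certbot output files to see which one actually contains the leaf certificate for the key in the keystore.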
system
Closed
September 9, 2017, 7:38am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.