Will the cross root cover trust by the default list in the JDK/JRE?

hedefalk · April 11, 2016, 3:09pm

So, I guess I’m gonna have to do this again a few times so made a small script, might be useful for someone else:

gist.github.com

https://gist.github.com/hedefalk/9442c224e7de4739e8cee6b7e88c4d7f

install-letsencrypt-in-jdk.sh

#!/bin/bash

JAVA_HOME=${1-text}
[ $# -eq 0 ] && { echo "Usage: sudo $0 \$(/usr/libexec/java_home -v '1.8*')" ; exit 1; }

KEYSTORE=$JAVA_HOME/jre/lib/security/cacerts

wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der
wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.der

This file has been truncated. show original

motoko · April 11, 2016, 3:24pm

You shouldn’t need to store (and probably shouldn’t store) the intermediate certs in the root trust store. Rather, add both the ISRG root and the DST root. All the certs made right now with the letsencrypt client use an intermediate chained back to the DST root because it has wider trust acceptance.

tlussnig · May 11, 2016, 6:31am

Since @pfg mention this topic as relevant for oracle jdk root inclusion.
It would be nice to get an update if there is any progress or timeline.

msklvsk · May 12, 2016, 10:15pm

Getting LE-verified site e.g. https://gethttpsforfree.com/ fails for current latest Oracle java (1.8.0_91).

josh · May 12, 2016, 10:17pm

Oracle needs to add IdenTrust’s DST Root X3 to Java in order for things to work by default. I’ve been notified by Oracle that they have accepted the root into their program and that it will ship in a software update. I don’t know when that software update will ship, unfortunately.

came88 · May 13, 2016, 11:25am

Very good news!
Do you know at least if it will be in a major update (i.e. JRE 9) or in a minor update?

Thanks

erikcostlow · May 13, 2016, 2:14pm

The ticket at https://bugs.openjdk.java.net/browse/JDK-8154757 and shows a backport for JDK 8u101. The next Oracle Critical Patch Update is July 2016 per http://www.oracle.com/technetwork/topics/security/alerts-086861.html

thhart · June 10, 2016, 10:57am

Just wanted to let you know that importing chain.pem into cacerts (/etc/ssl/java/cacerts) from /etc/letsencrypt/live// worked with an Oracle JDK 1.8.0_91 in Debian 64. In my case I used the certificates for a Jira Tomcat container which had its own JDK by the way. So check carefully which JDK is really used.

user09735 · July 8, 2016, 8:12pm

Even though the certificate should’ve been added to Java per https://bugs.openjdk.java.net/browse/JDK-8154757, the latest JDK 8u112 Build b02 from Early Access Releases (https://jdk8.java.net/download.html) still doesn’t have it. Java trust store file (lib/security/cacerts) hasn’t changed since JDK 8u92.

user09735 · July 13, 2016, 2:26pm

I’ve just tried the latest Java 9 build and its cacerts also still doesn’t include IdenTrust and DST certificates. Any idea why?

Firefishy · July 20, 2016, 12:25pm

Letsencrypt certificates are confirmed working with Oracle JDK >= 8u101 (release)

mrtux · July 20, 2016, 10:41pm

List of browsers and operating systems where LE is trusted ( Which browsers and operating systems support Let's Encrypt) updated.

micheljung · July 22, 2016, 11:00am

Who confirmed that and how? I just tried to access a website whose certificate was issued by “Let’s Encrypt Authority X3” with jdk 8u102 and it did not work.

Firefishy · July 22, 2016, 11:30am

I used my h4x0r3d code https://gist.github.com/Firefishy/b2e606c42edcc4f513ba with JDK 8u101 and worked as expected. Java™ SE Runtime Environment (build 1.8.0_101-b13)

okket · July 22, 2016, 11:37am

Works for me on OS X (10.12 beta 3 / jdk-8u102):

gist.github.com

https://gist.github.com/okket/ffcc3f5e0a213a621b5fa5d188165df1

java-ssltest.txt

→ java -version
java version "1.8.0_102"
Java(TM) SE Runtime Environment (build 1.8.0_102-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)

(see https://gist.github.com/Firefishy/b2e606c42edcc4f513ba)

→ java URLConnectionReader 
<!DOCTYPE html>
<html>

This file has been truncated. show original

micheljung · July 22, 2016, 11:55am

Embarassing, I just THOUGHT I used the new JDK - thx

retorquere · August 25, 2016, 8:43am

Is it safe to distribute chain.pem to my users?

Osiris · August 25, 2016, 8:50am

chain.pem is a certificate which can be downloaded from https://letsencrypt.org/certificates/ … So yes, that would be safe. Only private keys should be kept private

By the way: webservers using Let’s Encrypt certificates should provide chain.pem in their TLS handshake, so it is distributed already most of the time.

VVD · September 16, 2016, 2:32pm

Error still here.
$ java -version
openjdk version "1.8.0_102"
OpenJDK Runtime Environment (build 1.8.0_102-b14)
OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)

After copy /usr/local/linux-oracle-jdk1.8.0/jre/lib/security/cacerts to /usr/local/openjdk8/jre/lib/security/cacerts all work fine => OpenJDK have old cacerts without trust for letsencrypt.

ejain · December 11, 2016, 10:46pm

I’m still getting the “ValidatorException: PKIX path building failed” error with both Oracle’s Java 1.8.0_112 and RedHat’s OpenJDK 1.8.0_111 on Windows 7. Importing lets-encrypt-x3-cross-signed.der resolves the problem, but this doesn’t seem to be sufficient for the OpenJDK 1.8.0_111 on Ubuntu 16.04…