Using LetsEncrypt Certificates on Tomcat 8.x on Windows

Please fill out the fields below so we can help you better.

My domain is: retok.ddns.net

I ran this command:
1 - Generate account.key WITH SUCCESS:
C:>c:\Programas\GnuWin32\bin\openssl.exe genrsa -out account.key 2048
Loading ‘screen’ into random state - done
Generating RSA private key, 2048 bit long modulus
…+++

…+++
e is 65537 (0x10001)

2 - Generate the Tomcat CSR file.
C:>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore
Enter keystore password:

C:>

3 - Register account WITH SUCCESS:
C:>java -jar acme_client.jar -a c:\account.key --command register --with-agreement-update --email amrbrodrigues@gmail.com
{"status":"ok"}

4 - Authorize domain WITH SUCCESS
C:>java -jar acme_client.jar -a c:\account.key -w c:\ --command authorize-domains -d retok.ddns.net --well-known-dir c:\wellknown --one-dir-for-well-known
{"status":"ok"}

5 - Copy the well-known file to: C:\Programas\Apache Software Foundation\Tomcat 8.0\webapps\ROOT\.well-known\acme-challenge\

6 - Verify Domain WITH SUCCESS
C:>java -jar acme_client.jar -a c:\account.key -w c:\ --command verify-domains -d retok.ddns.net
{"status":"ok"}

7 - Generate certificate ERROR:
C:>java -jar acme_client.jar -a c:\account.key -w c:\ --command generate-certificate --csr c:\certreq.csr --cert-dir c:\wellknown
{"status":"error"}

It produced this output: {"status":"error"}

My operating system is (include version): Windows XP Version: 2002 SP2, using the acme_client.jar (Java API indicated on the Let's Encrypt homepage)

My web server is (include version): Apache Tomcat 8.0

My hosting provider, if applicable, is: Router and communication is Vodafone, the server machine is mine (I believe not relevant to this problem)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

How could I solve this problem? Why is Let's Encrypt not accepting CSR files created according to the Tomcat documentation? The Tomcat 8.0 documentation has the following on generating the certificate:

"Installing a Certificate from a Certificate Authority

To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com or trustcenter.de), read the previous section and then follow these instructions:
Create a local Certificate Signing Request (CSR)

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as “secure”. To create a CSR follow these steps:

Create a local self-signed Certificate (as described in the previous section):

keytool -genkey -alias tomcat -keyalg RSA
    -keystore <your_keystore_filename>

Note: In some cases you will have to enter the domain of your website (i.e. www.myside.org) in the field "first- and lastname" in order to create a working Certificate.
The CSR is then created with:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
    -keystore <your_keystore_filename>

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.

Importing the Certificate

Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
Import the Chain Certificate into your keystore

keytool -import -alias root -keystore <your_keystore_filename>
    -trustcacerts -file <filename_of_the_chain_certificate>

And finally import your new Certificate

keytool -import -alias tomcat -keystore <your_keystore_filename>
    -file <your_certificate_filename>

Hi @arjava

I can see your certificate was issued: https://crt.sh/?q=retok.ddns.net

The second part is to import it into the Java keystore.

I would suggest importing the certificate and the intermediates.

I do not use the acme_client.jar, but you need to find out the following things:

A) Do you have the certificate and private key somewhere on your file system?
B) If so, you need to import them into the JKS or create a JKS.
C) You then need to tell Tomcat how to get the key (path to the JKS and password).
D) You will then need to restart Tomcat.

Andrei

Hi Andrei,

I cannot use the issued certificate in Tomcat; it returns an error when I
try to import it into the Tomcat keystore.
C:>keytool -import -alias tomcat -keystore .keystore -file c:/wellknown/cert.pem
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I believe this problem occurs because when I generated this certificate I used
openssl to generate the request file (CSR).
The certificate you mentioned in your reply was generated with the
following commands in step 2 of my problem description:
2.1 - Generate the domain.key with openssl
C:>c:\Programas\GnuWin32\bin\openssl.exe genrsa -out retok.ddns.net.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

2.2 - Generate request file (CSR) with openssl
C:>c:\Programas\GnuWin32\bin\openssl.exe req -new -key retok.ddns.net.key -sha256 -nodes -config openssl.cnf -outform PEM -out retok.ddns.net.csr
Loading ‘screen’ into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Hi @arjava

I believe the issue is that the key was generated outside of the Java keystore, which Java doesn't like.

Have a read of this: http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i

As you have OpenSSL, it should be straightforward to generate the pfx and import that.

I also suggest that you import the intermediate certs as well.

Andrei

I have just found this out,

but you can use this tool: http://keystore-explorer.org/downloads.html to fix your JKS.

You need to click "Import Key Pair" or Ctrl+K,

choose OpenSSL,

point it to your LetsEncrypt cert and your original RSA key, and it should import both and create a JKS for you.

You can then use that JKS with your tomcat :smiley:

Andrei

Hi Andrei,

Thanks a lot for the tips, almost everything works fine.

I ran the following commands, copied the keystore to the Tomcat
configuration, and it works fine:

1 - Convert the openssl certificate to PKCS12
C:>c:\Programas\GnuWin32\bin\openssl.exe pkcs12 -export -in c:/wellknown/cert.pem -inkey retok.ddns.net.key -out server.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

2 - Convert the PKCS12 to Java keystore format
C:>keytool -importkeystore -deststorepass -destkeypass -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

3 - Import fullchain to the certificate
C:>keytool -import -alias root -keystore server.keystore -trustcacerts -file c:/wellknown/fullchain.pem
Enter keystore password:
Certificate already exists in keystore under alias <1>
Do you still want to add it? [no]: y
Certificate was added to keystore

4 - Import the chain to the certificate
C:>keytool -import -alias tomcat -keystore server.keystore -trustcacerts -file c:/wellknown/chain.pem
Enter keystore password:
Certificate was added to keystore

Problems I had making this conversion:
1 - If I used openssl as described in the stackoverflow answer, it did not work:
C:>c:\Programas\GnuWin32\bin\openssl.exe pkcs12 -export -in c:/wellknown/cert.pem -inkey retok.ddns.net.key -out server.p12 -name tomcat -CAfile ca.cert -caname root
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
6560:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:./crypto/asn1/asn1_lib.c:381:
6560:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:./crypto/x509/x509_att.c:317:
2 - If I used keytool as described in the stackoverflow answer, it did not work:
C:>keytool -importkeystore -deststorepass arjavaretok -destkeypass arjavaretok -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass arjavaretok -alias tomcat
keytool error: java.lang.Exception: Alias does not exist

However, I have some questions after doing this:
1 - I checked the keystore and discovered that cert.pem and fullchain.pem are
the same certificate (the fullchain has the cert and chain inside). When I
tried to import it into the keystore it indicated "Certificate already exists". Do I
really need to import the Let's Encrypt fullchain file into my certificate?
2 - Even without converting the certificate to PKCS12 using openssl, I
checked, and keytool imports the fullchain.pem file OK into JKS
format.
The Tomcat manual says to import the Chain Certificate and the new
certificate into the keystore (see my initial question; I have the extract
from the Tomcat manual). If I import fullchain.pem it works
OK, but when I try to import cert.pem it returns the error I sent in
my last email. Why do I need to import cert.pem if the cert and chain are
already in the fullchain.pem file and it loads fine with keytool without
any conversion to PKCS12?

Thank you again for your support.

Best regards

António Rodrigues

Hi Antonio

Below is how I configured this on Windows with Tomcat 8.5.

A) My certs are in the format below (I use certbot on Windows, so this is what it creates)

B) Config for server.xml

Note: I had to use protocol="org.apache.coyote.http11.Http11NioProtocol" instead of the default config, as I was getting ssl_error_rx_record_too_long errors

Also note: I use chain.pem, not fullchain.pem, for the intermediates (fullchain.pem contains the cert + intermediates)

C) Restart the server

D) Browse to the HTTPS-enabled site

Note the right certificate is being served up; my errors are to do with hostnames.

Also review this article if you still want to use JKS files:

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

Andrei

Hi Andrei,

Sorry for the late reply but I was on holiday the last 4 days.

My comments on your mails:
First mail:
A) Certbot on Windows! I searched for that and the certbot homepage
indicates this ACME client is not available for Windows. That is the reason I
used the Java ACME client API. Where could I download certbot for
Windows?
I do not have the "privkey.pem"! Why was this file not generated in my
certificate generation case?
B) I have the same protocol you indicate in your configuration but I
configured port 443. I used the Tomcat default .keystore file configuration
and it is working fine. What I do not understand is why it is needed to
configure cert and chain, considering the fullchain file has both?
C) In the initial cert configuration, a Tomcat restart is not a problem for
me; however, I do not see any alternative to also restarting the web server on
certificate renewal, and this is a problem for me (not a good idea to
restart the server periodically because there could be users using the site
at that time, especially doing this automatically with scripts without real-time
supervision). Any solution to renew the certificate without restarting
the Tomcat server?
D) The generated certificate worked fine in the following browsers:

  • Windows PC - Browser Firefox
  • Windows PC - Browser Edge
  • Windows PC - Browser IE
  • Windows PC - Browser Chrome
  • Apple PC - Browser Safari

However, when I use any Android browser on a mobile phone or tablet it
returns the following error:
ERR:CERT_AUTHORITY_INVALID
and asks the user to confirm whether they want to proceed to this untrusted site.
After this confirmation, the browser, even navigating over https, presents an
open padlock indicating it is not a secure site.
How could I solve this Android browsers certificate problem?

Second mail:
I have the Tomcat documentation, thank you anyway. My initial mail about
this certificate generation problem has an extract from this manual
(an extract from one chapter of the manual you sent in your email).

Best regards

António Rodrigues

Hi Andrei,

Any news about the Android browsers problem?

Best regards

António Rodrigues

Hi @arjava

run your domain through ssllabs.com

https://www.ssllabs.com/

this should tell you what clients are currently supported with your config

Mozilla also has a list of TLS configs for compatibility

I think there may be a problem with Android recognizing the Certificate authority

Andrei

Hi Andrei,

I submitted the site to ssllabs but it returns an error (does not complete the
validation):
"Assessment failed: Unable to connect to the server"

The error explanation: "Unable to connect to server - failed to connect
to the server, it usually happens due to firewall restrictions"

I tested the site from the same browser I used to submit to ssllabs and the
site is running and replies fine! This does not help so much…

I have already tested from several Androids (all my Android phones and tablets,
and I have also tested with some of my friends' Android equipment) and
all return the same error: CERT_AUTHORITY_INVALID. I do not believe all
the Androids are wrongly configured! I believe the Android browsers do not
yet recognise Let's Encrypt as a valid certification authority. Do you
have any idea when Android will recognise Let's Encrypt?

Best regards

António Rodrigues

Hi Antonio

This issue is caused by the fact you are not serving up the intermediate certificate.

You need to configure this as well.

SSLlabs:

Andrei
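A way to confirm this diagnosis from the command line, as an added example that is not part of the thread: feed the output of `openssl s_client -connect retok.ddns.net:443 -servername retok.ddns.net -showcerts </dev/null` (or any host) into the shell functions below, which count the certificates the server actually sent and check that each certificate's issuer is the next one's subject. Desktop browsers usually fetch or cache a missing intermediate, which is why the site looked fine there, while Android only trusts what the server sends. The two embedded `openssl s_client` transcripts are constructed with placeholder names (example.test, "Example Intermediate CA") to show the healthy case and the leaf-only case behind CERT_AUTHORITY_INVALID.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the "Certificate chain" block
# that `openssl s_client -showcerts` prints and tell whether the server sends
# its intermediates. Both sample transcripts below are constructed.
set -eu

# How many certificates the server sent (the numbered " N s:" lines).
# The chain block ends at a line that is exactly "---"; PEM delimiters inside
# the block also start with dashes, so compare the whole line.
chain_depth() {
    awk '/^Certificate chain/ { inchain = 1; next }
         inchain && $0 == "---"     { exit }
         inchain && /^ *[0-9]+ s:/ { n++ }
         END { print n + 0 }'
}

# Succeeds only when cert k's issuer equals cert k+1's subject for every k,
# i.e. the server sent a connected chain rather than unrelated certificates.
chain_links_ok() {
    awk '/^Certificate chain/ { inchain = 1; next }
         inchain && $0 == "---"     { exit }
         inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); s[n++] = $0; next }
         inchain && /^ *i:/        { sub(/^ *i:/, "");        i[n-1] = $0 }
         END {
             if (n == 0) exit 1
             for (k = 0; k < n - 1; k++) if (i[k] != s[k+1]) exit 1
             exit 0
         }'
}

# The check SSL Labs performs: at least two certificates (leaf plus the
# intermediate that signed it) and the issuer/subject links must line up.
served_chain_ok() {
    out=$(cat)
    depth=$(printf '%s\n' "$out" | chain_depth)
    if [ "$depth" -lt 2 ]; then
        echo "server sent $depth certificate(s): intermediates missing" >&2
        return 1
    fi
    printf '%s\n' "$out" | chain_links_ok || {
        echo "chain of $depth certificates does not link up" >&2; return 1; }
    echo "chain ok: $depth certificates, issuer/subject links consistent"
}

# Constructed sample: server sends leaf + intermediate (healthy).
sample_full_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Intermediate CA
   i:O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
EOF
}

# Constructed sample: server sends only the leaf, the case behind
# Android's CERT_AUTHORITY_INVALID.
sample_leaf_only() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Live use:  openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null | served_chain_ok
if [ "${1:-}" = "demo" ]; then
    sample_full_chain | served_chain_ok
    sample_leaf_only | served_chain_ok || true
fi
```

When the depth comes back as 1, the fix is on the server side: make the keystore entry carry the intermediates (chain.pem, or a PKCS#12 exported with -certfile) and restart Tomcat; no client-side change can repair a chain the server never sends.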
