Getting SSL working


Getting SSL working

John English
I'm a complete SSL newbie, and am trying to get things going with a free
certificate from Let's Encrypt. I have an old Jetty 8.1.4 setup which
worked fine with a self-signed certificate (yes, I know 8.1.4 is old and
destined for the dustbin, but please hear me out!).

What I did:
1. Import fullchain.pem (the all-in-one combined certificate and CA
chain) using the JDK keytool:

keytool -keystore keystore.test -import -alias foo.ddns.net -file
/etc/letsencrypt/live/foo.ddns.net/fullchain.pem -trustcacerts

2. Start the server:

java -jar start.jar OPTIONS=Server etc/jetty.xml

Jetty.xml sets up HTTP on port 8080 and HTTPS on port 9443. I can
connect to port 8080 via HTTP, but using Firefox to connect to HTTPS on
port 9443 gives the error message "Secure connection failed: the
connection to foo.ddns.net was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity
of the received data could not be verified." This tells me nothing about
the problem.

Can anyone tell me how to even get started figuring out what is going wrong?

Jetty.xml is configured like this:

   <Call name="addConnector">
     <Arg>
       <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
         <Set name="Port">8080</Set>
       </New>
     </Arg>
   </Call>

   <Call name="setHandler">
     <Arg>
       <New class="org.eclipse.jetty.webapp.WebAppContext">
         <Set name="Descriptor">
           <Property name="jetty.home" default="." />/webapps/ssltest/WEB-INF/web.xml
         </Set>
         <Set name="ResourceBase">
           <Property name="jetty.home" default="." />/webapps/ssltest
         </Set>
         <Set name="ContextPath">/</Set>
       </New>
     </Arg>
   </Call>

   <Call name="addConnector">
     <Arg>
       <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
         <Set name="Port">9443</Set>
         <Set name="MaxIdleTime">30000</Set>
         <Set name="Acceptors">2</Set>
         <Set name="AcceptQueueSize">100</Set>
         <Set name="Keystore"><Property name="jetty.home" default="." />/keystore.test</Set>
         <Set name="Password">foo</Set>
         <Set name="KeyPassword">foo</Set>
       </New>
     </Arg>
   </Call>

   <Call name="setHandler">
     <Arg>
       <New class="org.eclipse.jetty.webapp.WebAppContext">
         <Set name="Descriptor">
           <Property name="jetty.home" default="." />/webapps/ssltest/WEB-INF/web.xml
         </Set>
         <Set name="ResourceBase">
           <Property name="jetty.home" default="." />/webapps/ssltest
         </Set>
         <Set name="ContextPath">/</Set>
       </New>
     </Arg>
   </Call>

Thanks!
--
John English
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: Getting SSL working

Brian Reichert
On Tue, Jan 17, 2017 at 07:27:57PM +0200, John English wrote:

> I'm a complete SSL newbie, and am trying to get things going with a free
> certificate from Let's Encrypt. I have an old Jetty 8.1.4 setup which
> worked fine with a self-signed certificate (yes, I know 8.1.4 is old and
> destined for the dustbin, but please hear me out!).
>
> What I did:
> 1. Import fullchain.pem (the all-in-one combined certificate and CA
> chain) using the JDK keytool:
>
> keytool -keystore keystore.test -import -alias foo.ddns.net -file
> /etc/letsencrypt/live/foo.ddns.net/fullchain.pem -trustcacerts
>
> 2. Start the server:
>
> java -jar start.jar OPTIONS=Server etc/jetty.xml
>
> Jetty.xml sets up HTTP on port 8080 and HTTPS on port 9443. I can
> connect to port 8080 via HTTP, but using Firefox to connect to HTTPS on
> port 9443 gives the error message "Secure connection failed: the
> connection to foo.ddns.net was interrupted while the page was loading.
> The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified." This tells me nothing about
> the problem.

'Authenticity' implies trusting the issuer of your server's certificate.

Is your server providing the certificate you expect?

  openssl s_client -connect foo.ddns.net:9443 < /dev/null >& out.pem

You can use openssl tools to shake out what's going on.

If your server is not serving the certificate you expect, then you
indeed have a jetty config problem.

If your server is indeed serving the certificate you expect, then
your config is OK, but now you get to track down what your SSL issue
is, and that's not specific to jetty.


--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: Getting SSL working

John English
On 17/01/2017 19:57, Brian Reichert wrote:

> 'Authenticity' implies trusting the issuer of your server's certificate.
>
> Is your server providing the certificate you expect?
>
>   openssl s_client -connect foo.ddns.net:9443 < /dev/null >& out.pem
>
> You can use openssl tools to shake out what's going on.
>
> If your server is not serving the certificate you expect, then you
> indeed have a jetty config problem.
>
> If your server is indeed serving the certificate you expect, then
> your config is OK, but now you get to track down what your SSL issue
> is, and that's not specific to jetty.

OK. I'm not familiar with OpenSSL but what you've told me should be
enough to get me started. I'll probably be back with more questions
tomorrow unless a miracle happens.

Many thanks,
--
John English

Re: Getting SSL working

John English
In reply to this post by Brian Reichert
On 17/01/2017 19:57, Brian Reichert wrote:
> Is your server providing the certificate you expect?
>
>   openssl s_client -connect foo.ddns.net:9443 < /dev/null >& out.pem

This is the output:

3073205948:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any advice on what I should do next?

Many thanks,
--
John English

Re: Getting SSL working

John English
In reply to this post by Brian Reichert
On 17/01/2017 19:57, Brian Reichert wrote:
> On Tue, Jan 17, 2017 at 07:27:57PM +0200, John English wrote:
> If your server is indeed serving the certificate you expect, then
> your config is OK, but now you get to track down what your SSL issue
> is, and that's not specific to jetty.

Further enquiries suggest I haven't got the private key in the keystore.
I have two files from letsencrypt.org: fullchain.pem and privkey.pem. I
have followed the instructions in the Jetty docs at
http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates-via-pkcks12:

1) openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out
cert.p12 -name foo.ddns.net

2) rm keystore.test

3) keytool -importkeystore -destkeystore keystore.test -srckeystore
cert.p12 -srcstoretype PKCS12 -srcstorepass x -alias foo.ddns.net

The server then fails to start (java.security.UnrecoverableKeyException:
Cannot recover key).

Looking at the keystore with keytool, it says this:

Your keystore contains 1 entry
foo.ddns.net, Jan 18, 2017, PrivateKeyEntry

The examples I've seen suggest I should end up with 2 entries (a
PrivateKeyEntry and a trustedCertEntry). Can anyone tell me what I'm
doing wrong?

Thanks,
--
John English

Re: Getting SSL working

Simone Bordet-3
Hi,

On Wed, Jan 18, 2017 at 7:44 PM, John English <[hidden email]> wrote:
> Further enquiries suggest I haven't got the private key in the keystore.

Yep.

> I have two files from letsencrypt.org: fullchain.pem and privkey.pem. I have
> followed the instructions in the Jetty docs at
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates-via-pkcks12:

I used basically the same commands to set up https://webtide.com, which
is served by Jetty (that also offloads TLS).
Differences inline.

> 1) openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert.p12
> -name foo.ddns.net

I first concatenated the fullchain and the privkey and then imported
only one file.
Also, I did not use the -name option. Do you really need it?

> 2) rm keystore.test
>
> 3) keytool -importkeystore -destkeystore keystore.test -srckeystore cert.p12
> -srcstoretype PKCS12 -srcstorepass x -alias foo.ddns.net

Here too, I did not use the -alias option.

> The server then fails to start (java.security.UnrecoverableKeyException:
> Cannot recover key).

Are the passwords correct?

> Looking at the keystore with keytool, it says this:
>
> Your keystore contains 1 entry
> foo.ddns.net, Jan 18, 2017, PrivateKeyEntry
>
> The examples I've seen suggest I should end up with 2 entries (a
> PrivateKeyEntry and a trustedCertEntry). Can anyone tell me what I'm doing
> wrong?

Not sure. Would you mind following the documentation exactly, and seeing if it works?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: Getting SSL working

John English
On 20/01/2017 19:32, Simone Bordet wrote:
>> The server then fails to start (java.security.UnrecoverableKeyException:
>> Cannot recover key).
>
> Are passwords correct ?

That turned out to be the problem -- the password used to create the
PKCS12 file needed to be specified in setKeyPassword, and the password
used for the JKS keystore needed to be specified in setPassword; my
jetty.xml (Jetty 8.1.4) config needed to look like this:

<Set name="Keystore"><Property name="jetty.home" default="." />/keystore.test</Set>
<Set name="Password">keystore-password</Set>
<Set name="KeyPassword">pkcs12-password</Set>


The use of the PKCS12 password isn't terribly clear in the docs IMHO; it
mentions jetty.sslContext.keyStorePassword (presumably what I specified
as keystore-password above) but doesn't say what to do with
pkcs12-password. And of course this didn't matter when I was using a
self-signed certificate, but is crucial for a proper certificate...

Thanks!
--
John English
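The thread comes down to two keystore mistakes: importing fullchain.pem with keytool -import produces a trustedCertEntry and no private key (so the server has nothing to present and openssl s_client reports "no peer certificate available"), and the PKCS12 export password ends up as the entry's key password, which Jetty must receive as KeyPassword while the JKS store password goes in Password. The script below is an added example, not code posted in the thread or shipped by Jetty; it generates a constructed self-signed key/certificate pair in place of certbot's privkey.pem/fullchain.pem, reproduces both paths, and reports what keytool sees. The alias, file names and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a Jetty JKS keystore from
# Let's Encrypt style files (fullchain.pem + privkey.pem), keeping the two
# passwords distinct, and reports which entry types keytool sees.
set -u
WORK=$(mktemp -d)
ALIAS=foo.ddns.net             # placeholder host name, as used in the thread
STORE_PASS=keystore-password   # goes into <Set name="Password">
KEY_PASS=pkcs12-password       # PKCS12 export password; goes into <Set name="KeyPassword">

# Constructed stand-in for certbot's privkey.pem / fullchain.pem: a one-day
# self-signed certificate (a chain of one), so the script runs offline.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ALIAS" \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
}

# Prints the distinct entry types keytool lists for a keystore, e.g. "PrivateKeyEntry".
entry_types() { # $1 = keystore file, $2 = store password
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | sort -u | xargs
}

# The thread's first attempt: fullchain.pem holds only certificates, so
# keytool -importcert yields a trustedCertEntry and no key for the TLS server.
import_cert_only() {
  keytool -importcert -noprompt -storetype JKS -keystore "$WORK/certonly.jks" \
    -storepass "$STORE_PASS" -alias "$ALIAS" -file "$WORK/fullchain.pem" >/dev/null 2>&1
  entry_types "$WORK/certonly.jks" "$STORE_PASS"
}

# The working path: PEM -> PKCS12 (protected by KEY_PASS) -> JKS (store password
# STORE_PASS). keytool carries the PKCS12 password over as the key password of
# the imported entry, which is why Jetty needs it as KeyPassword.
build_keystore() {
  openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
    -name "$ALIAS" -out "$WORK/cert.p12" -passout "pass:$KEY_PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1  # readable by older keytool
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/cert.p12" -srcstoretype PKCS12 -srcstorepass "$KEY_PASS" -srcalias "$ALIAS" \
    -destkeystore "$WORK/keystore.test" -deststoretype JKS \
    -deststorepass "$STORE_PASS" -destkeypass "$KEY_PASS" >/dev/null 2>&1
  entry_types "$WORK/keystore.test" "$STORE_PASS"
}

# Run with "sh script.sh run" to see both results; the matching jetty.xml
# fragment is Password=STORE_PASS and KeyPassword=KEY_PASS.
main() { make_test_material; echo "cert only: $(import_cert_only)"; echo "pkcs12 path: $(build_keystore)"; }
if [ "${1:-}" = run ]; then main; fi
```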