
Updated SSL certificate but browser still shows as invalid

Please note these java.net forums are being decommissioned and use the new and improved forums at https://community.oracle.com/community/java.
4 replies [Last post]
TenG_uk
Offline
Joined: 2014-07-08

Running GlassFish 3.1.1 (build 12) on Amazon Linux.

The app has been running for 3 years without an issue, but now I need to update the SSL certificate.

My research included the following web sites:

http://aliok.wordpress.com/2011/06/04/using-your-ssl-certificate-on-glas...

http://www.denizoguz.com/2011/01/02/installing-godaddy-ssl-certificates-...

In my existing keystore I have:

$ /usr/java/jdk1.7.0_01/bin/keytool -list -keystore keystore.jks
Enter keystore password: changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

root, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 27:96:BA........:20:EE:E4
glassfish-instance, Aug 5, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): CD:ED:ED.......:F2:52:99
app, Mar 15, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): D2:91:C9........:54:03:0A
intermed, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 7C:46:56..........:11:FC:44
s1as, Aug 5, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): 93:89:A1........:E0:22:3E
cross, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): DE:70:F4:........:3B:2C:62

In the Glassfish "server-config" listener-2 section the SSL tab shows alias "app" and keystore is "keystore.jks".

I applied to GoDaddy for the replacement certificate, and after going through the verification process received a zip file containing:

71.......8c4.crt gd_bundle.crt

I deleted the existing "app" alias from the keystore:

/usr/java/jdk1.7.0_01/bin/keytool -delete -alias app -keystore keystore.jks.test

Then added the new certificate to the same alias:

/usr/java/jdk1.7.0_01/bin/keytool -import -alias app -keystore keystore.jks.test -trustcacerts -file 71.......8c4.crt

I then restarted GlassFish.

Then I navigated to the SSL site on my browser but got the same Invalid Certificate warning.

When I use the browsers "View Certificate" option and look at the "Thumbprint" the hex key matches the old "app" key from the keystore, i.e. GlassFish doesn't seem to be picking up the new keystore.

Any ideas?

TenG_uk
Offline
Joined: 2014-07-08

SOLVED:

Reapplied the gd_bundle and cert file but also included the "-keypass" flag and then restart GlassFish, and it worked:

keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks -keypass changeit -storepass changeit

keytool -import -trustcacerts -alias app -file 7***a8c4.crt -keystore keystore.jks -keypass changeit -storepass changeit

benerridge
Offline
Joined: 2007-03-21

Did you add the gd_bundle.crt to your cacerts.jks? The client will need the path to a trusted authority.

Also you can add this to the JVM args to help debug cert issues.
-Djavax.net.debug=ssl:handshake:verbose

Maybe browser is caching?

TenG_uk
Offline
Joined: 2014-07-08

Thanks for the hint.

I just tried to add gd_bundle.crt to cacerts.jks as well and retried. But to no avail.

To recap, here is what I did:

cd /opt/glassfish3/glassfish/domains/domain1/config

# Backup keystores

cp keystore.jks keystore.jks.bak
cp cacerts.jks cacerts.jks.bak

# Stop glassfish

sudo /etc/init.d/glassfish stop

# Delete the old cert from the keystore

keytool -delete -alias app -keystore keystore.jks -storepass changeit

# Add new cert to keystore

keytool -import -alias app -keystore keystore.jks -trustcacerts -file 717......8c4.crt

# Delete root cert from keystore

keytool -delete -alias root -keystore keystore.jks -storepass changeit

# Add new root cert to keystore

keytool -import -v -alias root -keystore keystore.jks -trustcacerts -file gd_bundle.crt

# Delete Go Daddy entry from cacerts and import new one

keytool -delete -alias godaddyclass2ca -keystore cacerts.jks

keytool -import -alias godaddyclass2ca -keystore cacerts.jks -trustcacerts -file gd_bundle.crt

# Start glassfish

sudo /etc/init.d/glassfish start

# Test

openssl s_client -msg -connect mydomain.com:8181 -state

Result:

CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 006c], ClientHello
01 00 00 68 03 01 53 ca cc 84 6f bc c2 f4 81 fa
snip
03 00 ff 02 01 00 00 04 00 23 00 00
SSL_connect:SSLv2/v3 write client hello A
139675755902792:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
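The thread's two symptoms (browser "Thumbprint" still matching the old "app" entry, then a handshake failure after deleting and re-importing aliases) can both be checked from the keystore side. The following diagnostic is an added example, not code from the thread or from GlassFish: it opens the JKS file, verifies that the configured alias is still a PrivateKeyEntry (a plain `keytool -import` into a deleted alias yields a trustedCertEntry with no private key, which a listener cannot use), then handshakes with the running listener and compares the SHA-1 fingerprint it presents with the one in the keystore. Class name, argument order and the sample arguments in the comment are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Diagnostic: is the alias a PrivateKeyEntry, and does the listener actually serve that certificate? */
public class KeystoreCheck {
    /** SHA-1 fingerprint in keytool's colon-separated form (what the browser shows as "Thumbprint"). */
    static String sha1(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()))
            sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    /** Records the chain the server presents so it can be inspected; for diagnosis only, never for real traffic. */
    static class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] served;
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) { served = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java KeystoreCheck keystore.jks changeit app mydomain.com 8181
        String path = args[0], storepass = args[1], alias = args[2], host = args[3];
        int port = Integer.parseInt(args[4]);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, storepass.toCharArray()); }
        // "keytool -import" into an alias that was deleted first creates a trustedCertEntry:
        // a certificate with no private key, which a listener cannot use.
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + " is a trustedCertEntry, not a PrivateKeyEntry: import the CA reply over the original key entry");
            System.exit(1);
        }
        String expected = sha1((X509Certificate) ks.getCertificate(alias));
        System.out.println("keystore " + alias + ": " + expected);

        // Handshake with the running listener and capture the chain it presents.
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) { s.startHandshake(); }
        String actual = sha1(tm.served[0]);
        System.out.println("served:   " + actual);
        System.out.println(actual.equals(expected) ? "MATCH" : "MISMATCH: listener still serves another entry; check its alias/keystore and restart");
    }
}
```

If the first check fails, restore the backed-up keystore and import the CA reply onto the existing key entry (same alias, same `-keypass`) rather than deleting the alias first, which is the difference in the SOLVED post above.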

jbeckstrom
Offline
Joined: 2011-10-21

We are having a similar problem. I installed Glassfish 3.1.2.2 and added my certificates to server.keystore. I then went into Glassfish admin and for the listener set the nickname to apex and keystore to server.keystore. However, when I go to the web page via ssl, it states there is a problem with the certificate - I said to continue. When the next page comes up, it shows a certificate error. I click on the message and it shows a valid cert date of today through the next 10 years - no way. Where is this coming from? I did this by following the Glassfish v3.1.2 and SSL by the Java Dude weblog. Any ideas?