Issues using Keystore with play application - scala

I have a java application developed in play framework. I know that we can use keystore to serve data through https for the play application.
I obtained a Let’s Encrypt certificate for my domain using certbot. Then I made a pkcs12 file using the openssl command and a keystore using keytool.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile cert.pem -caname root -passout pass:somepassword
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype pkcs12 -destkeystore keyStore.jks -deststoretype jks -storepass somepassword
I then pointed my play app to the keystore as follows in the application.conf file:
play.server.https.keyStore.path = “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
play.server.https.keyStore.type = “JKS”
play.server.https.keyStore.password = “somepassword”
When I run the application it runs without a hitch. But when I open the application where it needs to validate through https I get the following error:
[error] p.c.s.NettyServer - cannot load SSL context
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider(NettyServer.scala:89)
at play.core.server.NettyServer$$anonfun$channelSink$1.apply(NettyServer.scala:158)
Caused by: java.lang.Exception: Unable to find HTTPS keystore at “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:56)
at play.core.server.ssl.DefaultSSLEngineProvider.<init>(DefaultSSLEngineProvider.scala:24)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
The keystore file exists on the said location. I have tried giving the permission 777 just to check and it still does not work.
Any idea what I am missing on this?
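A small diagnostic added here (not part of the question or of Play) that performs the same steps Play's DefaultSSLEngineProvider does when it opens the configured keystore, so the failure can be isolated before the server starts. It takes the path, store type and password from application.conf above as program arguments; the class name KeyStoreCheck is made up:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

// Usage: java KeyStoreCheck <path> [type] [password]
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        String configured = args[0];
        String type = args.length > 1 ? args[1] : "JKS";
        char[] password = args.length > 2 ? args[2].toCharArray() : null;   // null: skip integrity check

        // 1. The path string itself. A stray non-ASCII quote character in application.conf is
        //    not a string delimiter and ends up in the path (the error above prints the path
        //    wrapped in quote characters), so report anything outside printable ASCII first.
        for (char c : configured.toCharArray()) {
            if (c < 0x20 || c > 0x7e) {
                System.out.printf("path contains non-ASCII character U+%04X%n", (int) c);
            }
        }

        // 2. Existence and readability as the user this JVM runs as. Every parent directory
        //    must be traversable as well; chmod 777 on the file alone does not help when a
        //    directory above it is not.
        Path p = Paths.get(configured);
        System.out.println("exists:   " + Files.exists(p));
        System.out.println("readable: " + Files.isReadable(p));

        // 3. Load it the way the server will; a wrong store type or password fails here
        //    with a different exception than a missing file.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, password);
        }

        // 4. Serving HTTPS needs a private-key entry; a store holding only trusted
        //    certificates loads fine but cannot terminate TLS.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.out.printf("%s: private key with chain of %d certificate(s)%n",
                        alias, ks.getCertificateChain(alias).length);
            } else {
                System.out.printf("%s: trusted certificate only%n", alias);
            }
        }
    }
}
```

Run it as the same OS user the Play server runs as, otherwise the readability result is not the one that matters.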

Related

How do I connect to MongoDB with SSL in Scala?

I'm trying to set up an ssl connection to a mongodb instance I have running in a container on my machine and keep running into,
nioEventLoopGroup-2-4, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I created a self signed .pem for mongo with,
openssl req -x509 -newkey rsa:4096 -keyout mongo.key -out mongo.crt -days 365 -nodes
cat mongo.key mongo.crt > mongo.pem
Moved those into a folder, mounted it as a bind volume in my container and added
--sslMode requireSSL --sslPEMKeyFile /etc/boundfolder/mongo.pem
to the mongo startup. I can connect to this with the mongo client.
I am setting up my mongo client in scala like so,
val hostConf = ClusterSettings.builder().hosts(List(new ServerAddress(hostName)).asJava).build()
val clientSettings = MongoClientSettings.builder()
  .streamFactoryFactory(NettyStreamFactoryFactory())
  .clusterSettings(hostConf)
val withTLS = clientSettings.sslSettings(
  SslSettings.builder()
    .enabled(true)
    .invalidHostNameAllowed(true)
    .build())
MongoClient(withTLS.build())
Lastly, I created a keystore with,
keytool -importcert -trustcacerts -file mongo.crt -keystore mongo.keystore
and am starting the application with the following parameters,
-Djavax.net.ssl.keyStore=/path/to/mongo.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=SSL
I'm pretty sure the issue is either what, or how, I'm adding the self signed cert to the keystore. Thanks for any help you can give.

How to consume secured REST API in WSO2 EI

I am trying to consume a secured REST API using WSO2 EI, which has three certificates (‘abc.key’, ‘xyz.pem’ and ‘ryz.crt’).
Using the keytool command I am able to import the ryz.crt and xyz.pem certificates but not able to install the abc.key certificate. I guess that is why I receive the error below when I hit the service:
ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 23 more
Can somebody help me import the abc.key certificate into WSO2 EI, or am I missing anything?
When I tried importing it using keytool, it gave the message below:
///security>keytool -import -alias abc -file "/home/security/abc.key" -keystore client-truststore.jks -storepass wso2carbon
keytool error: java.lang.Exception: Input not an X.509 certificate
With curl I am able to access the REST service; I need to do the same thing with WSO2.
sample:
curl -i -N -X POST \
    https://xxxx/xxxx-xx-xxxx \
    --key ../abc.key \
    --cacert ../xyz.pem \
    --cert ../ryz.crt \
    --header 'Authorization: Bearer xxxxxxxxxxxxxxx' \
    -H 'Content-Type: xxx/xxxx' \
    -d '{
    "some body
    }'

Java Web Start: Certificate does not specify OCSP responder

I try to connect with Java 8 via HTTPS to a JNLP file on an intranet server which has a self-signed TLS certificate.
When Java Web Start tries to load the first resource (a file from that server) specified in the JNLP file, it throws an exception:
javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
...
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 39 more
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 46 more
Any idea?
Indeed we did not specify the OCSP responder. But is this really a problem? Interestingly this works on the machine of my workmates (they only get a warning). Some days ago I temporarily installed Java 9 to test something. Is it possible that this mixed something up? I uninstalled it again, btw.
My current workaround is to set “Perform TLS certificate revocation checks on” in the Java Control Panel (Tab “Advanced”) to “Do not check (not recommended)”. But I do not like that.
I got past this today, was just an issue with my certificates - recreated my Keystore, but my truststore was missing the new root/intermediate cert that was specified in the website's certificate. I went back and added the certs to the truststore and restarted the site, and it worked.
keytool -import -trustcacerts -alias root -file NewRoot.cer -keystore cacerts
keytool -import -trustcacerts -alias "Intermed Name Here" -file NewInt.cer -keystore cacerts
-- I was going down a dead-end chasing the OCSP responder when Java was really checking CRL and OCSP, in that order. Fixing the Truststore / CAs was really all that was needed.
Brent
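One added check, written for this page and not taken from any of the posts above, that serves the three questions ending in "PKIX path building failed" (the MongoDB client, the WSO2 EI call and the Java Web Start case): it loads a trust store, reads the chain the server presents from a PEM file, and runs the JDK's own X509TrustManager over it offline, so the missing anchor shows up without a handshake. The class name TrustCheck and the argument order are assumptions:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustCheck <truststore.jks> <storepass> <server-chain.pem>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // Trust anchors come from a trust store: on the command line that is
        // -Djavax.net.ssl.trustStore (default: the JRE's cacerts). javax.net.ssl.keyStore
        // holds this side's own private key and is never consulted when checking a peer.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            trust.load(in, args[1].toCharArray());
        }

        // The chain as the server sends it: leaf first, then intermediates, PEM-concatenated.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = Files.newInputStream(Paths.get(args[2]))) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        for (X509Certificate c : chain) {
            System.out.println("subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
        }

        // Cheap pre-check: is the highest certificate we hold (for a self-signed server
        // certificate, the certificate itself) stored as a trusted entry at all?
        X509Certificate top = chain[chain.length - 1];
        System.out.println("top of chain stored under alias: " + trust.getCertificateAlias(top));

        // The same PKIX validation the handshake performs, run before any connection is opened.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "UNKNOWN");
            System.out.println("chain validates against this trust store");
        } catch (CertificateException ex) {
            System.out.println("chain rejected: " + ex.getMessage());  // e.g. "PKIX path building failed ..."
        }
    }
}
```

If the alias line prints null and validation is rejected, the certificate (or its issuing root/intermediate) simply is not in the store that the JVM is actually using.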

keytool -import failed with the error "failed to establish chain from reply"

I have a keystore, which contains only 1 keypair (foo). From that keypair, I generated a csr, which was signed by a CA using the certificate bar (bar is the issuer of foo). The issue I have is that I'm unable to import back the certificate foo in my keystore with this command
keytool -importcert -alias foo -file foo.p7b -keypass 123456 -keystore keystore.jks -storepass 123456
It failed with the error
Failed to establish chain from reply.
If I add the public certificate bar to my keystore, then it works fine.
Therefore, one would simply think that I absolutely need to insert the public certificate bar into my keystore, but what is bugging me here is that if I use KeyStore Explorer to import the certificate foo into my keystore (which only contains the keypair foo), then it works fine. In other words, I am able to import the certificate with KeyStore Explorer ("Import CA reply"), but not with keytool.
Does anyone have an idea what I'm doing wrong?
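An added example, not from the question or from keytool's source, that does programmatically what a CA-reply import has to do: take the key entry for foo, pick the certificate in the reply that matches that key, build a chain up to bar, and store the chain on the key entry. The issuer bar is supplied from a separate file as a one-off trust anchor rather than being added to the store. Class name ImportReply, the argument order and a single password for store and key are assumptions:

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Usage: java ImportReply keystore.jks 123456 foo foo.p7b bar.cer   (store and key password assumed equal)
public class ImportReply {
    public static void main(String[] args) throws Exception {
        char[] pass = args[1].toCharArray();
        String alias = args[2];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) { ks.load(in, pass); }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        X509Certificate self = (X509Certificate) ks.getCertificate(alias);   // self-signed cert the CSR came from

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> reply = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {     // PKCS#7 (.p7b) or PEM
            for (Certificate c : cf.generateCertificates(in)) reply.add((X509Certificate) c);
        }
        X509Certificate issuer;
        try (InputStream in = Files.newInputStream(Paths.get(args[4]))) { issuer = (X509Certificate) cf.generateCertificate(in); }

        // The reply must certify *our* key; otherwise we would bind a stranger's certificate to it.
        X509Certificate leaf = reply.stream()
                .filter(c -> c.getPublicKey().equals(self.getPublicKey())).findFirst()
                .orElseThrow(() -> new IllegalArgumentException("reply does not certify alias " + alias));

        // Build leaf -> ... -> issuer the way keytool does, with the issuer as the only trust anchor.
        // If no path to it exists this throws CertPathBuilderException, keytool's "failed to establish chain".
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(issuer, null)), target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(reply)));
        PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);

        List<Certificate> chain = new ArrayList<>(built.getCertPath().getCertificates());  // leaf first, anchor excluded
        chain.add(issuer);
        ks.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        try (OutputStream out = Files.newOutputStream(Paths.get(args[0]))) { ks.store(out, pass); }
        System.out.println("stored chain of " + chain.size() + " certificates under " + alias);
    }
}
```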

BlockedException when using selfsigned applet in Chrome

I have an applet jar that I've signed using a key I created and stored using:
keytool.exe -genkey -keyalg rsa -alias myKey
Then I generated a certificate using:
keytool.exe -export -alias myKey -file myCertificate.crt
Finally I signed my applet jar using:
jarsigner.exe myJar.jar myKey
I assume the signing went well because I got only the following message:
Warning:
The signer certificate will expire within six months.
But when I tried to run the applet in Chrome using a simple HTML page, my Java console shows the following messages:
...
security: Trust in: *myJar.jar* expired: Wed Dec 31 19:00:00 COT 1969
...
basic: your security settings have blocked a self-signed application from running
ExitException[ 0]com.sun.deploy.security.BlockedException: your security settings have blocked a self-signed application from running
at com.sun.javaws.security.JNLPSignedResourcesHelper.performSecurityCheckForSandbox(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Why is the certificate supposed to be expired? Or what could be the problem? Any ideas?
Note: I also added my site to Java's site list in the Security tab of the Java Control Panel.
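An added inspection tool, not part of the question, that verifies a signed jar the way the runtime does and reports, per entry, what the deployment check will see: whether the signer chain is a single self-signed certificate, whether that certificate is within its validity period now, and whether the signature carries a timestamp. The class name JarSignerCheck is an assumption:

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Usage: java JarSignerCheck myJar.jar
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        byte[] buf = new byte[8192];
        Date now = new Date();
        // verify=true: entry digests and the signature block are checked while entries are read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }            // signers are only known after a full read
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED " + e.getName() + ": " + tampered.getMessage());
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED " + e.getName()); continue; }
                for (CodeSigner s : signers) {
                    List<? extends Certificate> path = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) path.get(0);
                    // A one-certificate chain whose subject equals its issuer is what the plugin
                    // reports as a "self-signed application" and blocks at the default security level.
                    boolean selfSigned = path.size() == 1
                            && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                    boolean validNow = !now.before(leaf.getNotBefore()) && !now.after(leaf.getNotAfter());
                    // Without a timestamp (jarsigner -tsa) the signature stops verifying once the
                    // certificate expires; keytool -genkey defaults to a 90-day validity.
                    System.out.printf("%s: signer=%s self-signed=%b valid-now=%b until=%s timestamped=%b%n",
                            e.getName(), leaf.getSubjectX500Principal(), selfSigned, validNow,
                            leaf.getNotAfter(), s.getTimestamp() != null);
                }
            }
        }
    }
}
```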