StrongKey / fido2

Open-source FIDO server, featuring the FIDO2 standard. https://demo4.strongkey.com/getstarted/#/openapi/fido

Document for importing Letsencrypt certificate or a script #195

Closed sanudatta11 closed 2 years ago

sanudatta11 commented 2 years ago

I have been trying to import a custom Let's Encrypt certificate to the server, but the way Java web servers import certs is way different. And I have tried quite a few tutorials and am unable to import the keystore file, as it's always saying keytool error: java.io.IOException: keystore password was incorrect, mostly for the destination.

I was hoping you guys could create/help me create a script which internally calls certbot, or else at least a script where we can pass the certificate path where the pem files are located.

sanudatta11 commented 2 years ago

And also, what's the username for the Payara admin web UI?

sanudatta11 commented 2 years ago

I ran the below commands

openssl pkcs12 -export -in /etc/letsencrypt/live/yourFQDNhere/fullchain.pem -inkey /etc/letsencrypt/live/yourFQDNhere/privkey.pem -out pkcs.p12 -name letsencrypt

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore letsencrypt.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass changeit

Always getting the error: keytool error: java.io.IOException: keystore password was incorrect

push2085 commented 2 years ago

Hi @sanudatta11,

I) The default GlassFish admin credentials are username: admin, password: adminadmin (if this doesn't work then try blank or no password)

II) To import the Let's Encrypt certificate into GlassFish, do the following (use the password 'changeit' for all the keystores that you generate below):

  1. Combine the domain.crt and intermediate.pem files that were generated by Let's Encrypt into one file

  2. Create a keystore with the Let's Encrypt cert created in step 1 above:

shell> openssl pkcs12 -export -in fullchain-from-step#1 -inkey domain.key -out letsencrypt.pkcs12 -name s1as

  3. Convert the PKCS12 file to jks:

shell> keytool -importkeystore -destkeystore le-gf-keystore.jks -srckeystore letsencrypt.pkcs12 -srcstoretype PKCS12 -alias s1as

  4. Copy the keystore to the target server

  5. On the target server, save a copy of the old GlassFish keystore.jks file in case something goes wrong (location: /usr/local/strongkey/payara5/glassfish/domains/domain1/config)

  6. Delete the s1as aliased cert in keystore.jks:

shell> keytool -delete -alias s1as -keystore keystore.jks

  7. Import the new keystore into the GlassFish keystore:

shell> keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.jks

  8. Restart GlassFish and test
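The eight steps above, together with the openssl/keytool pair from sanudatta11's earlier comment that ended in "keystore password was incorrect", as one added shell script. This is example code written for this page, not the StrongKey project's own tooling and not push2085's script. It assumes certbot's live-directory file names (cert.pem, chain.pem, privkey.pem), a KEYSTORE_PASS environment variable invented here that feeds the same password to every openssl and keytool call, and the Payara config path quoted in the thread as the default target. Passing the PKCS#12 export password explicitly with -passout, and reusing that value for -srcstorepass, -deststorepass and -destkeypass, removes the interactive prompt whose answer otherwise has to match what keytool is later told.

```shell
#!/bin/sh
# Added example: import a Let's Encrypt certificate into the Payara/GlassFish
# keystore following the eight steps above. Not part of the StrongKey project.
# Assumptions (not stated in the thread): certbot's live-directory file names
# (cert.pem, chain.pem, privkey.pem), the KEYSTORE_PASS variable, and the
# Payara config path from the thread as the default target directory.
set -eu

GF_CONFIG_DEFAULT=/usr/local/strongkey/payara5/glassfish/domains/domain1/config
# GlassFish ships with 'changeit' as both keystore and key password; the key
# password must equal the store password, so one value feeds every command.
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"
ALIAS=s1as

# Step 1: leaf certificate followed by the intermediate chain, in one PEM file.
combine_chain() {
    cert="$1"; chain="$2"; out="$3"
    if [ ! -s "$cert" ] || [ ! -s "$chain" ]; then
        echo "combine_chain: missing or empty input: $cert / $chain" >&2
        return 1
    fi
    cat "$cert" "$chain" > "$out"
}

# Step 2: key + fullchain into a PKCS#12 file under the s1as alias. The export
# password is given explicitly so it is identical to the -srcstorepass used by
# keytool in step 3; when those two differ keytool fails with
# "java.io.IOException: keystore password was incorrect".
make_pkcs12() {
    fullchain="$1"; key="$2"; out="$3"
    openssl pkcs12 -export -in "$fullchain" -inkey "$key" -name "$ALIAS" \
        -out "$out" -passout "pass:$KEYSTORE_PASS"
}

# Step 3: PKCS#12 -> JKS. -destkeypass equals -deststorepass (GlassFish
# requirement, see above); -noprompt avoids an interactive overwrite question.
pkcs12_to_jks() {
    p12="$1"; jks="$2"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -alias "$ALIAS" \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS"
}

# Steps 5-7 on the target server: back up keystore.jks, remove the old s1as
# entry, import the new one, then list the entry to confirm it is present.
# Step 4 (copying the JKS over) and step 8 (restarting Payara) stay manual.
install_into_glassfish() {
    newjks="$1"; config="${2:-$GF_CONFIG_DEFAULT}"
    ks="$config/keystore.jks"
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"
    keytool -delete -alias "$ALIAS" -keystore "$ks" -storepass "$KEYSTORE_PASS"
    keytool -importkeystore -noprompt \
        -srckeystore "$newjks" -srcstorepass "$KEYSTORE_PASS" -alias "$ALIAS" \
        -destkeystore "$ks" -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS"
    keytool -list -keystore "$ks" -storepass "$KEYSTORE_PASS" -alias "$ALIAS"
}

# Usage: sh letsencrypt-to-glassfish.sh /etc/letsencrypt/live/<fqdn> [gf-config-dir]
# With no arguments the file only defines the functions and can be sourced.
if [ "$#" -ge 1 ]; then
    live="$1"
    combine_chain "$live/cert.pem" "$live/chain.pem" ./fullchain.pem
    make_pkcs12 ./fullchain.pem "$live/privkey.pem" ./letsencrypt.pkcs12
    pkcs12_to_jks ./letsencrypt.pkcs12 ./le-gf-keystore.jks
    install_into_glassfish ./le-gf-keystore.jks "${2:-}"
fi
```

Run it on the target server as sh letsencrypt-to-glassfish.sh /etc/letsencrypt/live/<fqdn>, then restart Payara (step 8). Because Let's Encrypt certificates are short-lived, the same script is a natural candidate for a certbot --deploy-hook, so the keystore is refreshed on every renewal; the timestamped keystore.jks.bak copy is the rollback point if the new entry does not serve correctly.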