Closed phette23 closed 2 years ago
Hi @phette23
You are correct, the certificate store bundled in the admin console package is indeed static - as it is with all Java installations. Details for updating it are located in the README.md @ https://github.com/openequella/openEQUELLA-admin-console-package#adding-root-ca-certificates
Typically the way that this is managed is to regularly update your Java installation, but obviously with a bundled approach that then becomes the responsibility of the bundle - and we're hoping to do another release soon so we'll include an update for that.
However, that said the bundling of the JRE is just to make things simpler for people to download and use - when they don't have any custom requirements (CA certs or otherwise) and/or possibly work in an environment where they don't want Java installed on the SOE. So as to your query as to whether you could just use a local Java installation, yes that is definitely an option - but you'll want to obviously test beforehand to ensure it works with whatever Java is part of your SOE. All you'd have to do is download the package, tweak the launcher scripts to your environment, and then go with that. (You'll just need to do that each time you download an update to the package though.)
OK that makes sense! Sorry, I missed the explanation in the readme, that would have solved my problem.
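An added example, not part of the original thread or the openEQUELLA project's code: a wrapper around the keytool import discussed in this issue that refuses to add a certificate to the bundled JRE's trust store unless its SHA-256 fingerprint matches a value obtained out of band. The JRE path is the one quoted in the issue; the function names and environment variables are assumptions, and `changeit` is the stock `cacerts` password.

```shell
#!/bin/sh
# Added example (not from the openEQUELLA project): import a CA certificate into
# the admin console's bundled JRE trust store only if its SHA-256 fingerprint
# matches a value obtained out of band (for example from the issuing CA).
# Assumptions: the JRE path quoted in this issue; "changeit" as store password.
JRE_HOME=${JRE_HOME:-${PATH_TO_ADMIN_LAUNCHER:-.}/jdk8u242-b08-jre/Contents/Home}
KEYTOOL=${KEYTOOL:-$JRE_HOME/bin/keytool}
CACERTS=${CACERTS:-$JRE_HOME/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Reduce "AB:CD:..." or "ab cd ..." to bare lowercase hex for comparison.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:upper:]' '[:lower:]'
}

# Print the SHA-256 fingerprint that keytool -printcert reports for a file.
cert_fingerprint() {
    fp=$("$KEYTOOL" -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)
    normalize_fp "$fp"
}

# Usage: import_ca_cert CERT_FILE ALIAS EXPECTED_SHA256
# Returns 0 on import, 2 unreadable file, 3 fingerprint mismatch, 4 alias in use.
import_ca_cert() {
    cert=$1
    cert_alias=$2
    expected=$(normalize_fp "$3")
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    actual=$(cert_fingerprint "$cert")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', refusing to import" >&2
        return 3
    fi
    # Do not silently replace an existing trust anchor stored under this alias.
    if "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$cert_alias" >/dev/null 2>&1; then
        echo "alias '$cert_alias' already exists in $CACERTS" >&2
        return 4
    fi
    "$KEYTOOL" -importcert -noprompt -file "$cert" -alias "$cert_alias" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Run the import when the script is called with exactly three arguments.
if [ "$#" -eq 3 ]; then
    import_ca_cert "$@"
fi
```

Because the check and the import are one step, the script can be handed to colleagues together with the expected fingerprint instead of walking each person through the keytool command.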
We recently updated our SSL certificate for an oE instance at https://vault.cca.edu and it broke the admin launcher (see the error stacktrace at the bottom of this issue). After reading about certificates and Java, trying a few failed approaches, I finally figured out how to fix it:
$PATH_TO_ADMIN_LAUNCHER/jdk8u242-b08-jre/Contents/Home/bin/keytool -import -file ~/Downloads/downloaded.cer -alias $ALIAS -keystore $PATH_TO_ADMIN_LAUNCHER/jdk8u242-b08-jre/Contents/Home/lib/security/cacerts
(I'm on a Mac)
Does the JVM packaged with the launcher app really not keep its certs up to date? Would I be better off rewriting the launcher shell script to point to a system JVM? If we downloaded a fresh version of the launcher, would that work? It took a fair amount of time for me to fix this certificate error and I'm not sure how to help my coworkers fix it without running the commands for each person myself; not everyone is capable of navigating the command line.
For the record, the things I tried that did not work were adding
-Dcom.sun.net.ssl.checkRevocation=false
to the launcher shell script (is this an outdated setting? Maybe there's a correct one under javax.net.ssl) and trying a few different settings in macOS's Java preferences (which I assume relate to a different JVM than the app launcher's?).
Error message: