SSL with Spring and Jetty - java

I am trying to implement SSL in my Spring app. I generated an SSL key with keytool and put it in my application.properties. During startup I get the message:
Jetty started on port(s) 8443 (ssl, http/1.1)
but when I try to send a REST query from my Angular 2 app I get the response "Aborted". Also, from a terminal curl query I get:
Trying ::1...
Connected to localhost (::1) port 8443 (#0)
found 173 certificates in /etc/ssl/certs/ca-certificates.crt
found 694 certificates in /etc/ssl/certs
ALPN, offering http/1.1
gnutls_handshake() failed: Handshake failed
Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed
Any idea? Thank you in advance.

Try to create your self-signed certificate with the following:
keytool -genkeypair -keystore keystore.jks -storepass PASSWORD -keypass PASSWORD -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=HOSTNAME, OU=Example, O=Example, L=Unspecified, ST=Unspecified, C=US" -ext "SAN=DNS:HOSTNAME,IP:IPADDRESS" -ext "BC=ca:true"
Change PASSWORD, HOSTNAME and IPADDRESS where needed.
Check whether Angular 2 is connecting via the HTTP/1.1 protocol; also verify localhost:8443 with curl. curl performs SSL certificate verification by default; if there's any error, please post it here.


Trying to download and setup the certificate from a remote SSL address for WebSocket connection but getting a "Signature does not match" exception

First I downloaded the certificate with:
echo "" | openssl s_client -connect io.lightstream.bitflyer.com:443 -showcerts 2>/dev/null | openssl x509 -out bitflyer.cer
Then I imported the certificate into a keychain:
keytool -import -file bitflyer.cer -alias bitflyer -keystore bitflyer.jks -storepass "abc123" -keypass "abc123"
So I'm trying to connect to io.lightstream.bitflyer.com:443. Below is my full handshake:
Sending HTTP handshake! req=GET / HTTP/1.1
Host: io.lightstream.bitflyer.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Sec-WebSocket-Key: 0enPg4mnHvLcT6s7+4mEGA==
Origin: http://www.websocket.org
Sec-WebSocket-Version: 13
But then I get:
Caused by: sun.security.validator.ValidatorException: Certificate signature validation failed
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:215)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 16 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:213)
... 21 more
Any ideas what I am doing wrong or how to debug that? Thanks!
openssl s_client -connect io.lightstream.bitflyer.com:443
The certificates you get here depend on the OpenSSL version. Up to 1.0.2 the server_name extension (SNI) was not used automatically (i.e. you had to use -servername explicitly), and without it the resulting certificate is a self-signed certificate for "Kubernetes Ingress Controller Fake Certificate". With SNI, though, the certificate is the proper certificate for "io.lightstream.bitflyer.com".
My guess is that you actually added the certificate for "Kubernetes Ingress Controller Fake Certificate" while Java is using SNI and thus getting the certificate for "io.lightstream.bitflyer.com" instead. Or it might be the other way around, depending on your version of OpenSSL, of Java and of the actual Java code.

Spring Boot app calling another Spring Boot app over HTTPS and getting SSL certificate verification error: "signature check failed"

I have two Spring Boot applications each running in their own docker container.
One is REST Client and the other is REST API.
When the client calls the API (i.e. GET https://localhost:8443/api/someResource), I get the following error:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Each spring boot app has its own keystore and self-signed certificate stored in
src/main/resources/keystore.p12
... here's what I have in the application.yml files:
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: somethingsecure
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: client or server (depending on which .yml file you're looking at)
I tested this outside of Docker and everything worked fine! I simply exported the API certificate out of the keystore.p12 file and imported it into my JRE cacerts file.
You can see from my REST Client Dockerfile, I do the same thing there:
FROM openjdk:8-jdk-alpine
EXPOSE 8443
WORKDIR /usr/src/app
COPY client.jar client.jar
COPY server.crt server.crt
RUN keytool -v -import -noprompt -alias server -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "client.jar"]
I've turned SSL debugging on and can see the following:
trustStore is: /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
...
adding as trusted cert:
Subject: CN=localhost, OU=Development, O=Microgen, L=Fleet, ST=Hampshire, C=UK
Issuer: CN=localhost, OU=Development, O=Microgen, L=Fleet, ST=Hampshire, C=UK
Algorithm: RSA; Serial number: 0x4c1fbbc3
Valid from Mon Apr 16 09:49:33 GMT 2018 until Tue Apr 16 09:49:33 GMT 2019
Any ideas?
Thanks,
Ben
I am no expert, but when exporting and importing the certificate I wonder whether in your new location the certificate chain is the same as in the location you took it from.
Here is a link that might provide some insight; see the Cause section:
https://confluence.atlassian.com/kb/connecting-to-ssl-services-802171215.html
I managed to figure this out this morning. The server certificate was simply corrupt, and since regenerating it, this has worked.
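For the SNI mix-up in the bitflyer question above and the "signature check failed" in the Docker question, here is an added diagnostic (my own code, not from either poster): it records the leaf certificate the server sends when Java connects with SNI, still runs the JVM's normal validation, and then compares that leaf by SHA-256 fingerprint against every entry of a truststore, also flagging a self-signed entry that no longer verifies with its own key. Host, port, truststore path and password are command-line arguments assumed for illustration.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.util.Collections;
import javax.net.ssl.*;

public class SniTrustCheck {
    // Hex SHA-256 fingerprint of the DER encoding, used to compare certificates by identity.
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    // Records the chain the server presents, then still applies the JVM's default trust validation.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default truststore (cacerts)
        X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { dflt.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; dflt.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {recording}, null);
        // createSocket(host, port) makes Java (7+) send the host name as SNI, exactly as an HTTPS client would.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLHandshakeException e) { System.out.println("default truststore rejected the server: " + e.getMessage()); }
        return seen[0];
    }
    public static void main(String[] args) throws Exception { // args: host port truststore.jks storepass (assumed)
        X509Certificate[] chain = fetchChain(args[0], Integer.parseInt(args[1]));
        if (chain == null) { System.out.println("no server certificate received"); return; }
        String serverFp = sha256(chain[0]);
        System.out.println("server leaf: " + chain[0].getSubjectX500Principal() + " " + serverFp);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        for (String alias : Collections.list(ts.aliases())) {
            X509Certificate t = (X509Certificate) ts.getCertificate(alias);
            if (t == null) continue;
            String note = ""; // set when a self-signed entry fails its own signature check (damaged file)
            if (t.getSubjectX500Principal().equals(t.getIssuerX500Principal())) { try { t.verify(t.getPublicKey()); } catch (Exception e) { note = "  CORRUPT: " + e.getMessage(); } }
            System.out.println(alias + ": " + t.getSubjectX500Principal() + " " + sha256(t)
                    + (sha256(t).equals(serverFp) ? "  <-- matches what the server sends" : "") + note);
        }
    }
}
```

If no alias is marked as matching, the truststore holds a different certificate than the one the server serves for that SNI name, which is the situation the bitflyer answer describes.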

Enable HTTPS with self-signed certificate on Spring Boot

I'm trying to launch a web server with HTTPS on Spring Boot 1.4 (and on 2.0.X), but I fail to connect to the started server.
Here are my steps:
Add SSL properties to application.yml:
server:
  ssl:
    enabled: true
    key-store: classpath:keystore.jks
    key-store-password: password
    key-password: password
    key-alias: tomcat
  port: 8443
Generate a self-signed certificate in src/main/resources:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
After running the application:
mvn clean install && java -jar target/audiochat.war
Then in the browser https://localhost:8433 (Chrome, Firefox, Edge):
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I tried to test the SSL handshake:
openssl s_client -connect localhost:8443
CONNECTED(000001A8)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1522596727
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
28412:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
Any ideas on the correct setup of HTTPS on Spring Boot?

Import Verisign SSL Certificate in Tomcat7

I am trying to install an SSL certificate in Tomcat7. This is what I have done so far.
Installed the SSL certificate received by email:
sudo ./keytool -import -trustcacerts -alias download.addressdoctor -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/certx509.cer
Installed the intermediate certificate:
sudo ./keytool -import -trustcacerts -alias intermediate -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/combined.cer
These are my entries in the keystore:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: adnewkey
Creation date: Sep 10, 2014
Entry type: trustedCertEntry
Owner: CN=website.com, OU=IT, O=company, L=City, ST=state, C=country
*******************************************
*******************************************
Alias name: mykey
Creation date: Sep 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=website.com, OU=IT, O=company
Now if I try to check the certificate through https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
it says it is a self-signed certificate, whereas I installed the certificate received from Verisign. If I remove the entry with alias "mykey", then it shows the error "no root certificate found".
Can you please help me by pointing out what I am doing wrong? Also, for running with an SSL certificate, what values should be present in the keystore?
Thanks,

Keytool generates SHA1 fingerprint instead of MD5?

I want to use Google Maps in my application. I have followed this tutorial to generate the MD5 fingerprint of my eventappkey.keystore, but keytool generates a SHA1 fingerprint instead of MD5, due to which I am unable to register for the Google API, as Google accepts the MD5 fingerprint of the keystore.
I have looked at other answers which suggest using jdk1.6, but is there a better way so that I do not need to move to jdk1.6? Any suggestion would be greatly appreciated.
If you add the -v (verbose) option to your command line, like:
keytool -v -list -alias alias_name -keystore my-release-key.keystore
it should show you the MD5 fingerprint.
If you use Android Studio, then use this method:
Syntax:
keytool -list -v -keystore "%USERPROFILE%\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android
Example:
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore c:\users\your_user_name\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
keytool error: java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
at sun.security.tools.KeyTool.doCommands(KeyTool.java:738)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore C:\Users\srinivas\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
Alias name: androiddebugkey
Creation date: Apr 8, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 4e7c69e7
Valid from: Wed Apr 08 15:17:20 IST 2015 until: Fri Mar 31 15:17:20 IST 2045
Certificate fingerprints:
MD5: 9D:C3:05:CB:FF:CA:06:31:8C:FC:FE:44:6C:94:BC:90
SHA1: 2F:88:EF:9D:1B:3E:35:87:18:7D:56:B5:95:83:9A:EF:C1:B3:25:B4
SHA256: 0F:D2:BC:2C:58:1B:16:3D:E3:5C:76:7D:C3:49:3A:A0:9D:95:4E:3E:6B:71:0B:F7:2B:23:72:54:B8:57:62:A2
Signature algorithm name: SHA256withRSA
Version: 3
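Added example (my own code, not from any of the posters) serving the fingerprint question here and the keystore questions in the Jetty, Spring Boot and Tomcat threads above: an audit that loads a JKS or PKCS12 store and reports, per alias, the entry type, chain length, whether the certificate is self-signed, the key algorithm, the SAN, and the MD5, SHA-1 and SHA-256 fingerprints in keytool's colon-separated format. The command-line arguments (path, store password, optional type) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Collections;

public class KeystoreAudit {
    // keytool-style colon-separated fingerprint; "MD5" yields the value the Maps registration asks for.
    static String fingerprint(String algorithm, Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) sb.append(i == 0 ? "" : ":").append(String.format("%02X", digest[i]));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed): java KeystoreAudit <keystore> <storepass> [JKS|PKCS12]
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        boolean serverUsable = false;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue; // e.g. a SecretKeyEntry, irrelevant for TLS
            boolean keyEntry = ks.isKeyEntry(alias);
            System.out.println(alias + ": " + (keyEntry ? "PrivateKeyEntry" : "trustedCertEntry"));
            if (keyEntry) {
                // Only a key entry can serve TLS; with no usable key entry (wrong alias or password, or only
                // trusted certs) the server can offer no cipher suite, which curl reports as "handshake failed".
                serverUsable = true;
                Certificate[] chain = ks.getCertificateChain(alias);
                boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
                System.out.println("  chain length " + chain.length + (selfSigned ? ", self-signed" : ""));
                // A CA-issued certificate imported under a different alias does not replace this one:
                // the key keeps its original self-signed certificate and the chain length stays 1.
            }
            String key = cert.getPublicKey().getAlgorithm();
            if (cert.getPublicKey() instanceof RSAKey) key += " " + ((RSAKey) cert.getPublicKey()).getModulus().bitLength();
            // DSA keys (the default of older keytool versions) are not supported by current browsers or TLS 1.3.
            System.out.println("  key " + key + ", signature " + cert.getSigAlgName());
            System.out.println("  SAN " + cert.getSubjectAlternativeNames()); // null when the extension is absent
            for (String d : new String[] {"MD5", "SHA-1", "SHA-256"}) System.out.println("  " + d + " " + fingerprint(d, cert));
        }
        if (!serverUsable) System.out.println("no private key entry: this store cannot back server.ssl.key-store");
    }
}
```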
