Install letsencrypt in java certificate keystore (PKIX path building failed error handling 2nd)

Background

The other day, as a workaround for the following error,

[Error message]sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[Error summary]class javax.net.ssl.SSLHandshakeException
[Where the error occurred]
Alerts.java[192] sun.security.ssl.Alerts.getSSLException
SSLSocketImpl.java[1949] sun.security.ssl.SSLSocketImpl.fatal
Handshaker.java[302] sun.security.ssl.Handshaker.fatalSE
Handshaker.java[296] sun.security.ssl.Handshaker.fatalSE
ClientHandshaker.java[1509] sun.security.ssl.ClientHandshaker.serverCertificate

I wrote the following article.

Correcting the PKIX path building failed error: import the API server's TLS certificate into the truststore of the JVM

This eliminates the API request error, but on reflection you will probably have to re-import the certificate every time the other party's server certificate is renewed, because the imported leaf certificate expires with it.

So, as a more fundamental fix, I investigated how to install the Let's Encrypt CA certificates themselves. The following post describes the procedure in detail.

SSL error: How to import the Let's Encrypt certificates in the Java truststore - Tutorials & Examples / Solutions - openHAB Community

Someone has also published the above procedure as a shell script on GitHub, which is what I use this time.

install-letsencrypt-in-jdk.sh

Execution method

Script download

Clone it from GitHub. Give the directory a name that makes its purpose easy to recognise later.

$ git clone https://gist.github.com/109b0f1a90156f6c933a50fe40aa777e.git install_letsencrypt_to_java_cacerts
$ cd install_letsencrypt_to_java_cacerts

Java home directory check

Find the location of the Java home directory where you want to install the certificate.

Commands such as echo $JAVA_HOME, which java, and locate cacerts are useful for this.

Backup of keystore files

Back up the keystore file (cacerts) in case the installation fails. The file is located at jre/lib/security/cacerts under the Java home directory.

Run

$ sudo ./install-letsencrypt-in-jdk.sh <Java home directory, e.g. /usr/java/latest>

Execution result

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/letsencryptauthorityx1.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1425 (1.4K) [application/x-x509-ca-cert]
Saving to: ‘letsencryptauthorityx1.der’

letsencryptauthorityx1.der             100%[=========================================================================>]   1.39K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (247 MB/s) - ‘letsencryptauthorityx1.der’ saved [1425/1425]

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/letsencryptauthorityx2.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1425 (1.4K) [application/x-x509-ca-cert]
Saving to: ‘letsencryptauthorityx2.der’

letsencryptauthorityx2.der             100%[=========================================================================>]   1.39K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (255 MB/s) - ‘letsencryptauthorityx2.der’ saved [1425/1425]

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1196 (1.2K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x1-cross-signed.der’

lets-encrypt-x1-cross-signed.der       100%[=========================================================================>]   1.17K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (136 MB/s) - ‘lets-encrypt-x1-cross-signed.der’ saved [1196/1196]

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1196 (1.2K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x2-cross-signed.der’

lets-encrypt-x2-cross-signed.der       100%[=========================================================================>]   1.17K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (217 MB/s) - ‘lets-encrypt-x2-cross-signed.der’ saved [1196/1196]

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1174 (1.1K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x3-cross-signed.der’

lets-encrypt-x3-cross-signed.der       100%[=========================================================================>]   1.15K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (215 MB/s) - ‘lets-encrypt-x3-cross-signed.der’ saved [1174/1174]

--2019-06-29 10:28:00--  https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1174 (1.1K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x4-cross-signed.der’

lets-encrypt-x4-cross-signed.der       100%[=========================================================================>]   1.15K  --.-KB/s    in 0s      

2019-06-29 10:28:00 (220 MB/s) - ‘lets-encrypt-x4-cross-signed.der’ saved [1174/1174]

Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore

This script is designed to be run repeatedly, so before importing each certificate it first removes any previously installed copy from the keystore. On the first run the aliases do not exist yet, so the following errors appear, but they are harmless.

** Delete process (6 in total) **

keytool -delete -alias isrgrootx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true

** Errors that occur only for the first time (6 in total) **

keytool error: java.lang.Exception: Alias <isrgrootx1> does not exist
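The gist script silences every keytool error with "2> /dev/null || true" and imports whatever was downloaded. As an added example (not the script from the page), here is an idempotent shell function that pins each DER file's SHA-256 fingerprint to a value obtained out of band before importing it, and only deletes an alias that actually exists; keytool on PATH, sha256sum or shasum, the default store password changeit, and the expected fingerprints are assumptions.

```shell
#!/bin/sh
# Added example, not the gist script from the page. Imports one DER CA
# certificate into a JVM cacerts file only if its SHA-256 fingerprint matches
# a value obtained out of band, and checks for the alias before deleting it
# instead of hiding every keytool error behind '2>/dev/null || true'.
# Assumptions: keytool on PATH, sha256sum or shasum available, storepass changeit.

# SHA-256 over the DER bytes is exactly the "SHA256" fingerprint keytool prints.
der_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Normalise a fingerprint copied from a web page: drop colons, lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# install_pinned_cert <der-file> <alias> <expected-sha256> <keystore>
# Returns 1 without touching the keystore when the fingerprint differs.
install_pinned_cert() {
    der=$1; alias=$2; expected=$(normalize_fp "$3"); keystore=$4
    actual=$(der_fingerprint "$der")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $der: got $actual, expected $expected" >&2
        return 1
    fi
    # Delete only when the alias is really present; other keytool failures
    # (wrong password, unreadable keystore) now surface instead of being hidden.
    if keytool -list -alias "$alias" -keystore "$keystore" -storepass changeit >/dev/null 2>&1; then
        keytool -delete -alias "$alias" -keystore "$keystore" -storepass changeit || return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$der" -keystore "$keystore" -storepass changeit
}

# Usage with a PLACEHOLDER fingerprint: the expected value must come from
# Let's Encrypt's own certificate page, never from the downloaded file itself.
# install_pinned_cert isrgrootx1.der isrgrootx1 '<SHA256-FROM-LETSENCRYPT-PAGE>' \
#     "$JAVA_HOME/jre/lib/security/cacerts"
```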

Installation confirmation

Check if it was installed using keytool.

$ keytool -v -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep isrgrootx1
Enter keystore password: changeit ★ type changeit and press Enter ★
Alias name: isrgrootx1 ★ if this line is displayed, the installation succeeded ★

Reboot

As also mentioned on GitHub, a reboot is required afterwards.

Operation check

Check if the API request results in an error.

That's all. I hope this helps.
