Rest api to another instance of app

Hi, I am requesting some data from another CUBA application. Both apps are identical in settings.

Ubuntu 18.04.4 LTS, uberJar CUBA app with SSL enabled via jetty.xml (same setting as in the CUBA example)

But when requesting, all data requests fail because SSL validation does not pass.

If I, for example, shield the whole server with Cloudflare, the request passes, but Cloudflare eventually turns out to be more of a problem in conjunction with the CUBA app.

Does anybody happen to have solved something like this?

Hi,
There are two options:

  1. The SSL certificate is not trusted: it was issued by an untrusted authority.

  2. You haven't properly configured the SSL certificate chain in the application server.

What is a chain?
E.g. consider cuba-platform.com:
cuba-platform.com is signed with Thawte certificate.
Thawte certificate is signed by the DigiCert Global Root.

The “DigiCert Global Root” certificate must be in the list of trusted certificates on every local computer and server that accesses the https resource.

cuba-platform.com together with the Thawte certificate must be installed on the Jetty server.

You can debug the SSL negotiation with Linux command-line tools, e.g. “curl -v”

$ curl -v https://who.int
*   Trying 158.232.12.119:443...
* TCP_NODELAY set
* Connected to who.int (158.232.12.119) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.who.int
*  start date: Jan 17 00:00:00 2020 GMT
*  expire date: Apr 20 00:00:00 2022 GMT
*  subjectAltName: host "who.int" matched cert's "who.int"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: who.int
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Wed, 07 Oct 2020 06:54:02 GMT
< Server: Apache/2.4.46
< Location: http://www.who.int/
< Content-Length: 203
< Content-Type: text/html; charset=iso-8859-1
< 
...
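The chain rules above, as an added example that is not part of this answer or of the CUBA project: a shell script that builds a throwaway root, intermediate and leaf with openssl and then runs `openssl verify` in three client configurations, which is the same path building a Java client does against the Jetty server. Every name and path in it is made up.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway root -> intermediate -> leaf chain built
# with openssl, then "openssl verify" run the way a client validates a server. Names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_chain() {
    # Self-signed root: the "DigiCert Global Root" role from the answer above.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    # A second, unrelated root to stand in for a client trust store that lacks our root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
    # Intermediate signed by the root (the Thawte / Let's Encrypt CA role); must be marked CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
    # Leaf for the app host, signed by the intermediate (certbot's cert.pem role).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
    # What a correctly configured server sends: leaf followed by intermediate (fullchain.pem role).
    cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/fullchain.pem"
}
# Client trusts the root but the server sends only cert.pem: no path to the root, verify fails.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Client trusts the root and the server sends fullchain.pem: verify succeeds.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Client trust store lacks the root: even a complete chain from the server fails.
verify_wrong_root() {
    openssl verify -CAfile "$WORK/other.crt" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

gen_chain
for check in verify_leaf_only verify_full_chain verify_wrong_root; do
    if "$check"; then echo "$check: certificate verify ok"; else echo "$check: verify FAILED"; fi
done
```

Only the middle case succeeds; the first is what a Jetty keystore built from cert.pem alone produces, the third is what a calling JVM whose cacerts lacks the root produces, whatever the server sends.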

Hi @AlexBudarov.

I am using this sh script to generate and move the letsencrypt cert to its place. It is using certbot for letsencrypt key generation. In other words, the server is otherwise empty. There is nothing running on port 80 etc. They are only opened for certbot to resolve the certificate.

Should I also move the certificate to be accessible for apache2, or is it still misconfigured somehow? The app resolves normally with SSL enabled in the browser.

#!/bin/bash
# Domain name is read from the GCE instance metadata attribute "domena"
DOMAIN_NAME=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/domena" -H "Metadata-Flavor: Google" -s)
KEY_PASS=some-pass

# Create keystore: bundle the Let's Encrypt leaf cert, its private key and the intermediate into a PKCS12 file.
# Note: -CAfile is only consulted together with -chain; to actually include the intermediate
# in the file, pass certbot's chain.pem via -certfile.
echo "Refreshing '~/ssl/$DOMAIN_NAME.keystore'"
openssl pkcs12 -export \
         -in "/etc/letsencrypt/live/$DOMAIN_NAME/cert.pem" \
         -inkey "/etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem" \
         -out "/tmp/$DOMAIN_NAME.p12" \
         -name "$DOMAIN_NAME" \
         -certfile "/etc/letsencrypt/live/$DOMAIN_NAME/chain.pem" \
         -caname "Let's Encrypt Authority X3" \
         -password "pass:$KEY_PASS"
# Convert the PKCS12 file into the keystore Jetty reads (same password for store and key)
keytool -importkeystore \
        -deststorepass "$KEY_PASS" \
        -destkeypass "$KEY_PASS" \
        -deststoretype pkcs12 \
        -srckeystore "/tmp/$DOMAIN_NAME.p12" \
        -srcstoretype PKCS12 \
        -srcstorepass "$KEY_PASS" \
        -destkeystore "/tmp/$DOMAIN_NAME.keystore" \
        -alias "$DOMAIN_NAME"
# Move certificates to other servers
echo "Copy '~/$DOMAIN_NAME.keystore' location"
cp "/tmp/$DOMAIN_NAME.keystore" "/home/user/cuba/$DOMAIN_NAME.keystore"

and I am using Jetty with the following settings:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server">
                    <Ref refid="Server"/>
                </Arg>
                <Set name="port">8090</Set>
            </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server">
                    <Ref refid="Server"/>
                </Arg>
                <Arg>
                    <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
                        <Set name="keyStorePath">same.keystore</Set>
                        <Set name="keyStorePassword">some-pass</Set>
                        <Set name="keyManagerPassword">some-pass</Set>
                        <Set name="trustStorePath">same.keystore</Set>
                        <Set name="trustStorePassword">some-pass</Set>
                    </New>
                </Arg>
                <Set name="port">8443</Set>
            </New>
        </Arg>
    </Call>
</Configure>

You need to check your Jetty setup with curl.
E.g. as mentioned in this article:
https://www.sorcerers-tower.net/articles/configuring-jetty-for-https-with-letsencrypt

Confirm Jetty is serving requests with curl, for example:

curl -IsS https://www.example.com
You should see a 200 OK (or whatever you've configured the default response to be).

If you get certificate errors that disappear after adding -k to the above, this indicates Jetty is working but your certificate is not correct - pay attention to the error message.

This is really helpful. Now I know I definitely did something wrong. @AlexBudarov is there any noob step-by-step documentation on how to configure certificates for uberJar? At the moment I am using the same keystore for keyStorePath and trustStorePath. This, I guess, is wrong.