Re: [jetty-users] Getting SSL working
Hi,

On Wed, Jan 18, 2017 at 7:44 PM, John English <john.foreign@xxxxxxxxx> wrote:
> Further enquiries suggest I haven't got the private key in the keystore.

Yep.

> I have two files from letsencrypt.org: fullchain.pem and privkey.pem. I have
> followed the instructions in the Jetty docs at
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates-via-pkcks12:

I used basically the same commands to set up https://webtide.com, which is served by Jetty (that also offloads TLS).
Differences inline.

> 1) openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert.p12
> -name foo.ddns.net

I first cat together the fullchain and the privkey and then imported only one file.
Also, I did not use the -name option. Do you really need it?

> 2) rm keystore.test
>
> 3) keytool -importkeystore -destkeystore keystore.test -srckeystore cert.p12
> -srcstoretype PKCS12 -srcstorepass x -alias foo.ddns.net

Here too, I did not use the -alias option.

> The server then fails to start (java.security.UnrecoverableKeyException:
> Cannot recover key).

Are passwords correct?

> Looking at the keystore with keytool, it says this:
>
> Your keystore contains 1 entry
>
> foo.ddns.net, Jan 18, 2017, PrivateKeyEntry
>
> The examples I've seen suggest I should end up with 2 entries (a
> PrivateKeyEntry and a trustedCertEntry). Can anyone tell me what I'm doing
> wrong?

Not sure.
Mind to try to follow the documentation exactly, and see if it works?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
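
An added example, not part of the original message: a check to run on the PKCS12 bundle before the keytool import, confirming that it opens with the password and that the private key inside matches the leaf certificate. It builds both variants from the thread (separate `-in`/`-inkey`, and one concatenated file); the self-signed certificate, the password `x` and the temporary directory are constructed stand-ins for the real Let's Encrypt files.

```shell
#!/bin/sh
# Added example: all files are generated here; nothing comes from a real server.
set -eu

# PEM public key of the first (leaf) certificate in a PEM file.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a PEM private key.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# True only if the bundle opens with the password and holds the leaf's private key.
# Args: bundle.p12 password chain.pem (a password on the command line is demo-only).
p12_key_matches() {
    p12_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    crt_pub=$(cert_pub "$3") || return 1
    [ -n "$p12_pub" ] && [ "$p12_pub" = "$crt_pub" ]
}

# Build both bundle variants discussed in the thread inside directory $1.
make_demo() (
    cd "$1"
    # Constructed self-signed stand-in for fullchain.pem / privkey.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=foo.ddns.net" \
        -keyout privkey.pem -out fullchain.pem 2>/dev/null
    # Original post: chain and key given separately, with -name.
    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem \
        -name foo.ddns.net -passout pass:x -out cert.p12
    # Reply: chain and key concatenated into one input file, no -name.
    cat fullchain.pem privkey.pem > combined.pem
    openssl pkcs12 -export -in combined.pem -passout pass:x -out combined.p12
)

DEMO_DIR=$(mktemp -d)
make_demo "$DEMO_DIR"
for p12 in cert.p12 combined.p12; do
    if p12_key_matches "$DEMO_DIR/$p12" x "$DEMO_DIR/fullchain.pem"; then
        echo "$p12: private key present and matches the leaf certificate"
    else
        echo "$p12: key missing, wrong password, or key/certificate mismatch"
    fi
done
```

If this check passes and the server still reports `Cannot recover key`, the bundle itself is sound and the remaining suspects are the passwords used during the keytool import and in the Jetty configuration.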