
OpenSSL use -CAFile on LetsEncrypt-Certificate


I'm currently trying to set up Confluence (6.6.0) on an Ubuntu server with Plesk (17.5.3) and the Let's Encrypt extension installed.

Confluence itself is up and running, but I am experiencing some issues when it comes to SSL. Securing the domain itself is easily done by just taking the "easy road" via the Plesk panel one-click installer.

The certificates are located at /usr/local/psa/var/modules/letsencrypt/etc/archive/<MY_DOMAIN>/

There are four .pem files in this directory:

  • cert1.pem
  • chain1.pem
  • fullchain1.pem
  • privkey1.pem

But now I need to tell Tomcat in the server.xml that I have this certificate installed.
Since the Plesk Let's Encrypt extension saves the files as .pem files, I need to convert them via OpenSSL to be able to use the Java keytool.
I found a nice tutorial about this topic in general right here:
http://robblake.net/post/18945733710/using-a-pem-private-key-and-ssl-certificate-with

When I try the following, I get stuck at the very beginning, when I try to execute

openssl pkcs12 -export -in <PATH>/cert1.pem -inkey <PATH>/privkey1.pem -out foo.p12 -name tomcat -chain -CAFile <PATH>/chain1.pem

The command itself runs when I am not using -CAFile and generates my .p12 file, but then throws a warning:

Error unable to get local issuer certificate getting chain.

If I try adding -CAFile /usr/local/psa/var/modules/letsencrypt/etc/archive/<MY_DOMAIN>/chain1.pem or using [...]/fullchain1.pem instead, nothing happens except OpenSSL printing the usage documentation.

So since these four .pem files are the only ones available, I'm not sure what else to do.

Since I need the intermediate certs too, I am wondering what I have to do here.


Solution

  • It looks like the chain1.pem file from Let's Encrypt is incomplete. In my case it contains only one certificate: the intermediate CA Let's Encrypt Authority X3.

    Check the contents of this file. In my case there was only one certificate.

    openssl x509 -noout -in chain1.pem -subject -issuer
    
    subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
    

    The reason for the error is that openssl is missing the certificate for DST Root CA X3.

    How to create the complete chain:

    1. Download the DST Root CA X3 certificate:

      wget http://apps.identrust.com/roots/dstrootcax3.p7c
      
    2. Convert it to PEM:

      openssl pkcs7 -inform der -in dstrootcax3.p7c -out dstrootcax3.pem -print_certs
      

      At this moment the certificate for DST Root CA X3 is in dstrootcax3.pem.

    3. Build the full chain (overwrites fullchain1.pem):

      cp chain1.pem fullchain1.pem
      echo >> fullchain1.pem
      cat dstrootcax3.pem >> fullchain1.pem
      
    4. Generate the P12 file:

      openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem -chain -CAfile fullchain1.pem -out cert1.p12 -name tomcat
      

    To check that all certificates are stored in P12 file:

     openssl pkcs12 -info -in cert1.p12
    

    Good luck with the keytool ;)
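The failure and the fix described in this answer, reproduced end to end as an added example that is not part of the question or the answer: the script builds a constructed three-level test PKI (root, intermediate, leaf, standing in for DST Root CA X3, Let's Encrypt Authority X3 and cert1.pem), then shows that `openssl pkcs12 -export -chain` fails while -CAfile holds only the intermediate and succeeds once the root is appended. It assumes openssl (1.1.1 or later) is on PATH; all names and the password are made up for the demonstration.

```shell
#!/bin/sh
# Constructed test PKI and PKCS#12 export check (example code, not the page's own).
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Constructed root CA (self-signed) and an intermediate CA signed by it.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Test Root' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Test Intermediate' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

# Leaf certificate and key, named as Plesk names them; chain1.pem holds only the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout privkey1.pem -out leaf.csr -subj '/CN=example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out cert1.pem -days 30 2>/dev/null
cp inter.pem chain1.pem

# The answer's step 3: the complete chain is intermediate + root.
cat chain1.pem root.pem > fullchain_complete.pem

# Export leaf + chain to PKCS#12 as in the answer's step 4. -chain makes openssl
# walk from the leaf up to a self-signed root using only what -CAfile contains,
# so the exit status tells whether the CA bundle is complete.
export_p12() {  # $1 = CA bundle, $2 = output .p12
  openssl pkcs12 -export -in cert1.pem -inkey privkey1.pem -chain \
    -CAfile "$1" -out "$2" -name tomcat -passout pass:changeit 2>/dev/null
}

# Number of certificates stored in a .p12 (the answer's -info check, counted).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if export_p12 chain1.pem incomplete.p12; then
  echo "unexpected: export succeeded with only the intermediate in -CAfile"
else
  echo "intermediate only: export fails (unable to get local issuer certificate)"
fi
export_p12 fullchain_complete.pem cert1.p12
echo "intermediate + root: cert1.p12 holds $(p12_cert_count cert1.p12) certificates"  # 3
```

The same two calls, run against Plesk's real chain1.pem before and after appending dstrootcax3.pem, tell you whether the bundle is complete before you touch keytool.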