Hi,

This is how I import the certificate when there is no private key:

# keytool -importcert -file uim.ip-spotlight.pem -keystore keystore -alias xxx40
Enter keystore password:
Owner: [email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT
Issuer: [email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT
Serial number: c7f48113270982ef
Valid from: Tue Sep 29 21:12:58 CEST 2009 until: Fri Sep 27 21:12:58 CEST 2019
Certificate fingerprints:
         MD5:  D5:40:58:CF:C2:F7:88:CF:61:78:3E:18:A9:88:2C:79
         SHA1: 8D:01:09:F0:4A:4F:2C:FA:AB:12:FC:6E:00:23:4B:87:B0:8C:B2:7D
         SHA256: 2E:40:60:D3:1C:82:AB:70:80:DF:BE:92:AC:20:58:FF:39:E3:70:B1:B3:FD:E8:C8:E3:A3:E8:0D:E7:2A:F5:18
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 30 32 4D A0 5B 3D 0B 34   19 2C AA F2 DA 2D EF D4  02M.[=.4.,...-..
0010: 2B 27 AE F8                                        +'..
]
[[email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT]
SerialNumber: [    c7f48113 270982ef]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 30 32 4D A0 5B 3D 0B 34   19 2C AA F2 DA 2D EF D4  02M.[=.4.,...-..
0010: 2B 27 AE F8                                        +'..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".

Then it says:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The troubleshooting step above gives:

# openssl s_client -connect xxx40:636 | sed -n '/Certificate chain/,/^---/p'
depth=1 C = AT, ST = Vienna, O = UPC, CN = cio.net, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:/O=UPC/CN=xxx40
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
 1 s:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
---

PS. I still cannot find out how to call `jrunscript` from JDK.

Could you please advise what/if I am doing wrong?

On Wednesday, October 24, 2018 at 11:01:53 PM UTC+2, Nikos Skalis wrote:
>
> Hi Arvind,
>
> Thank you very much for the advice.
>
> JAVA_HOME is not set. And I am not able to see (after a lot of googling)
> how I can install "jrunscript" or run it.
>
> Since the issue seems to be confusing, I did a clean install of GoCD.
>
> go]# keytool -list -v -keystore keystore -storepass serverKeystorepa55w0rd
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: cruise
> Creation date: Oct 24, 2018
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
> Issuer: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
> Serial number: 5ea8c241be3
> Valid from: Thu Jan 01 01:00:00 CET 1970 until: Tue Oct 24 19:29:50 CEST 2028
> Certificate fingerprints:
>          MD5:  38:EE:4A:E3:5D:91:24:A7:44:0F:01:E2:34:C7:18:93
>          SHA1: 10:9B:AA:43:D8:11:42:49:C2:84:32:70:FB:6D:1D:0E:1F:26:D8:6A
>          SHA256: 51:D8:E3:6C:C3:17:39:A8:FE:AB:0E:FB:C0:13:31:1D:04:2F:51:F8:AC:84:80:4B:C8:AC:35:96:8E:40:AE:B4
> Signature algorithm name: SHA512withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 1
>
> *******************************************
> *******************************************
>
> Warning:
> The JKS keystore uses a proprietary format. It is recommended to migrate
> to PKCS12 which is an industry standard format using "keytool
> -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype
> pkcs12".
>
> What is different in my case compared to what is described in
> https://docs.gocd.org/current/installation/ssl_tls/custom_server_certificate.html
> is that the CA cert is used to make sure the (LDAP) server is presenting the
> right cert before I send my credentials to it.
>
> All we need to do is to import the cacert into the keystore:
>
> keytool -importkeystore -srckeystore uim.ip-spotlight.pem -srcstoretype
> PKCS12 -destkeystore keystore -srcalias 1 -destalias cruise -deststorepass
> serverKeystorepa55w0rd -destkeypass serverKeystorepa55w0rd
>
> Importing keystore uim.ip-spotlight.pem to keystore...
> Enter source keystore password:
> keytool error: java.io.IOException: toDerInputStream rejects tag type 45
>
> Taking a step back; can you advise what is the exact command to import the
> cacert into the keystore, in order for the connection to LDAP to work? This
> is not described in the docs.
>
> In non-Java apps, you just point to the certificate and it works.
>
>
> On Wednesday, October 24, 2018 at 5:31:38 PM UTC+2, Aravind SV wrote:
>>
>> On Wed, Oct 24, 2018 at 12:43:06 +0200, Nikos Skalis wrote:
>> > Seems to make progress, but now am getting a different error:
>> >
>> > Caused by: javax.net.ssl.SSLHandshakeException:
>> > sun.security.validator.ValidatorException: PKIX path building failed:
>> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> > valid certification path to requested target
>>
>> It's still a problem with the certificates and the chain. Still nothing
>> to do with GoCD directly.
>>
>> What is the output of the command I mentioned last time?
>>
>> --- --- ---
>> jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("LDAP_SERVER_URL_YOU_ARE_USING", 636).startHandshake())'
>> --- --- ---
>>
>> You can find out the certificates you have in your cacerts by doing this:
>>
>> --- --- ---
>> echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:'
>> --- --- ---
>>
>> You can then find the cert chain used by your LDAP server by doing this:
>>
>> --- --- ---
>> openssl s_client -connect LDAP_SERVER_URL_YOU_ARE_USING:636 | sed -n '/Certificate chain/,/^---/p'
>> --- --- ---
>>
>> The certs in the chain (especially the last one in that chain) will need
>> to be in the list returned by keytool. My guess is that it's not.
>>
>> As an example, google.com's root cert is not in my cacerts and so Java
>> is unable to connect to google.com, for me:
>>
>> --- --- ---
>> $ openssl s_client -connect google.com:443 | sed -n '/Certificate chain/,/^---/p'
>> Certificate chain
>>  0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
>>    i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
>>  1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
>>    i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
>> ---
>>
>> $ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:' | grep GlobalSign
>> # Returns no matches.
>>
>> $ jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("google.com", 443).startHandshake())'
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>         at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:531)
>>         at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:448)
>>         at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:405)
>>         ...
>> --- --- ---
>>
>> If I add that root cert, the one named GlobalSign, I'm sure Java will be
>> able to connect.
>>
>> Cheers,
>> Aravind
>>
>> PS: Make sure you're using the same Java version for GoCD that you're
>> running locally (for JAVA_HOME, keytool, jrunscript, etc.)
>>
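As an added example (not code from the thread or from GoCD), a POSIX shell helper that applies Aravind's rule to the chain listing from `openssl s_client | sed -n '/Certificate chain/,/^---/p'`: it prints the DN that must show up as an `Owner:` entry in the Java truststore, telling apart a chain that ends in a self-signed root (the xxx40 LDAP server) from one whose root the server never sends (the google.com case). The sample chains are constructed from the outputs quoted above; the second helper classifies a certificate file as PEM or DER from its first byte, since tag type 45 is 0x2D, the ASCII `-` that opens a PEM `-----BEGIN` header, which is what `-importkeystore -srcstoretype PKCS12` was handed above.

```shell
#!/bin/sh
# Added example, not from the thread. Sample chain listings are constructed
# from the outputs quoted above, in the form produced by
#   openssl s_client -connect HOST:636 | sed -n '/Certificate chain/,/^---/p'

# Chain that ends in a self-signed root (the xxx40 LDAP server case).
CHAIN_WITH_ROOT=' 0 s:/O=UPC/CN=xxx40
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net
 1 s:/C=AT/ST=Vienna/O=UPC/CN=cio.net
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net
---'

# Chain that stops at an intermediate; the root is not sent (google.com case).
CHAIN_NO_ROOT=' 0 s:/C=US/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---'

# Read a chain listing on stdin and print the DN the truststore must hold.
# If the last cert is self-signed (subject == issuer) that cert itself is the
# trust anchor; otherwise its issuer is a root the server did not send and
# must already be in cacerts. Works with both the "s:/C=..." and the newer
# "s:C = ..." spellings, since only the prefix is stripped.
trust_anchor_dn() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
    END {
      if (subj == iss) print "root in chain, import its subject: " subj
      else             print "root missing from chain, need issuer: " iss
    }'
}

# Classify a certificate file by its first byte: 0x2d ("-") opens a PEM
# "-----BEGIN" header, 0x30 is the DER SEQUENCE tag. A PEM file fed to a
# DER reader yields "toDerInputStream rejects tag type 45" (45 = 0x2d).
cert_encoding() {
  case "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" in
    2d) echo pem ;;
    30) echo der ;;
    *)  echo unknown ;;
  esac
}

printf '%s\n' "$CHAIN_WITH_ROOT" | trust_anchor_dn
printf '%s\n' "$CHAIN_NO_ROOT" | trust_anchor_dn
```

Grep the printed CN against the `keytool -list -v ... | grep 'Owner:'` output; a PEM-classified file goes through `keytool -importcert`, which reads PEM, rather than `-importkeystore`.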
