Hi,

On Wed, Jan 18, 2017 at 7:44 PM, John English <[email protected]> wrote:
> Further enquiries suggest I haven't got the private key in the keystore.

Yep.

> I have two files from letsencrypt.org: fullchain.pem and privkey.pem. I have
> followed the instructions in the Jetty docs at
> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates-via-pkcks12:

I used basically the same commands to set up https://webtide.com, which is served by Jetty (that also offloads TLS).
Differences inline.

> 1) openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert.p12 -name foo.ddns.net

I first cat together the fullchain and the privkey and then imported only one file.
Also, I did not use the -name option. Do you really need it?

> 2) rm keystore.test
>
> 3) keytool -importkeystore -destkeystore keystore.test -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass x -alias foo.ddns.net

Here too, I did not use the -alias option.

> The server then fails to start (java.security.UnrecoverableKeyException: Cannot recover key).

Are passwords correct?

> Looking at the keystore with keytool, it says this:
>
> Your keystore contains 1 entry
> foo.ddns.net, Jan 18, 2017, PrivateKeyEntry
>
> The examples I've seen suggest I should end up with 2 entries (a PrivateKeyEntry and a trustedCertEntry). Can anyone tell me what I'm doing wrong?

Not sure. Mind to try to follow the documentation exactly, and see if it works?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
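A small diagnostic that answers the two questions raised in this exchange, added here as an example; it is not code from the thread, from Jetty or from the JDK docs. `keytool -list` only shows that a PrivateKeyEntry exists; it never calls `KeyStore.getKey`, which is the call that throws `UnrecoverableKeyException: Cannot recover key` when the key password differs from what Jetty was given. That mismatch is easy to produce with the command quoted above: `keytool -importkeystore` with only `-srcstorepass` keeps the PKCS12 password on the imported key unless `-destkeypass` is supplied, while the destination store password is whatever was typed at the prompt. Jetty's `SslContextFactory` uses its key-manager password for the key and falls back to the keystore password when none is set, so the program below defaults the same way. It also prints the certificate chain length of the key entry, because a PKCS12 built from `fullchain.pem` and `privkey.pem` stores the chain inside the single PrivateKeyEntry; a separate trustedCertEntry is not needed for a server keystore. The class name `KeystoreCheck` and the command-line layout are the example's own choices.

```java
// KeystoreCheck.java -- added diagnostic, not part of the thread or of Jetty.
// Usage: java KeystoreCheck keystore.test JKS <storepass> [<keypass>]
//        java KeystoreCheck cert.p12 PKCS12 <storepass>
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreCheck <file> <JKS|PKCS12> <storepass> [<keypass>]");
            System.exit(2);
        }
        String file = args[0];
        String type = args[1];
        char[] storePass = args[2].toCharArray();
        // Jetty uses KeyManagerPassword for the key and the keystore password when
        // no separate one is configured; mirror that default here.
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass); // a wrong store password fails here, not at getKey
        }

        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.printf("%s: trustedCertEntry%n", alias);
                continue;
            }
            privateKeys++;
            try {
                // This is the call Jetty's key manager makes at startup; a key password
                // that differs from the store password surfaces as "Cannot recover key".
                Key key = ks.getKey(alias, keyPass);
                Certificate[] chain = ks.getCertificateChain(alias);
                int chainLength = chain == null ? 0 : chain.length;
                System.out.printf("%s: PrivateKeyEntry, %s key, chain length %d%n",
                        alias, key.getAlgorithm(), chainLength);
                if (chain != null) {
                    for (Certificate c : chain) {
                        if (c instanceof X509Certificate) {
                            X509Certificate x = (X509Certificate) c;
                            System.out.printf("    %s (expires %s)%n",
                                    x.getSubjectX500Principal(), x.getNotAfter());
                        }
                    }
                }
            } catch (UnrecoverableKeyException e) {
                System.out.printf("%s: PrivateKeyEntry, but the key password does not match"
                        + " the one given (%s)%n", alias, e.getMessage());
            }
        }
        if (privateKeys == 0) {
            System.out.println("no PrivateKeyEntry found: the server has no key to terminate TLS with");
        }
    }
}
```

Run it first against `cert.p12` with the PKCS12 password to confirm the export itself is sound, then against `keystore.test` with the store password alone; if the first run succeeds and the second reports a key-password mismatch, either re-import with `-destkeypass` equal to the store password or configure Jetty with both the keystore password and the key-manager password.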
