
Comments (10)

shred commented on May 18, 2024

acme4j uses a local keystore for the self-signed certificate used by the Pebble server. It seems that com.ibm.crypto.provider.JavaKeyStore is unable to read that keystore format.

I have tried to reproduce this error with Oracle JDK, OpenJDK and also OpenJ9, but the connection always succeeded. Maybe IBM's J9 or Domino expects a different keystore format, but I have no way to test that here.

Can you try to create your own pebble truststore with the keytool on your machine? You can find the pebble.minica.pem here, and convert it with:

openssl x509 -outform der -in pebble.minica.pem -out pebble.minica.der
keytool -import -alias pebble -keystore pebble.truststore -file pebble.minica.der

The keystore password is acme4j. Copy the generated pebble.truststore file to acme4j-client/src/main/resources/org/shredzone/acme4j/provider/pebble/pebble.truststore.

from acme4j.

eknori commented on May 18, 2024

I have checked the existing truststore with keytool.
Next I created a new truststore as suggested and rebuilt the acme4j-client.2.0-SNAPSHOT

Rebuilt my project and now the error is gone. Will contact IBM regarding this issue.

C:\tools\OpenSSL\bin>keytool -list -keystore pebble.org.truststore
keytool error (likely untranslated): java.io.IOException: Invalid keystore format

C:\tools\OpenSSL\bin>keytool -list -keystore pebble.truststore
Enter keystore password:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

pebble, Jan 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 3C:19:DA:2D:22:5C:FB:D7:C7:6B:CA:1B:FF:81:65:A2:42:02:8C:C2

from acme4j.

shred commented on May 18, 2024

Can you give the pebble.truststore in the attached zip file a try? I created the original truststore with OpenJDK, and the attached truststore with Oracle JDK. Thanks!

truststore.zip

from acme4j.

eknori commented on May 18, 2024

Sorry, does not work. Same error: Caused by: java.io.IOException: Invalid keystore format

from acme4j.

eknori commented on May 18, 2024

Would it be an idea not to use a local truststore but let the user / developer import the certificate into the system cacerts?

from acme4j.

shred commented on May 18, 2024

OK, it was worth a try... Thank you!

The Pebble cert should never be added to the system cacerts. The corresponding CA private key is intentionally made public, so it would be easy to generate all kinds of fake SSL certificates that would be deemed valid by the system.

An alternative approach could be to read the PEM file to the KeyStore directly. Then we could completely avoid the openssl and keytool conversion. I'll have a look at that later. There are some other things I need to get completed first, before the official ACMEv2 launch in February.

from acme4j.
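
The approach suggested in the comment above (load the PEM into an in-memory KeyStore and keep the Pebble CA out of the system cacerts), sketched as an added example that is not acme4j's own code. The class name PebbleTrust and method contextFromPem are hypothetical, and the PEM path is assumed to point at a local copy of pebble.minica.pem.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PebbleTrust {

    /** Builds an SSLContext that trusts only the certificates in the given PEM stream. */
    static SSLContext contextFromPem(InputStream pem) throws Exception {
        // The X.509 CertificateFactory accepts PEM (BEGIN/END CERTIFICATE) as well as DER.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Empty in-memory keystore of the JVM's default type: no keystore file is parsed,
        // so no provider-specific on-disk format is involved.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);

        int n = 0;
        for (Certificate cert : cf.generateCertificates(pem)) {
            ks.setCertificateEntry("pebble-" + n++, cert);
        }
        if (n == 0) {
            throw new IllegalArgumentException("no certificate found in PEM input");
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a local copy of pebble.minica.pem (assumption of this example)
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            SSLContext ctx = contextFromPem(in);
            // Apply ctx.getSocketFactory() only to the connection to the Pebble test server,
            // e.g. via HttpsURLConnection#setSSLSocketFactory; the JVM-wide cacerts stays untouched.
            System.out.println("Pebble-only SSLContext ready: " + ctx.getProtocol());
        }
    }
}
```

Because the trust anchor lives only in this SSLContext, every other TLS connection made by the JVM still validates against the default trust store.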

eknori commented on May 18, 2024

thx! no worries. I have a running environment now.

from acme4j.

vocsyurvish commented on May 18, 2024

I have an issue when I run the APK as debug.
And it's an issue for some older projects:

like this:

Execution failed for task ':app:packageDebug'.

A failure occurred while executing com.android.build.gradle.tasks.PackageAndroidArtifact$IncrementalSplitterRunnable
com.android.ide.common.signing.KeytoolException: Failed to read key AndroidDebugKey from store "C:\Users\admin.android\debug.keystore": Invalid keystore format

from acme4j.

shred commented on May 18, 2024

@vocsyurvish I'm sorry, but this problem is unrelated to acme4j. Maybe you will find help in an Android forum.

from acme4j.

vocsyurvish commented on May 18, 2024

@shred Thank you for the suggestion :)

from acme4j.
