Comments (10)
acme4j uses a local keystore for the self-signed certificate used by the Pebble server. It seems that com.ibm.crypto.provider.JavaKeyStore is unable to read that keystore format.
I have tried to reproduce this error with Oracle JDK, OpenJDK and also OpenJ9, but the connection always succeeded. Maybe IBM's J9 or Domino expects a different keystore format, but I have no way to test that here.
Can you try to create your own pebble truststore with the keytool on your machine? You can find the pebble.minica.pem here, and convert it with:
openssl x509 -outform der -in pebble.minica.pem -out pebble.minica.der
keytool -import -alias pebble -keystore pebble.truststore -file pebble.minica.der
The keystore password is acme4j. Copy the generated pebble.truststore file to acme4j-client/src/main/resources/org/shredzone/acme4j/provider/pebble/pebble.truststore.
from acme4j.
I have checked the existing truststore with keytool.
Next I created a new truststore as suggested and rebuilt the acme4j-client.2.0-SNAPSHOT
Rebuilt my project and now the error is gone. Will contact IBM regarding this issue.
C:\tools\OpenSSL\bin>keytool -list -keystore pebble.org.truststore
keytool error (likely untranslated): java.io.IOException: Invalid keystore format
C:\tools\OpenSSL\bin>keytool -list -keystore pebble.truststore
Enter keystore password:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
pebble, Jan 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 3C:19:DA:2D:22:5C:FB:D7:C7:6B:CA:1B:FF:81:65:A2:42:02:8C:C2
Can you give the pebble.truststore in the attached zip file a try? I created the original truststore with OpenJDK, and the attached truststore with Oracle JDK. Thanks!
Sorry, does not work. Same error: Caused by: java.io.IOException: Invalid keystore format
Would it be an idea not to use a local truststore but let the user / developer import the certificate into the system cacerts?
OK, it was worth a try... Thank you!
The Pebble cert should never be added to the system cacerts. The corresponding CA private key is intentionally made public, so it would be easy to generate all kinds of fake SSL certificates that would be deemed valid by the system.
An alternative approach could be to read the PEM file to the KeyStore directly. Then we could completely avoid the openssl and keytool conversion. I'll have a look at that later. There are some other things I need to get completed first, before the official ACMEv2 launch in February.
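The "read the PEM directly" idea from the comment above, written out as an added example (not acme4j's own code): the Pebble CA certificate is parsed from PEM into an empty in-memory KeyStore, so no JKS or PKCS12 file has to be read by the JVM's provider at all, and the resulting SSLContext is kept private to the Pebble connection instead of being installed as the JVM default. The classpath location of pebble.minica.pem is an assumption.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PebbleTrust {

    /** Builds an in-memory trust store containing only the certificate(s) from the PEM stream. */
    public static KeyStore loadPebbleTrustStore(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // load(null, null) creates an empty store in the provider's own default type,
        // so the JKS-vs-PKCS12 on-disk format question never arises.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int count = 0;
        for (Certificate cert : cf.generateCertificates(pem)) {
            ks.setCertificateEntry("pebble-" + count++, cert);
        }
        if (count == 0) {
            throw new IllegalStateException("no certificate found in PEM input");
        }
        return ks;
    }

    /**
     * SSLContext that trusts only the given store. Deliberately NOT passed to
     * SSLContext.setDefault(): the Pebble CA key is public, so this trust must
     * stay scoped to the Pebble connection and never leak into system-wide trust.
     */
    public static SSLContext pebbleSslContext(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed resource path; adjust to wherever pebble.minica.pem is packaged.
        String resource = "org/shredzone/acme4j/provider/pebble/pebble.minica.pem";
        try (InputStream in = PebbleTrust.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException("resource not found: " + resource);
            KeyStore ks = loadPebbleTrustStore(in);
            X509Certificate ca = (X509Certificate) ks.getCertificate("pebble-0");
            System.out.println("Trusting " + ca.getSubjectX500Principal() + " for Pebble only");
            SSLContext ctx = pebbleSslContext(ks);
            // e.g. HttpsURLConnection#setSSLSocketFactory(ctx.getSocketFactory()) for the Pebble URL
        }
    }
}
```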
thx! no worries. I have a running environment now.
I have an issue when I run the APK as a debug build. And it's an issue for some older projects, like this:
Execution failed for task ':app:packageDebug'.
A failure occurred while executing com.android.build.gradle.tasks.PackageAndroidArtifact$IncrementalSplitterRunnable
com.android.ide.common.signing.KeytoolException: Failed to read key AndroidDebugKey from store "C:\Users\admin.android\debug.keystore": Invalid keystore format
@vocsyurvish I'm sorry, but this problem is unrelated to acme4j. Maybe you will find help in an Android forum.
@shred Thank you for the suggestion :)