3

I received certificates from GoDaddy an I'm trying to enable SSL with Jetty but receive an error 107 SSL protocol error when connecting to https://server.com:8443

I generated the keystore using these commands :

keytool -keystore keystore -import -alias gd_bundle -trustcacerts -file gd_bundle.crt
keytool -keystore keystore -import -alias server.com -trustcacerts -file server.com.crt

and placed it in /opt/jetty/etc/

And used the following configuration in jetty.xml :

<Call name="addConnector">
   <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
         <Arg>
            <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
               <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/keystore</Set>
               <Set name="keyStorePassword">**password1**</Set>
               <Set name="keyManagerPassword">**password1**</Set>
               <Set name="trustStore"><SystemProperty name="jetty.home" default="."/>/etc/keystore</Set>
               <Set name="trustStorePassword">**password1**</Set>
            </New>
         </Arg>
         <Set name="port">8443</Set>
         <Set name="maxIdleTime">30000</Set>
         <Set name="Acceptors">2</Set>
         <Set name="statsOn">false</Set>
         <Set name="lowResourcesConnections">20000</Set>
         <Set name="lowResourcesMaxIdleTime">5000</Set>
      </New>
   </Arg>
</Call>

Am I missing something in jetty's configuration ?

Jerec TheSith
  • 163
  • 1
  • 3
  • 8

1 Answers1

3

I think the keystore aliases need to be the same when you're loading the .crt files back into your keystore file. I'm doing essentially the same thing you are using digicert certificates and here's the process I used to generate my .csr and incorporate the results back. Also I find the .p7b version of the certs easier to deal with then the individual .crt files. This may help you as well.

generate key pair and keystore file

% keytool -genkey -alias server -keyalg RSA -keystore star_mydom_com.jks \
  -dname "CN=*.mydom.com, O=<org>, L=<city>, ST=<state>, C=<country>"

generate .csr file

% keytool -certreq -alias server -file star_mydom_com.csr -keystore star_mydom_com.jks

import .p7b file to keystore file

% keytool -import -trustcacerts -alias server -file star_mydom_com.p7b \
  -keystore star_mydom_com.jks

obfuscate the password

% JETTY_VER=8.1.10.v20130312
% JETTY_HOME=$HOME/jetty_ssl/jetty-hightide-$JETTY_VER
% java -cp $JETTY_HOME/lib/jetty-util-${JETTY_VER}.jar \
    org.eclipse.jetty.util.security.Password jettyuser 'supersecretpassword'
supersecretpassword
OBF:1vny1yte1x8g1wml1yf21ym71sar1uuq1ym51t331ym91uvg1saj1ym71yf41wnl1x8e1yt81vn4
MD5:bbb2c5e63d2ef893106fdd0d797aa97a
CRYPT:je0/SbkypAbJA

add password to etc/jetty-ssl.xml

 <Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- digicert -->
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/star_mydom_com.jks</Set>
    <Set name="KeyStorePassword">OBF:1vny1yte1x8g1wml1yf21ym71sar1uuq1ym51t331ym91uvg1saj1ym71yf41wnl1x8e1yt81vn4</Set>
    <Set name="KeyManagerPassword">OBF:1vny1yte1x8g1wml1yf21ym71sar1uuq1ym51t331ym91uvg1saj1ym71yf41wnl1x8e1yt81vn4</Set>
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/star_mydom_com.jks</Set>
    <Set name="TrustStorePassword">OBF:1vny1yte1x8g1wml1yf21ym71sar1uuq1ym51t331ym91uvg1saj1ym71yf41wnl1x8e1yt81vn4</Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
       <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>

        <!--you can disable cipher suites in the following section. -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>

            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
 </Configure>
slm
  • 7,355
  • 16
  • 54
  • 72