B4J Question VPS ssl on port 8000 for a b4j webserver

yfleury

Active Member
Licensed User
Longtime User
Because this subject began here
https://www.b4x.com/android/forum/threads/vps-jar-error.147321/
But that was not the right thread and it was getting confusing, so now it's in the right place.

I have a VPS server and a B4J webserver running on port 8000.
On my local computer, I created a keystore and uploaded it to the VPS.
Now I can access my B4J webserver on the VPS by https on port 8000. But I receive a warning that the browser will not trust the certificate.
On the VPS I use Let's Encrypt on port 443, and port 80 is redirected to https (443).
So I can download the .pem files.
I have access to

CSR

like this
-----BEGIN CERTIFICATE REQUEST-----
MIICqDCCAZACAQAwHDEa
....
....
auJxKwzQyE+4xhHWyQotdN2QmnPtmcyZfdaSq8NwREK5baJeE3/rbyrb0WNQ9nad
lD2/ugslDfJtLYPI
-----END CERTIFICATE REQUEST-----

Private key (*.key)

Certificate (*.crt)

CA certificate (*-ca.crt)

Now I am stuck here. Can I do something with the keystore and this information (the Let's Encrypt things)?
What is next?
 

aaronk

Well-Known Member
Licensed User
Longtime User
 

Magma

Expert
Licensed User
Longtime User
...Hmmm, you mean you created a custom/hand-made certificate on your local PC to use it... and you get a warning that it is not trusted... It is right that it is not trusted...

If you create a Let's Encrypt one... and use it in the "keystore", it will be trusted.. (I think - because lately I use only MQTT, which uses the same certificates as Apache)

You can use Let's Encrypt with the B4J server... read some of these:

 

yfleury

Active Member
Licensed User
Longtime User
I have this error
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
I updated and upgraded the VPS and installed certbot, still the same error.
 

yfleury

Active Member
Licensed User
Longtime User
Thanks @Magma , I will look on that.

I asked ChatGPT this:
User: I have access to the CSR file, Private key (.key), Certificate (.crt), CA certificate (*-ca.crt), how can I use them with the keystore?

AI: To use these files with the keystore, you will need to import them into the keystore using the keytool command. First, import the private key and certificate into a PKCS12 keystore using the following command:

keytool -importkeystore -srckeystore your_private_key.key -srcstoretype PKCS8 -destkeystore your_keystore.p12 -deststoretype PKCS12 -alias your_alias_name

You will need to provide the password for your private key and choose a new password for the PKCS12 keystore. Next, import the CA certificate into the keystore using the following command:

keytool -importcert -keystore your_keystore.jks -file your_ca_certificate.crt -alias your_ca_alias_name

Finally, you can import the certificate chain into the keystore using the following command:

keytool -importcert -keystore your_keystore.jks -file your_certificate.crt -alias your_alias_name -trustcacerts

You will need to provide the password for the keystore and choose a new alias name for the certificate chain.
Not tried, but I am not sure it is good.
 

nbarakat

Member
This is how I do it on Ubuntu to renew my certificate:

rm jetty.keystore
# convert certificate chain + private key to the PKCS#12 file format
# (YOURKEYSTOREPASSWORD is the password you will use in B4J)
openssl pkcs12 -export -out keystore.pkcs12 -in YOURPATHTO/fullchain.pem -inkey YOURPATHTO/privkey.pem -name jetty -passout YOURKEYSTOREPASSWORD

# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore jetty.keystore -storepass THEPASSWORDINABOVESTATEMENT -srcstorepass THEPASSWORDINABOVESTATEMENT

# don't need the PKCS#12 file anymore
rm keystore.pkcs12

Note: YOURPATHTO is usually /etc/letsencrypt/live/yourdomain

You need to repeat the process every time you renew your letsencrypt cert.
Then you would need to restart your B4J server app.

Hope this works for you.
 
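As an added example (not nbarakat's script and not code from the thread), here are the same three steps wrapped in a certbot deploy hook, so the keystore is rebuilt automatically at every renewal instead of by hand. RENEWED_LINEAGE is the variable certbot exports to deploy hooks; KEYSTORE_DIR, KEYSTORE_PASS, RESTART_CMD and the b4j-webserver service name are placeholders chosen for this example. It also shows the `pass:` prefix that the thread's "Invalid password argument" error came from, and verifies the result with keytool before the server is restarted.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the Jetty keystore from the
# renewed Let's Encrypt files (fullchain.pem + privkey.pem).
# Assumed: RENEWED_LINEAGE is set by certbot; KEYSTORE_DIR, KEYSTORE_PASS and
# RESTART_CMD are placeholders for this example.
set -eu

# Build the openssl -passout argument. The "pass:" prefix is required;
# "-passout 236541" fails with "Invalid password argument".
passout_arg() {
    printf 'pass:%s' "$1"
}

# Check that the Let's Encrypt live directory has both input files.
# Returns 0 when both are readable, 1 otherwise (reports what is missing).
require_inputs() {
    live="$1"
    status=0
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            status=1
        fi
    done
    return "$status"
}

# Convert fullchain.pem + privkey.pem into jetty.keystore through a temporary
# PKCS#12 file that is deleted afterwards. The keystore holds the private key,
# so it is created owner-readable only (umask 077).
build_keystore() {
    live="$1"; outdir="$2"; pass="$3"
    require_inputs "$live"
    umask 077
    p12=$(mktemp "$outdir/keystore.XXXXXX")
    trap 'rm -f "$p12"' EXIT
    openssl pkcs12 -export -out "$p12" \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name jetty -passout "$(passout_arg "$pass")"
    # Write to a temporary name and rename, so the server never loads a
    # half-written keystore.
    tmpks="$outdir/jetty.keystore.new"
    rm -f "$tmpks"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$tmpks" -storepass "$pass"
    mv "$tmpks" "$outdir/jetty.keystore"
    rm -f "$p12"
}

# Confirm the keystore opens with the password and contains the "jetty" alias
# that B4J/Jetty will look for.
verify_keystore() {
    keytool -list -keystore "$1" -storepass "$2" -alias jetty >/dev/null
}

# Entry point: only runs when certbot invokes the hook (RENEWED_LINEAGE set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    KEYSTORE_DIR="${KEYSTORE_DIR:-/etc/b4j}"               # placeholder
    KEYSTORE_PASS="${KEYSTORE_PASS:?set KEYSTORE_PASS}"    # placeholder
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE_DIR" "$KEYSTORE_PASS"
    verify_keystore "$KEYSTORE_DIR/jetty.keystore" "$KEYSTORE_PASS"
    # Jetty reads the keystore once at startup, so the B4J server must restart.
    ${RESTART_CMD:-systemctl restart b4j-webserver}        # placeholder service
fi
```

Drop the script into /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with certbot's --deploy-hook) and it runs only on a successful renewal; to try it by hand, run it with RENEWED_LINEAGE pointing at the live directory and KEYSTORE_PASS exported from a root-only environment file rather than typed on the command line, since arguments are briefly visible to other local users in the process list. The umask and the rename-into-place keep the keystore, which is equivalent to the private key, from ever being world-readable or partially written while the server is reading it.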

yfleury

Active Member
Licensed User
Longtime User
B4X:
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout 236541
Invalid password argument "236541"
Error getting passwords
It's so difficult and painful, I am about to redo my huge app in PHP just to have a certificate working on the app.
 

nbarakat

Member
B4X:
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout 236541
Invalid password argument "236541"
Error getting passwords
It's so difficult and painful, I am about to redo my huge app in PHP just to have a certificate working on the app.
The first time is always difficult. But it's probably my mistake...

/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout pass:236541

Forgot to add the pass: to the password.
Hope it works this time.
 
Solution

yfleury

Active Member
Licensed User
Longtime User
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# openssl pkcs12 -export -out keystore.pkcs12 -in /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/fullchain.pem -inkey /opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca/privkey.pem -name jetty -passout pass:236541
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore jetty.keystore -storepass 236541 -srcstorepass 236541
Importing keystore keystore.pkcs12 to jetty.keystore...
Entry for alias jetty successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem jetty.keystore keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# rm jeystore.pkcs12
rm: cannot remove 'jeystore.pkcs12': No such file or directory
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca# ls
cert.pem chain.pem fullchain.pem jetty.keystore keystore.pkcs12 privkey.pem README
root@vps-7a1ecfb2:/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca#
Now do I need to move jetty.keystore to the folder of my .jar file?
 

nbarakat

Member
No need. You can configure the path in B4J.

B4X:
Sub setSSL(sslPort As Int)
    Dim KeyStoreDir As String = "/opt/psa/var/modules/letsencrypt/etc/live/travauxpublics.ca" ' The directory of the SSL keystore.
    Dim KeyStoreFile As String = "jetty.keystore" ' The SSL keystore filename.
    Dim KeyStorePassword As String = "236541" ' The SSL keystore password.
    Dim ssl As SslConfiguration
    ssl.Initialize ' Initializes the SSL configuration.
    ssl.SetKeyStorePath(KeyStoreDir, KeyStoreFile) ' Sets the path to the SSL keystore.
    ssl.KeyStorePassword = KeyStorePassword ' Sets the password for the SSL keystore.
    srvr.SetSslConfiguration(ssl, sslPort) ' Sets the SSL configuration for the web server and the SSL port.
End Sub

You can later put the parameters in a configuration file and read them at startup.

You can rm keystore.pkcs12
 