B4J Question [Solved] [ABMaterial] - using https (secure)

Harris

myApp.StartServerHTTP2(srvr, "srvr", port, 443,"keystore","b12xxxxx","b12xxxxx" ) ' port = 51046
Is this correct?


I purchased SSL cert from SSLs.com (namecheap)...

I had my VPS provider setup the certs on my VPS.
I created a keystore (named keystore) according to this command - and answering questions...

keytool -keystore keystore -alias jetty -genkey -keyalg RSA

Updated server with new jar and rebooted. The jar did start on the server, however
now I can't run the app in my browser.
 

OliverA

You may have installed a wrong certificate when you created your keystore. This is what Firefox says about your certificate
https://comcrimewatch.com:51047/ccwatch/HomePage

The certificate is not trusted because it is self-signed.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

 
Upvote 0

OliverA

Looks like the Apache server that is serving https://comcrimewatch.com/ is set up correctly, but Jetty for your application is not.
 
Upvote 0

Harris

> You may have installed a wrong certificate when you created your keystore. This is what Firefox says about your certificate
I didn't create a self sign... All I did was create a keystore - cause it is needed? What is the alias name in creating it?

keytool -keystore ccw.keystore -alias jetty -genkey -keyalg RSA

What should I write into it? Tried my best...
 
Upvote 0

OliverA

You need to import your certificate (the same that the Apache server is using) into your keystore. You'll have to do some googling for that or someone else can chime in on the howto.
 
Upvote 0

Harris

> You need to import your certificate (the same that the Apache server is using) into your keystore. You'll have to do some googling for that or someone else can chime in on the howto.
I have been reading for the past 2 days trying to figure this out - keystore.... Nothing seems to help.
 
Upvote 0

Harris

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ccw.keystore -destkeystore ccw.keystore -deststoretype pkcs12".
root@hwsrv-206966:/var/www# keytool -importkeystore -srckeystore ccw.keystore -destkeystore ccw.keystore -deststoretype pkcs12
Enter source keystore password:
Entry for alias jetty successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "ccw.keystore" to Non JKS/JCEKS. The JKS keystore is backed up as "ccw.keystore.old".

So, I migrated and rebooted... same thing Not Secure...
 
Upvote 0

OliverA

Did you create a new ccw.keystore or just use the old one to import your cert? I would try creating a new one (move old one somewhere else).
 
Upvote 0

OliverA

Plus it looks like you are importing your keystore instead of the certificate
 
Upvote 0

Harris

> Did you create a new ccw.keystore or just use the old one to import your cert? I would try creating a new one (move old one somewhere else).
The process created the new one - using the same name. It backed up the original to ccw.keystore.old
 
Upvote 0

Harris

> Plus it looks like you are importing your keystore instead of the certificate
Seems the cert is all setup on the server. I don't follow "importing the keystore instead of cert"? Importing what to where?
 
Upvote 0

Harris

All I know is that ABM required a keystore file, so I created one using keytool - as described previously. I don't know if that was done correctly (like the alias name - it is jetty right now) - what should the alias name be? Doesn't say anywhere - so I went with default. I think this keystore process needs a better explanation - from a B4X perspective - a clear example. I am sure it is simple - when one knows what the heck they are doing...
 
Upvote 0

OliverA

> Seems the cert is all setup on the server.

The Apache server on your site is configured to use your SSL certificate. Not the Jetty server that is serving your ABM applications. Each server needs to be configured separately. It would be nice if the server OS would be configured and then everything works, but that is not the nature of the beast. You should be able to download your certificate from wherever you purchased it from. Use PKCS12 format.
B4X:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
In the above command, jetty.pkcs12 should be the certificate that you downloaded and keystore should be the name of the Java keystore you want to store it to. In your case, I would create a new keystore (rename the previously created one) and see how far you get. Make sure the new keystore is in the right place for your ABM application.
 
Upvote 0
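An added example, not part of the original thread: it shows why `keytool -genkey` yields the self-signed certificate Firefox reported, and how to build and check the PKCS12 bundle before importing it with the command above. It assumes `openssl` is installed; the throwaway CA, the name `app.example.test`, the file names and the password are constructed stand-ins for the purchased certificate and its private key.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and password here is made up and lives in a temp dir.
set -eu
work=$(mktemp -d)
pass=changeit   # placeholder password

# Print "self-signed" when a PEM certificate's subject equals its issuer, else "ca-issued".
cert_kind() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Print the kind of the server certificate stored inside a PKCS12 bundle.
p12_kind() {
  openssl pkcs12 -in "$1" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null > "$work/from_p12.crt"
  cert_kind "$work/from_p12.crt"
}

# 1. What `keytool -genkey` amounts to: a fresh key pair wrapped in a self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=app.example.test" \
  -keyout "$work/self.key" -out "$work/self.crt" 2>/dev/null

# 2. Stand-in for the purchased certificate: a throwaway CA signs a CSR for the same name.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
  -keyout "$work/site.key" -out "$work/site.csr" 2>/dev/null
openssl x509 -req -in "$work/site.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/site.crt" 2>/dev/null

# 3. Bundle private key + issued certificate + CA chain into the PKCS12 file to import.
openssl pkcs12 -export -name jetty -inkey "$work/site.key" -in "$work/site.crt" \
  -certfile "$work/ca.crt" -passout "pass:$pass" -out "$work/jetty.pkcs12"

echo "keytool -genkey equivalent: $(cert_kind "$work/self.crt")"
echo "PKCS12 bundle to import:    $(p12_kind "$work/jetty.pkcs12")"

# 4. Import with the thread's command when a JDK is present.
if command -v keytool >/dev/null 2>&1; then
  keytool -importkeystore -srckeystore "$work/jetty.pkcs12" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$work/keystore" -deststorepass "$pass" \
    -noprompt >/dev/null 2>&1 || echo "keytool import failed" >&2
fi
```

Running `cert_kind` on a certificate exported from an existing keystore tells you whether Jetty would serve a self-signed certificate before any browser sees it.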

Harris

This says I created this cert - which I did not... All I did was (try) and create a keystore file... Sectigo issued the cert - which my VPS provider installed for me...
 
Upvote 0