I have searched the whoooole internet, I think, and didn’t find the answer. I hope you guys can help me.
- Platform information:
  - Hardware: Raspberry Pi 3 B+
  - OS: openHABianPi 4.14.79-v7+
  - Java Runtime Environment: Zulu Embedded 8.25.0.76
  - openHAB version: openHAB 2.4.0-1
I tried to create my own SSL using openssl, and everything goes well as long as I use the key and keystore password that is the default in openHAB: “openhab”.
When I change the password to my own, I get the error described in the log below.
How do I do it? I set the new password either when importing the *.pkcs12 into the keystore or with keytool, using the instructions below. I always make the key password the same as the keystore password (I double-checked it by changing it and changing it back; it surely worked).
https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
https://www.ibm.com/support/knowledgecenter/en/SS4GSP_6.1.3/com.ibm.udeploy.doc/topics/keystore_change_password.html
Of course I put the new password in jetty.xml.
I tried both ways - normal password and obfuscated one.
/srv/openhab2-sys/runtime/etc/jetty.xml

```xml
[...]
<Set name="dumpAfterStart">false</Set>
<Set name="dumpBeforeStop">false</Set>
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/etc/myKeystore" /></Set>
  <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
  <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
  <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/etc/myKeystore" /></Set>
  <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><SystemProperty name="jetty.ssl.needClientAuth" default="false" /></Set>
  <Set name="WantClientAuth"><SystemProperty name="jetty.ssl.wantClientAuth" default="false" /></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
[...]
```
ERROR LOG:

```
[ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.
java.security.KeyStoreException: Failed to load the keystore /var/lib/openhab2/etc/keystore
    at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:128) ~[182:org.openhab.io.jetty.certificate:2.4.0]
    at org.openhab.io.jetty.certificate.internal.CertificateGenerator.start(CertificateGenerator.java:84) [182:org.openhab.io.jetty.certificate:2.4.0]
    at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:779) [?:?]
    at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1) [?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:772) [?:?]
    at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:729) [?:?]
    at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:933) [?:?]
    at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:309) [?:?]
    at org.eclipse.osgi.container.Module.doStart(Module.java:581) [?:?]
    at org.eclipse.osgi.container.Module.start(Module.java:449) [?:?]
    at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1634) [?:?]
    at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1614) [?:?]
    at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1585) [?:?]
    at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1528) [?:?]
    at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1) [?:?]
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) [?:?]
    at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) [?:?]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[?:?]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:?]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:?]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:?]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[?:?]
    at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:126) ~[?:?]
    ... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[?:?]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:?]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:?]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:?]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[?:?]
    at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:126) ~[?:?]
    ... 17 more
```
It’s important to notice that even with that error my https://openhabianpi:8443/ is available and it has my own SSL.
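An added example, not part of the original post or of openHAB's code: the "Keystore was tampered with, or password was incorrect" error in the log above comes from the JKS integrity check in `JavaKeyStore.engineLoad`, which this Python sketch reproduces so that a keystore file can be tested against candidate store passwords without starting Java. The two store names are the paths that appear on the page (jetty.xml and the log); their contents and the second password are constructed sample data and say nothing about the poster's real files.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def _keyed_sha1(password: str, body: bytes) -> bytes:
    # Java feeds each password char as two big-endian bytes (UTF-16BE).
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a JKS version 2 store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _keyed_sha1(password, body)


def check_store_password(data: bytes, password: str) -> str:
    """Return 'ok', 'wrong-password-or-tampered', or 'not-jks'."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"  # e.g. a PKCS12 file, which starts with an ASN.1 tag
    body, trailer = data[:-20], data[-20:]
    if hmac.compare_digest(_keyed_sha1(password, body), trailer):
        return "ok"
    return "wrong-password-or-tampered"


def match_passwords(stores: dict, candidates: list) -> dict:
    """Map each store name to the first candidate that verifies, else a status."""
    result = {}
    for name, data in stores.items():
        status = "wrong-password-or-tampered"
        for pw in candidates:
            status = check_store_password(data, pw)
            if status != "wrong-password-or-tampered":
                break
        result[name] = pw if status == "ok" else status
    return result


# Constructed sample: path names from the page, contents invented for the demo.
SAMPLE_STORES = {
    "/etc/myKeystore": build_empty_jks("constructed-pass"),
    "/var/lib/openhab2/etc/keystore": build_empty_jks("openhab"),
}

if __name__ == "__main__":
    for path, verdict in match_passwords(SAMPLE_STORES, ["openhab", "constructed-pass"]).items():
        print(path, "->", verdict)
```

On a real system, read each file with `open(path, "rb").read()` and pass the bytes in place of the constructed stores; this checks only the store password, not the per-key password.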