Error after changing password of keystore and key

I have searched the whoooole internet, I think, and didn’t find the answer; I hope you guys can help me.

  • Platform information:
    • Hardware: Raspberry pi 3 B+
    • OS: openHABianPi 4.14.79-v7+
    • Java Runtime Environment: Zulu Embedded 8.25.0.76
    • openHAB version: openHAB 2.4.0-1

I tried to create my own SSL using openssl, and everything goes well as long as I use the default openHAB key and keystore password: “openhab”.
When I change the password to my own, I get the error described in the log below.
What should I do? I set the new password either when importing the *.pkcs12 into the keystore or with keytool, using the instructions below. I always make the key password the same as the keystore password (double-checked it by changing it and changing it back; surely it worked).

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
https://www.ibm.com/support/knowledgecenter/en/SS4GSP_6.1.3/com.ibm.udeploy.doc/topics/keystore_change_password.html

Of course I put the new password in jetty.xml.
I tried both ways: the normal password and the obfuscated one.

/srv/openhab2-sys/runtime/etc/jetty.xml
[...]
        <Set name="dumpAfterStart">false</Set>
        <Set name="dumpBeforeStop">false</Set>

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/etc/myKeystore" /></Set>
                <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/etc/myKeystore" /></Set>
                <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="EndpointIdentificationAlgorithm"></Set>
                <Set name="NeedClientAuth"><SystemProperty name="jetty.ssl.needClientAuth" default="false" /></Set>
                <Set name="WantClientAuth"><SystemProperty name="jetty.ssl.wantClientAuth" default="false" /></Set>
                <Set name="ExcludeCipherSuites">
                        <Array type="String">
                                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
[...]

ERROR LOG:

[ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.
java.security.KeyStoreException: Failed to load the keystore /var/lib/openhab2/etc/keystore
	at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:128) ~[182:org.openhab.io.jetty.certificate:2.4.0]
	at org.openhab.io.jetty.certificate.internal.CertificateGenerator.start(CertificateGenerator.java:84) [182:org.openhab.io.jetty.certificate:2.4.0]
	at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:779) [?:?]
	at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1) [?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:772) [?:?]
	at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:729) [?:?]
	at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:933) [?:?]
	at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:309) [?:?]
	at org.eclipse.osgi.container.Module.doStart(Module.java:581) [?:?]
	at org.eclipse.osgi.container.Module.start(Module.java:449) [?:?]
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1634) [?:?]
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1614) [?:?]
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1585) [?:?]
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1528) [?:?]
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1) [?:?]
	at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230) [?:?]
	at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340) [?:?]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[?:?]
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:?]
	at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:?]
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1445) ~[?:?]
	at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:126) ~[?:?]
	... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[?:?]
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:?]
	at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:?]
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:?]
	at java.security.KeyStore.load(KeyStore.java:1445) ~[?:?]
	at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:126) ~[?:?]
	... 17 more

It’s important to note that even with that error my https://openhabianpi:8443/ is available and it has my own SSL.
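
A check that can be run against the two artifacts shown in this post (an added example, not part of the original post and not openHAB or Jetty code): it decodes Jetty's reversible `OBF:` values from jetty.xml and compares the keystore path configured there with the path named in the exception. The XML excerpt and log line are copied from the post; the function names `deobfuscate`, `jetty_defaults`, `failing_keystore` and `diagnose` are hypothetical.

```python
import re

def deobfuscate(value):
    """Reverse Jetty's OBF: encoding. It is obfuscation, not encryption."""
    if not value.startswith("OBF:"):
        return value                      # plain-text password, nothing to decode
    body, out, i = value[4:], bytearray(), 0
    while i < len(body):
        if body[i] == "U":                # 'U' + 4 chars: byte pair with a value >= 0x80
            out.append(int(body[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                             # 4 chars: (127+b1+b2)*256 + (127+b1-b2), base 36
            n = int(body[i:i + 4], 36)
            out.append(((n >> 8) + (n & 0xFF) - 254) // 2)
            i += 4
    return out.decode("utf-8")

def jetty_defaults(xml_text):
    """Map each <Set name=...> to the default= of its <SystemProperty>.
    The default applies only when the named system property is not set."""
    pat = r'<Set name="(\w+)">\s*<SystemProperty name="[^"]+" default="([^"]*)"'
    return dict(re.findall(pat, xml_text))

def failing_keystore(log_text):
    m = re.search(r"Failed to load the keystore (\S+)", log_text)
    return m.group(1) if m else None

def diagnose(xml_text, log_text):
    cfg = jetty_defaults(xml_text)
    result = {
        "configured_path": cfg.get("KeyStorePath"),
        "failing_path": failing_keystore(log_text),
        "store_password": deobfuscate(cfg.get("KeyStorePassword", "")),
        "key_password": deobfuscate(cfg.get("KeyManagerPassword", "")),
    }
    result["same_file"] = result["configured_path"] == result["failing_path"]
    return result

# Inputs copied from the post above.
JETTY_XML = '''
<Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/etc/myKeystore" /></Set>
<Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
<Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
'''
LOG = "java.security.KeyStoreException: Failed to load the keystore /var/lib/openhab2/etc/keystore"

if __name__ == "__main__":
    for key, value in diagnose(JETTY_XML, LOG).items():
        print(f"{key}: {value}")
```

Whichever password the script reports can then be tried against the path named in the exception with `keytool -list -keystore <path> -storepass <password>`, which succeeds only if that password opens that file.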