Failed to generate a new SSL Certificate

Hi

I'm trying to get connected to the new myopenhab.org and still cannot see it come online.

Here’s what I have done so far…

  1. Installed latest raspbian with PIXEL

  2. Installed openhab2-offline (also tried online too)

  3. Upgraded java to (tried java version 1.8.0_101 as well)
    java version "1.8.0_111"
    Java™ SE Runtime Environment (build 1.8.0_111-b14)
    Java HotSpot™ Client VM (build 25.111-b14, mixed mode)

  4. Created a new account at https://myopenhab.org/

  5. Confirmed email address

  6. Entered uuid and secret (tried new regenerated pairs as well)

  7. As some suggested, tried log-out and log in. Deleting account and re-creating etc.

Regardless of what I do to get this working, myopenhab.org is showing offline.

Only problem I see on the log is this:

2017-01-02 09:53:48.810 [ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.
java.security.cert.CertificateException: Failed to generate the new certificate.
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.generateCertificate(CertificateGenerator.java:202)[166:org.openhab.io.jetty.certificate:2.0.0$
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.start(CertificateGenerator.java:84)[166:org.openhab.io.jetty.certificate:2.0.0.201701011144]
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:771)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_111]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:764)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:721)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:941)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:318)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.doStart(Module.java:571)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.start(Module.java:439)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1582)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1562)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1533)[org.eclipse.osgi-3.10.101.v20150820-1432.jar$
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1476)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
Caused by: java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
        at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:218)[:1.8.0_111]
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.generateCertificate(CertificateGenerator.java:159)[166:org.openhab.io.jetty.certificate:2.0.0$
        ... 17 more
2017-01-02 09:53:54.137 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured cipher 'aes128-ctr' not available
2017-01-02 09:53:54.140 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured cipher 'arcfour128' not available
2017-01-02 09:53:54.141 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured cipher 'aes128-cbc' not available
2017-01-02 09:53:54.143 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured cipher '3des-cbc' not available
2017-01-02 09:53:54.144 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured cipher 'blowfish-cbc' not available
2017-01-02 09:53:54.152 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured keyexchange 'ecdh-sha2-nistp521' not available
2017-01-02 09:53:54.153 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured keyexchange 'ecdh-sha2-nistp384' not available
2017-01-02 09:53:54.155 [WARN ] [org.apache.karaf.shell.ssh.SshUtils ] - Configured keyexchange 'ecdh-sha2-nistp256' not available

I tried adding jdk.tls.disabledAlgorithms=EC,ECDHE,ECDH to jre/lib/security/java.security of the newly installed JDK path and the problem still persists.

Any help to get this resolved is highly appreciated.

Note that this is not related to myopenHAB at all - your runtime simply tries to generate a local SSL certificate that will be used when accessing it through HTTPS.

For some reason the EC key pair generator is missing in your JDK. From what I find on the web, this is usually always only a problem with OpenJDK. Are you really sure that openHAB does not use OpenJDK instead of OracleJDK? What is your $JAVA_HOME pointing to?

The problem is the same as had been reported here. Maybe @Flash has meanwhile found a solution for his problem?

Kai
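A way to answer the question raised in the reply above (which Java runtime is actually in use, and whether it offers an EC key pair generator), as an added example that is not part of the original thread or of openHAB's code. The class name `EcCheck` is hypothetical; everything else is standard `java.security` API.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

// Added diagnostic (hypothetical class name): reports which Java runtime is
// executing and whether any registered provider offers KeyPairGenerator.EC,
// the lookup that fails in the stack trace above.
public class EcCheck {

    // Returns the name of the first provider offering an EC KeyPairGenerator, or null.
    static String findEcProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // The runtime that is really executing, which may differ from $JAVA_HOME.
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.vendor   = " + System.getProperty("java.vendor"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.vm.name  = " + System.getProperty("java.vm.name"));
        System.out.println("JAVA_HOME env = " + System.getenv("JAVA_HOME"));

        // A provider whose files cannot be loaded is simply absent from this list.
        System.out.println("Registered security providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        String ecProvider = findEcProvider();
        System.out.println("Provider offering KeyPairGenerator.EC: " + ecProvider);

        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256); // 256-bit curve chosen for this check only
            KeyPair kp = kpg.generateKeyPair();
            System.out.println("OK: generated " + kp.getPublic().getAlgorithm()
                    + " key pair via " + kpg.getProvider().getName());
        } catch (NoSuchAlgorithmException | RuntimeException e) {
            // Same failure class as in the openHAB log.
            System.out.println("FAILED: " + e);
            System.exit(1);
        }
    }
}
```

Compile and run it with the same `java` binary, and under the same user account, that starts openHAB; a different account may be able to read JDK files that the service account cannot.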

Thanks for your reply. My $JAVA_HOME was empty.
For the sake of the rest who read this article… I checked this with the echo $JAVA_HOME command. Then I added the following two lines to /etc/profile

export JAVA_HOME="path that you found"

export PATH=$JAVA_HOME/bin:$PATH

See here for the reference

Rebooted, and now $JAVA_HOME shows the new SDK I installed. Still the problem persists. I get the same error every time I start openhab. And that’s the only error I get in the log.

I have nothing else installed in my RPi3. Just to get things cleared, I installed a fresh copy of Raspbian with PIXEL, did a java upgrade, did an apt-get update and apt-get upgrade. Installed openhab2-offline. That’s it!

I understand this may not be an openhab issue. However, could you confirm if this is the reason why I don't see myopenhab.org online?

Problem resolved!!!

When upgrading java, I downloaded it to my PC and transferred it to the Raspberry Pi via WinSCP. Due to the permissions associated with the pi account, I copied everything into /home/pi and installed the new jdk within the same folder. Permissions at /home/pi might have created this whole situation. I just moved my JDK files back to /opt/jdk and everything works like a charm!!!

I stumbled across this issue also and the failing generation of EC based certificates is indeed a problem of OpenJDK. Though I wasn’t able to hunt down where OpenHAB tries to generate this really. I had to install Oracle embedded Java on my NAS.

The problem is caused by OpenJDK missing the Java Cryptographic Extension. You can either install/copy the one from the Oracle JDK or use an open-source one from http://www.bouncycastle.org/java.html

See the following thread on Stack Overflow for more