OpenHAB on Debian, Custom certificates & Java, update-safe solution

Applies to:
OpenHAB 4 on Debian 12 with OpenJDK 17.
I guess it may work similarly for other combinations.

What’s the matter?
So every time you update your Java Runtime, your trust store gets reset and you scream into the void, because your manually updated trust store is missing your custom CA certificate or your self-signed certificates. Argghhh…

The not-that-smart solution
Of course you can do it this way and remember to issue
keytool -import -cacerts -file /path/to/your-awesome-certificate.crt each time after the update. And you need to remember that the default password for the trust store is changeit.

The smart solution
Or you can do it that way:

  • install the ca-certificates packages:
    apt install ca-certificates ca-certificates-java (ca-certificates may already be there)
  • place your self-signed certificate or custom CA certificate in:
    /usr/share/ca-certificates/<your-awesome-certificate.crt>
  • issue a dpkg-reconfigure ca-certificates and activate <your-awesome-certificate.crt>
  • edit /etc/default/openhab and add the following to EXTRA_JAVA_OPTS:
    -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts
    The complete line will look like this (or may have additional options, if you have any): EXTRA_JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"
  • restart OpenHAB:
    sudo systemctl restart openhab

Each and every time I updated the JRE I was wondering why openhab.log would throw tons of errors. Since I have InfluxDB running with TLS secured by a certificate from a custom CA, OpenHAB would run into sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, because the trust store was empty after the update.

I share this solution in the hope it will help somebody else who had similar problems… or at least myself, next time I run into it :sweat_smile:

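The steps of the smart solution can be checked after each JRE update with a script like the following, an added example that is not part of the original post. It assumes that dpkg-reconfigure ca-certificates records its selection in /etc/ca-certificates.conf and that the trust store uses the default password changeit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the steps above.
# Assumption: dpkg-reconfigure ca-certificates records its selection in
# /etc/ca-certificates.conf, one path per line relative to
# /usr/share/ca-certificates; "!" marks a deselected entry, "#" a comment.

# cert_enabled CONF NAME: succeeds only if NAME is listed as active.
cert_enabled() {
    grep -Fxq -- "$2" "$1"
}

# truststore_opt DEFAULTS: prints the javax.net.ssl.trustStore path from the
# uncommented EXTRA_JAVA_OPTS line; fails if the option is not set.
truststore_opt() {
    sed -n 's/^[[:space:]]*EXTRA_JAVA_OPTS=.*-Djavax\.net\.ssl\.trustStore=\([^" ]*\).*/\1/p' \
        "$1" | tail -n 1 | grep .
}

# cert_in_truststore CERT STORE: compares the SHA-256 fingerprint of the PEM
# file with the fingerprints keytool lists for the store.
cert_in_truststore() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$fp" ] || return 1
    keytool -list -keystore "$2" -storepass changeit | grep -Fq -- "$fp"
}

# verify_all NAME: NAME is the file name placed in /usr/share/ca-certificates.
verify_all() {
    cert_enabled /etc/ca-certificates.conf "$1" ||
        { echo "not activated in ca-certificates: $1"; return 1; }
    ts=$(truststore_opt /etc/default/openhab) ||
        { echo "trustStore not set in /etc/default/openhab"; return 1; }
    cert_in_truststore "/usr/share/ca-certificates/$1" "$ts" ||
        { echo "certificate missing from $ts"; return 1; }
    echo "OK: $1 is in $ts"
}

# Run only when a certificate file name is given on the command line.
if [ "$#" -gt 0 ]; then verify_all "$1"; fi
```

The third check needs openssl and keytool on the PATH; the first two only read the configuration files.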