Openhab2 sign the ssl / tls certificate


By default openhab2 comes with a selfsigned certificate
I was looking at the possibility of signing the certificate with my own CA. The only instructions I could find were for openhab1

I could follow the instructions just fine until step 9. The command just fails to execute.
Anybody knows how to proceed ? As far as I understand I just need to configure the password for this jetty service for the new keystore and I am all set

jetty.xml is not located in /var/lib/openhab2/etc (or openhab2/userdata/etc for manual installs).

Given that OH 2 is now hosted on Karaf instead of Eclipse I’m not surprised that that those jar files do not exist. I don’t know what the Karaf equivalent is but I think you will need to research how to set the cert using Karaf documentation, not OH 1 documentation.

If you figure it out, a tutorial would be awesome!

Thanks for the reply Rich.

I can find jetty.xml in the openhab2/etc folder

pi@raspberrypi:~ $ sudo find / -name jetty.xml

As you can see it is there and it is also in runtime folder as well. If I check the latter I see that this is as part of the config

 <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/etc/myKeystore" /></Set>
                <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/etc/myKeystore" /></Set>
                <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="EndpointIdentificationAlgorithm"></Set>
                <Set name="NeedClientAuth"><SystemProperty name="jetty.ssl.needClientAuth" default="false" /></Set>
                <Set name="WantClientAuth"><SystemProperty name="jetty.ssl.wantClientAuth" default="false" /></Set>
                <Set name="ExcludeCipherSuites">

So there is a keystore configured (myKeystore) that I cannot seem to find anywhere. I also change the passwords to some random value and after restarting the openhab service I get errors about wrong password for the keystore. That tells me that they are used somehow.

I have also found the util that generated the password in obfuscated form, it is just a different version than the one documented for openhab1. I replace the keystore with mine and I change the password using the util but it still complains about a wrong password.

Obviously this is a very noob way of trying to figure things out since I have no idea what jetty is :slight_smile: I will try to check the docs to see if I can find anything more helpful

Jetty is the web server OH uses to host the UIs and REST API.

My keystore seems to be located in userdata/etc/keystore

You can check if the password is valid by using “keytool” (part of Java):

$ keytool -list -keystore /path/to/keystore -storepass [unencrypted-password]

That will list you the content of the keystore if the password is valid.

Btw, what is the name and location of the password tool you found?

Hello Alex,

My keystore is configured just fine. The problem I have is that I cannot seem to be able to tell the jetty service where the new keystore is and what is the password

I used this to convert my password to obfuscated form


I think you have to configure your keystore in the file:

$ grep -r keystore *

Which matches with my keystore, located in userdata/etc/keystore

Thanks Alex. I will try what you say once I am home today and will let you know

EDIT: That is already set to point to my newly created keystore so we are good.

I am still searching to find where I need to configure the password for the keystore

I progressed a bit. I modified the jetty.xml file located here


Initially I used a very complex password which apparently did not work. I used a simpler one and it seems that now the TLS on port 8443 presents my certificate.

this is what I did

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/var/lib/openhab2/etc/keystore" /></Set>
                <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/var/lib/openhab2/etc/keystore" /></Set>
                <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="EndpointIdentificationAlgorithm"></Set>

Basically I modified the password and the path to the keystore.
When I start the openhab2 service I see my certificate being presented but in the logs I get the following error during the initialization of the service

2017-02-26 14:49:17.525 [ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate. Failed to load the keystore /var/lib/openhab2/etc/keystore
        at org.eclipse.osgi.internal.framework.BundleContextImpl$[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl$[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at Method)[:1.8.0_65]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.start([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.doStart([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.start([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent([org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager$[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
Caused by: Keystore was tampered with, or password was incorrect
        ... 17 more
Caused by: Password verification failed
        ... 22 more

But I can confirm it works. Since what I did resulted pretty much from trial and error I assume that something else is impacted that I cannot see at the moment

Did you manage to fix this keystore error?
Seems that there is something else that uses wrong password.

No I had not pursued it further unfortunately.

If you want to get rid of the error “[ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.” you need to use default password which is “openhab”, in this case no need to change jetty.xml. This password is hard coded into the source, which is in my opinion big oversight on developers side, it should come from configuration file same as the path to a keystore.

If you think it is a security issue you can file it by following the instructions at If not you can file an issue at

1 Like

Thank you Rich, I don’t think that’s a really big security issue, more like just a functionality oversight, I’ll file an issue report.

Hey All,
I was following this post and soon after I stumbled upon this post.

I am now able to use Lets Encrypt certs for all my needs including openhab over SSL.

Hope that helps.

Update to my own post,

I have been using openhab for about 2 years now with LetsEncrypt certs.
here is a simple guide with minimal commands to run.
the only commands I have to run to update my certs are:

openssl pkcs12 -export -in /etc/letsencrypt/DOMAIN.TLD/fullchain.pem -inkey /etc/letsencrypt/DOMAIN.TLD/privkey.pem -out /tmp/DOMAIN.TLD.p12 -passout pass:openhab -name mykey

scp /tmp/DOMAIN.TLD root@openhab:/tmp/

ssh root@openhab "keytool -importkeystore -deststorepass openhab -destkeypass openhab -destkeystore /tmp/keystore -srckeystore /tmp/DOMAIN.TLD.p12 -srcstoretype pkcs12 -srcstorepass openhab -alias mykey"

ssh root@openhab "mv /var/lib/openhab/etc/keystore rm /var/lib/openhab/etc/keystore.bak"

ssh root@openhab "/tmp/keystore /var/lib/openhab/etc/"

ssh root@openhab "chown openhab:openhab /var/lib/openhab/etc/keystore"

ssh root@openhab "systemctl restart openhab.service"

NOTE: except for changing DOMAIN.TLD, you should not need to change anything.
Hope this helps