SSL error: How to import the Let's Encrypt certificates in the Java truststore

I posted this in another thread (HABPanel Widget Gallery - #32 by rdhaese); @vzorglub asked me to post it in the solutions category.

For anyone with SSL problems, you are probably missing the Let's Encrypt certificates in your Java keystore.
I recently installed openhabian on my pi and got the

{"error":{"message":"java.lang.IllegalStateException","http-code":500,"exception": {"class":"javax.net.ssl.SSLException","message":"java.lang.IllegalStateException","localized-message":"java.lang.IllegalStateException","cause":"javax.net.ssl.SSLException"}}}

error when trying to access the widget gallery, so I’m probably not the only one that even now still bumps into this problem.

I got it fixed and made the following list of steps.

Alternatively, which is maybe more logical, you can skip steps 1 to 5 and use curl instead.
Between steps 6 and 7:
curl https://letsencrypt.org/certs/isrgrootx1.pem.txt > letsencrypt-root.pem
curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt > letsencrypt-int-1.pem
curl https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt > letsencrypt-int-2.pem

  1. Save https://letsencrypt.org/certs/isrgrootx1.pem.txt as letsencrypt-root.pem
  2. Save https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt as letsencrypt-int-1.pem
  3. Save https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt as letsencrypt-int-2.pem
  4. Use WinSCP or similar and place the 3 files in /home
  5. SSH into your raspberry with Putty (https://putty.org/) or similar
  6. Navigate to /home:

cd /home

  7. Transform the .pem certificates into .der ones:

sudo openssl x509 -in letsencrypt-root.pem -inform pem -out letsencrypt-root.der -outform der
sudo openssl x509 -in letsencrypt-int-1.pem -inform pem -out letsencrypt-int-1.der -outform der
sudo openssl x509 -in letsencrypt-int-2.pem -inform pem -out letsencrypt-int-2.der -outform der

  8. Locate the Java truststore and keep the path in an environment variable for easy re-use:

JAVA_TRUSTSTORE=$(sudo find / -wholename '*jre/lib/security/cacerts')

  9. Import the .der certificates into the Java truststore:
    (do NOT change the changeit password, this is the default one and I’m pretty sure you haven’t changed it)

sudo keytool -importcert -alias letsencrypt_root -keystore $JAVA_TRUSTSTORE -storepass changeit -file letsencrypt-root.der
sudo keytool -importcert -alias letsencrypt_int_1 -keystore $JAVA_TRUSTSTORE -storepass changeit -file letsencrypt-int-1.der
sudo keytool -importcert -alias letsencrypt_int_2 -keystore $JAVA_TRUSTSTORE -storepass changeit -file letsencrypt-int-2.der

  10. Test whether the certificates were added; you should see them in the output:
    (Again, do not change the changeit password)

keytool -keystore $JAVA_TRUSTSTORE -storepass changeit -list | grep letsencrypt

  11. Restart openHAB; a fresh Java process is needed:

sudo service openhab2 restart

I hope this could help!

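The same procedure as the steps above, as an added example that is not part of the original post: the import is wrapped in functions so it can be re-run without "alias already exists" errors, the glob is quoted so the shell cannot expand it before find sees it, and the check step is a function rather than a one-off grep. It assumes the three PEM file names from the post sit in the current directory, that keytool and find are on PATH, that the store password is still the default changeit, and it reuses the post's alias scheme (file name with .pem dropped and dashes turned into underscores). One caveat worth knowing: keytool -importcert accepts PEM as well as DER, so the openssl conversion step is optional.

```shell
#!/bin/sh
# Added example, not code from the original post or from openHAB/openHABian.
# Assumes: letsencrypt-root.pem, letsencrypt-int-1.pem and letsencrypt-int-2.pem
# in the current directory; keytool and find on PATH; store password "changeit".
set -eu

# Locate cacerts below a search root (default /). The pattern is quoted so the
# shell does not expand the glob before find sees it; only the first match is
# printed, so check that it belongs to the JRE that actually runs openHAB.
find_truststore() {
  root="${1:-/}"
  find "$root" -path '*jre/lib/security/cacerts' 2>/dev/null | head -n 1
}

# Derive the keytool alias from a file name, the same scheme the post uses:
# letsencrypt-int-1.pem -> letsencrypt_int_1
alias_for() {
  name=$(basename "$1")
  name="${name%.*}"
  printf '%s\n' "$name" | tr '-' '_'
}

# Import one certificate unless an entry with that alias already exists.
# keytool reads PEM as well as DER, so no openssl conversion is needed here.
import_cert() {
  store="$1"; pem="$2"; pass="${3:-changeit}"
  alias=$(alias_for "$pem")
  if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "skip: $alias already in $store"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$store" -storepass "$pass" -file "$pem"
}

# Number of entries whose alias starts with the given prefix (the check step).
count_aliases() {
  store="$1"; prefix="$2"; pass="${3:-changeit}"
  keytool -list -keystore "$store" -storepass "$pass" 2>/dev/null \
    | grep -c "^$prefix" || true
}

main() {
  store=$(find_truststore "${1:-/}")
  if [ -z "$store" ]; then
    echo "no cacerts found under ${1:-/}" >&2
    return 1
  fi
  echo "truststore: $store"
  for pem in letsencrypt-root.pem letsencrypt-int-1.pem letsencrypt-int-2.pem; do
    import_cert "$store" "$pem"
  done
  echo "letsencrypt entries now in store: $(count_aliases "$store" letsencrypt)"
  echo "restart openHAB so the running JVM re-reads the truststore"
}

# Only run when asked, e.g. `sudo sh import-le.sh run /usr/lib/jvm`, so the
# functions can also be sourced on their own for the checks.
if [ "${1:-}" = run ]; then
  main "${2:-/}"
fi
```

Passing a narrower search root than / (for example /usr/lib/jvm) makes the find step fast and avoids picking up a second JRE that openHAB does not use; if the count printed at the end is 0 after a run, the certificates went into a different cacerts than the one the openHAB process loads.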

I think there’s a typo @rdhaese … the file names don’t match.
Thanks for sharing this!

I am still having some trouble with the handshake error:

Error: Received fatal alert: handshake_failure

I have Oracle Java on a Synology NAS. @ysc suggested another user had troubles when using open-jdk…
I’ve installed the certs as you outlined. Any ideas?


I believe the problem can be more easily fixed by upgrading your JRE to a more recent version. Maybe the one packaged with Raspbian/openHABian is a little old?
Type java -version in your SSH session to check.


That’s true.
The version coming with openHABian is build 1.8.0_65-b17.
The root Let’s Encrypt certificate is included starting from version _66. At least with the normal JRE; I don’t know if the ARM version includes it.
I’m also not sure if it includes the intermediate certificates.

I’m a Java software engineer, so I developed a kind of hate for the oracle download pages, I think that’s why I didn’t bother. :sweat_smile:

Edit: Now, after thinking about it, using apt-get you would have to bother with the download pages. :expressionless:
There is some more work involved than normal; for anyone interested, check https://linoxide.com/debian/install-java-8-debian-gnulinux-9-stretch/


I’ve checked the code for openhabian to see if I could add an issue for this.

The problem lies in the java_zulu() function in https://github.com/openhab/openhabian/blob/master/functions/java-jre.sh.

I noticed a java_zulu_NEW() method that specifies a version (zulu8.33.0.134-jdk1.8.0_192) for the JDK.
Using this function should fix the SSL errors; somebody is working on it, so it’s going to get fixed.

I’m not sure if there is already a released version including the fix. I installed my instance about a month ago.

Fixed the typo, copy-pasting… Always the same… Thanks for letting me know!

Did you get it fixed by now?

I need a bit more information to be able to really help you.
Have you restarted the java process?
Are you trying to load the widget gallery? Does everything else work as intended?
Are you behind a reverse proxy? And are you using ssl or not?
Can you provide me with the output of keytool -keystore $JAVA_TRUSTSTORE -storepass changeit -list | grep letsencrypt
Some more logs could be helpful.

Have you tried deleting the certificates and adding them again?
sudo keytool -delete -alias letsencrypt_root -keystore $JAVA_TRUSTSTORE -storepass changeit
sudo keytool -delete -alias letsencrypt_int_1 -keystore $JAVA_TRUSTSTORE -storepass changeit
sudo keytool -delete -alias letsencrypt_int_2 -keystore $JAVA_TRUSTSTORE -storepass changeit

Thanks @rdhaese.
I’ll need to get back to you on this. I am still having problems, and am pretty sure it isn’t from the typo: I noticed that before I implemented your solution.
I am using a Synology NAS so it isn’t running openhabian. I just thought if I found the keystores I could implement, even if they’re in a different place.
I’ll do some more digging, cheers!

@marklavercombe

I don’t have experience with a Synology NAS. (I’m planning on getting one, btw :grin:)
I’ve found this topic but couldn’t really make anything out of it:

Maybe it rings a bell to you?
@Richard_Searle apparently got it fixed, ask him if he can help.
You probably found this topic yourself, but maybe it can be helpful to others.
