For anyone with SSL problems, you are probably missing the Let’s Encrypt certificates in your Java keystore.
I recently installed openhabian on my pi and got the
error when trying to access the widget gallery, so I’m probably not the only one that even now still bumps into this problem.
I got it fixed and made the following list of steps.
Alternatively, which is maybe more logical, you can skip steps 1 to 5 and use curl.
Between step 6 and 7:
```
curl https://letsencrypt.org/certs/isrgrootx1.pem.txt > letsencrypt-root.pem
curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt > letsencrypt-int-1.pem
curl https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt > letsencrypt-int-2.pem
```
Import the .der certificates into the Java truststore:
(do NOT change the changeit password, this is the default one and I’m pretty sure you haven’t changed it)
I believe the problem can be more easily fixed by upgrading your JRE to a more recent version. Maybe the one packaged with Raspbian/openHABian is a little old?
Type java -version in your SSH session to check.
That’s true.
The version coming with openhabian is build 1.8.0_65-b17.
The root Let’s Encrypt certificate is included starting from version _66. At least, with the normal JRE, I don’t know if the ARM version includes it.
I’m also not sure if it includes the intermediate certificates.
I’m a Java software engineer, so I developed a kind of hate for the Oracle download pages, I think that’s why I didn’t bother.
I noticed a java_zulu_NEW() method that specifies a version (zulu8.33.0.134-jdk1.8.0_192) for the JDK.
Using this function should fix the SSL errors, somebody is working on it, it’s going to get fixed.
I’m not sure if there is already a released version including the fix. I installed my instance about a month ago.
Fixed the typo, copy-pasting… Always the same… Thanks for letting me know!
Did you get it fixed by now?
I need a bit more information to be able to really help you.
Have you restarted the java process?
Are you trying to load the widget gallery? Does everything else work as intended?
Are you behind a reverse proxy? And are you using ssl or not?
Can you provide me with the output of this command?
```
keytool -keystore $JAVA_TRUSTSTORE -storepass changeit -list | grep letsencrypt
```
Some more logs could be helpful.
Have you tried deleting the certificates and adding them again?
```
sudo keytool -delete -alias letsencrypt_root -keystore $JAVA_TRUSTSTORE
sudo keytool -delete -alias letsencrypt_int_1 -keystore $JAVA_TRUSTSTORE
sudo keytool -delete -alias letsencrypt_int_2 -keystore $JAVA_TRUSTSTORE
```
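An added example, not part of any post in this thread: shell functions that run the `keytool -list` check requested above and import only the aliases that are still missing, covering both the import step from the first post and this verification step. It assumes `JAVA_TRUSTSTORE` is set as in the thread and that the three PEM files from the curl commands are in the current directory; `missing_aliases` and `import_missing` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes $JAVA_TRUSTSTORE points at the
# JRE's cacerts file and the PEM files from the curl step are in the cwd.

STOREPASS=changeit   # default truststore password mentioned in the thread

# alias:file pairs; the aliases are the ones used in the thread's keytool commands
CERTS="letsencrypt_root:letsencrypt-root.pem
letsencrypt_int_1:letsencrypt-int-1.pem
letsencrypt_int_2:letsencrypt-int-2.pem"

# Reads `keytool -list` output on stdin and prints every expected alias that is
# absent. Entries look like "alias, <date>, trustedCertEntry,", so the match is
# anchored on "alias," to avoid prefix collisions with longer alias names.
missing_aliases() {
  local listing alias
  listing=$(cat)
  for alias in $(printf '%s\n' "$CERTS" | cut -d: -f1); do
    printf '%s\n' "$listing" | grep -q "^${alias}," || printf '%s\n' "$alias"
  done
}

# Imports only the missing certificates. -noprompt is deliberately left out:
# keytool then prints each certificate (owner, validity, fingerprints) and asks
# for confirmation, so the fingerprint can be compared with the one published
# by the CA before the certificate becomes a trust anchor.
import_missing() {
  local alias file
  for alias in $(keytool -list -keystore "$JAVA_TRUSTSTORE" \
                   -storepass "$STOREPASS" | missing_aliases); do
    file=$(printf '%s\n' "$CERTS" | grep "^${alias}:" | cut -d: -f2)
    # keytool accepts PEM as well as DER input for -importcert
    sudo keytool -importcert -alias "$alias" -file "$file" \
      -keystore "$JAVA_TRUSTSTORE" -storepass "$STOREPASS"
  done
}

# Usage: call import_missing, then restart the Java process so it reloads the
# truststore.
```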
Thanks @rdhaese.
I’ll need to get back to you on this. I am still having problems, and am pretty sure it isn’t from the typo: I noticed that before I implemented your solution.
I am using a Synology NAS so it isn’t running openHABian. I just thought if I found the keystores I could implement, even if they’re in a different place.
I’ll do some more digging, cheers!
I don’t have experience with a Synology NAS. (I’m planning on getting one btw)
I’ve found this topic but couldn’t really make anything out of it:
Maybe it rings a bell to you?
@Richard_Searle apparently got it fixed, ask him if he can help.
You probably found this topic yourself, but maybe it can be helpful to others.