You seem to be using a self-signed certificate. I've not tried this before,
but at first glance you seem to have taken all the steps. Not sure I see
the signing certificate being imported; not sure if you need to.

SSL debugging is a pain in Java; you can increase the JVM logging using
either -Djavax.net.debug=all or e.g.
-Djavax.net.debug=ssl:handshake:verbose on the Jetty command line. Check
https://stackoverflow.com/questions/23659564/limiting-java-ssl-debug-logging
for the possible options.

Also worth reading: https://dzone.com/articles/how-analyze-java-ssl-errors

Mark


On 28 Aug. 2017 12:34 "Ian Turton" <ijtur...@gmail.com> wrote:

Did you include the strong cryptography jars?
http://docs.geoserver.org/latest/en/user/production/java.html#installing-unlimited-strength-jurisdiction-policy-files

I have no real idea if they are involved in this part of the chain, but it
might help.

Ian

On 28 August 2017 at 09:03, <m.v.vlij...@purmerend.nl> wrote:

> Good day,
>
>
>
> I want to set up Geoserver 2.10.2 with SSL and a CA certificate on CentOS 7
>
> Went through all the config steps but keep on getting:
>
> …
>
> java.io.IOException: Keystore was tampered with, or password was incorrect
>
> …
>
> …
>
> Caused by: java.security.UnrecoverableKeyException: Password verification
> failed
>
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.
> java:778)
>
>         ... 30 more
>
>
>
> I'm pretty sure that the password is correct, so the problem must be
> elsewhere...
>
>
>
> These are the steps I took:
>
>
>
>    1. *Made a PKCS12 file from a KEY and a CRT file:*
>
> openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
>
>    2. *Put the PKCS in the keystore:*
>
> # keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12
> -destkeystore keystore
>
> Enter destination keystore password: <abc123>
>
> Re-enter new password: <abc123>
>
> Enter source keystore password: <correctpassword>
>
> Entry for alias 1 successfully imported.
>
> Entry for alias le-30311f8f-1100-46ef-afc7-a83bec2806e2 successfully
> imported.
>
> Import command completed:  2 entries successfully imported, 0 entries
> failed or cancelled
>
>    3. *Enabled SSL in server.ini:*
>
> # java -jar start.jar --add-to-start=ssl
>
> INFO: ssl             initialised in ${jetty.base}/start.ini
>
> INFO: ssl             enabled in     ${jetty.base}/start.ini
>
> INFO: ssl             enabled in     <transitive>
>
> INFO: server          initialised in ${jetty.base}/start.ini
>
> INFO: server          enabled in     ${jetty.base}/start.ini
>
> INFO: server          enabled in     <transitive>
>
> INFO: resources       initialised in ${jetty.base}/start.ini
>
> INFO: resources       enabled in     ${jetty.base}/start.ini
>
> INFO: resources       enabled in     <transitive>
>
>    4. *Obfuscate password abc123:*
>
> # java -cp jetty-util-9.2.13.v20150730.jar 
> org.eclipse.jetty.util.security.Password
> abc123
>
> 2017-08-24 16:23:47.147:INFO::main: Logging initialized @107ms
>
> abc123
>
> OBF:1igd1igf1igh1idp1idr1idt
>
> MD5:e99a18c428cb38d5f260853678922e03
>
>    5. *Edit jetty-ssl.xml:*
>
> <Set name="KeyStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
>
>   <Set name="KeyStorePassword"><Property name="jetty.keystore.password"
> default=" OBF:1igd1igf1igh1idp1idr1idt
>
> "/></Set>
>
>   <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password"
> default=" OBF:1igd1igf1igh1idp1idr1idt"/></Set>
>
>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
> />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
>
>   <Set name="TrustStorePassword"><Property name="jetty.truststore.password"
> default=" OBF:1igd1igf1igh1idp1idr1idt"/></Set>
>
>    6. *Start GeoServer via startup.sh, but no go.*
>    7. *Check password in keystore:*
>
>
>
> root@datalab [/opt/geoserver/geoserver-2.10.2]# keytool -list -keystore
> /root/certificaat/keystore
>
> Enter keystore password:
>
>
>
> Keystore type: JKS
>
> Keystore provider: SUN
>
>
>
> Your keystore contains 2 entries
>
>
>
> 1, Aug 24, 2017, PrivateKeyEntry,
>
> Certificate fingerprint (SHA1): ##:##:##:##:##:##:##:##:##:##:
> ##:##:##:##:##:##:##:##:##:##:##
>
> le-3476114f-1100-46ef-afc7-a83bec2806e2, Aug 24, 2017, PrivateKeyEntry,
>
> Certificate fingerprint (SHA1): ##:##:##:##:##:##:##:##:##:##:
> ##:##:##:##:##:##:##:##:##:##:##
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>


-- 
Ian Turton
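Added illustration, not code from the thread or from Jetty: a Python port of the OBF: coding used in step 4 of the question (assumed to match Jetty 9's org.eclipse.jetty.util.security.Password; its ASCII output is checked against the value posted there). It shows that OBF: is reversible obfuscation rather than encryption, so jetty-ssl.xml deserves the same file permissions as the keystore, and that Jetty decodes a value only when it starts exactly with OBF:; anything else, such as a value with whitespace inside the XML attribute, is used as the literal password.

```python
# Port of Jetty's OBF: password coding (assumed to match Jetty 9's
# org.eclipse.jetty.util.security.Password; not Jetty's own code).
OBF_PREFIX = "OBF:"
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def to_base36(n: int) -> str:
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = BASE36[r] + s
    return s or "0"

def obfuscate(password: str) -> str:
    """Each byte is mixed with its mirror byte from the other end of the string."""
    b = password.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]
        if b1 >= 0x80 or b2 >= 0x80:   # non-ASCII bytes use the 'U' form
            out.append("U" + to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            out.append(to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)

def deobfuscate(value: str) -> str:
    """Inverse of obfuscate(): the sum/difference pair yields the first byte."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")

def resolve(configured: str) -> str:
    """Mirror of Jetty's Password(String) constructor: decode only a value that
    starts exactly with OBF:; anything else is the literal password."""
    pw = configured
    while pw.startswith(OBF_PREFIX):
        pw = deobfuscate(pw)
    return pw

if __name__ == "__main__":
    print(obfuscate("abc123"))                              # OBF:1igd1igf1igh1idp1idr1idt
    print(repr(resolve(" OBF:1igd1igf1igh1idp1idr1idt")))  # literal, space and all
```

Running resolve() over the exact attribute text from jetty-ssl.xml is a quick way to confirm that the configured KeyStorePassword really decodes to the password keytool accepts.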
