That is weird :(
Maybe you can try to import the chain as one file, as described here:
https://stackoverflow.com/questions/16062072/how-to-add-certificate-chain-to-keystore

On Wed, Jul 18, 2018 at 8:08 PM Christian Wolf <christ...@wolf-stuttgart.net> wrote:
>
> Dear Maxim,
>
> > On my Ubuntu FF uses CAs from /etc/ssl/certs/, Chrome seems to use internal
> > CAs
> > Can you check with keytool your keystore contains full chain (including CA)?
> >
> > Example
> > https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
> >
> > keytool -list -v -keystore keystore.jks
>
> My certificate chain is Root CA -> Intermediate CA from Let's Encrypt ->
> RTMPS certificate.
>
> When looking into the keystore, I see only the Intermediate CA -> RTMPS
> certificate chain. The root CA is not included. Does it need to be
> present as well to make everything work?
>
> I used these commands on the keystore:
> # keytool -importkeystore -srckeystore <tmp>/openmeetings.p12 -srcstoretype PKCS12 -destkeystore /opt/openmeetings/conf/keystore.jmx -alias red5
> # keytool -import -keystore /opt/openmeetings/conf/keystore.jmx -trustcacerts -file /etc/letsencrypt/live/openmeetings/chain.pem -alias letsencrypt
>
> When trying to add the root CA I got the message stating that that
> certificate was already known in the global CA keystore. I force-added
> it now to test out the effect.
> The result is the same: Firefox cannot connect. I did not redo my
> sniffing. I assume it will look similar.
>
> Thank you so far
> Christian

--
WBR
Maxim aka solomax