Mantis - Resin
6103 minor always 10-09-17 14:18 10-09-17 14:33
ferg  
ferg  
normal  
closed 4.0.54  
fixed  
none    
none 4.0.55  
0006103: openssl with missing password
(rep by Steffen Busch)

I struggle to get Resin-Pro 4.0.53 working with Let's Encrypt certificates issued through Certbot.

Certbot provided me with:

`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
                 without reading further documentation (see link below).


My configuration was like this:

      <http address="*" port="8443">
         <openssl>
            <certificate-file>/home/resin/resin-pro-4.0.53/keys/chain.pem</certificate-file>
            <certificate-key-file>/home/resin/resin-pro-4.0.53/keys/privkey.pem</certificate-key-file>
            <certificate-chain-file>/home/resin/resin-pro-4.0.53/keys/fullchain.pem</certificate-chain-file>
            <honor-cipher-order>true</honor-cipher-order>
            <compression>false</compression>
            <cipher-suite>ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256::AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA</cipher-suite>
          </openssl>
        </http>


But this failed with the following Error Message:

<password> is expected.

<openssl> syntax: ( (@ca-certificate-file | <ca-certificate-file>)?
                  & (@ca-certificate-path | <ca-certificate-path>)?
                  & (@ca-revocation-file | <ca-revocation-file>)?
                  & (@ca-revocation-path | <ca-revocation-path>)?
                  & (@certificate-file | <certificate-file>)
                  & (@certificate-chain-file | <certificate-chain-file>)?
                  & (@certificate-key-file | <certificate-key-file>)?
                  & (@cipher-suite | <cipher-suite>)?
                  & (@compression | <compression>)?
                  & (@crypto-device | <crypto-device>)?
                  & (@honor-cipher-order | <honor-cipher-order>)?
                  & (@password | <password>)
                  & (@protocol | <protocol>)?
                  & (@session-cache | <session-cache>)?
                  & (@session-cache-timeout | <session-cache-timeout>)?
                  & (@unclean-shutdown | <unclean-shutdown>)?
                  & (@verify-client | <verify-client>)?
                  & (@verify-depth | <verify-depth>)?)
        at com.caucho.xml.DOMBuilder.error(DOMBuilder.java:603)
...


But neither the certificate nor the private key generated by Certbot have a password.

See also:
https://community.letsencrypt.org/t/is-the-generated-certificate-password-protected/23402

<quote>
The certificate generated by Certbot and used by your webserver is not password protected - it only contains non-secret material and can be shared widely :slight_smile:

The private key generated by Certbot that goes alongside the certificate is also not password protected. It is protected only by filesystem permissions and shouldn't be shared.

You might wonder why the private key doesn't have a password on it - the answer is that your webserver and any other software that needs to use the private key would have to ask you for the password first when it was started up, or restarted. I'm not aware of any webserver software that supports that. It would also make automation very difficult and that's a primary goal for Let's Encrypt and Certbot.
</quote>



So I've tried to add an empty password element to the <openssl> like this:
      <http address="*" port="8443">
         <openssl>
             ...
            <password></password>
          </openssl>
        </http>


I still get an Error - this time OpenSSL complaining it can't open the key file:

com.caucho.config.ConfigException: OpenSSL can't open key file '/home/resin/resin-pro-4.0.53/keys/privkey.pem' or the password does not match.
   at com.caucho.vfs.OpenSSLFactory.nativeInit(Native Method)
   at com.caucho.vfs.OpenSSLFactory.initSSL(OpenSSLFactory.java:451)
   at com.caucho.vfs.OpenSSLFactory.create(OpenSSLFactory.java:410)
   at com.caucho.network.listen.TcpPort.bind(TcpPort.java:1122)
   at com.caucho.cloud.network.NetworkListenSystem.start(NetworkListenSystem.java:226)
   at com.caucho.env.service.ResinSystem.startServices(ResinSystem.java:544)
   at com.caucho.env.service.ResinSystem.start(ResinSystem.java:511)
   at com.caucho.server.resin.Resin.start(Resin.java:875)
   at com.caucho.server.resin.Resin.initMain(Resin.java:1008)
   at com.caucho.server.resin.Resin.main(Resin.java:1467)



At this time I don't know how to run Resin with Let's Encrypt certificates issued through Certbot.
I'm also not sure right now if my mapping for <certificate-file> => chain.pem and <certificate-chain-file> => fullchain.pem is correct, but I won't find out as long as Resin's OpenSSL requires a password.


Any idea if Resin will be able to work with the Let's Encrypt certs generated through Certbot using the .pem format for OpenSSL?


-- Steffen



Just FYI:
It is possible to create a Java Keystore (.JKS) from Let's Encrypt Certificates which can be used with the JSSE configuration.
This might be interesting for people reading this, although I don't like it that much due to the manual steps.


I've been using some of the steps from this tutorial.
https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm

I have skipped Step 1 as I already had the above mentioned .pem files with the certificates and private key from a previous certbot run.


2) Create a PKCS12 file containing full chain and private key

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name resin -password pass:test


3) Convert PKCS12 to Keystore

In this example "test111" will be the password that is then used in the <jsse-ssl> configuration:

keytool -importkeystore -deststorepass test111 -destkeypass test111 -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass test -alias resin

This will create a file named "keystore.jks" which is then used in the Resin XML configuration.


        <jsse-ssl>
          <key-store-file>/home/resin/resin-pro-4.0.53/keys-jsse-from-pem/keystore.jks</key-store-file>
          <password>test111</password>
          <protocol>TLSv1,TLSv1.1,TLSv1.2</protocol>
          <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</cipher-suites>
          <honor-cipher-order>true</honor-cipher-order>
        </jsse-ssl>
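As an added example (not from the report and not Resin's or Certbot's own code), a small stdlib Python inspector for the four PEM files the report lists: it parses the PEM blocks, counts the certificates in each file, confirms that fullchain.pem is cert.pem followed by chain.pem, and reports whether a private key is actually passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header), which is the only case in which OpenSSL would need a password for the key. The file contents below are constructed placeholders, not real certificates or keys.

```python
import re

# Constructed stand-ins for certbot's PEM files (placeholder base64 bodies, not real material).
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
INTER = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
SAMPLE = {
    "cert.pem": LEAF,                       # leaf certificate only
    "chain.pem": INTER,                     # intermediate(s) only
    "fullchain.pem": LEAF + INTER,          # leaf followed by intermediate(s)
    "privkey.pem": "-----BEGIN PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n",
}
# Two constructed keys that WOULD need a password: PKCS#8 encrypted form and legacy OpenSSL form.
ENCRYPTED_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nRU5DLVBMQUNFSE9MREVS\n"
                   "-----END ENCRYPTED PRIVATE KEY-----\n")
ENCRYPTED_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "UlNBLVBMQUNFSE9MREVS\n-----END RSA PRIVATE KEY-----\n")

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """All (label, body) pairs in a PEM file, in file order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]

def key_needs_password(text):
    """True if the file holds a private key that OpenSSL would prompt a passphrase for."""
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted container
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:  # legacy form
            return True
    return False

def cert_bodies(text):
    """Base64 bodies of the CERTIFICATE blocks, whitespace-stripped so files compare equal."""
    return [re.sub(r"\s+", "", b) for l, b in pem_blocks(text) if l == "CERTIFICATE"]

def fullchain_is_cert_plus_chain(files):
    """Certbot defines fullchain.pem as cert.pem followed by chain.pem; confirm it."""
    expected = cert_bodies(files["cert.pem"]) + cert_bodies(files["chain.pem"])
    return cert_bodies(files["fullchain.pem"]) == expected

def report(files):
    """Per file: number of certificates, whether it holds a key, whether that key needs a password."""
    out = {}
    for name, text in files.items():
        labels = [l for l, _ in pem_blocks(text)]
        out[name] = {"certificates": labels.count("CERTIFICATE"),
                     "private_key": any(l.endswith("PRIVATE KEY") for l in labels),
                     "needs_password": key_needs_password(text)}
    return out
```

Running `report(SAMPLE)` on the real certbot directory (read each file with `open(...).read()`) shows a `needs_password` of False for privkey.pem, which is why an `<openssl>` password neither helps nor is required by the key itself.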
There are no notes attached to this issue.