B4J Question SSL Certificate

[Omar Moreno]

Hi.
based on this post: https://www.b4x.com/android/forum/threads/ssl-certificate.68591/

I have downloaded from godaddy the key certificates type TOMCAT ("CRT", "PEM"), charge them to the jetty.keystore with the command:

"C:\Program Files\Java\jdk-10.0.2\bin\keytool.exe" -import -trustcacerts -alias filexxxcrt -file filexxx.crt -keystore jetty.keystore

but when I run the server, this error occurs:

javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

 

[Erel]

Make sure that the password is correct.

 

[Omar Moreno]

Thanks for the reply.

I have deactivated this line:

'ssl.KeyManagerPassword = "xxxxxx"

Now there is no error:
"javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption"

But browsers show: ERR_SSL_PROTOCOL_ERROR

The steps I followed for SSL are:

1-Create a new key repository:

"C:\Program Files\Java\jdk-10.0.2\bin\keytool.exe" -genkey -alias jetty -keyalg RSA -keysize 2048 -keystore jetty.keystore

2-Create a certificate signing request (CSR):

"C:\Program Files\Java\jdk-10.0.2\bin\keytool.exe" -certreq -v -alias jetty -file jettycsr.pem -keystore jetty.keystore

Se le envio el archivo CSR a Goddaddy y retorno 3 archivos

20f54e1694c99999.crt
gd_bundle-g2-g1.crt
gdig2.crt.pem


3-Import the certificate (pem):

"C:\Program Files\Java\jdk-10.0.2\bin\keytool.exe" -import -trustcacerts -alias gdig2crtpem -file gdig2.crt.pem -keystore jetty.keystore

4-FIRMAR EL EJECUTABLE:

"C:\Program Files\Java\jdk-10.0.2\bin\jarsigner.exe" -verbose -keystore "C:\path\jetty.keystore" -tsa http://server.com/MaestraX.exe tsacert gdig2crtpem

Enter Passphrase for keystore: .....

this message comes out:

jarsigner: Certificate chain not found for: 20f54e1694c99999crt. 20f54e1694c99999crt must reference a valid KeyStore key entry containing a private key and cor
responding public key certificate chain.


I tried with the 3 files and the same goes out.
How should I fix this?

Thank you.

 

[Erel]

Try this: https://stackoverflow.com/a/39087173/971547

 

[Omar Moreno]

Execute the commands of this link: "Try this: https://stackoverflow.com/a/39087173/971547"

There was no error importing the file "pem".

When I run the program, the page works fine without "Https: //", but when I use the "Https: //", the browsers show: ERR_SSL_PROTOCOL_ERROR

For an additional track I have captured the LOG:

2018-10-16 11:00:19.338:INFO::main: Logging initialized @876ms to org.eclipse.jetty.util.log.StdErrLog

PORT SERVER WEB: 8081
POrt SSL: 443

2018-10-16 11:00:20.265:INFOejs.Server:main: jetty-9.4.z-SNAPSHOT; built: 2018-05-03T15:56:21.710Z; git: daa59876e6f384329b122929e70a80934569428c; jvm 10.0.2+13
2018-10-16 11:00:20.347:INFOejs.session:main: DefaultSessionIdManager workerName=node0
2018-10-16 11:00:20.347:INFOejs.session:main: No SessionScavenger set, using defaults
2018-10-16 11:00:20.351:INFOejs.session:main: node0 Scavenging every 660000ms
2018-10-16 11:00:20.477:INFOejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@1af2d44a{/,file:///C:/ServerWEB/www/,AVAILABLE}
2018-10-16 11:00:20.486:INFOejs.AbstractNCSARequestLog:main: Opened C:\ServerWEB\logs\b4j-2018_10_16.request.log
2018-10-16 11:00:20.533:INFOejs.AbstractConnector:main: Started ServerConnector@2e6a8155{HTTP/1.1,[http/1.1]}{0.0.0.0:8081}
2018-10-16 11:00:21.112:INFOejus.SslContextFactory:main: x509=X509@45d84a20(jetty,h=[server.com],w=[]) for SslContextFactory@52f27fbd[provider=null,keyStore=file:///C:/ServerWEB/jetty.keystore,trustStore=null]
2018-10-16 11:00:21.385:INFOejs.AbstractConnector:main: Started ServerConnector@f58853c{SSL,[ssl, http/1.1]}{0.0.0.0:443}
2018-10-16 11:00:21.386:INFOejs.Server:main: Started @2936ms

***
SERVIDOR INICIADO EL: 16/10/2018 11:00:21
CONNECTED TO THE DATABASE: OK
***

SERVER STARTED IN THE PROCESS: 6772

And when I try to navigate with "Https: //" this is in LOG:

2018-10-16 11:00:49.853:WARNejh.HttpParser:qtp2070529722-17: Illegal character 0x16 in state=START for buffer HeapByteBuffer@663efaf6[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03\x83\xEe\x1b\xE1\xAa\xFf\xE3...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2018-10-16 11:00:49.850:WARNejh.HttpParser:qtp2070529722-23: Illegal character 0x16 in state=START for buffer HeapByteBuffer@55665d5b[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03\x15^*\x0b\x89\xA1\x12...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>Extensions: perme...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
2018-10-16 11:00:49.947:WARNejh.HttpParser:qtp2070529722-27: Illegal character 0x16 in state=START for buffer HeapByteBuffer@55665d5b[p=1,l=216,c=8192,r=215]={\x16<<<\x03\x01\x00\xD3\x01\x00\x00\xCf\x03\x03\x7fm\xCe\xF9\x14\xA1\x96...\x17\x00\x18\x00\x1b\x00\x03\x02\x00\x02\x8a\x8a\x00\x01\x00>>>.1uP\x00\x00\x00\x0b\x00\x02\x01\x00\x003\x00+\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

How should I fix this?

Thank you.

 

[OliverA]

I'm confused. What are you trying to accomplish? Secure a web site so you can use the HTTPS protocol? Or sign an EXE file? What are you configuring? And I think there are two passwords, one for the store and one for they key.

 

[Omar Moreno]

I'm confused. What are you trying to accomplish? Secure a web site so you can use the HTTPS protocol? Or sign an EXE file? What are you configuring? And I think there are two passwords, one for the store and one for they key.

Yes.

I'm very new to this SSL, I want the website to say in browser taht the site is safe.

The MaestraX.jar file was converted into MaestraX.exe with this:

https://www.b4x.com/android/forum/threads/create-windows-native-executables-exe-files.35863/#content

 

[OliverA]

In your code you should have a keystore and a keymanager password. Do not get them mixed up (try flipping them). You don't sign the executable. Also make sure that you are actually using the same jetty.keystore file in each command you execute. In the above examples, you sometimes use jetty.keystore and sometimes C:\path\jetty.keystore. You may actually be working on two separate keystores instead of one. Some certificate providers use intermediate certificates in their chain and all of those need to be imported too (as explained here: https://www.b4x.com/android/forum/t...installing-ssl-certificate.55194/#post-346876).

 

[OliverA]

See https://au.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239 and https://serverfault.com/a/578027
According to them, you should have imported

gd_bundle-g2-g1.crt
gdig2.crt.pem
20f54e1694c99999.crt

in that order. Idk why gdig2.crt has the pem extension, but the other two do not.

The import steps for the certificates are provided by the GoDaddy link under the "To Install You SSL In Tomcat" section. Only steps 1 through 3 are relevant, since everything else is handled with coding in B4J (instead of XML files). You need to adjust the commands to reflect your keystore name/location and your certificate names.

 

[Omar Moreno]

See https://au.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239 and https://serverfault.com/a/578027
According to them, you should have imported

gd_bundle-g2-g1.crt
gdig2.crt.pem
20f54e1694c99999.crt

in that order. Idk why gdig2.crt has the pem extension, but the other two do not.

The import steps for the certificates are provided by the GoDaddy link under the "To Install You SSL In Tomcat" section. Only steps 1 through 3 are relevant, since everything else is handled with coding in B4J (instead of XML files). You need to adjust the commands to reflect your keystore name/location and your certificate names.

I'm going to take those steps and I'll comment
Thank you.

 

[Omar Moreno]

The suggested steps were followed:

1-All routes were included "c: / path / ...."
2-The 3 files were imported in the correct order
Note: when importing the second "pem" file, the command gives a warning: The certificate already exists in the keystore with the alias <gd_bundle-g2-g1crt>
one test was accepted and the other was not.
3-Nothing is signed.

If I browse like this: https://server.com:8081
this error occurs: ERR_SSL_PROTOCOL_ERROR

If I browse like this: https://server.com
This error occurs: NET :: ERR_CERT_COMMON_NAME_INVALID

If I browse like this: http://server.com:8081
The page is shown, but the browser says that it is not safe

Private Sub ConfigurarSSL(SslPuerto As Int)
    '
    Dim ssl As SslConfiguration
    ssl.Initialize
    'Log(File.DirApp)
    ssl.SetKeyStorePath(File.DirApp & "\ssl","jetty.keystore") 'ruta al archivo keystore
    'ssl.SetKeyStorePath(File.DirApp,"jetty.keystore") 'ruta al archivo keystore
    ssl.KeyStorePassword = "xxx"
    'ssl.KeyManagerPassword = ""
    '
    ServerX.SetSslConfiguration(ssl,SslPuerto)
    '
    'añadir filtro para  redireccionar todo el trafico desde http a https (opcional)
    'ServerX.AddFilter("/*", "HttpsFilter",False)
    '
End Sub

 

[OliverA]

What is SslPuerto set to?

 

[OliverA]

Did you register the certificate for www.server.com?

 

[Omar Moreno]

The port that is used is: 443.
If you register the correct domain, server.com is an example.
When we paste the CSR file into Goddaddy, the correct domain name appears but the (www) was not used in the creation of the domain, that is, www is never used in any step.

 

[Omar Moreno]

It occurred to me to verify the advanced configuration of the browser and this came out:
This server could not prove that your domain is server.com,
your security certificate comes from server2.com.
This problem may be due to incorrect configuration or
that an attacker has intercepted the connection.

I asked the administrator and it turns out that with a single IP they are configuring several domains and their respective SSL certificates
they will verify the outputs by IP or SNI.

Well, I'll wait to see if that was the problem.

Thank you.

 

[OliverA]

The port that is used is: 443

That’s why port 8081 gives you an error. For Jetty, only one port at a time can do SSL. All other ports are non-SSL.