Hello I'm having some trouble with ssl certs.
I would like to know if the problem is with the client to davmail cert or the davmail to exchange cert.
I'm using certbot certs. These are the commands that I'm using to translate the certs into p12 and JKS formats:
openssl pkcs12 -export -in /etc/letsencrypt/live/davmail.juan-carlos.info/cert.pem \
    -inkey /etc/letsencrypt/live/davmail.juan-carlos.info/privkey.pem \
    -certfile /etc/letsencrypt/live/davmail.juan-carlos.info/chain.pem \
    -out /usr/lib/ssl/certs/davmail.juan-carlos.info.p12 \
    -password pass:PASSWORD
JKS
keytool -import -alias davmail.juan-carlos.info \
    -keystore /usr/lib/ssl/certs/keystore.jks -trustcacerts \
    -file /etc/letsencrypt/live/davmail.juan-carlos.info/cert.pem \
    -storepass PASSWORD -noprompt
These are the errors that I get when trying to connect:
2017-02-28 03:35:06,242 DEBUG [davmail.pop.PopServer] davmail - Connection from /209.85.223.131 on port 995
2017-02-28 03:35:06,561 INFO [PopConnection-33391] org.apache.commons.httpclient.auth.AuthChallengeProcessor - ntlm authentication scheme selected
2017-02-28 03:35:06,569 INFO [PopConnection-33391] org.apache.commons.httpclient.HttpMethodDirector - No credentials available for NTLM <any realm>@sync.ait.ac.at:443
2017-02-28 03:35:06,570 DEBUG [PopConnection-33391] davmail.exchange.ExchangeSession - Test configuration status: 401
2017-02-28 03:35:06,572 DEBUG [PopConnection-33391] davmail - > +OK DavMail 4.7.2-2427 POP ready at Tue Feb 28 03:35:06 CET 2017
2017-02-28 03:35:06,602 ERROR [PopConnection-33391] davmail - no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:291)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1007)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:724)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at davmail.AbstractConnection.sendClient(AbstractConnection.java:182)
at davmail.pop.PopConnection.sendOK(PopConnection.java:293)
at davmail.pop.PopConnection.run(PopConnection.java:98)
2017-02-28 03:35:06,612 DEBUG [PopConnection-33391] davmail - > -ERR no cipher suites in common
2017-02-28 03:35:06,614 DEBUG [PopConnection-33391] davmail - Exception sending error to client Connection has been shutdown: javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1509)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1521)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at davmail.AbstractConnection.sendClient(AbstractConnection.java:182)
at davmail.pop.PopConnection.sendERR(PopConnection.java:305)
at davmail.pop.PopConnection.run(PopConnection.java:282)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:291)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1007)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:724)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at davmail.AbstractConnection.sendClient(AbstractConnection.java:182)
at davmail.pop.PopConnection.sendOK(PopConnection.java:293)
at davmail.pop.PopConnection.run(PopConnection.java:98)
2017-02-28 03:35:06,628 DEBUG [PopConnection-33391] davmail - Exception closing client output stream Socket is closed
java.net.SocketException: Socket is closed
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1500)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1521)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.close(FilterOutputStream.java:158)
at davmail.AbstractConnection.close(AbstractConnection.java:258)
at davmail.pop.PopConnection.run(PopConnection.java:287)
2017-02-28 03:50:40,830 DEBUG [davmail.caldav.CaldavServer] davmail - Connection from /139.162.34.160 on port 1080
2017-02-28 03:50:56,211 DEBUG [davmail.caldav.CaldavServer] davmail - Connection from /139.162.34.160 on port 1080
2017-02-28 03:50:56,217 DEBUG [CaldavConnection-42356] davmail - <
I found the solution.
To correctly import certs from certbot into the Java keystore you have to follow this procedure:
https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm
Application servers like Jetty, Glassfish or Tomcat need a keystore (.jks) in order to properly handle the certificates. These three simple steps will create a valid keystore file for your application server using the Let's Encrypt service. Have fun, be encrypted!
1) Create keys
./letsencrypt-auto certonly --standalone -d DOMAIN.TLD -d DOMAIN_2.TLD --email EMAIL@EMAIL.TLD
Change to the directory (probably /etc/letsencrypt/live/DOMAIN.tld) where the certificates were created.
2) Create a PKCS12 file containing full chain and private key
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name NAME
3) Convert PKCS12 to Keystore
The STORE_PASS is the password which was entered in step 2) as a password for the pkcs12 file.
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
If you happen to get a java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded, you have probably forgotten to enter the correct password from step 2.
References
https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677
http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i
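Added example, not from this thread, from DavMail or from the linked page: a POSIX shell script that runs steps 2 and 3 above against a throwaway self-signed key and certificate (generated here to stand in for privkey.pem and fullchain.pem), then uses keytool -list to check what kind of entry the keystore holds. The alias, passwords and working directory are placeholders. For comparison it also reproduces the single-certificate import from the question, so the difference between a PrivateKeyEntry and a trustedCertEntry is visible. A server-side keystore such as DavMail's for port 995 needs the former: when the keystore holds only a certificate, the JSSE server has no private key to offer for any cipher suite and the handshake fails with exactly "no cipher suites in common".

```shell
#!/bin/sh
# Added example (not from the thread, DavMail or the linked article).
# Builds a JKS from a key + full chain the way steps 2 and 3 do, then checks
# the entry type keytool reports. Requires openssl and keytool on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/jks-demo.$$"   # placeholder working directory
ALIAS="davmail"                      # placeholder alias (NAME in the procedure)
STOREPASS="demo-store-pass"          # placeholder, stands in for STORE_PASS / PASSWORD_STORE
KEYPASS="demo-key-pass"              # placeholder, stands in for PASSWORD_KEYPASS

# Constructed input: a throwaway self-signed key and certificate that play the
# role of privkey.pem and fullchain.pem from /etc/letsencrypt/live/DOMAIN.TLD.
make_demo_cert() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=davmail.example.test" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
}

# Step 2: PKCS12 that contains the full chain AND the private key.
build_p12() {
    openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
        -name "$ALIAS" -out "$WORK/pkcs.p12" -passout "pass:$STOREPASS"
}

# Step 3: import the whole PKCS12 entry (key + chain) into a JKS.
convert_to_jks() {
    rm -f "$WORK/keystore.jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/pkcs.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$WORK/keystore.jks" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$KEYPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# What the command in the question does instead: import only the certificate
# file as a trusted cert. No private key ever enters the keystore.
import_cert_only() {
    rm -f "$WORK/keystore.jks"
    keytool -import -noprompt -trustcacerts -alias "$ALIAS" \
        -file "$WORK/fullchain.pem" -keystore "$WORK/keystore.jks" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# The check: report the entry type for the alias.
# PrivateKeyEntry  -> usable by a TLS server (DavMail can serve port 995 with it)
# trustedCertEntry -> certificate only; JSSE has no key, "no cipher suites in common"
entry_type() {
    out=$(keytool -list -keystore "$WORK/keystore.jks" \
        -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null)
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

# Stand-alone run: `sh this_script.sh run` shows both outcomes side by side.
if [ "${1:-}" = "run" ]; then
    make_demo_cert
    build_p12
    convert_to_jks
    echo "importkeystore from PKCS12: $(entry_type)"   # PrivateKeyEntry
    import_cert_only
    echo "import -file cert.pem only: $(entry_type)"   # trustedCertEntry
    rm -rf "$WORK"
fi
```

Run `keytool -list` the same way against the real keystore before pointing DavMail at it: if the alias shows trustedCertEntry, the key was never imported and the POP/IMAP listeners will fail the handshake for every client. DavMail then needs the keystore path, the store password and the key password in its settings; with a JKS the two passwords may differ, as they do above. If step 3 fails with the BadPaddingException mentioned in the answer, the PKCS12 password is wrong; with OpenSSL 3, which encrypts PKCS12 files with AES-256-CBC and PBKDF2 by default, an old keytool can also fail to read the file until the JDK is updated.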
Thanks for your feedback.