java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 10 16:58:18 EST 2015


Jonathan Anctil

Dec 11, 2015, 10:29:07 AM
to ddf-dev...@googlegroups.com
Hi,

I'm not a certificate expert, but it looks like this morning the certificates in our environment (DDF 2.6.1) have expired! 

Which tool are you using to generate those certificates? And how to replace/refresh it?

Thanks

Keith Wire

Dec 11, 2015, 10:37:47 AM
to Jonathan Anctil, ddf-developers
We are working on getting some new certs generated that should suffer from this issue for a while.  Expect some information from Scott shortly.

In the meantime you could use the CertNew.sh & CertSwap.sh scripts to create a new certificate to replace the existing one.



—Keith

From: <ddf-dev...@googlegroups.com> on behalf of Jonathan Anctil <jonatha...@gmail.com>
Date: Friday, December 11, 2015 at 8:29 AM
To: ddf-developers <ddf-dev...@googlegroups.com>
Subject: java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 10 16:58:18 EST 2015

Hi,

I'm not a certificate expert, but it looks like this morning the certificates in our environment have expired! 

Which tool are you using to generate those certificates? And how to replace/refresh it?

Thanks


Aaron Hoffer

Dec 11, 2015, 10:52:17 AM
to ddf-dev...@googlegroups.com
Here are some quickie instructions to get you up and running in the short-term. It puts a valid certificate for "localhost" into your keystore.
  1. Copy the attached file (localhost.jks) to your etc/keystores directory under your DDF home directory.
  2. Open a terminal and change the etc/keystores directory
  3. Execute this command: 

    keytool -importkeystore -srckeystore  localhost.jks -destkeystore serverKeystore.jks  -deststoretype JKS -alias localhost -srcstorepass changeit -deststorepass changeit


  4. When prompted to overwrite existing key, select yes.

  5. Start DDF.

  6. You are ready to go. Try logging into the admin console to verify it worked.

localhost.jks
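
Added example, not part of the original thread: a check to go with step 6 that lists the keystore aliases whose certificate is already past its NotAfter date, by parsing `keytool -list -v` output. It assumes English-locale keytool output and GNU `date`; the sample listing and the function names `expired_aliases` and `check_keystore` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find expired certificates in a keystore.
# Assumes English-locale `keytool -list -v` output and GNU date (`date -d`).

# Constructed sample listing, trimmed to the lines the parser reads.
SAMPLE_LISTING='Alias name: localhost
Entry type: PrivateKeyEntry
Valid from: Wed Dec 10 16:58:18 EST 2014 until: Thu Dec 10 16:58:18 EST 2015
Alias name: demo-renewed
Entry type: PrivateKeyEntry
Valid from: Fri Dec 11 09:00:00 EST 2015 until: Mon Dec 08 09:00:00 EST 2025'

# expired_aliases NOW_EPOCH   (listing on stdin)
# Prints each alias once if any certificate under it has "until:" <= NOW_EPOCH.
expired_aliases() {
  local now=$1 line alias='' reported='' until_str until_epoch
  while IFS= read -r line; do
    case $line in
      'Alias name: '*)
        alias=${line#Alias name: } ;;
      *'Valid from: '*' until: '*)
        until_str=${line##* until: }
        until_epoch=$(date -d "$until_str" +%s) || return 2   # unparseable date
        if [ "$until_epoch" -le "$now" ] && [ "$alias" != "$reported" ]; then
          printf '%s\n' "$alias"
          reported=$alias
        fi ;;
    esac
  done
}

# check_keystore FILE STOREPASS: run the check against a real keystore.
check_keystore() {
  keytool -list -v -keystore "$1" -storepass "$2" | expired_aliases "$(date +%s)"
}

# Demo on the sample, with a constructed reference time of Dec 11, 2015.
printf '%s\n' "$SAMPLE_LISTING" |
  expired_aliases "$(date -d 'Fri Dec 11 10:29:07 EST 2015' +%s)"
```

Run from `$DDF_HOME/etc/keystores`, `check_keystore serverKeystore.jks changeit` prints nothing when no certificate in the keystore has expired.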

Jonathan Anctil

Dec 11, 2015, 11:08:57 AM
to ddf-developers
Thanks Aaron,

What do you mean by «Open a terminal and change the etc/keystores directory»?

On Friday, December 11, 2015 at 10:52:17 AM UTC-5, Aaron Hoffer wrote:
Here are some quickie instructions to get you up and running in the short-term. It puts a valid certificate for "localhost" into your keystore.
  1. Copy the attached file (localhost.jks) to your etc/keystores directory under your DDF home directory.
  2. Open a terminal and change the etc/keystores directory
  3. Execute this command:

    keytool -importkeystore -srckeystore serverKeystore.jks -destkeystore localhost.jks  -deststoretype JKS -alias localhost -srcstorepass changeit -deststorepass changeit

  4. Start DDF

Aaron Hoffer

Dec 11, 2015, 11:13:44 AM
to ddf-dev...@googlegroups.com
See attached image. "Terminal" could also be called "console", "shell" or "command shell", or "prompt".

Also, thanks to Steve Majeski for pointing out a copy and paste error in the command. I have edited my earlier post to correct the error.
I had the keystores reversed on the command line. It would have corrupted the localhost file you downloaded.
Screen Shot 2015-12-11 at 9.10.08 AM.png

Jonathan Anctil

Dec 11, 2015, 11:30:53 AM
to ddf-developers
hahaha I know what a console is, it was just not clear if I need to execute the command in the etc/keystores directory.

I tried the steps you gave to me but I still have the same error.

Aaron Hoffer

Dec 11, 2015, 11:50:06 AM
to ddf-developers
Yes, execute the command in the etc/keystores directory.

Also, it seems I'm having a bit of a bad morning. 
I uploaded a bad localhost.jks file. 
I have updated my original post with the correct file. 
Please download it. 

Keith Wire

Dec 11, 2015, 11:51:26 AM
to Aaron Hoffer, ddf-developers
To be clear the path would be $DDF_HOME/etc/keystores. Those directories reside under the root DDF directory.

—Keith

From: <ddf-dev...@googlegroups.com> on behalf of Aaron Hoffer <aaron....@connexta.com>
Date: Friday, December 11, 2015 at 9:50 AM
To: ddf-developers <ddf-dev...@googlegroups.com>
--

Scott Tustison

Dec 11, 2015, 12:27:23 PM
to ddf-developers, aaron....@connexta.com
I'm currently running through the DDF itests and expect to be pushing up some new certs to master within the next hour or so. As soon as that is done, you can simply pull them down for any 2.8.x release that you're trying to run. I will also be looking into back porting them to 2.8.x, but it impacts many unit/itests so we will see how that goes.

Scott

Jonathan Anctil

Dec 11, 2015, 1:47:15 PM
to ddf-developers, aaron....@connexta.com
Aaron,

Finally, it works. I've restarted my DDF installation from scratch and I've re-executed the steps.

Thanks a lot!

Sunny Sun

Dec 14, 2015, 4:52:54 PM
to ddf-developers
Hello,

I am using Windows 7 command console.

I have the same "Certification Error" issue. I followed the steps and I got the 'keytool' is not recognized as an internal or external command, operable program or batch file after trying to run "keytool -importkeystore -srckeystore  localhost.jks -destkeystore serverKeystore.jks  -deststoretype JKS -alias localhost -srcstorepass changeit -deststorepass changeit".

Did I miss any step?

Please advise. Thanks.

Sunny

R.A. Porter

Dec 14, 2015, 4:55:19 PM
to ddf-developers
Sunny,

The certificates in DDF were updated on Friday. If you pull the latest from master, you'll have the updated certificates.

-Richard

Jeff Vettraino

Dec 14, 2015, 5:14:52 PM
to Sunny Sun, ddf-developers

Hi Sunny, just wanted to provide you some insight on the keytool error you were getting below. As mentioned before if you download the latest certs you won’t need to do this step.

You are having this problem because keytool is not in your path (this command lives in the JAVA_HOME/bin directory). So you can add JAVA_HOME/bin to your path, or if JAVA_HOME is set as an env variable you can do $JAVA_HOME/bin/keytool from the command line, or you can just put the complete path in the command line when you execute the keytool command.


From: ddf-dev...@googlegroups.com [mailto:ddf-dev...@googlegroups.com] On Behalf Of Sunny Sun
Sent: Monday, December 14, 2015 1:53 PM
To: ddf-developers <ddf-dev...@googlegroups.com>
Subject: Re: java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 10 16:58:18 EST 2015


Hello,

I am using Windows 7 command console.

I have the same "Certification Error" issue. I followed the steps and I got the 'keytool' is not recognized as an internal or external command, operable program or batch file after trying to run "keytool -importkeystore -srckeystore  localhost.jks -destkeystore serverKeystore.jks  -deststoretype JKS -alias localhost -srcstorepass changeit -deststorepass changeit".

Did I miss any step?

Please advise. Thanks.

Sunny

On Friday, December 11, 2015 at 10:52:17 AM UTC-5, Aaron Hoffer wrote:

Here are some quickie instructions to get you up and running in the short-term. It puts a valid certificate for "localhost" into your keystore.

  1. Copy the attached file (localhost.jks) to your etc/keystores directory under your DDF home directory.
  2. Open a terminal and change the etc/keystores directory
  3. Execute this command:

    keytool -importkeystore -srckeystore  localhost.jks -destkeystore serverKeystore.jks  -deststoretype JKS -alias localhost -srcstorepass changeit -deststorepass changeit

  4. When prompted to overwrite existing key, select yes.

  5. Start DDF.

  6. You are ready to go. Try logging into the admin console to verify it worked.
