Setting up SSL in Dropwizard


Sanchit Khattry

Jan 26, 2016, 3:21:00 AM
to dropwizard-user

I am trying to set up SSL in my Dropwizard server. I have got my SSL from GoDaddy and have received a couple of files from them namely:

  1. gd_bundle-g2-g1.crt
  2. b78*********.crt (basically a file named like a random string)

I have added the gd_bundle-g2-g1.crt certificate with alias root in my keystore and have added the other one with my domain alias.

My .yml configuration file looks like this: (I have just pasted the relevant section of the .yml file)


server:
  applicationConnectors:
  - type: http
    port: 8080
  - type: https
    port: 8443
    keyStorePath: keystore/myKeyStore.jks
    keyStorePassword: "myPassword"
    validateCerts: true

  adminConnectors:
  - type: http
    port: 8081


The problem is that whenever I am trying to launch my server I am receiving the following error:

java.lang.IllegalStateException: Unable to retrieve certificate chain

When I set validateCerts to false in the .yml above then, for obvious reasons, this error goes away, but when I try to access the URL I get a "Connection closed" error.
I seem to be stuck real bad. My server is working perfectly with http but https just doesn't work! :( Given my end goal of making https work and my current scenario, I have the following questions:

  1. Am I handling the certificate files incorrectly?
  2. Is there something missing in my .yml file that needs to be added or is there something wrong there?
  3. Or is it something that I am missing from this picture altogether?

Appreciate your help! :-)

PS: I have asked the same question on Stack Overflow and followed the comment by Austin, but even that didn't seem to work.


Rishab R Bafna

Apr 1, 2017, 8:20:32 AM
to dropwizard-user
Hey Sanchit! Even I am facing the same issue: my server is not listening on the port for https but runs perfectly on localhost. Any insights on it?

Douglas Patriarche

Apr 2, 2017, 2:59:33 PM
to dropwizard-user
My guess is that you didn't create the keystore file properly. I can't say what might have gone wrong there, but what I would suggest is to check your server config with a known-good keystore first, and then, if you're really wedded to using the GoDaddy cert, you can go back and try to fix that. I suggest you use a free LetsEncrypt cert first. Follow these instructions to convert your LE cert to a Java keystore file.


My company's servers use LE certs following the above process, so I can confirm that it works fine. Honestly, now that free SSL certs are available from LetsEncrypt, with a convenient command line renewal process, I can't see going back to paying for certs.

Good luck!
Doug

Chris Charlton

Apr 14, 2017, 4:51:44 AM
to dropwizard-user
Hi Sanchit,
I'd agree with Douglas - I tried to get SSL working with GoDaddy's certs and just couldn't get it working. When I went to LetsEncrypt it all worked much more cleanly and the instructions also worked. I'm now hosting successfully using SSL on an AWS instance using LetsEncrypt certs. The script I developed to process the certs into my keystore (if it helps) is as follows:

#!/bin/sh
# Download and then run Let's Encrypt's certbot to generate the certs.
# Note that port 443 redirection needs to be switched off temporarily - this is a
# feature of my AWS instance and may not be required for you, but you might need to
# turn off any redirection you have enabled to allow certbot to work.
sudo iptables -t nat -L --line-numbers    # list the NAT rules with their line numbers
sudo iptables -t nat -D PREROUTING 2      # delete the 443 -> 8443 redirect (choose the right line number)

./certbot-auto certonly -w . -d schej.co.uk -d www.schej.co.uk
# certbot will put the certs somewhere, so read the logs. Copy the certs from that
# location to a new folder, and cd to it. From there, run:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name dw -caname root
# The passwords asked for are new ones to create and secure the store.

keytool -importkeystore -deststorepass YourMasterPassword -destkeypass YourMasterPassword -destkeystore MyKeystore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -alias dw
# This creates the new store, using the password from the step above (the source
# file is the .p12 openssl just wrote); change 'MyKeystore' and 'YourMasterPassword' as necessary.

keytool -import -trustcacerts -alias root -file fullchain.pem -keystore MyKeystore.jks
# This adds the cert chain back in - SSL should now be set up.

sudo iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443    # put the redirect back in after certbot has run

Chris

couto.gu...@gmail.com

Apr 24, 2017, 12:49:08 PM
to dropwizard-user

Hi, I have another way to solve it on Linux. http://stackoverflow.com/a/43593650/1378817


For others who come after: I solved this problem on Dropwizard/Linux in another way.

First generate your keys:

 keytool -genkey -alias <aliasname> -keyalg RSA -keystore keystore.jks -keysize 2048

Then generate your CSR:

 keytool -certreq -alias <aliasname> -file csr.txt -keystore keystore.jks

Open your csr.txt and copy all of its content. Go to GoDaddy, paste it, and download the two .crt files as "Other".

Then concatenate the contents of b78*********.crt and gd_bundle-g2-g1.crt (make sure that the contents of the b78*********.crt are before the other file). Let's refer to that file as all_combined.crt from now.

Finally combine your trust certs with your .jks:

keytool -import -trustcacerts -keystore keystore.jks -storepass <keystorepassword> -alias <aliasname> -file all_combined.crt

Then in your .yml file put this:

  applicationConnectors:
  - type: http
    port: 8080
  - type: https
    port: 8443
    keyStorePath: keystore.jks
    keyStorePassword: <keystorepassword>
    keyStoreType: JKS
    supportedProtocols: [TLSv1, TLSv1.1, TLSv1.2]
That is it, have fun! 
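An added lab script to go with the two recipes above (my own addition, not code from Chris, couto, Dropwizard, Let's Encrypt or GoDaddy). It follows Douglas's advice of testing the connector against a known-good keystore first: it builds a throwaway root -> intermediate -> leaf chain with openssl, standing in for the CA, loads the leaf together with its issuing chain into one JKS by both routes described in this thread (Chris's PKCS12 route under alias dw, couto's keytool CSR route under alias gd), and reads back the "Certificate chain length" keytool reports for each key entry. Every path, the aliases, the host name dw.example.test and the store password are constructed lab values, and the script assumes openssl and keytool are on PATH.

```shell
#!/bin/sh
# Added lab script, not code from the thread. Builds a throwaway
# root -> intermediate -> leaf chain (standing in for GoDaddy / Let's Encrypt),
# loads the leaf WITH its issuing chain into a JKS by both routes in the thread,
# and reads back the chain length of each key entry. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-lab-only-password}"   # constructed lab password
HOST="dw.example.test"                        # constructed lab host name
JKS="$WORK/keystore.jks"

# sign_with_ca <csr> <ca.crt> <ca.key> <ext-file> <out.crt>
sign_with_ca() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$4" -out "$5" 2>/dev/null
}

make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

  # Self-signed root
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Lab Root CA" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate signed by the root (the role gd_bundle-g2-g1.crt plays for GoDaddy)
  openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Lab Intermediate CA" -out "$WORK/int.csr"
  sign_with_ca "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext" "$WORK/int.crt"

  # Server leaf with its own key, signed by the intermediate
  openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/privkey.pem" -subj "/CN=$HOST" -out "$WORK/leaf.csr"
  sign_with_ca "$WORK/leaf.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/cert.pem"

  # Leaf first, then the issuer: the same order as Let's Encrypt's fullchain.pem
  cat "$WORK/cert.pem" "$WORK/int.crt" > "$WORK/fullchain.pem"
}

# Route A (Chris): PKCS12 from key + full chain, then keytool -importkeystore.
build_via_pkcs12() {
  openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
    -name dw -out "$WORK/fullchain_and_key.p12" -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/fullchain_and_key.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$JKS" -deststoretype JKS -deststorepass "$STOREPASS" \
    -destkeypass "$STOREPASS" -alias dw
}

# Route B (couto): key pair created inside the JKS, CSR signed by the CA, then
# leaf + bundle imported under the SAME alias as the key pair.
build_via_csr() {
  keytool -genkeypair -alias gd -keyalg RSA -keysize 2048 -dname "CN=$HOST" \
    -keystore "$JKS" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias gd -file "$WORK/gd.csr" -keystore "$JKS" -storepass "$STOREPASS"
  sign_with_ca "$WORK/gd.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/gd_leaf.crt"
  # Leaf before the bundle, as the thread stresses
  cat "$WORK/gd_leaf.crt" "$WORK/int.crt" > "$WORK/all_combined.crt"
  # Trust the lab root first so keytool can anchor the reply chain without prompting
  keytool -importcert -noprompt -alias root -file "$WORK/root.crt" \
    -keystore "$JKS" -storepass "$STOREPASS"
  keytool -importcert -noprompt -trustcacerts -alias gd -file "$WORK/all_combined.crt" \
    -keystore "$JKS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Chain length keytool reports for a PrivateKeyEntry (empty for a trustedCertEntry)
chain_length() {
  keytool -list -v -keystore "$JKS" -storepass "$STOREPASS" -alias "$1" \
    | sed -n 's/^Certificate chain length: //p'
}

# Independent check with openssl that the leaf really chains to the root
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/cert.pem"
}

main() {
  make_test_chain
  build_via_pkcs12
  build_via_csr
  echo "keystore: $JKS"
  echo "dw chain length: $(chain_length dw)"
  echo "gd chain length: $(chain_length gd)"
  verify_leaf
}
if [ "${RUN_LAB:-0}" = "1" ]; then main; fi
```

Run it with RUN_LAB=1 sh lab_keystore.sh, then point keyStorePath and keyStorePassword in the .yml at the keystore it prints to confirm the https connector starts with a keystore that is known to be good. The figure to look at in keytool -list -v is the chain length of the entry under your domain alias: 2 or more means the key pair carries the leaf and its intermediate; a chain length of 1, or an entry of type trustedCertEntry under that alias, means the certificate was imported as a bare trusted cert instead of being attached to the key pair, which is the state to avoid before going back to the real GoDaddy files.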