Skip to first unread message
Ulrich Mayring
Jul 12, 2017, 5:39:58 PM7/12/17
to Payara Forum
I've noticed that Payara comes with its own cacerts file located in {domaindir}/config/cacerts.jks
I've listed the contents of this file and found that it contains neither the Letsencrypt CA nor the Identrust CA, which cross-signs the intermediate certificates for Letsencrypt:
No output here. Whereas if I list the cacerts file that is included in the JDK 1.8.0_131-b12:
So Payara trusts different CAs than the JDK. What is the recommended course of action here? I don't really want to add all missing CAs from the JDK to Payara, rather I'd prefer to tell Payara to trust whoever the JDK trusts. Is that possible?
I did a quick test and replaced Payara's file with the JDK one and found that I can then connect to an SSL server that uses a Letsencrypt certificate, which wasn't possible before. However, I also lose the ability to log in to the Payara admin console, most likely because Payara's own CA is not included in the JDK.
Many thanks in advance for any pointers,
Ulrich
I've listed the contents of this file and found that it contains neither the Letsencrypt CA nor the Identrust CA, which cross-signs the intermediate certificates for Letsencrypt:
keytool -keystore /opt/payara-4.1.2.172/glassfish/domains/domain1/config/cacerts.jks -storepass changeit -list|grep -iE 'identrust|isrg'
No output here. Whereas if I list the cacerts file that is included in the JDK 1.8.0_131-b12:
keytool -keystore /etc/pki/java/cacerts -storepass changeit -list|grep -iE 'identrust|isrg'
isrgrootx1, Jun 30, 2017, trustedCertEntry,
identrustcommercialrootca1, Jun 30, 2017, trustedCertEntry,
identrustpublicsectorrootca1, Jun 30, 2017, trustedCertEntry,
So Payara trusts different CAs than the JDK. What is the recommended course of action here? I don't really want to add all missing CAs from the JDK to Payara, rather I'd prefer to tell Payara to trust whoever the JDK trusts. Is that possible?
I did a quick test and replaced Payara's file with the JDK one and found that I can then connect to an SSL server that uses a Letsencrypt certificate, which wasn't possible before. However, I also lose the ability to log in to the Payara admin console, most likely because Payara's own CA is not included in the JDK.
Many thanks in advance for any pointers,
Ulrich
Mike Croft
Jul 18, 2017, 10:24:15 AM7/18/17
to Payara Forum
Hi Ulrich,
Just to let you know, we're looking at this now under internal issue PAYARA-1864.
Peter Ondruška
Jul 18, 2017, 1:11:29 PM7/18/17
to Payara Forum
Well, I think it is matter of personal/policy preference. In my case I rather start with an empty certificate store for application server and adding only those I explicitly trust. p.
--
You received this message because you are subscribed to the Google Groups "Payara Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to payara-forum+unsubscribe@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/payara-forum/ac2eb452-440d-4324-9c3f-679be48f31f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Peter Ondruška
kaibo, s.r.o., ID 28435036, registered with the commercial register administered by the Municipal Court in Prague, section C, insert 141269.
Registered office and postal address: kaibo, s.r.o., Kališnická 379/10, Prague 3, 130 00, Czech Republic.
https://www.kaibo.eu
Jérôme Ky
Sep 8, 2017, 2:07:05 AM9/8/17
to Payara Forum
Hi Mike,
Any news about that ?
I also have the same issue.
Regards,
Jerome.
Reply all
Reply to author
Forward
0 new messages