Problem while changing certificates on payara-server


theirman

Jan 10, 2020, 11:36:13 AM
to Payara Forum
Hello,
My company changed its name on January 1st and with it all our URLs changed. Today, I updated the security certificate of my server by following this doc: https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate
But on reboot nothing works anymore, neither the administration web console nor my web services.

Here's what I did:


su payara
cd /apps/payara/appserver/glassfish/domains/production/config/
keytool -delete -alias production_certificate -keystore keystore.jks
keytool -delete -alias production_certificate -keystore cacerts.jks
openssl pkcs12 -export -in new_certificate.crt -inkey new_certificate.key -out new_certificate.p12 -name production_certificate
keytool -importkeystore -destkeystore keystore.jks -srckeystore new_certificate.p12 -srcstoretype PKCS12 -alias production_certificate
keytool -importcert -trustcacerts -destkeystore cacerts.jks -file new_certificate.crt -alias production_certificate



Then the Payara reboot traces:


[root@payara-server ~]$ sudo /apps/payara/appserver/bin/asadmin start-domain
Waiting for production to start ...........
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

[root@payara-server ~]$ sudo /apps/payara/appserver/bin/asadmin stop-domain
NCLS-ADMIN-00010
NCLS-ADMIN-00010
CLI306: Warning - The server located at /data/apps/payara/appserver/glassfish/domains/production is not running.
No domains are currently running.
Command stop-domain failed.



Finally, the contents of the server.log file


[2020-01-10T17:25:30.473+0100] [] [INFOS] [NCLS-GFLAUNCHER-00005] [javax.enterprise.launcher] [tid: _ThreadID=1 _ThreadName=main] [timeMillis: 1578673530473] [levelValue: 800] [[
  JVM invocation command line:
/usr/lib/jvm/zulu-11/bin/java
-cp
/data/apps/payara/appserver/glassfish/modules/glassfish.jar
-XX:+UnlockDiagnosticVMOptions
--add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED
--add-opens=java.base/java.nio=ALL-UNNAMED
--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED
--add-opens=java.management/sun.management=ALL-UNNAMED
--add-opens=java.base/jdk.internal.loader=ALL-UNNAMED
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED
--add-exports=java.base/jdk.internal.ref=ALL-UNNAMED
-XX:MetaspaceSize=256m
-XX:+UseStringDeduplication
-XX:MaxMetaspaceSize=2g
-XX:+UseG1GC
-XX:MaxGCPauseMillis=500
-Xbootclasspath/a:/data/apps/payara/appserver/glassfish/lib/grizzly-npn-api.jar
-javaagent:/data/apps/payara/appserver/glassfish/lib/monitor/flashlight-agent.jar
-Djava.security.auth.login.config=/data/apps/payara/appserver/glassfish/domains/production/config/login.conf
-Djavax.net.ssl.trustStore=/data/apps/payara/appserver/glassfish/domains/production/config/cacerts.jks
-Dorg.glassfish.grizzly.DEFAULT_MEMORY_MANAGER=org.glassfish.grizzly.memory.HeapMemoryManager
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-Djdk.corba.allowOutputStreamSubclass=true
-Dcom.sun.aas.instanceRoot=/data/apps/payara/appserver/glassfish/domains/production
-Dcom.sun.aas.installRoot=/data/apps/payara/appserver/glassfish
-Djava.security.policy=/data/apps/payara/appserver/glassfish/domains/production/config/server.policy
-Dorg.jboss.weld.serialization.beanIdentifierIndexOptimization=false
-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory-DANTLR_USE_DIRECT_CLASS_LOADING=true
-Djava.awt.headless=true
-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver
-Dorg.glassfish.grizzly.nio.DefaultSelectorHandler.force-selector-spin-detection=true
-Djavax.net.ssl.keyStore=/data/apps/payara/appserver/glassfish/domains/production/config/keystore.jks
-Djava.library.path=/data/apps/payara/appserver/glassfish/lib:/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib
com.sun.enterprise.glassfish.bootstrap.ASMain
-upgrade
false
-domaindir
/data/apps/payara/appserver/glassfish/domains/production
-read-stdin
true
-asadmin-args
--host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=false,,,--echo=false,,,--interactive=true,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,/data/apps/payara/appserver/glassfish/domains,,,production
-domainname
production
-instancename
server
-type
DAS
-verbose
false
-asadmin-classpath
/apps/payara/appserver/glassfish/lib/client/appserver-cli.jar
-debug
false
-asadmin-classname
com.sun.enterprise.admin.cli.AdminMain
-watchdog
false]]



Would someone mind telling me what the problem is that I'm having?
Thank you
Thierry


Kanail Laurent

Jan 11, 2020, 3:07:16 AM
to Payara Forum
I'm not an expert, so be careful, but maybe by deleting the temp directory?

Vincent Lee

Jan 11, 2020, 5:06:38 AM
to theirman, Payara Forum
Hi Thierry,

Have you tried restoring the old cert to see if it works?

Vincent

theirman

Jan 13, 2020, 2:34:06 AM
to Payara Forum
Thank you Laurent for your answer,
Indeed, deleting the temp directory could have been the solution. I just tested it, it doesn't change anything.

theirman

Jan 13, 2020, 2:34:31 AM
to Payara Forum
Thank you Vincent for your answer,
Seeing that the new certificate wasn't working, I went back and reapplied the old one. And it worked without a hitch... on our server's old URL.
The new one, on the other hand, still appears to be "not secure"
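
Added example, not part of the thread and not the posters' or Payara's own code: checks that can be run on a replacement certificate and key before they are packed into a PKCS12 file and imported as in the first post. The function names, the sample file names and the host names new.example.test and old.example.test are constructed for illustration; the sample pair is a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example: pre-import checks for a replacement TLS certificate.
# Function, file and host names are placeholders, not values from the thread.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate's SAN (or its CN when no SAN is present) covers the host.
cert_covers_host() {  # $1 = certificate (PEM), $2 = host name clients will use
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# True when the certificate's notAfter date has not passed yet.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# True when the alias in a Java keystore holds a private key and not only a
# trusted certificate. keytool prompts for the store password.
keystore_alias_has_key() {  # $1 = keystore file, $2 = alias
    keytool -list -keystore "$1" -alias "$2" | grep -q 'PrivateKeyEntry'
}

# Runs the certificate checks; the return value is the number of failed checks.
preflight() {  # $1 = certificate, $2 = private key, $3 = host name
    fails=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; fails=$((fails + 1)); }
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3"; fails=$((fails + 1)); }
    cert_not_expired "$1" || { echo "FAIL: certificate has expired"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: certificate is usable for $3"
    return "$fails"
}

# Constructed throwaway pair so the checks can be tried offline.
make_sample_pair() {  # $1 = directory, $2 = host name to put in the certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Demo on constructed data: the second call reports a host name mismatch.
tmp=$(mktemp -d)
make_sample_pair "$tmp" new.example.test
preflight "$tmp/sample.crt" "$tmp/sample.key" new.example.test
preflight "$tmp/sample.crt" "$tmp/sample.key" old.example.test || true
rm -rf "$tmp"
```

After the import, keystore_alias_has_key can be pointed at keystore.jks with the alias used in the keytool commands to confirm that the entry carries the private key.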