[2.1.1 Scala] SSL certificates in production


Byron Weber Becker

Jun 21, 2013, 9:56:03 AM
to play-fr...@googlegroups.com
I'm trying to put a Play app in production for the first time and am having trouble with the SSL certificates.  

I'm starting the application with 
sudo play -Dhttp.port=80 -Dhttps.port=443 \
        -Dhttps.keyStore="conf/blah.crt" \
        -Dhttps.keyStoreType="CRT" \
        start

I've also tried an absolute path for the keyStore.

Leaving off the keyStore parameters causes Play to generate a self-signed certificate when accessed using https.  That's good.  Adding the keyStore parameters causes Safari to say it "can't establish a secure connection" and Chrome to say "The connection to <server> was interrupted."  Play doesn't produce any error messages on the console or logs in spite of setting logger.play=DEBUG in the config files and there being some calls to the logger in NettyServer.scala (where the keyStore stuff is handled).  I can't even provoke an error by giving a blatantly wrong path to the keyStore.  All this suggests to me that the sslContext code in NettyServer isn't being executed when I add -Dhttps.keyStore to the command line. 

Any ideas on what I'm doing wrong?  

This is on a local machine running Ubuntu 12.04.

Byron Weber Becker

Jun 22, 2013, 9:28:03 AM
to play-fr...@googlegroups.com
I'm making progress setting up SSL certificates with Play, but could still use help.

I've created a Java keyStore from my GlobalSign certificates:

#!/bin/bash

pass=aaaaaa
ksName=advising.jks
certs=advising-cert

cat $certs/foo.bar.ca.crt $certs/foo.bar.ca.key >advising-combined.crt

keytool -storepass $pass -importcert \
        -alias root -keystore $ksName \
        -file $certs/globalsign-root.crt

keytool -storepass $pass -importcert \
        -alias intermediate  -keystore $ksName \
        -file $certs/globalsign-intermediate.crt

keytool -storepass $pass -importcert \
        -alias advising -keystore $ksName \
        -file advising-combined.crt



I'm uneasy about simply catting the key and certificate together in the above script.  I saw it at http://help.register.com/app/answers/detail/a_id/3034/~/how-do-i-import-an-openssl-based-generated-private-key-and-certificate-into
Can anyone confirm the validity of that step?

I've put the resulting advising.jks file in conf/certs/advising.jks and start Play with 

sudo play -Dhttp.port=80 -Dhttps.port=443 \
-Dhttps.keyStore="conf/cert/advising.jks" \
-Dhttps.keyStoreType="jks" \
-Dhttps.keyStorePassword="aaaaaa" \
run

Previously Play silently ignored my blatantly wrong attempts, so I moved the loading of the keystore inside an existing try-catch block in NettyServer.scala (see pull #1236) and rebuilt Play.  It now complains if my keystore is blatantly wrong (i.e., my first attempts); it does not complain about the keystore produced as above.

"keytool -list -keystore advising.jks" produces reasonable-looking output.

Nevertheless, Safari says it "can't establish a secure connection to the server", Chrome says "Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.", and Firefox says "Cannot communicate securely with peer: no common encryption algorithm(s).  (Error code: ssl_error_no_cypher_overlap)".

When I run "openssl s_client -showcerts -connect foo.bar.ca:443" it says
CONNECTED(00000003)
20056:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:602:

I have no clue what that means.

When I run "sslscan foo.bar.ca" it reports that every Supported Server Cipher it checks is rejected.

I ran sslscan and openssl with Play using its self-signed certificate.  They both returned reasonable output.

Any guidance on how to proceed would be very welcome.



Tony Marjakangas

Jun 24, 2013, 7:30:43 AM
to play-fr...@googlegroups.com
Hi

Your way of importing the private and public keys will not work.
However you can create a PKCS #12 keystore with openssl and convert that to a java keystore.


Cheers
Tony

Byron Weber Becker

Jul 8, 2013, 1:07:19 PM
to play-fr...@googlegroups.com
Thanks for your pointer, Tony.  With its help I put together the following script, which does the trick:

#!/bin/bash
# Stop at the first failing step instead of carrying on with a half-built keystore.
set -e

# password for the keystore.  This should definitely change and
# shouldn't be stored in the script itself.
pass=aaaaaa

# The name of the java keystore we're creating.
ksName=advising.jks

# Directory containing the certificates.
certs=advising-cert


# Remove old/temporary files (-f so a first run, when they don't exist yet, doesn't fail).
rm -f "$ksName"
rm -f advising.p12 advising_p12.jks

echo "Step 1"
# Bundle the certificate and its private key into PKCS#12 format.
openssl pkcs12 -export -in "$certs/advising.uwaterloo.ca.crt" \
        -inkey "$certs/advising.uwaterloo.ca.key" \
        -password "pass:$pass" \
        -out advising.p12

echo "Step 2"
# Produces a "PrivateKeyEntry" keystore
keytool -importkeystore \
        -srckeystore advising.p12 \
        -srcstoretype pkcs12 \
        -srcstorepass "$pass" \
        -destkeystore advising_p12.jks \
        -deststorepass "$pass"

echo "Step 3"
# Import the root certificate.
keytool -importcert \
        -storepass "$pass" \
        -alias root -keystore "$ksName" \
        -file "$certs/globalsign-root.crt"

echo "Step 4"
# Import the intermediate certificate
keytool -importcert \
        -storepass "$pass" \
        -alias intermediate  -keystore "$ksName" \
        -file "$certs/globalsign-intermediate.crt"

echo "Step 5"
# Import our certificate together with its private key.  The source alias is "1"
# because keytool names the entry that way when the PKCS#12 file carries no friendly name.
keytool -importkeystore \
        -srckeystore advising.p12 \
        -srcstoretype pkcs12 \
        -srcstorepass "$pass" \
        -destkeystore "$ksName" \
        -deststorepass "$pass" \
        -srcalias 1 -destalias advising

# Remove temporary files.
rm -f advising.p12 advising_p12.jks

echo "All done!"
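The reason the first script fails and this one works: keytool -importcert reads only the certificate out of a file, so the private key in the concatenated .crt is silently dropped and the entry becomes a TrustedCertEntry with no key. A server whose keystore holds no private key entry cannot complete any cipher suite, which is the handshake failure / "no cipher overlap" that Safari, Chrome, Firefox, openssl s_client and sslscan all reported. The PKCS#12 route carries key and certificate chain together, so keytool -importkeystore creates a PrivateKeyEntry. The following script is an added example, not Byron's or Tony's code: it builds the PKCS#12 bundle with openssl alone and verifies, before anything is handed to keytool, that the bundle really contains one private key plus the full chain and that the leaf verifies against that chain. The root CA, the leaf certificate and every file name (root.*, leaf.*, chain.crt, advising.p12, the CN values) are throw-away test material generated by the script itself, standing in for the CA-issued files; the -name flag gives the entry a friendly name so the later keytool -srcalias is "advising" rather than "1".

```shell
#!/bin/sh
# Added example (not from the thread): build and verify a PKCS#12 bundle with
# openssl only.  File names and subject names are made-up test material.
set -eu

# Create a throw-away root CA and a leaf certificate it has signed, so the
# example runs offline.  In production these come from the CA; the minimal
# config makes the root a real CA (basicConstraints) without relying on the
# system openssl.cnf.
make_test_material() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=advising.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.crt" 2>/dev/null
  # chain.crt holds every issuing certificate in PEM form (root and, when the
  # CA uses one, the intermediate, concatenated).  Here it is just the root.
  cp "$dir/root.crt" "$dir/chain.crt"
}

# First thing to rule out: does the leaf actually chain to the CA files we
# are about to bundle?  Exit status 0 means the chain verifies.
chain_ok() {
  dir="$1"
  openssl verify -CAfile "$dir/chain.crt" "$dir/leaf.crt" >/dev/null 2>&1
}

# Build the PKCS#12: -inkey carries the private key, -in the leaf certificate,
# -certfile the chain so the server can present it, -name the friendly name
# that keytool later exposes as the alias.
build_p12() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export \
    -inkey "$dir/leaf.key" -in "$dir/leaf.crt" -certfile "$dir/chain.crt" \
    -name advising -password "pass:$pass" -out "$dir/advising.p12"
}

# How many private keys the bundle holds (must be exactly 1 for a server entry).
p12_key_count() {
  openssl pkcs12 -in "$1" -password "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# How many certificates the bundle holds (leaf + every chain certificate).
p12_cert_count() {
  openssl pkcs12 -in "$1" -password "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Run the whole flow in a scratch directory when invoked as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_test_material "$tmp"
  chain_ok "$tmp" && echo "leaf verifies against chain.crt"
  build_p12 "$tmp" "s3cret"
  echo "private keys in bundle: $(p12_key_count "$tmp/advising.p12" s3cret)"
  echo "certificates in bundle: $(p12_cert_count "$tmp/advising.p12" s3cret)"
  rm -rf "$tmp"
fi
```

With a bundle that passes these checks, Byron's step 5 becomes keytool -importkeystore ... -srcalias advising -destalias advising, and keytool -list -v -keystore advising.jks should then report "Entry type: PrivateKeyEntry" for that alias with a certificate chain length equal to the certificate count above; a keystore whose only entries are TrustedCertEntry is the symptom to look for when the handshake fails with no server-side error.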


