
I have recently switched to Let's Encrypt Private Beta for several of my domain names, and as a consequence several of my Java programs have stopped working because the certificate is not in the trust store I believe.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have attempted various things, such as going into Windows' Java configuration panel, or adding the root certificates to the cacerts.

How do we export/download a .csr or .p12 file from Let's Encrypt root CA in order to import it to the Java list of certificates, preferably in such a way that all Let's Encrypt secured domains are accepted, not just my domain?


I have tried downloading the root certificates at https://letsencrypt.org/certificates/ and adding them to the lists, but to no avail. I have also tried adding /etc/letsencrypt/live/<my_website>/cert.pem to the sites but it didn't work. I even tried to add it to the cacerts with keytool using this: https://stackoverflow.com/questions/2138940/import-pem-into-java-key-store No matter what I try, it doesn't work (the same error above appears).

Amongst the googling I've done, I've also found this: https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/13 but was unable to make use of information inside it.

  • The Let's Encrypt CA is already in the certificate store since IE trusts it by default. There is something else going on.
    – Ramhound
    Commented Nov 27, 2015 at 16:05
  • I have found an answer on my own, but I'm still puzzled on why it wouldn't work. A friend has told me maybe it's because my web server does not deliver the intermediate certificates, but I tried it on helloworld.letsencrypt.org and it didn't work either.
    – Hay
    Commented Nov 27, 2015 at 23:47
  • Update: According to community.letsencrypt.org/t/… , DST Root CA X3 was added with versions 7u111+ and 8u101+ on 2016-07-19 therefore it may not be necessary to add the certificates on updated versions of JDK/JRE 7 and 8.
    – Hay
    Commented Oct 27, 2016 at 20:10

2 Answers


Download all the certificates on https://letsencrypt.org/certificates/ (choose the der format) and add them one by one with this kind of command (example for letsencryptauthorityx1.der):

keytool -import -keystore PATH_TO_JDK\jre\lib\security\cacerts -storepass changeit -noprompt -trustcacerts -alias letsencryptauthorityx1 -file PATH_TO_DOWNLOADS\letsencryptauthorityx1.der

Update: According to https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394 , DST Root CA X3 was added with versions 7u111+ and 8u101+ on 2016-07-19 therefore it may not be necessary to add the certificates on updated versions of JDK/JRE 7 and 8.


I have fixed this by importing the Intermediate Certificates (https://letsencrypt.org/certificates/) into the trust store (using keytool or portecle, see link below). Apparently, adding the "ISRG Root X1" root certificate did not work on its own; adding all of the certificates caused the errors to go away.


In order to achieve this I have followed this question's most popular answer: https://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail but it should also work with https://stackoverflow.com/questions/2138940/import-pem-into-java-key-store

  • Do you have simple instructions for this? I did sudo keytool -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -file ~/Downloads/isrgrootx1.pem for the certs here letsencrypt.org/certificates. Got errors on the two later: keytool error: java.lang.Exception: Certificate not imported, alias <mykey> already exists, but I notice now that I get that on the root as well if I try to add it again. Commented Jan 10, 2016 at 21:27
  • I didn't go this route so if I were doing this over again I'd follow the answer at stackoverflow.com/questions/2138940/… , but looking at your command, where is the -alias argument?
    – Hay
    Commented Jan 10, 2016 at 22:29
  • Thanks. Yeah, I was missing the -alias argument. And then the .pem files didn't work with keytool but I could use the .der so problem solved. Commented Jan 11, 2016 at 8:51
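As an added example (not code from either answer), a POSIX shell script that performs the keytool import from the first answer for a whole directory of downloaded certificate files and avoids the "alias <mykey> already exists" collision hit in the comments above, by deriving one alias per file and skipping aliases already present in the store. CACERTS and CERT_DIR are placeholder paths that you set for your JDK and download location.

```shell
#!/bin/sh
# Import every Let's Encrypt certificate file in CERT_DIR into a Java
# cacerts trust store, one alias per file. keytool's default alias is
# "mykey", so importing a second file without -alias fails; deriving the
# alias from the file name avoids that.
set -u

CACERTS="${CACERTS:-/path/to/jdk/jre/lib/security/cacerts}"   # placeholder
CERT_DIR="${CERT_DIR:-$HOME/Downloads/letsencrypt}"           # placeholder
STOREPASS="${STOREPASS:-changeit}"                            # JDK default

# Alias from file name: "letsencryptauthorityx1.der" -> "letsencryptauthorityx1".
# JKS aliases are case-insensitive, so lowercase up front for -list lookups.
alias_for_file() {
    base=$(basename "$1")
    stem=${base%.*}
    printf '%s\n' "$stem" | tr 'A-Z' 'a-z'
}

# Exit status 0 only if the alias is already in the keystore.
alias_exists() {
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import one certificate file (keytool reads DER or PEM) under its alias.
import_cert() {
    a=$(alias_for_file "$1")
    if alias_exists "$a"; then
        echo "skip   $a (already in $CACERTS)"
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$a" -file "$1" && echo "import $a"
}

import_all() {
    for cert in "$CERT_DIR"/*.der "$CERT_DIR"/*.pem; do
        [ -f "$cert" ] || continue        # glob matched nothing
        import_cert "$cert" || echo "FAILED $cert" >&2
    done
}

# Only touch the keystore when explicitly asked: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    import_all
fi
```

Run as `CACERTS=... CERT_DIR=... sh script.sh --run`; afterwards `keytool -list -keystore "$CACERTS" -storepass changeit` should show one entry per downloaded file.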
