Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4
Using GoDaddy
Setup a GoDaddy account.
You have to change the size of the private key to 2048 as follows:
$ sudo openssl genrsa -des3 -out myprivate.key 2048
$ sudo openssl req -new -config openssl.cnf -key myprivate.key -out CA_request.csr
The above creates a request file. You can take this request file to any certificate authority. You give them money. Wait 2 to 24 hours and then they give you a certificate.
Go to https://certs.godaddy.com/ to find out more information.
(This is not an endorsement of GoDaddy. I mainly picked it because it was the cheapest.)
You have to cut & paste the contents of the file CA_request.csr into the godaddy.com text box for creating a new SSL certificate.
Wait for two days and argue with GoDaddy tech support that I am in fact a real person and am not in fact going to use the SSL certificate to bludgeon baby seals with a Louisville Slugger.
With any luck, the GoDaddy certificate shows up in my account under the domain I registered, www.mydomain.com.
Stick the zip file with the certificates somewhere where you can get it. Upload certificate zip to server.
$ unzip mydomain.com.zip
There should be two files in here:
$ ls
gd_bundle.crt  mydomain.com.crt
You need to move these where Resin can find them.
$ sudo mv gd_bundle.crt /etc/resin/keys
$ sudo mv mydomain.com.crt /etc/resin/keys
$ cd /etc/resin/keys
$ ls
CA_request.csr  gd_bundle.crt  mydomain.com.crt  my-self-signed-certificate.crt  myprivate.key  openssl.cnf
You should back these files up in a safe place.
Now we need to modify Resin to take an SSL chain file.
You can specify the certificate-chain-file as follows:
<http port="443">
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
  </openssl>
</http>
By default, OpenSSL is set up via resin.properties and cluster-default.xml.
Here is a snippet from /etc/resin/cluster-default.xml:
<resin:when test="${openssl_file != null}">
  <http address="${http_address?:'*'}" port="${https}">
    <openssl>
      <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
      <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
      <password>
        <resin:Password>${openssl_password}</resin:Password>
      </password>
    </openssl>
  </http>
</resin:when>
The problem is that it does not specify the chain file. Needing one is probably fairly common, but not common enough to make it into resin.properties by default. (If you were using Verisign or a better-known CA, you would not need the chain file; this is mostly to support GoDaddy and other lesser-known authorities. Full explanation at the bottom of this entry.)
Try this. Modify /etc/resin/cluster-default.xml as follows:
<resin:when test="${openssl_file != null}">
  <http address="${http_address?:'*'}" port="${https}">
    <openssl>
      <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
      <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
      <certificate-chain-file>${file_lookup(openssl_chain_file,__DIR__)}</certificate-chain-file>
      <password>
        <resin:Password>${openssl_password}</resin:Password>
      </password>
    </openssl>
  </http>
</resin:when>
Notice that I added <certificate-chain-file> to cluster-default.xml and pointed it at the property openssl_chain_file.
If you were using Verisign or a better-known CA, you would only need this:
# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/mydomain.com.crt
openssl_key : keys/myprivate.key
openssl_password : password
You would not need the chain file with Verisign.
But for this example, we do need the chain file so let's try to configure it.
Then modify your /etc/resin/resin.properties as follows (this configuration is wrong, but from the docs it sounds like this is what they tell you to do):
# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/mydomain.com.crt
openssl_key : keys/myprivate.key
openssl_chain_file : keys/gd_bundle.crt
openssl_password : password
The above did not work from the browser, but it does work with the openssl command line tools, so let's debug it.
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert mydomain.com.crt -CAfile gd_bundle.crt
$ openssl s_client -connect localhost:9999
That does work. So now we know we need to add mydomain.com.crt to the chain. (OK, that was a pretty big leap, so let me explain what a chain.txt file is right after I show you how to create it properly.)
The test client and server did work, so let's cat mydomain.com.crt onto the chain as follows:
$ sudo cat mydomain.com.crt gd_bundle.crt > chain.txt
The gd_bundle.crt file is GoDaddy's complete chain of CA certificates, but it does not contain our own certificate, which we need. We used cat to put our mydomain.com.crt first and gd_bundle.crt after it.
Now retest with the openssl tools as follows:
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert mydomain.com.crt -CAfile chain.txt
$ openssl s_client -connect localhost:9999
The openssl tools like our new setup; we can connect from the client.
Now configure Resin to use the chain.txt file instead of just our certificate.
# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/mydomain.com.crt
openssl_key : keys/myprivate.key
openssl_chain_file : keys/chain.txt
openssl_password : password
Now retest from the browser.
https://mydomain.com:8443/resin-admin/
All should be well.
Note: if you see 'SSL3_GET_CLIENT_HELLO:no shared cipher' on the server side, make sure that you properly included both mydomain.com.crt and gd_bundle.crt in chain.txt:
{resin-port-443-46} BadRequestException: java.io.IOException: errno=0 openssl='139770598954752:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1230:
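Here is a small shell script, added as an example and not part of the original post or of Resin itself, that automates the two things above: building chain.txt with our certificate first and gd_bundle.crt after it, and checking the pieces that produce the "no shared cipher" failure (a chain file that does not start with the server certificate, a private key that does not belong to the certificate, a bundle that does not validate the certificate). It assumes the openssl command line tool is installed. The file names follow this post; the throwaway root/intermediate/leaf PKI that make_demo_pki generates is constructed for the demo and is not a real CA.

```shell
#!/bin/sh
# Added example, not from the original post: build chain.txt the way the post
# does (server certificate first, then the CA bundle) and run the checks that
# explain a "no shared cipher" handshake failure before Resin is restarted.
# Assumes the openssl CLI is installed. File names follow the post
# (mydomain.com.crt, myprivate.key, gd_bundle.crt, chain.txt); the PKI that
# make_demo_pki creates is constructed for the demo.
set -u

# Concatenate the leaf certificate and then the CA bundle. Each input gets a
# newline appended if it lacks one; otherwise "-----END CERTIFICATE-----" and
# "-----BEGIN CERTIFICATE-----" fuse onto a single line OpenSSL cannot parse.
build_chain_file() {
    leaf=$1; bundle=$2; out=$3
    : > "$out"
    for f in "$leaf" "$bundle"; do
        cat "$f" >> "$out"
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds if the first certificate in the chain file ($1) is the leaf ($2).
# OpenSSL, and so Resin's certificate-chain-file, takes the first block as
# the server certificate; a bare gd_bundle.crt has an intermediate there.
chain_starts_with_leaf() {
    [ "$(openssl x509 -noout -subject -in "$1")" = \
      "$(openssl x509 -noout -subject -in "$2")" ]
}

# Succeeds if the private key ($1) belongs to the certificate ($2): same RSA
# modulus. Pass the passphrase as $3 for a key made with "genrsa -des3" as in
# the post; stdin is /dev/null so an encrypted key fails instead of prompting.
key_matches_cert() {
    key=$1; cert=$2
    if [ -n "${3:-}" ]; then set -- -passin "pass:$3"; else set --; fi
    [ "$(openssl rsa -noout -modulus -in "$key" "$@" 2>/dev/null </dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$cert")" ]
}

# Succeeds if the leaf ($1) validates against the bundle ($2). Assumes the
# bundle holds every intermediate up to and including the root; a bundle
# without the root needs -untrusted plus the system trust store instead.
leaf_verifies_against_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, print one line per check, and fail if any check fails.
# Arguments: key cert bundle chain [key-passphrase]
check_chain_setup() {
    key=$1; leaf=$2; bundle=$3; chain=$4; pass=${5:-}; rc=0
    if key_matches_cert "$key" "$leaf" "$pass"; then echo "PASS: key matches certificate"
    else echo "FAIL: key does not match certificate"; rc=1; fi
    if leaf_verifies_against_bundle "$leaf" "$bundle"; then echo "PASS: certificate verifies against bundle"
    else echo "FAIL: certificate does not verify against bundle"; rc=1; fi
    if chain_starts_with_leaf "$chain" "$leaf"; then echo "PASS: chain file starts with server certificate"
    else echo "FAIL: chain file does not start with server certificate"; rc=1; fi
    echo "certificates in $chain: $(count_certs "$chain")"
    return $rc
}

# Constructed root -> intermediate -> leaf PKI in directory $1, standing in
# for the GoDaddy chain and mydomain.com.crt. gd_bundle.crt = intermediate + root.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" \
        -keyout "$d/myprivate.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/mydomain.com.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/gd_bundle.crt"
}

# Usage: sh chain-check.sh demo   (or source the file and call the functions)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    build_chain_file "$work/mydomain.com.crt" "$work/gd_bundle.crt" "$work/chain.txt"
    check_chain_setup "$work/myprivate.key" "$work/mydomain.com.crt" \
        "$work/gd_bundle.crt" "$work/chain.txt"
fi
```

Against a real installation, source the script in /etc/resin/keys and call check_chain_setup with the real paths, giving the key passphrase as the fifth argument when the key was created with genrsa -des3 as above. Running check_chain_setup with gd_bundle.crt in place of chain.txt reproduces the post's first, failing configuration: the "chain file starts with server certificate" check fails, which is exactly the condition behind the "no shared cipher" error.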
Bill Digman is a Java EE / Servlet enthusiast and Open Source enthusiast who loves working with Caucho's Resin Servlet Container, a Java EE Web Profile Servlet Container.
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)