Enhancement: Add letsencrypt CA to the keystore #6420

Closed
rlfnb opened this issue Sep 27, 2023 · 4 comments

rlfnb commented Sep 27, 2023

Brief Summary

Letsencrypt is widely used for securing TLS connections. Unfortunately, it's not part of the keystore being distributed in the payara distribution (at least for community edition).

Expected Outcome

Each TLS service secured via letsencrypt can be consumed from inside payara without having to deal with CAs.

Current Outcome

No TLS service secured via letsencrypt can be consumed from inside payara without having to deal with adding the CA to the keystore.

Alternatives

At least describe how to make letsencrypt secured services work in payara:

Context

Doing this once is not a big thing, but taking care of correct keystores in zip files, in docker images and so on gets annoying quite fast.

```dockerfile
RUN /usr/lib/jvm/zulu17/bin/keytool -import -alias letsencrypt -file /letsencrypt.pem -keystore /opt/payara/appserver/glassfish/domains/domain1/config/cacerts.p12 -storepass changeit -noprompt
```


felixif commented Oct 10, 2023

Hello @rlfnb,

I have checked the cacerts.p12 file bundled with Payara Server 6.2023.9, and I can see that we already bundle the letsencrypt to the CA store, under the name letsencryptisrgx1, so you shouldn't need to manually add it.

@github-actions

Greetings,
It's been more than 5 days since we requested more information or an update from you on the details of this issue. Could you provide an update soon, please?
We're afraid that if we do not receive an update, we'll have to close this issue due to inactivity.

@github-actions

Greetings,
It's been more than 5 days since this issue was identified as abandoned.
We have closed this issue due to inactivity, please feel free to re-open it if you have more information to share.

rlfnb commented Oct 23, 2023

> I have checked the cacerts.p12 file bundled with Payara Server 6.2023.9, and I can see that we already bundle the letsencrypt to the CA store, under the name letsencryptisrgx1, so you shouldn't need to manually add it.

Seems like the wrong one? I'm forced to add the following cert to the keystore to access a webservice secured by letsencrypt. Otherwise it will fail. Maybe you could have a look?

https://letsencrypt.org/de/certificates/ ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
for completeness
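
The open question in this thread, whether the bundled `letsencryptisrgx1` entry is the same certificate as the PEM being imported, can be settled by comparing SHA-256 fingerprints. The script below is an added example, not part of the thread or of Payara; the function names are hypothetical and the sample listing and fingerprints are constructed placeholders.

```shell
# Real inputs would come from (paths, alias and password as quoted in the thread):
#   keytool -list -storetype PKCS12 -storepass changeit \
#     -keystore /opt/payara/appserver/glassfish/domains/domain1/config/cacerts.p12
#   openssl x509 -in /letsencrypt.pem -noout -fingerprint -sha256

# Reduce a fingerprint to upper-case hex digits so separators and case do not matter.
normalize_fp() {
    printf '%s' "$1" | tr -d -c '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list` output. Prints the SHA-256 fingerprint stored under alias $1.
keystore_fp() {
    awk -v a="$1" '
        index($0, a ",") == 1 { hit = 1; next }
        hit && /\(SHA-256\):/ { sub(/^.*\(SHA-256\): */, ""); print; exit }
        { hit = 0 }'
}

# stdin: openssl fingerprint line ("sha256 Fingerprint=..." or "SHA256 Fingerprint=...").
pem_fp() {
    sed -n 's/^[A-Za-z0-9]* Fingerprint=//p'
}

# $1 keytool listing, $2 alias, $3 openssl line -> prints MATCH, MISMATCH or MISSING
check_alias() {
    ks=$(printf '%s\n' "$1" | keystore_fp "$2")
    [ -n "$ks" ] || { echo MISSING; return 0; }
    pem=$(printf '%s\n' "$3" | pem_fp)
    if [ "$(normalize_fp "$ks")" = "$(normalize_fp "$pem")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Constructed sample data: shortened placeholder fingerprints and dates, not real values.
SAMPLE_LIST='Keystore type: PKCS12
Your keystore contains 2 entries

someotherca, Sep 27, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44
letsencryptisrgx1, Sep 27, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD'
SAMPLE_PEM_SAME='sha256 Fingerprint=aa:bb:cc:dd'
SAMPLE_PEM_OTHER='SHA256 Fingerprint=DE:AD:BE:EF'
check_alias "$SAMPLE_LIST" letsencryptisrgx1 "$SAMPLE_PEM_SAME"   # same certificate
check_alias "$SAMPLE_LIST" letsencryptisrgx1 "$SAMPLE_PEM_OTHER"  # alias holds another cert
check_alias "$SAMPLE_LIST" letsencrypt "$SAMPLE_PEM_SAME"         # alias not in keystore
```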
