After almost 3 years (see previous post) I revisit the topic, this time using the latest version of Glassfish, 3.1.2, and GoDaddy as the certificate provider. This time I created a certificate for a sub-domain (sub.whateverdomain.com) and made use of the extremely cheap 5.99 U$/year offer (no wildcard included).
Let me summarize the key steps here:
- Get yourself a GoDaddy account
- Order a standard SSL
- After payment you get 1 credit to use. Before we create the certificate we need to create a certificate request with the keytool for our Glassfish domain
- Change the domain master password (not the admin password)
The default password is ‘changeit’, better change that with
/bin$ ./asadmin change-masterpassword yourdomain
- Go to your domain config folder
~/glassfish/domains/yourdomain/config$
- We will use the default keystore file in the config folder keystore.jks
- Optional: List the existing certificates, there should be 2.
keytool -list -keystore keystore.jks
or
keytool -list -v -keystore keystore.jks (more info)
You should get something like this:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
glassfish-instance, Mar 28, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:BD:9D:85:5B:CF:AA:AA:86:BA:49:50:AA:AA:AA
s1as, Mar 28, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): 95:B4:E4:55:7F:F6:AA:AA:AA:AA:3D:65:21:D1:1B:AA:AA:AA:AA:AA
- Create a key
keytool -genkey -keysize 2048 -alias sub.whateverdomain.com -keyalg RSA -keystore keystore.jks
This differs from the previous command: you don't use the -dname option any longer, the keytool asks interactively instead.
Important: It asks for your last and first name, this is the CN tag. You MUST use the domain name you register for (sub.whateverdomain.com). I would choose the same value for the alias.
- Create a certificate request file
keytool -certreq -alias sub.whateverdomain.com -keystore keystore.jks -file whateverdomain.csr
- Open the file with the editor
- Now we need to go back to GoDaddy to create our certificate with the request string
- Enter the request string from the above file
- Choose validation method
If you are the contact in the whois record, email verification is the easiest option.
- Confirm the email
- Go to the SSL admin page
Download the certificate
Choose ‘other’
- Upload the 2 cert files from the zip to the domain config folder
gd_bundle.crt
sub.whateverdomain.com.crt
and import them
keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks
keytool -import -trustcacerts -alias sub.whateverdomain.com -file sub.whateverdomain.com.crt -keystore keystore.jks
- Go to the Glassfish admin console
and adjust the nickname (alias, here sub.whateverdomain.com) and the keystore file (here keystore.jks)
- A restart is not required, but I recommend it.
- Optionally you can disable the http port 8080.
- Open any of your web applications at port 8181
- Voila !
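A quick check for the import step, as an added example (not part of the original post): keytool attaches the CA-signed certificate to your private key only when the import alias equals the key alias; otherwise the key entry keeps its self-signed certificate. The function name check_alias and the sample listings are made up for illustration, and the parsing assumes keytool's English -list -v output.

```shell
#!/bin/sh
# Added example: reads `keytool -list -v` output on stdin and checks that
# ALIAS is a private key entry carrying a CA-issued chain for HOST.
# Usage: keytool -list -v -keystore keystore.jks | check_alias ALIAS HOST
check_alias() {
  awk -v want="$1" -v host="$2" '
    /^Alias name: / { cur = substr($0, 13); next }   # start of a new entry
    cur != want     { next }                         # ignore other aliases
    /^Entry type: / { type = $3 }
    /^Certificate chain length: / { len = $4 }
    /^Owner: / && owner == "" { owner = substr($0, 8) }  # leaf certificate
    END {
      if (type == "") { print "alias not found"; exit 1 }
      if (type != "PrivateKeyEntry") { print "no private key: " type; exit 1 }
      if (len + 0 < 2) { print "self-signed only, CA reply missing"; exit 1 }
      if (owner != "CN=" host && index(owner, "CN=" host ",") != 1) {
        print "CN mismatch: " owner; exit 1
      }
      print "ok"
    }'
}

# Constructed sample: key pair whose CA reply was imported under its own alias.
sample_reply_installed() {
  cat <<'EOF'
Alias name: sub.whateverdomain.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sub.whateverdomain.com, OU=Domain Control Validated
EOF
}

# Constructed sample: reply imported under a different alias, so the key entry
# keeps its self-signed certificate and the reply is only a trusted cert.
sample_wrong_alias() {
  cat <<'EOF'
Alias name: sub.whateverdomain.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sub.whateverdomain.com, OU=Unknown
Alias name: other-alias
Entry type: trustedCertEntry
Owner: CN=sub.whateverdomain.com, OU=Domain Control Validated
EOF
}
```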
Hello,
first thanks for this nice blog!
I followed exactly the steps above, with the difference that I got my certificate from thawte, sent by email. I copied it into a crt file and added it to the keystore.
Unfortunately it doesn’t work for me, even after restarting Glassfish many times. Trying a secure page ends up with: “SSL connection error”.
Any help?
Thanks
I’m having the same “SSL connection error” issue. Any suggestions from people who have solved this problem?
I had the same issue. I tried re-installing various certificate types from GoDaddy and each time encountered the same SSL connection error. I followed the instructions above over and again. Just today I got it working. All I remember changing was deleting HTTP Listener 2 and recreating it using the command line tool asadmin. Also, I did ensure the response from keytool during certificate installation was “certificate reply installed” not just “certificate installed”. Here are the command line commands I used for the recreation of HTTP listener 2:
asadmin> delete-ssl --type http-listener http-listener-2
asadmin> create-ssl --type http-listener --certname http-listener-2
I found these commands in the guide: https://glassfish.java.net/docs/4.0/administration-guide.pdf
Hope it helps! Took me days to get it working finally.
Rob
Thank you very much for this tutorial. I had the exact same requirement as you: my server was moved to a subdomain and I had to implement the new ssl certificate for it. After many unsuccessful tries, I found your blog. I was missing the very last part: to tell glassfish to use the new certificate alias in keystore.jks. As soon as I did this, everything worked! I would also suggest this excellent tutorial on installing GF: http://www.nabisoft.com/tutorials/glassfish/installing-glassfish-311-on-ubuntu. It works for all versions (3.x – 4.1).
I configured Glassfish 4.0 using these settings. The non-ssl port works but the ssl port gives a connection error. I don’t see any error messages in the log.