Glassfish ssl console handshake exception

Question

I'm running ubuntu 14.04 server.

I installed glassfish 4.1.

I want to acces the console from outside so I did

asadmin --host localhost --port 4848 enable-secure-admin

After that step calling www.myhost.com:4848/console/ is giving me a security exception in the browser because of self-signed certificate. Ok, it's normal. I can accept the exception and everything is ok.

Now I have a startssl certificated for www.myhost.com.

So I did

keytool -delete -alias s1as -keystore keystore.jks
keytool -importcert -keystore keystore.jks -storepass changeit -file www.myhost.com.crt -alias s1as
keytool -importcert -keystore keystore.jks -storepass changeit -file ca.crt -alias startcom.ca -trustcacerts
keytool -importcert -keystore keystore.jks -storepass changeit -file sub.class1.server.ca.crt -alias startcom.ca.sub -trustcacerts

But now asadmin start-domain gives me in the log

[2015-02-20T09:55:58.021+0100] [glassfish 4.1] [SEVERE] [] [] [tid: _ThreadID=57 _ThreadName=Thread-9] [timeMillis: 1424422558021] [levelValue: 1000] [[
  java.io.IOException: Cannot bind to URL [rmi://www.myhost.com.be:8686/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at javax.management.remote.rmi.RMIConnectorServer.newIOException(RMIConnectorServer.java:826)
        at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:431)
        at org.glassfish.admin.mbeanserver.RMIConnectorStarter.start(RMIConnectorStarter.java:319)
        at org.glassfish.admin.mbeanserver.JMXStartupService$JMXConnectorsStarterThread.startConnector(JMXStartupService.java:313)
        at org.glassfish.admin.mbeanserver.JMXStartupService$JMXConnectorsStarterThread.run(JMXStartupService.java:350)
Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at com.sun.jndi.rmi.registry.RegistryContext.rebind(RegistryContext.java:159)
        at com.sun.jndi.toolkit.url.GenericURLContext.rebind(GenericURLContext.java:249)
        at javax.naming.InitialContext.rebind(InitialContext.java:427)
        at javax.naming.InitialContext.rebind(InitialContext.java:427)
        at javax.management.remote.rmi.RMIConnectorServer.bind(RMIConnectorServer.java:641)
        at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:426)
        ... 3 more
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:341)
        at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
        at com.sun.jndi.rmi.registry.RegistryContext.rebind(RegistryContext.java:157)
        ... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
        ... 12 more]]

And my server is accessible on port 8080 but not on ssl 8181 and 4848.

Answer 1

my suggestion would be not to delete the initial s1as certificate and replace it with your own. keep in mind that there is another cacerts.jks keystone file which must be in sync... for a clean glassfish installation check this here: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu My tutorial tells you also how to create your own (self signed) s1as and glassfish-instace certificate (it's too long to post it here).

After that import the certificate for your domain into keystore.jks (if you have received an intermediate certificate from your CA as well then you might need to import that first). no need to add you domains cert to cacerts.jks Make sure to change your http-listener2 (=https) to use your cert alias instead of s1as and restart Glassfish. that should work...

Answer 2

Finally, after a lot of searches I found a solution working for me (see here)

So, after a fresh install, go to /opt/glassfish4/glassfish/domains/domain1/connfig and download the startssl certs

wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Then concat those 2 certificates with my domain certificate

cat mydomain.crt ca.pem sub.class1.server.ca.pem > all.crt

And import in cacerts

keytool -import -trustcacerts -alias mycert -file all.crt -keystore cacerts.jks

Create a p12 file with my domain's private key

openssl pkcs12 -export -in all.crt -inkey mydomain.key -out mydomain.p12 -name mycert -CAfile ca.pem -caname immed

and import in keystore

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore mydomain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias mycert

and finally change all s1as occurrences by mycert in domain.xml

sed -i 's|s1as|mycert|' domain.xml

Ok, now it's working even if I don't understand what I'm doing !