Payara Server 4.1 fails with HTTPS connections

Running an HTTPS request with Payara Server fails with javax.net.ssl.SSLHandshakeException

Problem Description

  • The Let's Encrypt certificate is missing from the trust store of Payara 4.1.x installations
  • URL: https://api.fachschaft.in/scrapi/meals/nbg-inselschuett.json

Exception Details


[2018-05-16T14:30:00.028+0200] [Payara 4.1] [INFO] [] [] [tid: _ThreadID=146 _ThreadName=__ejb-thread-pool5] [timeMillis: 1526473800028] [levelValue: 800] [[
  14:30:00.028 [__ejb-thread-pool5] ERROR d.t.i.i.s.datacollection.TaskRunner - Failed to execute reader FachschaftMealParser 
  because of de.thnuernberg.in.infohm.server.datacollection.parser.mensa.MealParserException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
]]

Download the Let's Encrypt Certificate

  • Let's Encrypt download page
  • Select Let’s Encrypt Authority X3 (IdenTrust cross-signed)
  • Save the certificate as: lets-encrypt-x3-cross-signed.pem

File Locations for a Payara41 installation on Windows 10

  • Keystore file: D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks
  • Keytool from JDK: D:\dev\jdk\jre1.8.0_162\bin\keytool.exe
  • PEM file: lets-encrypt-x3-cross-signed.pem
  • Keystore password: changeit

Note: The cacerts.jks from the Payara server is used, not the one from the JDK

Install the Let's Encrypt Certificate

List the certificates that are already installed before the import

keytool.exe -v -list -storepass changeit -noprompt -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks

Install the new certificate

keytool.exe -trustcacerts -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks -storepass changeit -noprompt -importcert -file lets-encrypt-x3-cross-signed.pem
 
Certificate was added to keystore

Verify the certificate installation with -alias mykey (keytool's default alias, used because the import above did not pass -alias)

keytool.exe -v -list -storepass changeit -noprompt -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks -alias mykey
 
Alias name: mykey
Creation date: May 16, 2018
Entry type: trustedCertEntry

Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: a0141420000015385736a0b85eca708
Valid from: Thu Mar 17 17:40:46 CET 2016 until: Wed Mar 17 17:40:46 CET 2021
Certificate fingerprints:
         MD5:  B1:54:09:27:4F:54:AD:8F:02:3D:3B:85:A5:EC:EC:5D
         SHA1: E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
         SHA256: 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
...

Restart Payara!
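
Because -noprompt skips keytool's "Trust this certificate?" confirmation, the downloaded PEM can be checked against the SHA256 fingerprint shown above before it goes into the trust store. The PowerShell script below is an added example, not part of the original post: it is a variant of the import step that uses the paths, password and fingerprint from this page, while the alias name and the backup file name are assumptions.

```powershell
# Added example: verify the PEM's fingerprint, then import it under an explicit alias.
$ErrorActionPreference = 'Stop'

$Keytool  = 'D:\dev\jdk\jre1.8.0_162\bin\keytool.exe'
$Keystore = 'D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks'
$PemFile  = 'lets-encrypt-x3-cross-signed.pem'
$Alias    = 'letsencrypt-x3-cross-signed'   # assumed name, replaces the default "mykey"
# SHA256 fingerprint as printed by keytool on this page
$Expected = '25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D'

# Parse the PEM and hash its DER encoding; this is the value keytool labels "SHA256:".
$path = (Resolve-Path $PemFile).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = ($sha256.ComputeHash($cert.RawData) |
               ForEach-Object { $_.ToString('X2') }) -join ':'
} finally {
    $sha256.Dispose()
}

Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Not after : $($cert.NotAfter)"
Write-Host "SHA-256   : $actual"

if ($actual -ne $Expected) {
    throw "Fingerprint mismatch for $PemFile, nothing was imported."
}
# An expired CA certificate cannot complete a certification path.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter), nothing was imported."
}

# Keep a copy of the trust store so the change can be rolled back.
Copy-Item $Keystore "$Keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"

& $Keytool -importcert -trustcacerts -alias $Alias -file $PemFile `
           -keystore $Keystore -storepass changeit -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Show the new entry; the fingerprint printed here must match $Expected as well.
& $Keytool -list -v -alias $Alias -keystore $Keystore -storepass changeit
```

With the certificate shown on this page the expiry check stops the script on any date after Mar 17, 2021, the end of the validity period in the keytool output.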
