Quote:
Originally Posted by shamijohn123
could use a little help. I am taking an internship for AWS Certified DevOps Engineer - Professional at a company. I was pushed into a DevOps / sys-admin role in a 150 person business when our DevOps guy quit with a week's notice. Our internal company.org sites are down because our GoDaddy SSL certs expired. I am trying to restore everything and having a bit of trouble understanding the process everything is requiring here.
|
Sounds like your company should consider hiring a consultant to help you and someone else understand the setup. (A business that size with any piece of knowledge inside a single head is asking for trouble.)
Quote:
What I do know is that these renewed cert files from GoDaddy need to be imported into Tomcat, then Tomcat needs to be restarted. The servers are AWS Linux. I think how this all goes down is I take the 3 .crt files from GoDaddy, cat them into a .pem file, then using openssl export that and our private key to a p12 (I'm sure it's p12), then using keytool import that into Tomcat. Then restart Tomcat. This is where I'm at.
openssl pkcs12 -export -in company.pem -inkey /usr/local/bin/backups/privatekey.pem -out company.p12
No certificate matches private key
where company.pem is all the godaddy certs merged using cat.
|
I haven't done certs with Tomcat, and don't use GoDaddy for anything, but what I use for Jetty + Let's Encrypt is the following:
Code:
# Passwords for the intermediate PKCS12 file and the final Java keystore
pkpass=p
storepass=storep
# Bundle the private key and the full certificate chain into a PKCS12 file
openssl pkcs12 -export \
-inkey privkey.pem -in fullchain.pem \
-out jetty.pkcs12 -passout "pass:$pkpass"
# Import that PKCS12 file into the Java keystore the server reads
keytool -importkeystore -noprompt \
-srckeystore jetty.pkcs12 -srcstoretype PKCS12 -srcstorepass "$pkpass" \
-destkeystore keystore -deststorepass "$storepass"
The openssl command is equivalent to yours except for the passout param - which is needed because keytool can't handle files without passwords - but from memory the openssl command itself worked without it, so if that's where your error is, that suggests maybe your company.pem is not equivalent to the fullchain.pem which Let's Encrypt produces.
If GoDaddy doesn't provide an already-merged fullchain for you, there's probably a suitable guide somewhere, but if not then checking how Certbot combines them might help.
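The "No certificate matches private key" error above means that none of the certificates in the bundled PEM file carries the public key belonging to the private key handed to openssl. The script below is an added example, not code from either poster: it splits a PEM bundle into its certificates, compares each certificate's public key against the private key's public half, and reports which bundle entry (if any) matches, so you can tell a wrong or stale private key apart from a bundle that is simply missing the server certificate. The throwaway keys and certificates it generates, and every file name in it, are constructed here for demonstration; only openssl and awk are required.

```shell
# Added example (not from the original thread): find which certificate in a
# PEM bundle, if any, carries the public key of a given private key.
set -eu

# SHA-256 fingerprint of the public half of a private key, in PEM form.
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in one certificate.
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# find_matching_cert KEY BUNDLE
# Prints the 1-based position of the certificate in BUNDLE whose public key
# matches KEY and returns 0. Prints "none" and returns 1 when no certificate
# matches, which is the condition behind openssl's
# "No certificate matches private key".
find_matching_cert() {
    key=$1; bundle=$2
    want=$(pubkey_fp_from_key "$key")
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; inside = 1 }
        inside                        { print >> f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    ' "$bundle"
    i=0
    for c in "$dir"/cert*.pem; do
        i=$((i + 1))
        if [ "$(pubkey_fp_from_cert "$c")" = "$want" ]; then
            rm -rf "$dir"; echo "$i"; return 0
        fi
    done
    rm -rf "$dir"
    echo none
    return 1
}

# make_demo
# Builds a scratch directory with three throwaway self-signed certificates
# (constructed for this example) and a bundle holding certB then certA.
# keyC deliberately has no certificate in the bundle. Prints the directory.
make_demo() {
    d=$(mktemp -d)
    for name in A B C; do
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$d/key$name.pem" -out "$d/cert$name.pem" \
            -subj "/CN=$name.example" -days 1 >/dev/null 2>&1
    done
    cat "$d/certB.pem" "$d/certA.pem" > "$d/bundle.pem"
    echo "$d"
}

# Stand-alone demonstration: keyA sits at position 2 of the bundle, while
# keyC matches nothing (the situation that makes pkcs12 -export fail).
demo=$(make_demo)
echo "keyA matches bundle entry: $(find_matching_cert "$demo/keyA.pem" "$demo/bundle.pem")"          # 2
echo "keyC matches bundle entry: $(find_matching_cert "$demo/keyC.pem" "$demo/bundle.pem" || true)"  # none
rm -rf "$demo"
```

To use it on the files from the original post, call `find_matching_cert /usr/local/bin/backups/privatekey.pem company.pem`: a number tells you the key is fine and which entry is the server certificate, while "none" means the backed-up key is not the one the CSR was generated with, or the server certificate itself never made it into the merged file.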