Let's Encrypt SSL Certificate Failing

I have been following the previous forum posts and have managed to get through all the steps needed to upload my SSL certificate into the gateway.

The problem is when I press the continue button the following error comes up:

The following is from the gateway wrapper:

INFO   | jvm 1    | 2020/07/02 16:24:44 | E [g.SslConfigRoutes             ] [20:24:44]: Unable to transition to ca-signed certificate state route-group=config, route-path=/ssl/transition/ca-signed-certificate
INFO   | jvm 1    | 2020/07/02 16:24:44 | java.security.KeyStoreException: Key protection  algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(Unknown Source)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(Unknown Source)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(Unknown Source)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at java.base/java.security.KeyStore.setKeyEntry(Unknown Source)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.ssl.SslManager.toCaSignedCertificateInternal(SslManager.java:791)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.ssl.SslManager.toCaSignedCertificate(SslManager.java:813)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.ssl.SslConfigRoutes.toCaSignedCertificate(SslConfigRoutes.java:520)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:252)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:61)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:54)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at com.inductiveautomation.ignition.gateway.dataroutes.AbstractRouteGroupServlet.service(AbstractRouteGroupServlet.java:38)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1391)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:547)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.Server.handle(Server.java:500)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2020/07/02 16:24:44 | Caused by: java.security.KeyStoreException: Certificate chain is not valid
INFO   | jvm 1    | 2020/07/02 16:24:44 | 	... 50 common frames omitted

Any guidance would be appreciated. I am using the default ports of 8088 and 8043. I used certbot to generate the certificates.

Brandon

How did you upload the certificates in your certificate chain? Did you upload one at a time or did you upload one bundle? If the latter: do you have any duplicate certs in the bundle?

One at a time. And I saw errors about duplicates, and so could not actually get the continue button to be active until I had all the unique chains entered.

I pasted them in because of how Let's Encrypt duplicated some information in different PEM files.

EDIT:
This is the post I followed to get to this point

Based on the exception you posted, I believe you may have a duplicate certificate in the chain that you uploaded. If you believe that not to be the case, DM me the certificate chain (without the private key) and I’ll take a look.

Alright. I just sent you a zip file with the fullchain and the chain PEM files that came from Let’s Encrypt.

I replied back with details about your specific certs. For posterity, one PEM file had the intermediary CA cert, and the other PEM file had a chain containing the end-entity cert and the same intermediary CA cert as the other file. Between these two files alone, I am not sure how you were able to get past the continue button on the certificate wizard UI, since the root CA cert should be required and I did not see that cert in the files you sent me.
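The two files described in the reply above (one holding just the intermediate, the other holding the leaf plus that same intermediate) are exactly the input that makes the gateway's PKCS12 keystore throw "Certificate chain is not valid" when pasted in one after another, and the root is the piece that has to be fetched separately and appended last. As an added example that is not part of this thread and not code from the Ignition gateway, certbot or Let's Encrypt, the following standard-library Python script merges such PEM files, drops the duplicate by DER fingerprint, reads issuer and subject names with a minimal DER walker, orders the chain leaf to root, and reports when no self-signed root is present instead of producing a chain that will be rejected. The certificates it runs on are constructed, unsigned placeholders (names `Test Root CA`, `Test Intermediate CA`, `gateway.example.com`) built inline so it runs offline; the parser reads real certificates the same way, but the script compares names byte-for-byte and does not check signatures, so still run `openssl verify` on the result before uploading.

```python
"""Dedupe, order and sanity-check a PEM certificate chain before uploading it.
Added example, not code from the Ignition gateway, certbot or Let's Encrypt:
dedupes by SHA-256 of the DER, reads issuer/subject with a tiny DER walker,
orders leaf -> intermediate(s) -> root, and flags a missing root."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """DER bytes of every CERTIFICATE block in a PEM text, in file order."""
    return [base64.b64decode(re.sub(r"\s+", "", m)) for m in PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def names(der):
    """(issuer, subject) of an X.509 certificate as raw DER Name blobs.
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serial,
    sigAlg, issuer, validity, subject, ... }, sigAlg, signature }."""
    _, body, _ = _tlv(der, 0)                  # outer Certificate SEQUENCE
    _, pos, end = _tlv(der, body)              # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        if tag != 0xA0:                        # skip the optional [0] version wrapper
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]                # serial, sigAlg, ISSUER, validity, SUBJECT


def build_chain(pem_texts):
    """Merge PEM inputs into one duplicate-free chain; return (ordered DERs, problems).
    The leaf is the one cert whose subject issued nothing; each next link is the
    cert whose subject equals the previous issuer; a self-signed cert ends it."""
    unique = {}
    for text in pem_texts:
        for der in pem_to_ders(text):
            unique.setdefault(hashlib.sha256(der).hexdigest(), der)   # drops duplicates
    info = {der: names(der) for der in unique.values()}
    issuers = {iss for iss, _ in info.values()}
    leaves = [der for der, (_, sub) in info.items() if sub not in issuers]
    if len(leaves) != 1:
        return [], ["expected exactly one end-entity certificate, found %d" % len(leaves)]
    by_subject = {sub: der for der, (_, sub) in info.items()}
    chain, problems = [leaves[0]], []
    while True:
        iss, sub = info[chain[-1]]
        if iss == sub:                         # self-signed root reached: chain complete
            break
        parent = by_subject.get(iss)
        if parent is None or parent in chain:
            problems.append("root CA certificate missing: nothing in the input issued "
                            "the last certificate in the chain")
            break
        chain.append(parent)
    return chain, problems


def to_pem(ders):
    """Render DER certificates as one PEM bundle in the given order."""
    out = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)))
    return "".join(out)


# Constructed sample input: certificate-shaped DER with dummy serial, algorithm,
# validity, key and signature. Only issuer/subject matter for chain assembly.
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQ { SET { SEQ { OID commonName (2.5.4.3), UTF8String cn } } }"""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def sample_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer)
           + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
           + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


ROOT = sample_cert("Test Root CA", "Test Root CA")
INTERMEDIATE = sample_cert("Test Intermediate CA", "Test Root CA")
LEAF = sample_cert("gateway.example.com", "Test Intermediate CA")
CHAIN_PEM = to_pem([INTERMEDIATE])              # shaped like certbot's chain.pem
FULLCHAIN_PEM = to_pem([LEAF, INTERMEDIATE])    # shaped like certbot's fullchain.pem
ROOT_PEM = to_pem([ROOT])                       # the separately downloaded root

if __name__ == "__main__":
    for inputs in ([CHAIN_PEM, FULLCHAIN_PEM], [CHAIN_PEM, FULLCHAIN_PEM, ROOT_PEM]):
        chain, problems = build_chain(inputs)
        print(len(chain), "unique certs in order;", problems or "chain complete")
```

Run it and the first pass (chain.pem plus fullchain.pem, as in the thread) yields two unique certificates and a missing-root problem; adding the root yields the complete three-certificate chain that `to_pem` can write out in upload order.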

Ah. Well, I had to find that on the Let's Encrypt site. You will see a link to it on the other post I referenced.

Alright, where I messed up was going to the wrong location for the root certificate.

Here is the location of the root certificate I needed:
https://www.identrust.com/dst-root-ca-x3

Thanks for the help
