Add folder to maker edition webserver

Try replacing the ISGR X1 Root you have in that chain with this one.

You need to remove the previous one, not upload both.

java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
    at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(Unknown Source)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(Unknown Source)
    at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(Unknown Source)
    at java.base/java.security.KeyStore.setKeyEntry(Unknown Source)
    at com.inductiveautomation.ignition.gateway.ssl.SslManager.toCaSignedCertificateInternal(SslManager.java:791)
    at com.inductiveautomation.ignition.gateway.ssl.SslManager.toCaSignedCertificate(SslManager.java:813)
    at com.inductiveautomation.ignition.gateway.ssl.SslConfigRoutes.toCaSignedCertificate(SslConfigRoutes.java:522)
    at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:254)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:61)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:59)
    at com.inductiveautomation.ignition.gateway.dataroutes.AbstractRouteGroupServlet.service(AbstractRouteGroupServlet.java:38)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1450)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at com.inductiveautomation.catapult.handlers.RemoteHostNameLookupHandler.handle(RemoteHostNameLookupHandler.java:116)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.security.KeyStoreException: Certificate chain is not valid
    ... 52 common frames omitted

Didn't work, same error.

Kevin and I agreed that these certs should work (we split them up into one cert per pem file for clarity): certs.zip (5.1 KB)

Upload them in this order:

  1. server-cert.pem
  2. first-intermediate-ca-cert.pem
  3. root-ca-cert.pem

Let us know if that works :crossed_fingers:
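A way to check, before uploading, that the three files above link up in the order the Gateway expects. This is an added example, not Ignition's code: it applies the two conditions the JDK's PKCS#12 keystore enforces before `setKeyEntry` accepts a chain (each certificate's issuer equals the next certificate's subject, and no certificate appears twice, which is why a root must be replaced rather than uploaded alongside the old one) and additionally verifies each signature. The file names are the ones from the post above; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;

public class ChainOrderCheck {
    // Read the PEM files in the order they will be uploaded: server cert first, root last.
    static List<X509Certificate> loadPem(String... paths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String path : paths) {
            try (InputStream in = new FileInputStream(path)) {
                for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
            }
        }
        return chain;
    }
    // Returns null when the chain is acceptable, otherwise a description of the first problem found.
    static String firstProblem(List<X509Certificate> chain) {
        if (chain.isEmpty()) return "no certificates found";
        // Same certificate twice (e.g. old and new root both uploaded) is rejected by the PKCS#12 keystore.
        if (new HashSet<>(chain).size() != chain.size()) return "a certificate appears more than once";
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i), issuer = chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                return "position " + i + " (" + cert.getSubjectX500Principal() + ") was not issued by position "
                        + (i + 1) + " (" + issuer.getSubjectX500Principal() + ")";
            try {
                cert.verify(issuer.getPublicKey()); // names match; make sure the key at i+1 really signed cert i
            } catch (GeneralSecurityException e) {
                return "position " + i + " does not verify against position " + (i + 1) + ": " + e.getMessage();
            }
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (!last.getIssuerX500Principal().equals(last.getSubjectX500Principal()))
            return "last certificate is not self-signed; the root CA certificate is missing";
        return null;
    }
    public static void main(String[] args) throws Exception {
        String[] files = args.length > 0 ? args
                : new String[] {"server-cert.pem", "first-intermediate-ca-cert.pem", "root-ca-cert.pem"};
        List<X509Certificate> chain = loadPem(files);
        String problem = firstProblem(chain);
        System.out.println(problem == null ? "chain OK: " + chain.size() + " certificates, leaf -> root"
                : "chain problem: " + problem);
        if (problem != null) System.exit(1);
    }
}
```

Run it with `java ChainOrderCheck.java server-cert.pem first-intermediate-ca-cert.pem root-ca-cert.pem`; a non-zero exit and the printed position tell you which file is out of order, duplicated, or signed by a different CA than the one you uploaded.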

It works.

But I'm thinking about the settings: Ignition is still on the default ports, but I port forward 80 and 443 to those ports. Now I got redirected to 8043.

Nice, glad that worked.

There is a public address setting in the Config > Networking > Web Server page. Set those accordingly.

For example: if public.example.com:443 forwards to private.example.com:8043, then update your public address to public.example.com and public port to 443. Same for the port 80 → 8088 (plain HTTP) mapping.


Thanks. Now I'm set up, for 3 months :smiley:


Check out the let’s encrypt guide that Phil posted earlier in this thread: Add folder to maker edition webserver - #2 by pturmel

That’s your best bet for getting you started on automating certificate renewal.

For posterity: if the OP had gone the route of using ZeroSSL instead of Let's Encrypt, the correct folder to drop the challenge file into is $GATEWAY_HOME/.well-known/pki-validation/, NOT $GATEWAY_HOME/webserver/...

That guide leaves out a lot of info, such as what those $VARIABLES point at; the path where the certs were stored did not match (for Debian 10).

For me they ended up at:

lrwxrwxrwx 1 stefan stefan 46 Dec 6 20:00 cert.pem -> ../../archive//cert1.pem
lrwxrwxrwx 1 stefan stefan 47 Dec 6 20:00 chain.pem -> ../../archive//chain1.pem
lrwxrwxrwx 1 stefan stefan 51 Dec 6 20:00 fullchain.pem -> ../../archive//fullchain1.pem
lrwxrwxrwx 1 stefan stefan 49 Dec 6 20:00 privkey.pem -> ../../archive/ignition.gronberg.info/privkey1.pem
-rw-r--r-- 1 stefan stefan 692 Dec 6 20:00 README

But I'll work around that when I get to it.

I ditched ZeroSSL and went with LE, which is now installed now that we got the cert chain and bundles worked out.

I just went through the guide, and I believe we explained all of those dollar-sign variables / placeholders. Some examples:

When Certbot asks you for the path to your webroot, enter the path to your $IGNITION (root directory where the Gateway is installed)

Let’s reference the certificate chain in this document as $CERT_CHAIN and the private key as $PRIV_KEY.

As of the time of this writing, Let’s Encrypt is using DST Root CA X3 as the root CA cert. Copy its contents to a .pem file in a well-known location on your server and let’s reference it as $ROOT_CA_CERT in this document.

Could you point me to specific examples of where we may have missed explanations for these? I'd definitely like to get that corrected.

Sure, the purpose of that guide is to give an example or pattern for how one might integrate Let's Encrypt with Ignition by explaining some fundamental concepts and providing a concrete example of how one might set this up. The guide was posted on October 22, 2019 when Ignition was on v8.0.3 - at the time we used certbot version 0.31.0 on Ubuntu 18.04.2 LTS (mentioned in the doc) because those were probably the latest / greatest versions of those and the choice was personal preference. YMMV depending on which OS / distro you use, which version of certbot you use and how it is configured (you may even choose not to use certbot), etc. Guides like these also do tend to get "outdated" after a while as some of the software we used back then could have changed a bit (for example: maybe certbot changed which directories certs are dropped into). This is a good reminder for me to periodically check on this guide to make sure it is still useful at whatever date I am revisiting it, and to update it as necessary.

How can you help me? I have the same problem.. :smiling_face_with_tear: