
How to configure the CLI to trust an XL Deploy server with a self-signed certificate

If you configured your XL Deploy server to use a self-signed certificate (this is fine for development and testing environments, but for production use a properly signed certificate is recommended!), you will notice that trying to connect with a "vanilla" CLI configuration will fail:

C:...\xl-deploy-4.5.1-cli>bin\cli.cmd -secure
Username: admin
Password:
Exception in thread "main" java.lang.IllegalStateException: Could not contact the server at https://127.0.0.1:4517/deployit
    ...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to get the CLI to trust the server's certificate, you will need to configure a truststore for the CLI. Usually, you don't want to modify the JRE's global truststore for this purpose, so we'll describe here how to create a dedicated truststore for your CLI:

Exporting the server certificate

Export the server's self-signed certificate from the server keystore in SERVER_HOME/conf (the server's key is stored under the alias "jetty"):

keytool -export -keystore keystore.jks -alias jetty -file XLDeployServerCert.cer

See the keytool documentation for more information on the keytool utility.

Importing the certificate as a trusted cert

Import the certificate as a trusted cert into a separate truststore for the CLI, so you don't have to mess with the JRE’s global truststore:

keytool -import -alias XLDeployServerCert -file XLDeployServerCert.cer -keystore myCliTruststore.jks

Moving the truststore to the CLI installation

Move myCliTruststore.jks from SERVER_HOME/conf to CLI_HOME/conf.

Configuring the CLI to use the truststore

Set the CLI options (or, equivalently, edit CLI_HOME/bin/cli.sh or cli.cmd) so that the CLI uses the truststore. Use the password you specified when creating the truststore in the step above:

set DEPLOYIT_CLI_OPTS=-Xmx512m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=conf/myCliTruststore.jks -Djavax.net.ssl.trustStorePassword=secret

Starting the CLI

You can now start the CLI. Ensure that the hostname you use is the hostname that’s listed in the certificate:

C:...\xl-deploy-4.5.1-cli>bin\cli.cmd -secure -host localhost
Username: admin
Password:
Welcome to the XL Deploy Jython CLI!
Type 'help' to learn about the objects you can use to interact with XL Deploy.
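The export, import and verification steps above, scripted for a Unix host where cli.sh is used. This is an added example, not part of the original post or of the XL Deploy product; it assumes keytool is on PATH and that the server keystore uses the alias "jetty" as shown above. It also prints the CN of the exported certificate, which is the hostname to pass to -host.

```shell
#!/bin/sh
# Added example: build a dedicated CLI truststore from the XL Deploy server's
# self-signed certificate, so the JRE's global cacerts is never touched.
# Assumptions: keytool on PATH; server key stored under alias "jetty".
set -eu

# Export the server cert, import it into a fresh CLI truststore, then verify.
#   $1 server keystore      $2 server keystore password
#   $3 truststore to create $4 truststore password
build_cli_truststore() {
    srv_ks=$1; srv_pw=$2; ts=$3; ts_pw=$4
    cer="$(dirname "$ts")/XLDeployServerCert.cer"
    keytool -export -keystore "$srv_ks" -storepass "$srv_pw" \
        -alias jetty -file "$cer"
    keytool -import -noprompt -alias XLDeployServerCert -file "$cer" \
        -keystore "$ts" -storepass "$ts_pw"
    # keytool -list exits non-zero when the alias is absent, so this is the check
    keytool -list -keystore "$ts" -storepass "$ts_pw" \
        -alias XLDeployServerCert >/dev/null
}

# Print the CN of the exported certificate: the value to use with "-host".
# If the certificate carries Subject Alternative Names, the client's hostname
# verifier checks those instead of the CN.
cert_hostname() {
    keytool -printcert -file "$1" \
        | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# The DEPLOYIT_CLI_OPTS value from the post, pointing at the dedicated truststore.
#   $1 truststore path (relative to CLI_HOME)  $2 truststore password
cli_opts() {
    printf '%s\n' "-Xmx512m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Usage with constructed paths, run from CLI_HOME:
#   build_cli_truststore /opt/xld/server/conf/keystore.jks changeit conf/myCliTruststore.jks secret
#   echo "export DEPLOYIT_CLI_OPTS=\"$(cli_opts conf/myCliTruststore.jks secret)\""
#   cli.sh -secure -host "$(cert_hostname conf/XLDeployServerCert.cer)"
```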

Andrew Phillips


2 comments


If the CLI is running on a different machine, then you have to use the hostname in the certificate. Otherwise you get the following error:

Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <192.168.234.10> != <xldeploycentos>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:231)

Also, the signed certificate created by XLDeploy during setup is only valid for localhost. Therefore it is not usable for XLDeploy clients like the CLI or Jenkins outside the XLDeploy server host. You have to create a new self-signed certificate yourself.

Levent Tutar

> If the CLI is running on a different machine, then you have to use the hostname in the certificate

Thanks, Levent! That's what I was trying to point out with "Ensure that the hostname you use is the hostname that’s listed in the certificate:", but that probably should have been clearer ;-)

> Therefore not usable for XLDeploy clients like CLI or Jenkins outside XLDeploy server host. You have to create a new self signed certificate by yourself.

Using hostname instead of localhost sounds like a good improvement suggestion. If you are creating a new self-signed cert with a different hostname (see the System Administration Manual for details), please remember to use the certificate alias "jetty" when importing it into the keystore!

Regards

Andrew

Andrew Phillips