2015-02-13

Java To Trust GoDaddy Class2 G2 Certs

Sadly, GoDaddy's "Class 2" and "G2" root CA certificates are not included in the Java 7 cacerts truststore, so certificates chaining up to them are not trusted by default.

So we have to add the CA certificates to the Java truststore ourselves.

I run this under Apache Tomcat, which needs one extra step: telling the JVM which truststore to use. I put the options into CATALINA_OPTS; use setenv.sh or whatever your deployment process dictates. In theory the JVM reads its own lib/security/cacerts without being told, so the explicit properties should only matter when Tomcat runs on a different JRE than the one whose cacerts you edited, or when you keep a separate truststore file. In my setup Tomcat did not pick up the change without them, for a reason I have not chased down; it may well be PEBKAC somewhere else.

Adjust the cacerts path to your installation:

-Djavax.net.ssl.trustStore=/opt/apps/jira/jdk/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

The truststore password is only used to verify the integrity of the JKS file, not to read it, so trustStorePassword is optional. Keep in mind that anything in CATALINA_OPTS is visible in the process list; with the well-known default of changeit on the stock cacerts that is moot, but it matters if you use a real password on a separate store.

First, fetch the certificates we want to trust from GoDaddy's repository:
  1. https://certs.godaddy.com/repository/gd_bundle.crt
  2. https://certs.godaddy.com/repository/gdroot-g2.crt
  3. https://certs.godaddy.com/repository/gd-class2-root.crt
  4. https://certs.godaddy.com/repository/gdig2.crt

Before importing anything, compare each certificate's fingerprint (keytool -printcert -file <file>) with the one GoDaddy publishes in the repository; you are about to make it a trust anchor for every TLS connection this JVM opens.

Not all four files are roots: gd_bundle.crt and gdig2.crt are intermediate CA certificates (gdig2 is the G2 intermediate issued by the G2 root), and a bundle can contain a certificate that is already in the store. Two consequences: keytool -import reads only the first certificate of a multi-certificate file, so split a bundle into single certificates before importing, and if keytool complains that a certificate or alias already exists, that particular import can simply be skipped.

Second, import each file to trust it, using a distinct alias per file (keytool refuses a duplicate alias); the file's base name works well:
keytool -import -trustcacerts -alias gd_bundle -file gd_bundle.crt -keystore /opt/apps/jira/jdk/jre/lib/security/cacerts
Repeat for the other three files with their own aliases, and again adjust the cacerts path to your installation.
keytool asks for the keystore password, which is changeit by default. If you change it, remember to change Tomcat's trustStorePassword parameter as well.

Lastly, restart Tomcat.
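The whole procedure as one script, an added example of mine rather than code from the original post. It fetches the four files listed above, splits any bundle into single certificates (keytool only imports the first certificate of a file), imports each under a unique alias, skips aliases that already exist instead of aborting, prints each fingerprint so it can be compared with GoDaddy's published value, and finally prints the CATALINA_OPTS line for setenv.sh. It assumes curl and keytool on the PATH; TRUSTSTORE and STOREPASS default to the post's values and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original post: fetch GoDaddy CA files, split
# bundles, import every certificate into cacerts, point Tomcat at the store.
# Assumptions: curl and keytool on PATH; TRUSTSTORE/STOREPASS default to the
# values used in the post; CATALINA_BASE is wherever your Tomcat lives.
set -eu

TRUSTSTORE="${TRUSTSTORE:-/opt/apps/jira/jdk/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
REPO="https://certs.godaddy.com/repository"
FILES="gd_bundle.crt gdroot-g2.crt gd-class2-root.crt gdig2.crt"

# keytool -importcert reads only the FIRST certificate in a file, so a bundle
# such as gd_bundle.crt must be split. Writes <outdir>/<base>-<n>.pem for each
# PEM block in <file> and prints the number of certificates found.
split_pem() {
  in="$1"; outdir="$2"; base=$(basename "$in" .crt)
  awk -v base="$outdir/$base" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = base "-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }' "$in"
}

# Import every certificate in a PEM file under alias <base>-<n>. keytool
# refuses a duplicate alias, so an alias that is already present is skipped
# instead of aborting the run. Owner, issuer and fingerprints are printed
# first so they can be checked against what GoDaddy publishes.
import_pem() {
  in="$1"; tmp=$(mktemp -d)
  split_pem "$in" "$tmp" >/dev/null
  for cert in "$tmp"/*.pem; do
    alias=$(basename "$cert" .pem)
    if keytool -list -alias "$alias" -keystore "$TRUSTSTORE" \
         -storepass "$STOREPASS" >/dev/null 2>&1; then
      echo "skip $alias: alias already in $TRUSTSTORE"
      continue
    fi
    keytool -printcert -file "$cert" | grep -E '^(Owner|Issuer)|SHA(1|256):'
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  done
  rm -rf "$tmp"
}

# The JVM options the post adds to CATALINA_OPTS (for setenv.sh).
tomcat_opts() {
  printf '%s %s' "-Djavax.net.ssl.trustStore=$TRUSTSTORE" \
    "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

main() {
  work=$(mktemp -d)
  for f in $FILES; do
    curl -fsS -o "$work/$f" "$REPO/$f"
    import_pem "$work/$f"
  done
  rm -rf "$work"
  # Verify: list the trusted entries we just added.
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    | grep -E '^(gd_bundle|gdroot-g2|gd-class2-root|gdig2)-[0-9]+,'
  echo "Add to \$CATALINA_BASE/bin/setenv.sh, then restart Tomcat:"
  echo "CATALINA_OPTS=\"\$CATALINA_OPTS $(tomcat_opts)\""
}

# Constructed sample, only for exercising split_pem: two PEM blocks with dummy
# bodies, not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBdummyFirstCertificateBodyAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummySecondCertificateBodyBBBB
-----END CERTIFICATE-----'

case "${1:-}" in
  run) main ;;
esac
```

Run it as `sh godaddy-cacerts.sh run` as a user that can write the cacerts file. Aliases come out as gd_bundle-1, gd_bundle-2, and so on, which is also what the final keytool -list shows; -noprompt keeps keytool from stopping for confirmation, which is why the fingerprint is printed for you to check rather than relying on the interactive prompt.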
