Sunday, June 23, 2013

Installing GoDaddy SSL Certificate keytool error: java.lang.Exception: Failed to establish chain from reply - fixed



Problem: keytool error: java.lang.Exception: Failed to establish chain from reply

This error appears while importing the GoDaddy-issued SSL certificate into the keystore file.


Server: Tomcat 7

Solution: Make sure every certificate in the chain is imported into the keystore. You can identify the certificates in the chain by opening the certificate received from the CA: on Windows, double-click the file and go to the Certification Path tab, which lists the chain from the root down to your domain certificate. Then download the individual CA certificates from https://certs.godaddy.com/anonymous/repository.pki.


Details:


1) Open the certificate issued by GoDaddy, which is named after your domain name.

2) The certification path shows that you need to install the "Go Daddy Root Certificate Authority - G2" root certificate first, then the "Go Daddy Secure Certificate Authority - G2" intermediate certificate, and finally the "test.co.in" domain certificate (test.co.in is a placeholder for the real domain name).


3) Where do the first two certificates come from? Go to https://certs.godaddy.com/anonymous/repository.pki and look for the two certificates named above.

[Screenshot of the GoDaddy repository page listing the two CA certificates]
4) Run the following commands to install the certificate issued by Go Daddy, using the files obtained above, in this order:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdroot-g2.crt

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file test.co.in

The alias in the last command must be the alias under which the key pair and the CSR were generated (tomcat here). keytool only treats an import as a certificate reply, and attaches the chain to the private key, when that alias already holds the key; if the alias differs, the domain certificate is stored as a separate trusted certificate and Tomcat will not serve it. -trustcacerts additionally lets keytool use the JRE's cacerts file when building the chain, so "Failed to establish chain from reply" means the issuer of the reply (normally the intermediate) was found in neither the keystore nor cacerts.

The above process completely resolved the chain exception and the SSL certificate was installed into Tomcat successfully.
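The whole procedure as a script, added here as an example that is not part of the original post: it splits a PEM bundle into one file per certificate (GoDaddy sometimes ships the intermediate and root concatenated; the bundle's file name is not taken from the post), runs the three imports in the order above, and then checks that keytool reports a chain of length 3 under the tomcat alias. Assumed: keytool on PATH, a keystore whose key pair was generated with alias tomcat, the keystore password in the KEYSTORE_PASS environment variable, and the file names the post uses as placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: keytool is on
# PATH, the keystore was created with "keytool -genkey -alias tomcat" (so the
# CSR's key pair lives under the alias tomcat), the keystore password is in
# KEYSTORE_PASS, and the certificate files are the ones the post names. All
# file names are placeholders.

# split_pem BUNDLE OUTDIR
# Splits a PEM file holding several certificates into OUTDIR/cert-1.pem,
# cert-2.pem, ... in file order and prints how many it found. Lines outside
# BEGIN/END markers are dropped so a blank line between certificates does
# not truncate the previous file.
split_pem() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_chain KEYSTORE ROOT INTERMEDIATE DOMAIN
# Imports in the order the post gives: root, then intermediate (both become
# trusted-cert entries), then the domain certificate under the key pair's
# alias. That last alias MUST match the key pair's alias; otherwise keytool
# files the domain certificate as a trusted-cert entry and no chain is built.
import_chain() {
    ks="$1"; root="$2"; inter="$3"; leaf="$4"
    keytool -import -noprompt -alias root     -keystore "$ks" -storepass "$KEYSTORE_PASS" -trustcacerts -file "$root"  &&
    keytool -import -noprompt -alias intermed -keystore "$ks" -storepass "$KEYSTORE_PASS" -trustcacerts -file "$inter" &&
    keytool -import -noprompt -alias tomcat   -keystore "$ks" -storepass "$KEYSTORE_PASS" -trustcacerts -file "$leaf"
}

# chain_length KEYSTORE ALIAS
# Prints the "Certificate chain length" value keytool -list -v reports for
# ALIAS. A PrivateKeyEntry carrying the full GoDaddy chain reports 3; a 1
# means the reply went in as a trusted certificate or the alias was wrong.
chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$KEYSTORE_PASS" 2>/dev/null |
        sed -n 's/^Certificate chain length: *//p'
}

main() {
    # Usage: sh import-chain.sh tomcat.keystore gdroot-g2.crt gdig2.crt test.co.in
    ks="$1"; root="$2"; inter="$3"; leaf="$4"
    import_chain "$ks" "$root" "$inter" "$leaf" || { echo "import failed" >&2; exit 1; }
    len=$(chain_length "$ks" tomcat)
    [ "$len" = "3" ] || { echo "expected chain length 3, got '$len'" >&2; exit 1; }
    echo "chain of length $len installed under alias tomcat"
}

# Only run the import when the four file arguments are supplied.
if [ $# -eq 4 ]; then main "$@"; fi
```

Passing the password with -storepass makes it visible in the process list; on a shared host drop that flag and let keytool prompt. If split_pem is used on a bundle, inspect each output file's subject (for example in the Windows certificate viewer, as in step 1) before deciding which is the root and which the intermediate, since bundle order is not guaranteed.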

4 comments:

  1. How are you getting the test.co.in file? I understand you can just download the gdroot-g2.crt from https://certs.godaddy.com/anonymous/repository.pki. But how do you get the text file for your own personal certificate to import into keytool? I tried downloading the PEM file from my account, but I still get the "Incomplete certificate chain in reply" error. The documentation on GoDaddy's site just skips the details on this step (http://support.godaddy.com/help/article/4780/signing-java-code)

  2. I have changed it to test.co.in while writing this blog as I don't want to disclose for which website I was setting up the SSL certificate.

    The steps that you need to follow are: open the certificate issued by GoDaddy, then see the certification path, and then use keytool to import the certificates.

  3. Thanks, we were working on this problem for the whole day and finally it worked. Thanks for your help.

    Regards

  4. Bluehost is ultimately one of the best website hosting companies with plans for all of your hosting requirements.
