By: Evan Kohout user 30 Oct 2017 at 4:25 p.m. CDT

4 Responses
Hi, I am trying to update Gluu Server httpd certificates with real CA-signed certs. However, the documentation references some /etc/certs directory which does not exist. I am logging in with root as well, 'sudo su -', and I still don't see the /etc/certs directory. Where are these files stored and how do I update the self-signed cert on Gluu Server CE 3.1.1? Thanks

By Aliaksandr Samuseu staff 30 Oct 2017 at 4:38 p.m. CDT

Hi, Evan. The `/etc/certs` directory does exist; it's within the chroot container of your Gluu instance, the one you move to on running `# service gluu-server-3.1.1 login`

By Evan Kohout user 30 Oct 2017 at 4:50 p.m. CDT

Ah ok, that did it. I can see it now. However, when I go to remove the old cert from the keystore, it tells me:

```
keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore cacerts
keytool error: java.lang.Exception: Keystore file does not exist: cacerts
```

I am following the instructions found here: https://gluu.org/docs/ce/3.1.1/admin-guide/certificate/

Which keystore is used for httpd? There is no .jks for the httpd labeled keys. Here is what my /etc/certs directory lists:

```
root@auth:/etc/certs# ls
asimba.crt       cert_creds.json            httpd.key.orig           idp-signing.csr       openldap.key            oxauth-keys.json  shibIDP.csr
asimba.csr       duo_creds.json             idp-encryption.crt       idp-signing.key       openldap.key.orig       passport-rp.jks   shibIDP.jks
asimba.key       gplus_client_secrets.json  idp-encryption.csr       idp-signing.key.orig  openldap.pem            passport-rp.pem   shibIDP.key
asimba.key.orig  httpd.crt                  idp-encryption.key       openldap.crt          openldap.pkcs12         passport-rs.jks   shibIDP.key.orig
asimba.pkcs12    httpd.csr                  idp-encryption.key.orig  openldap.csr          otp_configuration.json  scim-rs.jks       shibIDP.pkcs12
asimbaIDP.jks    httpd.key                  idp-signing.crt          openldap.jks          oxauth-keys.jks         shibIDP.crt       super_gluu_creds.json
```

By Sahil Arora staff 31 Oct 2017 at 7:19 a.m. CDT

Evan, you will need to specify the full path to cacerts: `/etc/ssl/certs/java/cacerts`

By Aliaksandr Samuseu staff 31 Oct 2017 at 9:32 a.m. CDT

I believe the correct path for 3.1.1 will look like this: `/opt/jdk1.8.0_112/jre/lib/security/cacerts`. To be sure, you can first search for `cacerts` within the container:

`# find / -ipath "*cacerts"`

There will be several files in the results. To make sure you found the correct one, grep for `_httpd` while listing its contents:

`# /opt/jre/bin/keytool -list -v -keystore /opt/jdk1.8.0_112/jre/lib/security/cacerts -storepass changeit | grep '_httpd'`
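
The search-then-check procedure from the last reply, combined into one read-only helper. This is an added example, not part of the original thread or of Gluu's tooling; the function name and the `KEYTOOL` and `STOREPASS` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report which "cacerts" trust stores under a directory hold a
# given alias (e.g. <hostname>_httpd). It only lists; it changes no keystore.
# Assumed names for this sketch: KEYTOOL, STOREPASS, find_keystores_with_alias.
# "changeit" is the store password used in the thread.

KEYTOOL="${KEYTOOL:-keytool}"
STOREPASS="${STOREPASS:-changeit}"

# Usage: find_keystores_with_alias <search-root> <alias>
# Prints each matching keystore (resolved path) once; exit status 1 if none.
# The body is a subshell, so its variables stay local to the call.
find_keystores_with_alias() (
    root="$1"; alias="$2"; seen=""; found=1
    stores=$(find "$root" -ipath '*cacerts' 2>/dev/null)
    while IFS= read -r store; do
        # The same store is often reachable through several symlinked paths
        # (/opt/jre vs /opt/jdk...), so resolve and de-duplicate first.
        real=$(readlink -f -- "$store") || continue
        [ -f "$real" ] || continue
        case "$seen" in *"|$real|"*) continue ;; esac
        seen="$seen|$real|"
        # "keytool -list -alias X" exits non-zero when the alias is absent,
        # which is more exact than grepping the verbose listing.
        if "$KEYTOOL" -list -alias "$alias" -keystore "$real" \
               -storepass "$STOREPASS" >/dev/null 2>&1 </dev/null; then
            printf '%s\n' "$real"
            found=0
        fi
    done <<EOF
$stores
EOF
    exit "$found"
)

# Inside the container, for example:
#   KEYTOOL=/opt/jre/bin/keytool find_keystores_with_alias / "<hostname_of_your_Gluu_Server>_httpd"
```

The path it prints is the one to pass as `-keystore` to the `keytool -delete` command from the documentation.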