keytool error: java.lang.Exception: Failed to establish chain from reply

I created a set of procedures, using Wowza instructions: Request an SSL certificate from certificate authority … combined with our university’s site for acquiring an InCommon cert.

Another IT person here successfully got SSL working on a Windows Server 2012 R2 physical server; I’m trying to do the same on the same OS, but running as a VM (the university provides the VM service).

One thing that I’ve never understood is the part where Wowza says to: “Execute one of the following commands to import the signed certificate that you received from the certificate authority:” followed by instructions for a chain cert, and then for a new cert. The former pertains to InCommon v. 2 certs, and the latter to the PEM. Both refer to intermediate certs; the sha-2 certs mention the root cert.

I get the error “keytool error: java.lang.Exception: Failed to establish chain from reply” when I try the procedure for the new certificate.

My .jks file does not have all the entries that the .jks on the server that is working has.

In case anyone has any ideas:

Create (generate) private key (keystore)

keytool -genkey -keysize 2048 -alias wowzaprivatekey -keyalg RSA -keystore ourserver.fake1.edu.jks

ourserver.fake1.edu.jks

Create a CSR

keytool -certreq -file ourserver.fake1.edu.csr -alias wowzaprivatekey -keyalg RSA -keystore ourserver.fake1.edu.jks

ourserver.fake1.edu.csr

Submit the .csr to a certificate authority

Get “new InCommon certificate”.

Paste the contents of the .csr in the “CSR (PEM)” field.

Etc.

Create PEM (Certificate of Authority) file (get contents from PEM cert provided in response to CSR request; InCommon intermediate certificates for sha-2 certificates signed after October 5, 2014.)

Save as: PEM-.crt (Replace with actual number.)

Obtain intermediate and root certificates.

Go to our cert acquiring url … then click the cert you’ve created. CLICK: “Add the InCommon intermediate certificates to your SSLCertificateChainFile.” Copy the sha-2 certificates. Grab everything inside the marquee, i.e., starting with:

InCommon intermediate certificates for sha-2 certificates signed after October 5, 2014.

Paste into Notepad on the server.

Save as “incommonsha-2.crt” in …conf.

Execute one of the following commands to import the signed certificate that you received from the certificate authority:

FOR A CHAIN CERTIFICATE:

keytool -import -alias incommonsha-2 -trustcacerts -file incommonsha-2.crt -keystore ourserver.fake1.edu.jks

“Your keystore contains 2 entries” (Some of the entry is human readable.)

FOR A NEW CERTIFICATE:

Import cert (the PEM file) to the keystore

keytool -import -alias wowzaprivatekey -trustcacerts -file PEM-11557.crt -keystore ourserver.fake1.edu.jks

keytool error: java.lang.Exception: Failed to establish chain from reply

One additional point. The .jks file (the .jks name, and all references to the server) for the server where SSL is working uses the server’s hostname. The .jks on the server where SSL is not working uses the server’s CNAME.

$ dig ourserver.fake1.edu

; <<>> DiG 9.8.3-P1 <<>> ourserver.fake1.edu

[…]

;; QUESTION SECTION:
;ourserver.fake1.edu.           IN      A

;; ANSWER SECTION:
ourserver.fake1.edu.    86400   IN      CNAME   v1454.fake1.edu.
v1454.fake1.edu.        86400   IN      A       111.111.111.111

The CNAME works in all other situations (remote access, etc.), so I have no reason to believe a CNAME wouldn’t work, but I thought I’d mention this.
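An added example (not from the post or the Wowza docs) of the import order that avoids "Failed to establish chain from reply": split the intermediate bundle so each issuer gets its own keystore entry, import those first, then import the signed certificate as the reply under the private-key alias. The keystore password, the output directory and the sample bundle are assumptions; the alias and file names follow the post.

```shell
# Added example, not from the post or the Wowza docs. keytool accepts a
# certificate reply only when it can build a chain from the reply to a
# certificate it already trusts (one in the keystore, or in the JRE cacerts
# when -trustcacerts is given), so every issuer must be imported first.
set -e
# Split a concatenated PEM bundle into outdir/chain-1.pem, chain-2.pem, ...
# and print how many certificates were found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}
# Import each bundle certificate under its own alias, then the signed cert as
# the reply for the private-key alias used in the post. Keystore path,
# password and file names are placeholders supplied by the caller.
import_chain_then_reply() {
    keystore=$1; storepass=$2; bundle=$3; signed=$4
    count=$(split_pem_bundle "$bundle" chain-parts)
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts -alias "chain-$i" \
            -file "chain-parts/chain-$i.pem" -keystore "$keystore" -storepass "$storepass"
        i=$((i + 1))
    done
    # The step that fails with "Failed to establish chain from reply" when an
    # issuer certificate is still missing from the keystore.
    keytool -importcert -trustcacerts -alias wowzaprivatekey \
        -file "$signed" -keystore "$keystore" -storepass "$storepass"
    # The PrivateKeyEntry should now report a chain length of count + 1.
    keytool -list -v -keystore "$keystore" -storepass "$storepass" \
        | grep -E 'Alias name|Entry type|Certificate chain length'
}
# Constructed two-certificate bundle with placeholder bodies (not real
# certificates) so the splitting step can be exercised offline.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDER1
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDER2
-----END CERTIFICATE-----
EOF
# Real use: import_chain_then_reply ourserver.fake1.edu.jks <password> incommonsha-2.crt PEM-11557.crt
```

Importing a multi-certificate bundle under one alias, as in the chain-certificate step above, leaves keytool with only part of the chain; the per-certificate entries written here are what lets the reply import succeed.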