Invalid login issue with the URL https://DNS:8443 in browser after self-signed certificate update with company certfifcate

[usharaniyerra]

Hi Team,

We are using Mirth connect in our organisation. We have one issue while updating the mirth self-signed certificate to a certfifcate from our CA.

After updating the certificate, the login console from the browser with the url https://DNS:8443 showing invalid credentials. But if we revert the cert with self-signed we are able to properly logging in.

Could you please help us whether we are missing any step when updating the self-signed certs with our company's certs? or Please provide some solution to the above issue.

[jonbartels]

Mirth Connect expects the keypair to be stored in the alias mirthconnect

Can you show the contents of your keystore? Use keytool -list -keystore keystore.jks -v or similar.

Please also show which certificate https://DNS:8443 is presenting.

Did you also update your keystore.keypass and keystore.storepass settings in mirth.properties to be able to read and load your keystore?

[usharaniyerra]

Hi @jonbartels,

Mirth Connect expects the keypair to be stored in the alias mirthconnect - We have kept the alias name the same(mirthconnect) in our server.

Please also show which certificate https://DNS:8443 is presenting. - This is a GoDaddy CA certificate. Apologies, can't reveal the domain due to security issues.

Did you also update your keystore.keypass and keystore.storepass settings in mirth.properties to be able to read and load your keystore? -- Yes

[jonbartels]

showing invalid credentials

Can you get more specific with what error message you received?

https://docs.nextgen.com/search?bundle=Mirth_User_Guide_41&q=keystore may be a good reference. Good luck.

[pacmano1]

How to using KeyStore Explorer (KSE)

You will need:

• keystore.storepass = asdfasdf // will be used to open the JKS
• keystore.keypass = ertertert // will be used as the secret for the keypair you will be replacing
• Your new server cert and private key. KSE supports a few import format.

Download the JKS file from your appdata directory, it is called keystore.jks
Open the file with KSE using "Open an existing KeyStore", it will prompt you for a password, use the keystore.storepass value from mirth.properties
Delete the current mirthconnect entry:

Using Import Key Pair in KSE, import your cert and private key and set the password to the same value as keystore.keypass from mirth.properties. Make sure the alias (called "Entry Name in KSE) is mirthconnect.

Save the jks after editing in KSE
Upload the jks file replacing the current one.
Restart Mirth Server.

I would check the cert in a browser first, it should look like:

[pacmano1]

P.S. GoDaddy is a ripoff.

[usharaniyerra]

Hi @pacmano1 ,

We have done the same process as you mentioned above with KSE. We have also tried the same steps with portecle tool as well.

Our certificate has been replaced successfully and we have seen no issue/error in the browser and we can see secure certificate symbol in the browser too.

Now our issue is after this new certificate update, when we try to login mirth console with the same old credentials it's giving us "invalid login credentials".

Need one more clarification please..
Our certificate is single domain certificate it's not wild card one. this could be cause for our issue?

[pacmano1]

Are you using the mirth admin launcher to launch the admin tool or are you downloading the jnlp and using something like open webstart? The latter will give you login failures. The only other thing I can think of is that the admin tool does not trust the full chain of the new cert. Try a different cert for a test. I used a free-but-real letsencrypt cert. I assume the cert you use from godaddy fully matches the FQDN that you are using to launch the admin tool. so https://mirth.domain.com:8443. not just https://mirth:8443/.

[RunnenLate]

I'm having a similar issue. The console outputs this error when trying to login

com.mirth.connect.client.core.ClientException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.mirth.connect.client.core.ServerConnection.executeSync(ServerConnection.java:277)
	at com.mirth.connect.client.core.ServerConnection.apply(ServerConnection.java:166)
	at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:255)
	at org.glassfish.jersey.client.JerseyInvocation$3.call(JerseyInvocation.java:722)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:444)
	at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:718)
	at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:459)
	at org.glassfish.jersey.client.proxy.WebResourceFactory.invoke(WebResourceFactory.java:379)
	at com.sun.proxy.$Proxy13.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.mirth.connect.client.core.Client$2.invoke(Client.java:266)
	at com.sun.proxy.$Proxy13.login(Unknown Source)
	at com.mirth.connect.client.core.Client.login(Client.java:331)
	at com.mirth.connect.client.ui.LoginPanel$8.doInBackground(LoginPanel.java:429)
	at com.mirth.connect.client.ui.LoginPanel$8.doInBackground(LoginPanel.java:416)
	at javax.swing.SwingWorker$1.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at javax.swing.SwingWorker.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

[RunnenLate]

Got it to work, the CA that issued the cert is not a public CA it's internal. Thus had to add the CA to the Java cacerts

keytool –import –noprompt –trustcacerts –alias ALIASNAME -file /PATH/TO/YOUR/DESKTOP/CertificateName.cer -keystore /PATH/TO/YOUR/JDK/jre/lib/security/cacerts -storepass changeit

[HassanBosha]

Would you tell me a bit more in detail about what you did here I'm facing the same error with invalid login credentials
it shows this error
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Input not an X.509 certificate

[RunnenLate]

You're adding the the root CA that signed the certificate to your JDK that is installed on your machine that is launching Mirth connect.

In my case for Windows the is the keystore location:
/PATH/TO/YOUR/JDK/jre/lib/security/cacerts

'changeit' is the default password for that keystore.

what is sounds like is that this file /PATH/TO/YOUR/DESKTOP/CertificateName.cer is not a X.509 certificate. You'll need to export it in that format.

[sbalakrishnan700]

Illegal option: –import
in openssl verion 3.1.4

[usharaniyerra]

Hi All,

Our issue has been resolved. Thanks for all your support.

In our case also, its cert issue. We took new certs and replaced thus issue has been resolved.