tomcat-users mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Problems with SSL-enabled Tomcat 5.5
Date Thu, 30 Aug 2007 15:20:04 GMT
aah, now I think we are getting somewhere.
Is this not the keystore that was used to generate the CSR, and also 
contains the private key?
If not, then I don't know how it would work: you still need your private 
key in order to have a working SSL setup. The signed cert is only what 
Tomcat sends to the browser; it needs the private key in order to 
decipher the stuff that the browser encrypts using the public key.

So if you deleted the original keystore that was used to create the key, 
then yes, you are screwed: you need to start over, generate another key, 
get another CSR, get another signed cert from VeriSign, etc.

Filip

Werner Schalk wrote:
> Hello Filip,
>
> thanks a lot for all your support. No, that's something I already 
> tried. When importing the Verisign root cert in my cacerts
> file and then importing the signed cert in my keystore, he seems to be 
> able to build a certificate chain because I am no
> longer being asked whether I would like to trust the certificate. 
> However when using that keystore then in Tomcat
> (which only contains my signed cert) I am getting the second error 
> ("No available certificate or key corresponds to the SSL cipher suites which are enabled.").
>
> Any more ideas?
>
> Bye,
> Seb
>
> ----- Original Message ----- From: "Filip Hanik - Dev Lists" 
> <devlists@hanik.com>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Thursday, August 30, 2007 5:05 PM
> Subject: Re: Problems with SSL-enabled Tomcat 5.5
>
>
>> looks like the keyAlias="root" is not taking effect, as the 
>> container complains about not finding one named "tomcat"
>>
>> could be that it just looks for tomcat alias to be existent.
>> this is what I would try next, import the same certificate using the 
>> "tomcat" alias, leave the "root" alias in there.
>>
>> Filip
>>
>> Werner Schalk wrote:
>>> Hello,
>>>
>>> setting keyAlias="root" did not change anything. Then I downloaded 
>>> the latest version of Tomcat, added the Verisign cert to my cacerts 
>>> file
>>> and imported my Verisign-signed SSL certificate into a new keystore. 
>>> Unfortunately that does not change my situation: Either Tomcat is 
>>> unable to find
>>> my alias in the keystore file (if I specify a keyAlias) or there 
>>> appears to be a problem with the SSL ciphers or certificate itself 
>>> (if I don't specify a
>>> keyAlias).
>>>
>>> The two error messages I am getting when attempting to start Tomcat 
>>> are (see further below):
>>>
>>> 1/with keyAlias directive:
>>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
>>> SEVERE: Error starting endpoint
>>> java.io.IOException: Alias name tomcat does not identify a key entry
>>>         at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>>
>>> 2/without keyAlias directive:
>>> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>>>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>>
>>> Any more ideas? Is the problem maybe caused because I am creating a 
>>> new keystore and the key of the Verisign-signed
>>> certificate is in a separate file (my colleague deleted the original 
>>> keystore file)? Are we screwed now?
>>>
>>> Thank you. Any input is greatly appreciated.
>>>
>>> Bye,
>>> Werner.
>>>
>>> ----- Original Message ----- From: "Filip Hanik - Dev Lists" 
>>> <devlists@hanik.com>
>>> To: "Tomcat Users List" <users@tomcat.apache.org>
>>> Sent: Wednesday, August 29, 2007 10:32 PM
>>> Subject: Re: Problems with SSL-enabled Tomcat 5.5
>>>
>>>
>>>> did you set
>>>> keyAlias="root" in server.xml
>>>>
>>>> Werner Schalk wrote:
>>>>> Hello,
>>>>>
>>>>> I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) 
>>>>> on a Sun Solaris 10 (Sparc) but it turns out that this appears not 
>>>>> to be an easy task.
>>>>> Hopefully you guys can shed some light on this. Basically I do 
>>>>> have a Verisign-signed SSL certificate which I would like to add 
>>>>> to my
>>>>> existing Tomcat config. Now after spending hours of tweaking the 
>>>>> config, I do face two problems: Either Tomcat is unable to find
>>>>> my alias in the keystore file or there appears to be a problem 
>>>>> with the SSL ciphers or certificate itself. Hopefully somebody 
>>>>> knows what to do, this
>>>>> has been giving me a headache for many hours now.
>>>>>
>>>>> Here is what I did (steps taken from 
>>>>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing 
>>>>> the Certificate"), please
>>>>> note that I removed IPs, hostnames etc. to protect the innocent:
>>>>>
>>>>> 1) Import of the Verisign root cert into my keystore:
>>>>>
>>>>> $ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt
>>>>> Enter keystore password:  XXX
>>>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
>>>>>
>>>>> [ ... ]
>>>>>
>>>>> Certificate was added to keystore
>>>>>
>>>>> 2) Import of my Verisign-signed SSL certificate:
>>>>>
>>>>> $ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt
>>>>> Enter keystore password:  XXX
>>>>>
>>>>> [ ... ]
>>>>>
>>>>> Certificate was added to keystore
>>>>>
>>>>> 3) Change of my Tomcat configuration in server.xml to use the new 
>>>>> keystore and SSL cert:
>>>>>
>>>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>>>               address="myhostname" enableLookups="false"
>>>>>               disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
>>>>>               scheme="https" secure="true" clientAuth="false"
>>>>>               compression="8192"
>>>>>               compressableMimeType="text/javascript,text/css"
>>>>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>>>>               keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
>>>>> />
>>>>>
>>>>> 4) Restart of Tomcat and review of Tomcat log file:
>>>>>
>>>>> # svcadm disable tomcat
>>>>> # rm ../logs/catalina.out
>>>>> # svcadm enable tomcat
>>>>> # tail -f ../logs/catalina.out
>>>>>
>>>>> [...]
>>>>>
>>>>> INFO: Deploying web application archive help.war
>>>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
>>>>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>>>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
>>>>> SEVERE: Error starting endpoint
>>>>> java.io.IOException: Alias name tomcat does not identify a key entry
>>>>>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>>>>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
>>>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
>>>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
>>>>>        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
>>>>>        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
>>>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
>>>>>        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
>>>>>        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>>>>>        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>>>>        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>>>>>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>>>>>
>>>>> However my keystore DOES contain my two keys (Verisign's key as 
>>>>> well as my SSL cert):
>>>>>
>>>>> # keytool -list --keystore wstest -v
>>>>> Enter keystore password:  XXX
>>>>>
>>>>> Keystore type: jks
>>>>> Keystore provider: SUN
>>>>>
>>>>> Your keystore contains 2 entries
>>>>>
>>>>> Alias name: root
>>>>> Creation date: Aug 29, 2007
>>>>> Entry type: trustedCertEntry
>>>>>
>>>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
>>>>>
>>>>> [...]
>>>>>
>>>>> *******************************************
>>>>> *******************************************
>>>>>
>>>>> Alias name: tomcat
>>>>> Creation date: Aug 29, 2007
>>>>> Entry type: trustedCertEntry
>>>>>
>>>>> Owner: CN=myhostname, ...
>>>>>
>>>>> [...]
>>>>>
>>>>> *******************************************
>>>>> *******************************************
>>>>>
>>>>> Here is the first problem: Why does my alias "tomcat" not identify 
>>>>> a key entry in the keystore? It does exist, doesn't it?
>>>>>
>>>>> 5) Now to get around this problem, I removed the "keyAlias" 
>>>>> directive from the Tomcat config, which now looks like this:
>>>>>
>>>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>>>               address="myhostname" enableLookups="false"
>>>>>               disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
>>>>>               scheme="https" secure="true" clientAuth="false"
>>>>>               compression="8192"
>>>>>               compressableMimeType="text/javascript,text/css"
>>>>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>>>>               keystorePass="XXX" sslProtocol="TLS"
>>>>> />
>>>>>
>>>>> 6) Then I restarted Tomcat and here is what I get in the logs:
>>>>>
>>>>> # svcadm disable tomcat
>>>>> # rm ../logs/catalina.out
>>>>> # svcadm enable tomcat
>>>>> # tail -f ../logs/catalina.out
>>>>>
>>>>> [...]
>>>>>
>>>>> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>>>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>>>>>        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>>>>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>>>>        at java.lang.Thread.run(Thread.java:595)
>>>>> Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>>>> WARNING: Reinitializing ServerSocket
>>>>>
>>>>> Another problem. Any ideas?
>>>>>
>>>>> 7) Then I tried to change the sslProtocol to SSL (rather than TLS) 
>>>>> but that didn't change anything. The file permissions of the certs 
>>>>> are okay,
>>>>> they are all world-readable.
>>>>>
>>>>> So guys any ideas on how to solve this? Has anyone ever 
>>>>> encountered this problem? I searched on Google but I really was 
>>>>> unable to
>>>>> find a proper solution.
>>>>>
>>>>> Any input is greatly appreciated. Thank you very much.
>>>>>
>>>>> Best regards,
>>>>> Werner.
>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>


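The sequence Filip describes (generate the key pair, create the CSR from that same keystore, import the CA certificate and then the signed certificate under the key's alias), as an added example that is not part of the thread or of Tomcat. It assumes a JDK keytool on PATH (the -gencert option needs JDK 7 or later); a locally generated CA stands in for VeriSign, and the store, alias and host names from the thread (wstest, tomcat, root, myhostname) are reused as constructed demo values, as are the password and the scratch directory. It first builds a keystore the way Werner did, certificates only, to show why keytool reports trustedCertEntry for alias tomcat, and then builds one that carries the private key, which is what the Connector's keyAlias must point at.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why a keystore built from
# certificates alone fails Tomcat's keyAlias check, and the keytool sequence
# that yields a private key entry with the CA-signed certificate attached.
# Assumptions: JDK keytool on PATH (-gencert needs JDK 7+); a local CA stands
# in for VeriSign; all names and the password below are constructed.

WORK=$(mktemp -d)       # scratch directory; remove it when done
PASS=changeit           # demo-only password, never reuse it in server.xml

# entry_type STORE ALIAS: print the entry type keytool reports for ALIAS
entry_type() {
    keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        sed -n 's/^Entry type: *//p'
}

# check_key_entry STORE ALIAS: succeed only if ALIAS is a private key entry.
# Tomcat's JSSE14SocketFactory.getKeyManagers() applies the same condition
# (KeyStore.isKeyEntry) and otherwise throws "does not identify a key entry".
check_key_entry() {
    [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ]
}

# Stand-in CA: a self-signed key pair marked as a CA so it can sign CSRs.
setup_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Demo CA, O=Example" -ext "bc=ca:true" -storetype JKS \
        -keystore "$WORK/ca" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -rfc -alias ca -keystore "$WORK/ca" -storepass "$PASS" \
        -file "$WORK/ca.crt"
}

# The correct sequence. The keystore created in step 1 holds the private key
# and must survive until the signed certificate comes back from the CA.
build_good_store() {
    # 1) key pair under the alias that server.xml references with keyAlias
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=myhostname, O=Example" -storetype JKS \
        -keystore "$WORK/wstest" -storepass "$PASS" -keypass "$PASS"
    # 2) CSR derived from that key pair
    keytool -certreq -alias tomcat -keystore "$WORK/wstest" -storepass "$PASS" \
        -keypass "$PASS" -file "$WORK/tomcat.csr"
    # 3) the CA signs it (VeriSign would return this file as mysystem.crt)
    keytool -gencert -alias ca -keystore "$WORK/ca" -storepass "$PASS" \
        -keypass "$PASS" -validity 30 -rfc \
        -infile "$WORK/tomcat.csr" -outfile "$WORK/mysystem.crt"
    # 4) CA certificate first, so the reply can be chained to a trusted root
    keytool -importcert -noprompt -trustcacerts -alias root -file "$WORK/ca.crt" \
        -keystore "$WORK/wstest" -storepass "$PASS"
    # 5) signed certificate imported as a reply under the SAME alias as the
    #    key: keytool attaches it to the existing private key entry
    keytool -importcert -noprompt -trustcacerts -alias tomcat \
        -file "$WORK/mysystem.crt" \
        -keystore "$WORK/wstest" -storepass "$PASS" -keypass "$PASS"
}

# What the thread did: a fresh keystore holding only the two certificates.
build_wrong_store() {
    keytool -importcert -noprompt -trustcacerts -alias root -file "$WORK/ca.crt" \
        -keystore "$WORK/wrong" -storepass "$PASS" -storetype JKS
    keytool -importcert -noprompt -trustcacerts -alias tomcat \
        -file "$WORK/mysystem.crt" \
        -keystore "$WORK/wrong" -storepass "$PASS" -storetype JKS
}

demo() {
    setup_ca >/dev/null
    build_good_store >/dev/null
    build_wrong_store >/dev/null
    for store in wrong wstest; do
        printf '%-7s alias tomcat: %s' "$store" "$(entry_type "$WORK/$store" tomcat)"
        if check_key_entry "$WORK/$store" tomcat; then
            echo "  (usable as keyAlias)"
        else
            echo "  (Tomcat: alias does not identify a key entry)"
        fi
    done
    echo "scratch files in $WORK"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool not on PATH; install a JDK to run this demo" >&2
fi
```

With the second keystore in place, the Connector from the thread works unchanged with keyAlias="tomcat". Two things a practitioner should check at the same time: a keystore that holds a private key must not be world-readable (the post notes the cert files are world-readable, which is fine for certificates but not for the key), and keystorePass sits in clear text in server.xml, so that file needs the same file-permission protection as the keystore.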

