tomcat-users mailing list archives

From Morris Jones <m...@whiteoaks.com>
Subject Re: Tomcat keeps breaking/SSL keystore troubles
Date Thu, 30 Aug 2007 16:24:26 GMT
Christoph, I hate these problems, they're always tough to work through, 
and keytool doesn't make it any easier.

Did you use keytool to create your key and certificate request?  If you 
created the key and request outside of keytool, then keytool won't have 
the private key and can't import the certificate.

In order to get your private key into the keystore, you need to use a 
bit of Java code.  See here:  <http://www.agentbob.info/agentbob/79.html>

There's no need for you to import the CA's root certificate.  It's 
already there.

Good luck!

Mojo
-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers http://www.otastro.org

Christoph Lechner wrote:
> Hi all,
> 
> I've been trying hard to enable the SSL connector in TomCat for a few
> days now. As I don't have very much experience with SSL, it's quite hard
> for me to figure out what's going wrong.
> I read a lot of different setup guides, but I'm getting the same error
> messages all the time:
> 
> 16:37:13,254 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:37:13,338 INFO  [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
> 16:37:13,346 INFO  [JkMain] Jk running ID=0 time=0/24  config=null
> 16:37:13,360 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
> 16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
>         at java.lang.Thread.run(Thread.java:595)
> 
> I've got a .crt file, a .csr file and a .key file for the domain and I
> also got the root cert from the CA. So I tried to set it up in the
> following way (output messages included):
> ---> Begin of keystore creation <---
> ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file rapidssl_01.cer -keystore thekeystore
> Enter keystore password:  changeit
> Certificate already exists in system-wide CA keystore under alias
> <equifaxsecureglobalebusinessca1>
> Do you still want to add it to your own keystore? [no]:  yes
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file www_mydomain_com.crt -keystore thekeystore
> Enter keystore password:  changeit
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -list -keystore thekeystore
> Enter keystore password:  changeit
> 
> Keystore type: jks
> Keystore provider: SUN
> 
> Your keystore contains 2 entries
> 
> root, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5):
> 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
> tomcat, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5):
> C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
> ---> End of keystore creation <---
> 
> In server.xml file, I added:
> <Connector port="8443" address="${jboss.bind.address}"
>             maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>             emptySessionPath="true"
>             scheme="https" secure="true" clientAuth="false"
>             keystoreFile="/root/ssl/thekeystore"
>             keystorePass="changeit" sslProtocol = "TLS" />
> 
> 
> OTOH I've tried a self-signed certificate and it worked.
> 
> What's my fault?
> 
> TIA
> - C. Lechner
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


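The root cause visible in Christoph's keytool -list output is that both entries are trustedCertEntry: the store holds certificates but no private key, so JSSE has nothing to present for any RSA cipher suite. The following is an added example (not the agentbob.info code Morris links to, and not from either poster) of the "bit of Java code" needed: it reads the existing .key and .crt files, stores them together as one key entry under the alias Tomcat expects, and re-opens the store to confirm the entry type. File names mirror the thread and are assumptions; the key is assumed to be unencrypted PKCS#8 PEM (a "BEGIN RSA PRIVATE KEY" file must first be converted with openssl pkcs8 -topk8 -nocrypt), and the JDK is assumed to be Java 8 or newer for java.util.Base64.

```java
// ImportPrivateKey.java -- added example, not code from the thread or from agentbob.info.
// Builds a JKS keystore holding a key entry (private key + certificate chain) so that
// Tomcat's JSSE connector has a key to use, then re-opens the store to verify it.
//
// Assumed (hypothetical) file names, mirroring the thread:
//   www_mydomain_com.key   private key, unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----").
//                          A PKCS#1 key ("BEGIN RSA PRIVATE KEY") must be converted first:
//                          openssl pkcs8 -topk8 -nocrypt -in old.key -out www_mydomain_com.key
//   www_mydomain_com.crt   server certificate, PEM
//   rapidssl_01.cer        CA certificate(s), PEM; intermediate and/or root
// Requires Java 8+ (java.util.Base64).
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

public class ImportPrivateKey {

    /** Parse an unencrypted PKCS#8 PEM file into a PrivateKey (RSA, as in the thread). */
    static PrivateKey readPkcs8Pem(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("BEGIN PRIVATE KEY")) {
            throw new IllegalArgumentException(path + " is not PKCS#8; convert with 'openssl pkcs8 -topk8 -nocrypt'");
        }
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Read every certificate in a PEM file; CertificateFactory accepts concatenated PEM blocks. */
    static List<X509Certificate> readCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Fail early if the certificate was not issued for this key: same RSA modulus on both sides. */
    static void checkKeyMatchesCert(PrivateKey key, X509Certificate cert) {
        RSAPrivateKey priv = (RSAPrivateKey) key;
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        if (!priv.getModulus().equals(pub.getModulus())) {
            throw new IllegalStateException("private key does not match " + cert.getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        String keyFile = "www_mydomain_com.key";   // assumed names, see header comment
        String certFile = "www_mydomain_com.crt";
        String caFile = "rapidssl_01.cer";
        String storeFile = "thekeystore";
        String alias = "tomcat";                    // Tomcat's default keyAlias
        char[] password = "changeit".toCharArray(); // keystorePass; Tomcat uses it as keyPass too unless told otherwise

        PrivateKey key = readPkcs8Pem(keyFile);
        List<X509Certificate> chain = new ArrayList<>(readCerts(certFile)); // server cert must be first
        chain.addAll(readCerts(caFile));                                     // then intermediate/root
        checkKeyMatchesCert(key, chain.get(0));

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, password);                    // start from an empty store
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ks.store(out, password);
        }

        // Verify: the entry JSSE needs must be a key entry, not a trustedCertEntry.
        KeyStore check = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storeFile)) {
            check.load(in, password);
        }
        if (!check.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry");
        }
        System.out.println("OK: " + alias + " stored with chain length " + check.getCertificateChain(alias).length);
    }
}
```

Compile and run with javac ImportPrivateKey.java && java ImportPrivateKey, then confirm with keytool -list -keystore thekeystore: the tomcat alias must now be listed as keyEntry (older JDKs) or PrivateKeyEntry (newer ones), not trustedCertEntry, and the Connector in server.xml needs no change beyond pointing at this file. On a JDK with keytool -importkeystore (Java 6 and later) the same result can be reached without Java code: openssl pkcs12 -export -in www_mydomain_com.crt -inkey www_mydomain_com.key -certfile rapidssl_01.cer -name tomcat -out tomcat.p12, then keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 -destkeystore thekeystore; or point the connector at the .p12 directly with keystoreType="PKCS12". Whichever route is used, the modulus check above is the one worth keeping: a certificate that does not match the key stored beside it produces the same "No available certificate or key" handshake failure.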