From: "Werner Schalk"
To: "Tomcat Users List"
Subject: Re: Tomcat keeps breaking/SSL keystore troubles
Date: Thu, 30 Aug 2007 17:16:17 +0200
Message-ID: <005301c7eb18$b67a4f80$1801a8c0@odeon>
References: <46D6DE34.1030706@l-mx.de>
Hello Christoph,

welcome to the club, I am having the same problem. See my thread "Problems with SSL-enabled Tomcat 5.5".

Bye,
Werner.

----- Original Message -----
From: "Christoph Lechner"
To:
Sent: Thursday, August 30, 2007 5:11 PM
Subject: Tomcat keeps breaking/SSL keystore troubles

> Hi all,
>
> I've been trying hard to enable the SSL connector in TomCat for a few
> days now. As I don't have very much experience with SSL, it's quite hard
> for me to figure out what's going wrong.
> I read a lot of different setup guides, but I'm getting the same error
> messages all the time:
>
> 16:37:13,254 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:37:13,338 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
> 16:37:13,346 INFO [JkMain] Jk running ID=0 time=0/24 config=null
> 16:37:13,360 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
> 16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
>         at java.lang.Thread.run(Thread.java:595)
>
> I've got a .crt file, a .csr file and a .key file for the domain and I
> also got the root cert from the CA. So I tried to set it up in the
> following way (output messages included):
>
> ---> Begin of keystore creation <---
> ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file rapidssl_01.cer -keystore thekeystore
> Enter keystore password: changeit
> Certificate already exists in system-wide CA keystore under alias
> Do you still want to add it to your own keystore? [no]: yes
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file www_mydomain_com.crt -keystore thekeystore
> Enter keystore password: changeit
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -list -keystore thekeystore
> Enter keystore password: changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
> tomcat, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
> ---> End of keystore creation <---
>
> In server.xml file, I added:
>
>            maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>            emptySessionPath="true"
>            scheme="https" secure="true" clientAuth="false"
>            keystoreFile="/root/ssl/thekeystore"
>            keystorePass="changeit" sslProtocol = "TLS" />
>
> OTOH I've tried a self-signed certificate and it worked.
>
> What's my fault?
>
> TIA
> - C. Lechner
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
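The error in the quoted log ("No available certificate or key corresponds to the SSL cipher suites which are enabled") is what JSSE reports when the keystore given to the connector contains no private key at all: both entries in Christoph's `keytool -list` output are `trustedCertEntry`, which is what `keytool -import` produces from a bare certificate file, whereas a TLS server needs a `PrivateKeyEntry` (key plus certificate chain) under the alias the connector uses. The following is an added example written for this page, not code from the thread or from Tomcat. It is a small pure-Python reader for the JKS container format that lists entry types the way `keytool -list` does and flags a keystore that cannot serve TLS before Tomcat is started. It assumes the JKS version 2 on-disk layout of Java's `JavaKeyStore` (magic `0xFEEDFEED`, tagged entries where tag 1 is a private key and tag 2 a trusted certificate, and a trailing SHA-1 digest keyed with the store password); the certificate and key bytes in the sample stores are constructed placeholders, not real DER, and the `build_jks` writer exists only to construct those samples.

```python
"""Inspect a JKS keystore and report whether it holds a private key for TLS.

Added example, not code from this thread or from Tomcat. Assumes the JKS v2
layout of Java's JavaKeyStore; certificate bytes below are placeholders."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1   # keytool shows this as PrivateKeyEntry
TAG_TRUSTED_CERT = 2  # keytool shows this as trustedCertEntry


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte length prefix, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _integrity_digest(password: str, body: bytes) -> bytes:
    """JKS trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def build_jks(entries, password: str, timestamp_ms: int = 1188486000000) -> bytes:
    """Serialise (alias, tag, payload) tuples as a JKS file. payload is DER bytes
    for a trusted cert, or (encrypted_key, [der, ...]) for a private key.
    The timestamp is a constructed value; only used to build sample stores."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, payload in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", timestamp_ms)
        if tag == TAG_PRIVATE_KEY:
            key, chain = payload
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
            for der in chain:
                body += _utf("X.509") + struct.pack(">I", len(der)) + der
        else:
            body += _utf("X.509") + struct.pack(">I", len(payload)) + payload
    return body + _integrity_digest(password, body)


def list_jks(data: bytes, password: str):
    """Return [(alias, entry_type)] after verifying the integrity digest."""
    body, digest = data[:-20], data[-20:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("integrity check failed: wrong password or tampered keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos = 12

    def read_utf():
        nonlocal pos
        (n,) = struct.unpack_from(">H", body, pos)
        pos += 2
        value = body[pos:pos + n].decode("utf-8")
        pos += n
        return value

    def read_blob():
        nonlocal pos
        (n,) = struct.unpack_from(">I", body, pos)
        pos += 4
        blob = body[pos:pos + n]
        pos += n
        return blob

    entries = []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        pos += 4
        alias = read_utf()
        pos += 8  # creation timestamp; irrelevant for this check
        if tag == TAG_PRIVATE_KEY:
            read_blob()  # encrypted key bytes; contents not needed here
            (chain_len,) = struct.unpack_from(">I", body, pos)
            pos += 4
            for _ in range(chain_len):
                read_utf()
                read_blob()
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TAG_TRUSTED_CERT:
            read_utf()
            read_blob()
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries


def can_serve_tls(entries, key_alias=None) -> bool:
    """Without keyAlias Tomcat uses the first key in the store, so any
    PrivateKeyEntry suffices; with keyAlias set, that alias must be one."""
    return any(kind == "PrivateKeyEntry" for alias, kind in entries
               if key_alias is None or alias == key_alias)


# Constructed placeholder bytes standing in for DER certificates and a key.
FAKE_ROOT_DER = b"\x30\x82placeholder-root"
FAKE_SERVER_DER = b"\x30\x82placeholder-server"
FAKE_ENC_KEY = b"\x30\x82placeholder-pkcs8"

# The situation in the thread: two certificates imported, no private key.
CERT_ONLY_STORE = build_jks(
    [("root", TAG_TRUSTED_CERT, FAKE_ROOT_DER),
     ("tomcat", TAG_TRUSTED_CERT, FAKE_SERVER_DER)], "changeit")

# What the connector needs: the server key and its chain under the alias.
KEY_STORE = build_jks(
    [("root", TAG_TRUSTED_CERT, FAKE_ROOT_DER),
     ("tomcat", TAG_PRIVATE_KEY, (FAKE_ENC_KEY, [FAKE_SERVER_DER, FAKE_ROOT_DER]))],
    "changeit")

if __name__ == "__main__":
    for name, store in (("cert-only", CERT_ONLY_STORE), ("with-key", KEY_STORE)):
        found = list_jks(store, "changeit")
        print(name, found, "can serve TLS:", can_serve_tls(found, "tomcat"))
```

Pointing `list_jks` at a real `thekeystore` file (read in binary mode, with the store password) gives the same entry types that `keytool -list` prints; if no alias comes back as `PrivateKeyEntry`, the connector will log exactly the handshake error quoted above on every connection, since it has no key to pair with any enabled cipher suite.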