From: Filip Hanik - Dev Lists
Date: Thu, 30 Aug 2007 09:22:24 -0600
To: Tomcat Users List
Subject: Re: Tomcat keeps breaking/SSL keystore troubles
Message-ID: <46D6E0B0.60409@hanik.com>
In-Reply-To: <46D6DE34.1030706@l-mx.de>

My guess is that the keystore file doesn't contain your private key,

Filip

Christoph Lechner wrote:
> Hi all,
>
> I've been trying hard to enable the SSL connector in Tomcat for a few
> days now. As I don't have very much experience with SSL, it's quite hard
> for me to figure out what's going wrong.
> I read a lot of different setup guides, but I'm getting the same error
> messages all the time:
>
> 16:37:13,254 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:37:13,338 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
> 16:37:13,346 INFO [JkMain] Jk running ID=0 time=0/24 config=null
> 16:37:13,360 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
> 16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
>         at java.lang.Thread.run(Thread.java:595)
>
> I've got a .crt file, a .csr file and a .key file for the domain and I
> also got the root cert from the CA. So I tried to set it up in the
> following way (output messages included):
>
> ---> Begin of keystore creation <---
> ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file rapidssl_01.cer -keystore thekeystore
> Enter keystore password: changeit
> Certificate already exists in system-wide CA keystore under alias
> Do you still want to add it to your own keystore? [no]: yes
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file www_mydomain_com.crt -keystore thekeystore
> Enter keystore password: changeit
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -list -keystore thekeystore
> Enter keystore password: changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
> tomcat, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
> ---> End of keystore creation <---
>
> In server.xml file, I added:
>
>     maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>     emptySessionPath="true"
>     scheme="https" secure="true" clientAuth="false"
>     keystoreFile="/root/ssl/thekeystore"
>     keystorePass="changeit" sslProtocol = "TLS" />
>
> OTOH I've tried a self-signed certificate and it worked.
>
> What's my fault?
>
> TIA
> - C. Lechner

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
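As an added illustration (not code from either poster), a small Python check that reads `keytool -list` output and reports the mismatch Filip points at: `keytool -import` of a .crt only ever creates a trustedCertEntry, so no private key backs any enabled cipher suite and the JSSE endpoint raises the "No available certificate or key" error. The listing is adapted from the post; the assumed `keyAlias` of `tomcat` is the connector's default.

```python
import re

# Constructed sample in the shape of `keytool -list` output, adapted from
# the listing in the thread: both aliases are certificates only.
KEYTOOL_LIST_BROKEN = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
"""

# What a working keystore looks like: the server alias carries the key.
KEYTOOL_LIST_FIXED = KEYTOOL_LIST_BROKEN.replace(
    "tomcat, Aug 30, 2007, trustedCertEntry", "tomcat, Aug 30, 2007, PrivateKeyEntry")

# Entry lines look like "<alias>, <date>, <entryType>," (the date itself
# contains a comma, hence the lazy match for it).
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<type>\w+Entry),?\s*$")

# Older keytool prints "keyEntry", newer "PrivateKeyEntry"; both carry a key.
PRIVATE_KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}


def parse_keytool_list(text):
    """Return {alias: entry_type}; aliases are case-insensitive in keytool."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("type")
    return entries


def diagnose(listing, key_alias="tomcat"):
    """List reasons a JSSE connector bound to key_alias cannot serve TLS."""
    entries = parse_keytool_list(listing)
    findings = []
    if not any(t in PRIVATE_KEY_TYPES for t in entries.values()):
        findings.append("keystore holds no private key entry at all; "
                        "keytool -import of a .crt creates only a trustedCertEntry")
    kind = entries.get(key_alias.lower())
    if kind is None:
        findings.append("no entry for keyAlias '%s'" % key_alias)
    elif kind not in PRIVATE_KEY_TYPES:
        findings.append("alias '%s' is a %s, not a private key entry; bundle the "
                        ".key with the .crt and chain instead" % (key_alias, kind))
    return findings
```

The usual remedy is to build a PKCS#12 file from the .key, the .crt and the CA chain with `openssl pkcs12 -export` and point the connector at it with `keystoreType="PKCS12"`, since keytool cannot import a standalone private key.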