tomcat-users mailing list archives

From Bruce Kostival <bkosti...@universallumpers.com>
Subject Re: GoDaddy SSL cert update from SHA1 to SHA2
Date Fri, 19 Dec 2014 11:49:44 GMT
And how do I get the Private Key back?  It's definitely not there.

________________________________________
From: Igor Cicimov <icicimov@gmail.com>
Sent: Thursday, December 18, 2014 17:52
To: Tomcat Users List
Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2

On Fri, Dec 19, 2014 at 9:56 AM, Bruce Kostival <
bkostival@universallumpers.com> wrote:
>
> Thanks Igor I'll poke around based on your input.
> ________________________________________
> From: Igor Cicimov <icicimov@gmail.com>
> Sent: Thursday, December 18, 2014 15:49
> To: Tomcat Users List
> Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2
>
> On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival <
> bkostival@universallumpers.com> wrote:
> >
> > Tomcat 6.0.x
> > Windows Server 2008
> > Running Java 7
> > Home grown app written in STS
> >
> > Running HTTPS with SHA1 cert
> > Obtained SHA2 cert from GoDaddy by sending CSR generated from original
> > keystore.  Removed existing aliases from original keystore and loaded new
> > root and domain cert to keystore.
> > Trying to run up the new cert gives me this error:
> >
> > SEVERE: Error starting endpoint
> > java.io.IOException: jsse.invalid_ssl_conf
> >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846)
> >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
> >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
> >         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
> >         at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
> >         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207)
> >         at org.apache.catalina.connector.Connector.start(Connector.java:1196)
> >         at org.apache.catalina.core.StandardService.start(StandardService.java:540)
> >         at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
> >         at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >         at java.lang.reflect.Method.invoke(Unknown Source)
> >         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> > Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> >
> > I feel like I'm missing something basic in the keystore.  Any ideas?
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> Just guessing but based on the cause given in the above error you probably
> have ciphers set in your connector using 128 bit key, something like this:
>
>            ciphers="SSL_RSA_WITH_RC4_128_MD5,
>            SSL_RSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDH_RSA_WITH_RC4_128_SHA"
>
> In that case try to change that to match your new 256 bit key now. Of
> course take care of the proper cipher suite names for BIO/NIO or APR
> connector since they differ (the above example is for BIO/NIO connector).
>
>
Another possibility is that you have removed the private key used to
generate the new CSR by removing the old aliases from the keystore.
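
A way to check for the situation raised in the thread (the private key behind the CSR deleted along with the old aliases), as an added example that is not part of the original messages: it parses the text printed by `keytool -list` and reports whether any entry is still a `PrivateKeyEntry`. The sample listings, their aliases, and their fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify keystore entries from
# `keytool -list` output to see whether a private key is still present.

# Constructed sample: keystore after the old aliases were deleted and only
# the new root and domain certificates were imported.
BROKEN='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Dec 18, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Dec 18, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Constructed sample: same listing, but the "tomcat" alias still holds the
# private key and the CA reply was imported onto it.
HEALTHY=$(printf '%s\n' "$BROKEN" | sed '/^tomcat,/s/trustedCertEntry/PrivateKeyEntry/')

# Print "alias<TAB>entry type" for each entry in keytool -list text on stdin.
list_entries() {
    awk '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?[ \t\r]*$/ {
        sub(/,[ \t\r]*$/, "")        # drop the trailing comma
        n = split($0, f, /, */)      # alias, date parts..., entry type
        print f[1] "\t" f[n]
    }'
}

# Exit 0 only if some entry is a PrivateKeyEntry; a keystore holding nothing
# but trustedCertEntry items gives the TLS connector no key to serve with.
has_private_key() {
    list_entries | awk -F'\t' '$2 == "PrivateKeyEntry" { ok = 1 } END { exit !ok }'
}

report() {
    if printf '%s\n' "$1" | has_private_key; then
        echo "OK: private key entry present"
    else
        echo "FAIL: no PrivateKeyEntry, certificates only"
    fi
}

report "$BROKEN"
report "$HEALTHY"
```

Against a real keystore, pipe the output of `keytool -list -keystore <path>` into `has_private_key`; the path is yours to supply.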
