tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Replaced a self-signed key with a GoDaddy key
Date Fri, 07 Aug 2015 18:40:51 GMT
On 7 August 2015 19:01:34 BST, jeffery.scott.crump@gmail.com wrote:
>I’ve been using Tomcat for about fours years. I’ve developed websites
>and services that used certificates based upon SHA1. Today I purchased
>a new certificate from GoDaddy based upon using “-sigalg
>SHA256withRSA”.
>
>
>So for this new service I executed the following commands in the
>directory of the keystore:
>
>
>keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg
>SHA256withRSA -keystore tomcat.keystore
>keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore
>tomcat.keystore
>
>
>sent the csr.txt to GoDadday and received the certificate files.
>
>
>keytool -delete -alias tomcat -keystore tomcat.keystore

You deleted the key at this point. There should be no need to do this.

Mark


>
>keytool -import -alias root -keystore tomcat.keystore -trustcacerts
>-file gd_bundle-g2-g1.crt
>keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts
>-file gdig2.crt
>keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts
>-file xxxxxxxxxxxxxx.crt
>
>
>If I copy over the new tomcat.keystore with a backup of the original
>everything works.
>
>
>My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in
>server.xml; the following is for the one with the GoDaddy certificate.
>I’m doing them one-at-time.
>
>
><Server port="8005" shutdown="SHUTDOWN">
><Listener className="org.apache.catalina.startup.VersionLoggerListener"
>/>
><Listener className="org.apache.catalina.core.AprLifecycleListener"
>SSLEngine="on" />
><Listener
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
><Listener
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>/>
><Listener
>className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
>/>
>
>
>
>  <Service name="System">
><Connector port="8080" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" 
>connectionTimeout="20000"  redirectPort="8443" />
><Connector port="8443" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1"
>SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore"
>keystorePass="xxxxxxxxxxxxxxxxxxx" clientAuth="false" sslProtocol="TLS"
>/>
>    <Engine name="System" defaultHost="xxxxxxxx.com">
><Host name="xxxxxxxx.com" appBase="webapps/xxxxxxxx.com"
>unpackWARs="true" autoDeploy="true" >
>        <Alias>www.xxxxxxxx.com</Alias>
><Valve className="org.apache.catalina.valves.AccessLogValve"
>directory="logs" prefix="xxxxxxxx.com" suffix=".log" pattern="common"
>/>
>      </Host>
>    </Engine>
>  </Service>
>
>
>
>
>….
>
>
>
></Server>
>
>
>
>
>Each service is on a different IP address and I’ve been redirecting 80
>to 8080 and 443 to 8443. This has been working fine until I replaced
>the key.
>
>
>This is from the catalina.out file:
>
>
>07-Aug-2015 12:43:02.493 SEVERE [main]
>org.apache.coyote.AbstractProtocol.init Failed to initialize end point
>associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"]
> java.io.IOException: Alias name tomcat does not identify a key entry
>at
>org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599)
>at
>org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
>   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358)
>at
>org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
>  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
>at
>org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
>at
>org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>at
>org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>at
>org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>at
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>at
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>        at java.lang.reflect.Method.invoke(Method.java:606)
>      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
>      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
>
>
>
>07-Aug-2015 12:43:02.496 SEVERE [main]
>org.apache.catalina.core.StandardService.initInternal Failed to
>initialize connector [Connector[HTTP/1.1-8443]]
>org.apache.catalina.LifecycleException: Failed to initialize component
>[Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>at
>org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>at
>org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>
>
>Then I used keytool to verify that the alias is in the tomcat.keystore.
>The following is a list from the keystore:
>
>
>
>#keytool -list -v -keystore tomcat.keystore -alias tomcat
>
>
>Enter keystore password:
>Alias name: tomcat
>Creation date: Aug 7, 2015
>Entry type: trustedCertEntry
>
>
>
>Owner: CN=xxxxxxxx.com, OU=Domain Control Validated
>Issuer: CN=Go Daddy Secure Certificate Authority - G2,
>OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.",
>L=Scottsdale, ST=Arizona, C=US
>Serial number: xxxxxxxxxxxxxxxxxx
>Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT
>2016
>Certificate fingerprints:
>         MD5:  A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59
>      SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C
>SHA256:
>E4:10:1E:40:7D:84:32:A5:23:EE:83:47:95:D0:30:49:7C:9B:0E:5E:E4:6E:67:80:1E:6E:01:7F:D5:25:45:33
>         Signature algorithm name: SHA256withRSA
>         Version: 3
>
>
>
>Extensions:
>
>
>
>#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
>AuthorityInfoAccess [
>  [
>   accessMethod: ocsp
>   accessLocation: URIName: http://ocsp.godaddy.com/
>,
>   accessMethod: caIssuers
>accessLocation: URIName:
>http://certificates.godaddy.com/repository/gdig2.crt
>]
>]
>
>
>
>#2: ObjectId: 2.5.29.35 Criticality=false
>AuthorityKeyIdentifier [
>KeyIdentifier [
>0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0 
>@..'..4.0.3..l..
>0010: B4 2C 80 CE                                        .,..
>]
>]
>
>
>
>#3: ObjectId: 2.5.29.19 Criticality=true
>BasicConstraints:[
>  CA:false
>  PathLen: undefined
>]
>
>
>
>#4: ObjectId: 2.5.29.31 Criticality=false
>CRLDistributionPoints [
>  [DistributionPoint:
>     [URIName: http://crl.godaddy.com/gdig2s1-105.crl]
>]]
>
>
>
>#5: ObjectId: 2.5.29.32 Criticality=false
>CertificatePolicies [
>  [CertificatePolicyId: [x.xx.xxx.x.xxxxxx.x.x.xx.x]
>[PolicyQualifierInfo: [
>  qualifierID: 1.3.6.1.5.5.7.2.1
>qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69 
>.+http://certifi
>0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F 
>cates.godaddy.co
>0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/
>
>
>
>]]  ]
>]
>
>
>
>#6: ObjectId: 2.5.29.37 Criticality=false
>ExtendedKeyUsages [
>  serverAuth
>  clientAuth
>]
>
>
>
>#7: ObjectId: 2.5.29.15 Criticality=true
>KeyUsage [
>  DigitalSignature
>  Key_Encipherment
>]
>
>
>
>#8: ObjectId: 2.5.29.17 Criticality=false
>SubjectAlternativeName [
>  DNSName: xxxxxxxx.com
>  DNSName: www.xxxxxxxx.com
>]
>
>
>
>#9: ObjectId: 2.5.29.14 Criticality=false
>SubjectKeyIdentifier [
>KeyIdentifier [
>0000: 3B 7C A9 5C 32 FE F5 92   DB D1 C4 A6 F1 70 09 57 
>;..\2........p.W
>0010: C7 5A 97 88                                        .Z..
>]
>]
>
>
>I would be grateful for any assistance.
>
>
>Jeff Crump
>
>
>
>
>
>Sent from Windows Mail



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message