tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <jeffery.scott.cr...@gmail.com>
Subject Replaced a self-signed key with a GoDaddy key
Date Fri, 07 Aug 2015 18:01:34 GMT
I’ve been using Tomcat for about fours years. I’ve developed websites and services that
used certificates based upon SHA1. Today I purchased a new certificate from GoDaddy based
upon using “-sigalg SHA256withRSA”.


So for this new service I executed the following commands in the directory of the keystore:


keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg SHA256withRSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore tomcat.keystore


sent the csr.txt to GoDadday and received the certificate files.


keytool -delete -alias tomcat -keystore tomcat.keystore

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file xxxxxxxxxxxxxx.crt


If I copy over the new tomcat.keystore with a backup of the original everything works.


My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in server.xml; the following
is for the one with the GoDaddy certificate. I’m doing them one-at-time.


<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />



  <Service name="System">
    <Connector port="8080" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1"  connectionTimeout="20000"
 redirectPort="8443" />
    <Connector port="8443" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore"
keystorePass="xxxxxxxxxxxxxxxxxxx" clientAuth="false" sslProtocol="TLS" />
    <Engine name="System" defaultHost="xxxxxxxx.com">
      <Host name="xxxxxxxx.com" appBase="webapps/xxxxxxxx.com" unpackWARs="true" autoDeploy="true"
>
        <Alias>www.xxxxxxxx.com</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="xxxxxxxx.com"
suffix=".log" pattern="common" />
      </Host>
    </Engine>
  </Service>




….



</Server>




Each service is on a different IP address and I’ve been redirecting 80 to 8080 and 443 to
8443. This has been working fine until I replaced the key.


This is from the catalina.out file:


07-Aug-2015 12:43:02.493 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize
end point associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"]
 java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)



07-Aug-2015 12:43:02.496 SEVERE [main] org.apache.catalina.core.StandardService.initInternal
Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



Then I used keytool to verify that the alias is in the tomcat.keystore. The following is a
list from the keystore:



#keytool -list -v -keystore tomcat.keystore -alias tomcat


Enter keystore password:
Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: trustedCertEntry



Owner: CN=xxxxxxxx.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: xxxxxxxxxxxxxxxxxx
Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT 2016
Certificate fingerprints:
         MD5:  A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59
         SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C
         SHA256: E4:10:1E:40:7D:84:32:A5:23:EE:83:47:95:D0:30:49:7C:9B:0E:5E:E4:6E:67:80:1E:6E:01:7F:D5:25:45:33
         Signature algorithm name: SHA256withRSA
         Version: 3



Extensions:



#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
,
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]



#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]



#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]



#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s1-105.crl]
]]



#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [x.xx.xxx.x.xxxxxx.x.x.xx.x]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/



]]  ]
]



#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]



#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]



#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: xxxxxxxx.com
  DNSName: www.xxxxxxxx.com
]



#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 7C A9 5C 32 FE F5 92   DB D1 C4 A6 F1 70 09 57  ;..\2........p.W
0010: C7 5A 97 88                                        .Z..
]
]


I would be grateful for any assistance.


Jeff Crump





Sent from Windows Mail
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message