Posted to users@tomcat.apache.org by "nicksemailis@juno.com" <ni...@juno.com> on 2015/02/06 20:44:39 UTC

Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57

Good afternoon,

I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57. Port 8443 is listening, selinux is disabled, and I have tried it with 8443 enabled in firewall and with firewall off.

After receiving the .crt file from GoDaddy, I ran the 4 keytool -import commands:

    For the alias=root, I used gdroot-g2.crt (from repository)
    For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
    For the alias=cross, I used gdroot-g2_cross.crt (from repository)
    For the alias=tomcat, I used the <the alphanumeric>.crt (from GoDaddy)

I see all the entries when I did the keytool -list.

I made this change in server.xml:

    <Connector port="8443" maxThreads="200" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="path to .keystore file" keystorePass="keystore password" />

I then shutdown tomcat; startup tomcat.

When I go to the URL in the browser with the port 8443, I get this:

Firefox:
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome:
A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Thank you


Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57

Posted by Sean Dawson <se...@gmail.com>.
On Mon, Feb 9, 2015 at 10:13 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Sean,
>
> On 2/9/15 9:46 AM, Sean Dawson wrote:
> > We've had customers who have had issues with Java and GoDaddy
> > certs.
> >
> > http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
> >
> > http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/
>
> Did you read the OP? He's already installed the GoDaddy cross-signed
> certificate.
>
> It's also not a Java client problem, since the client in this case is
> Google Chrome.
>

Oh ok sorry - I read it last week and forgot that it wasn't the same issue.
Just wanted to help out anyone else that might have run into the
GoDaddy/Java issue.


> -chris
>
> > On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Nick,
> >
> > (The formatting was awful on the message and made it difficult to
> > read. I've adjusted it to make it readable and reply-able).
> >
> > On 2/6/15 2:44 PM, nicksemailis@juno.com wrote:
> >>>> I have a SHA2 certificate for a RHEL 6 server using tomcat
> >>>> 7.0.57.
> >
> > That's an x509 certificate for SSL/TLS, using a SHA2-based
> > signature algorithm, right?
> >
> >>>> Port 8443 is listening, selinux is disabled, and have tried
> >>>> it with 8443 enabled in firewall and with firewall off.
> >>>>
> >>>> After receiving the .crt file from GoDaddy: ran the 4
> >>>> keytool -import commands:
> >>>>
> >>>> For the alias=root, I used gdroot-g2.crt(from repository) For
> >>>> the alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> >>>> alias=cross, I used gdroot-g2_cross.crt(from repository) For
> >>>> the alias= tomcat, I used the <the alphanumeric>.crt(from
> >>>> GoDaddy)
> >>>>
> >>>> I see all the entries when I did the keytool -list
> >
> > Good. Everything above looks good, except that you need to make
> > sure that the certificates you imported were all the correct
> > ones... these days, CAs tend to have a variety of intermediate
> > certificates for various purposes: one for code-signing, one for
> > European certificates and another for American ones, an old one
> > with SHA1-based signature, new ones with SHA2-based signatures,
> > etc.
> >
> > Verifying the accuracy of the certificate chain should be a
> > priority.
> >
> >>>> I made this change in server.xml:
> >>>>
> >>>> <Connector port="8443" maxThreads="200" SSLEnabled="true"
> >>>> scheme="https" secure="true" clientAuth="false"
> >>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >>>> keystoreFile="path to .keystore file" keystorePass="keystore
> >>>> password" />
> >>>>
> >>>> I then shutdown tomcat; startup tomcat.
> >>>>
> >>>> When I go to the URL in the browser with the port 8443, I
> >>>> get this:Firefox: Cannot communicate securely with peer: no
> >>>> common encryption algorithm(s). (Error code:
> >>>> ssl_error_no_cypher_overlap)
> >>>>
> >>>> Chrome: A secure connection cannot be established because
> >>>> this site uses an unsupported protocol.Error code:
> >>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > What version of Chrome are you using?
> >
> > Do you have access to an OpenSSL library? Can you run "openssl
> > s_client -debug -showcerts -connect host:8443" and post
> > the (possibly sanitized) results?
> >
> > You could also grab and compile the source of this tool from the
> > tomcat-dev archives and run it against your server:
> > http://markmail.org/thread/tz4z44nfjl7sy2lj
> >
> > This will tell you what is and is not supported.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>

Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Sean,

On 2/9/15 9:46 AM, Sean Dawson wrote:
> We've had customers who have had issues with Java and GoDaddy
> certs.
> 
> http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
> 
> http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/

Did you read the OP? He's already installed the GoDaddy cross-signed
certificate.

It's also not a Java client problem, since the client in this case is
Google Chrome.

-chris

> On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Nick,
> 
> (The formatting was awful on the message and made it difficult to 
> read. I've adjusted it to make it readable and reply-able).
> 
> On 2/6/15 2:44 PM, nicksemailis@juno.com wrote:
>>>> I have a SHA2 certificate for a RHEL 6 server using tomcat
>>>> 7.0.57.
> 
> That's an x509 certificate for SSL/TLS, using a SHA2-based
> signature algorithm, right?
> 
>>>> Port 8443 is listening, selinux is disabled, and have tried
>>>> it with 8443 enabled in firewall and with firewall off.
>>>> 
>>>> After receiving the .crt file from GoDaddy: ran the 4
>>>> keytool -import commands:
>>>> 
>>>> For the alias=root, I used gdroot-g2.crt(from repository) For
>>>> the alias=intermed, I used gd_ig2.crt(from GoDaddy) For the 
>>>> alias=cross, I used gdroot-g2_cross.crt(from repository) For
>>>> the alias= tomcat, I used the <the alphanumeric>.crt(from
>>>> GoDaddy)
>>>> 
>>>> I see all the entries when I did the keytool -list
> 
> Good. Everything above looks good, except that you need to make
> sure that the certificates you imported were all the correct
> ones... these days, CAs tend to have a variety of intermediate
> certificates for various purposes: one for code-signing, one for
> European certificates and another for American ones, an old one
> with SHA1-based signature, new ones with SHA2-based signatures,
> etc.
> 
> Verifying the accuracy of the certificate chain should be a
> priority.
> 
>>>> I made this change in server.xml:
>>>> 
>>>> <Connector port="8443" maxThreads="200" SSLEnabled="true" 
>>>> scheme="https" secure="true" clientAuth="false" 
>>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>>> keystoreFile="path to .keystore file" keystorePass="keystore
>>>> password" />
>>>> 
>>>> I then shutdown tomcat; startup tomcat.
>>>> 
>>>> When I go to the URL in the browser with the port 8443, I
>>>> get this:Firefox: Cannot communicate securely with peer: no
>>>> common encryption algorithm(s). (Error code:
>>>> ssl_error_no_cypher_overlap)
>>>> 
>>>> Chrome: A secure connection cannot be established because
>>>> this site uses an unsupported protocol.Error code: 
>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> What version of Chrome are you using?
> 
> Do you have access to an OpenSSL library? Can you run "openssl
> s_client -debug -showcerts -connect host:8443" and post
> the (possibly sanitized) results?
> 
> You could also grab and compile the source of this tool from the 
> tomcat-dev archives and run it against your server: 
> http://markmail.org/thread/tz4z44nfjl7sy2lj
> 
> This will tell you what is and is not supported.
> 
> -chris

Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57

Posted by Sean Dawson <se...@gmail.com>.
We've had customers who have had issues with Java and GoDaddy certs.

http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java

http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/


On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Nick,
>
> (The formatting was awful on the message and made it difficult to
> read. I've adjusted it to make it readable and reply-able).
>
> On 2/6/15 2:44 PM, nicksemailis@juno.com wrote:
> > I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
>
> That's an x509 certificate for SSL/TLS, using a SHA2-based signature
> algorithm, right?
>
> > Port 8443 is listening, selinux is disabled, and have tried it
> > with 8443 enabled in firewall and with firewall off.
> >
> > After receiving the .crt file from GoDaddy: ran the 4 keytool
> > -import commands:
> >
> > For the alias=root, I used gdroot-g2.crt(from repository) For the
> > alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> > alias=cross, I used gdroot-g2_cross.crt(from repository) For the
> > alias= tomcat, I used the <the alphanumeric>.crt(from GoDaddy)
> >
> > I see all the entries when I did the keytool -list
>
> Good. Everything above looks good, except that you need to make sure
> that the certificates you imported were all the correct ones... these
> days, CAs tend to have a variety of intermediate certificates for
> various purposes: one for code-signing, one for European certificates
> and another for American ones, an old one with SHA1-based signature,
> new ones with SHA2-based signatures, etc.
>
> Verifying the accuracy of the certificate chain should be a priority.
>
> > I made this change in server.xml:
> >
> > <Connector port="8443" maxThreads="200" SSLEnabled="true"
> > scheme="https" secure="true" clientAuth="false"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="path to
> > .keystore file" keystorePass="keystore password" />
> >
> > I then shutdown tomcat; startup tomcat.
> >
> > When I go to the URL in the browser with the port 8443, I get
> > this:Firefox: Cannot communicate securely with peer: no common
> > encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> >
> > Chrome: A secure connection cannot be established because this
> > site uses an unsupported protocol.Error code:
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>
> What version of Chrome are you using?
>
> Do you have access to an OpenSSL library? Can you run "openssl s_client
> -debug -showcerts -connect host:8443" and post the
> (possibly sanitized) results?
>
> You could also grab and compile the source of this tool from the
> tomcat-dev archives and run it against your server:
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> This will tell you what is and is not supported.
>
> -chris

Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Nick,

(The formatting was awful on the message and made it difficult to
read. I've adjusted it to make it readable and reply-able).

On 2/6/15 2:44 PM, nicksemailis@juno.com wrote:
> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.

That's an x509 certificate for SSL/TLS, using a SHA2-based signature
algorithm, right?

> Port 8443 is listening, selinux is disabled, and have tried it
> with 8443 enabled in firewall and with firewall off.
> 
> After receiving the .crt file from GoDaddy: ran the 4 keytool
> -import commands:
> 
> For the alias=root, I used gdroot-g2.crt(from repository) For the
> alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> alias=cross, I used gdroot-g2_cross.crt(from repository) For the
> alias= tomcat, I used the <the alphanumeric>.crt(from GoDaddy)
> 
> I see all the entries when I did the keytool -list

Good. Everything above looks good, except that you need to make sure
that the certificates you imported were all the correct ones... these
days, CAs tend to have a variety of intermediate certificates for
various purposes: one for code-signing, one for European certificates
and another for American ones, an old one with SHA1-based signature,
new ones with SHA2-based signatures, etc.

Verifying the accuracy of the certificate chain should be a priority.

> I made this change in server.xml:
> 
> <Connector port="8443" maxThreads="200" SSLEnabled="true"
> scheme="https" secure="true" clientAuth="false"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="path to
> .keystore file" keystorePass="keystore password" />
> 
> I then shutdown tomcat; startup tomcat.
> 
> When I go to the URL in the browser with the port 8443, I get 
> this:Firefox: Cannot communicate securely with peer: no common 
> encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> 
> Chrome: A secure connection cannot be established because this
> site uses an unsupported protocol.Error code: 
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What version of Chrome are you using?

Do you have access to an OpenSSL library? Can you run "openssl s_client
-debug -showcerts -connect host:8443" and post the
(possibly sanitized) results?

You could also grab and compile the source of this tool from the
tomcat-dev archives and run it against your server:
http://markmail.org/thread/tz4z44nfjl7sy2lj

This will tell you what is and is not supported.

-chris

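The check Chris asks for above (see what the server will and will not negotiate, rather than guessing from the browser error) can be scripted. The Python below is an added example for this thread, not code from the thread, from Tomcat or from GoDaddy: it pins a handshake to each of the three versions the Connector enables, reports the negotiated cipher suite or OpenSSL's failure reason, and interprets a run in which every version fails with a handshake_failure alert as the same "no cipher overlap" condition Firefox and Chrome report. It also includes a small parser for `openssl s_client` output. The host name is a placeholder (the thread only ever says "host:8443") and the two s_client excerpts are constructed, not captured from the OP's server.

```python
"""Probe which TLS versions a server will negotiate, and read the result
the way the two browser errors in this thread should be read.

Added example for this thread, not code from the thread, Tomcat or GoDaddy.
Standard library only.  The host name is a placeholder (the thread only
ever says "host:8443") and the s_client excerpts below are constructed.
"""
import re
import socket
import ssl
import sys

# The three versions the Connector in the thread enables via
# sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns (ok, detail): the negotiated cipher suite on success, otherwise
    OpenSSL's reason string.  Chain verification is off on purpose: the
    question is whether *any* protocol/cipher pair is agreed at all, which
    is exactly what "no cipher overlap" denies.  Verify the chain
    separately once a handshake succeeds.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def diagnose(results):
    """Turn {version: (ok, detail)} into a one-line reading.

    A server that answers every ClientHello with a handshake_failure alert
    is what Firefox reports as ssl_error_no_cypher_overlap and Chrome as
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH: the port is open, but no version /
    cipher suite pair is acceptable to both sides.
    """
    working = [f"{v} ({d})" for v, (ok, d) in results.items() if ok]
    if working:
        return "negotiated: " + "; ".join(working)
    details = " ".join(d.lower().replace("_", " ") for _, d in results.values())
    if "handshake failure" in details or "no cipher" in details:
        return ("no protocol/cipher overlap: the server accepted the TCP "
                "connection but rejected every TLS handshake")
    return "no TLS session at all (transport-level error): " + details


def parse_s_client(output):
    """Extract the outcome from `openssl s_client` output.  On a failed
    handshake OpenSSL prints "New, (NONE), Cipher is (NONE)" and
    "Cipher    : 0000" in the SSL-Session block; a success names the suite.
    """
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    alert = re.search(r"alert ([a-z ]+?):", output)
    name = cipher.group(1) if cipher else None
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": name,
        "handshake_ok": name not in (None, "0000", "(NONE)"),
        "alert": alert.group(1) if alert else None,
    }


# Constructed excerpts, not output captured from the OP's server.
S_CLIENT_OK = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
S_CLIENT_FAIL = """\
CONNECTED(00000003)
140735:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "host.example"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    results = {name: probe_version(host, port, name) for name in VERSIONS}
    for name, (ok, detail) in results.items():
        print(f"{name:8} {'ok  ' if ok else 'FAIL'} {detail}")
    print(diagnose(results))
    print(parse_s_client(S_CLIENT_FAIL))
```

Run it as `python probe_tls.py host 8443` from a machine that can reach the connector. Pinning minimum and maximum version to the same value is what makes the per-version result meaningful; a plain client would simply pick the best version and hide which ones the server refuses. Note that a modern client OpenSSL may itself refuse TLSv1/TLSv1.1 at its default security level, in which case the failure reason will say so rather than report a server alert.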