Posted to users@tomcat.apache.org by je...@gmail.com on 2015/08/07 20:01:34 UTC

Replaced a self-signed key with a GoDaddy key

I’ve been using Tomcat for about four years. I’ve developed websites and services that used certificates based upon SHA1. Today I purchased a new certificate from GoDaddy based upon using “-sigalg SHA256withRSA”.

So for this new service I executed the following commands in the directory of the keystore:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg SHA256withRSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore tomcat.keystore

I sent the csr.txt to GoDaddy and received the certificate files.

keytool -delete -alias tomcat -keystore tomcat.keystore

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file xxxxxxxxxxxxxx.crt

If I copy over the new tomcat.keystore with a backup of the original everything works.

My Tomcat 8.0.23 on CentOS 6.5 is configured with three virtual hosts in server.xml; the following is for the one with the GoDaddy certificate. I’m doing them one at a time.

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <Service name="System">
    <Connector port="8080" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1"  connectionTimeout="20000"  redirectPort="8443" />
    <Connector port="8443" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore" keystorePass="xxxxxxxxxxxxxxxxxxx" clientAuth="false" sslProtocol="TLS" />
    <Engine name="System" defaultHost="xxxxxxxx.com">
      <Host name="xxxxxxxx.com" appBase="webapps/xxxxxxxx.com" unpackWARs="true" autoDeploy="true" >
        <Alias>www.xxxxxxxx.com</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="xxxxxxxx.com" suffix=".log" pattern="common" />
      </Host>
    </Engine>
  </Service>

….

</Server>

Each service is on a different IP address and I’ve been redirecting 80 to 8080 and 443 to 8443. This has been working fine until I replaced the key.

This is from the catalina.out file:

07-Aug-2015 12:43:02.493 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"]
 java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

07-Aug-2015 12:43:02.496 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



Then I used keytool to verify that the alias is in the tomcat.keystore. The following is a list from the keystore:

#keytool -list -v -keystore tomcat.keystore -alias tomcat

Enter keystore password:
Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: trustedCertEntry

Owner: CN=xxxxxxxx.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: xxxxxxxxxxxxxxxxxx
Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT 2016
Certificate fingerprints:
         MD5:  A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59
         SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C
         SHA256: E4:10:1E:40:7D:84:32:A5:23:EE:83:47:95:D0:30:49:7C:9B:0E:5E:E4:6E:67:80:1E:6E:01:7F:D5:25:45:33
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
,
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s1-105.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [x.xx.xxx.x.xxxxxx.x.x.xx.x]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: xxxxxxxx.com
  DNSName: www.xxxxxxxx.com
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 7C A9 5C 32 FE F5 92   DB D1 C4 A6 F1 70 09 57  ;..\2........p.W
0010: C7 5A 97 88                                        .Z..
]
]

I would be grateful for any assistance.

Jeff Crump

Sent from Windows Mail
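The listing above already contains the diagnosis: "Entry type: trustedCertEntry" means the alias holds a certificate and nothing else, while Tomcat's keyAlias must name a PrivateKeyEntry (the key pair that signed the CSR, with the CA reply attached to it). Once the key pair has been deleted, importing the signed certificate under the same alias can only produce a trusted entry, and the private key that matches the certificate is gone. As an added example (not part of this post and not Tomcat's own code), the following pre-start check reads the keyAlias of each SSL-enabled Connector from server.xml and compares it with `keytool -list -v` output, so the mismatch is caught before Tomcat fails to bind port 8443. The server.xml fragment and both listings are constructed for the demonstration (host names replaced by example.com); the "Certificate chain length" line is what keytool prints for a PrivateKeyEntry.

```python
"""Pre-start check: the keyAlias in server.xml must be a PrivateKeyEntry, or
Tomcat fails with "Alias name ... does not identify a key entry".  Added
example, not the thread's or Tomcat's code; all inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the post (host name replaced).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="System">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""

# Constructed `keytool -list -v` output for the broken keystore: the CA reply
# was imported under "tomcat" after the key pair had been deleted, so the
# alias is a trustedCertEntry (certificate only, no private key).
LISTING_BROKEN = """\
Alias name: intermed
Creation date: Aug 7, 2015
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2
*******************************************

Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: trustedCertEntry

Owner: CN=example.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2
"""

# Constructed listing after the reply was imported into the alias that still
# held the key pair: keytool then prints the chain it stored with the key.
LISTING_FIXED = """\
Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=example.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2
Certificate[2]:
Owner: CN=Go Daddy Secure Certificate Authority - G2
Certificate[3]:
Owner: CN=Go Daddy Root Certificate Authority - G2
"""


def ssl_connectors(server_xml):
    """Return (port, keyAlias) for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("keyAlias")) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def parse_keytool_listing(text):
    """Map alias -> {"type": entry type, "chain": certificate chain length}.
    A trustedCertEntry prints no chain line, so its length is reported as 0."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        etype = re.search(r"^Entry type: (\S+)", body, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", body, re.M)
        entries[alias.strip()] = {"type": etype.group(1) if etype else None,
                                  "chain": int(chain.group(1)) if chain else 0}
    return entries


def check_connector_keys(server_xml, listing_text):
    """Return a list of problems; an empty list means every SSL connector
    names a usable key entry and Tomcat's keystore lookup would succeed."""
    entries = parse_keytool_listing(listing_text)
    problems = []
    for port, alias in ssl_connectors(server_xml):
        if alias is None:
            problems.append(f"port {port}: no keyAlias set; make the choice explicit")
            continue
        entry = entries.get(alias)
        if entry is None:
            problems.append(f"port {port}: alias {alias!r} is not in the keystore")
        elif entry["type"] != "PrivateKeyEntry":
            problems.append(f"port {port}: alias {alias!r} is a {entry['type']}, "
                            "not a key entry; was the key pair deleted before "
                            "the CA reply was imported?")
        elif entry["chain"] < 2:
            problems.append(f"port {port}: alias {alias!r} holds no CA chain, so "
                            "the intermediate certificates will not be sent")
    return problems


if __name__ == "__main__":
    for label, listing in (("broken", LISTING_BROKEN), ("fixed", LISTING_FIXED)):
        print(label, check_connector_keys(SERVER_XML, listing) or "OK")
```

Run it against the real files by reading server.xml and piping `keytool -list -v -keystore tomcat.keystore` into `check_connector_keys`; the third branch also flags a key entry whose stored chain is only the leaf certificate, since JSSE sends clients exactly the chain stored with the key.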

Re: Replaced a self-signed key with a GoDaddy key

Posted by je...@gmail.com.
Mark,

It turns out that the root certificate was a combination of g1 and g2, and that this causes a problem for keytool. I downloaded the single root certificate gdroot-g2.crt and used it to replace the root certificate. That fixed the problems.

Jeff

Sent from Windows Mail

From: Mark Thomas
Sent: Friday, August 7, 2015 1:40 PM
To: Tomcat Users List

On 7 August 2015 19:01:34 BST, jeffery.scott.crump@gmail.com wrote:
>I’ve been using Tomcat for about fours years. I’ve developed websites
>and services that used certificates based upon SHA1. Today I purchased
>a new certificate from GoDaddy based upon using “-sigalg
>SHA256withRSA”.
>
>
>So for this new service I executed the following commands in the
>directory of the keystore:
>
>
>keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg
>SHA256withRSA -keystore tomcat.keystore
>keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore
>tomcat.keystore
>
>
>sent the csr.txt to GoDadday and received the certificate files.
>
>
>keytool -delete -alias tomcat -keystore tomcat.keystore

You deleted the key at this point. There should be no need to do this.

Mark




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Replaced a self-signed key with a GoDaddy key

Posted by je...@gmail.com.
>>keytool -delete -alias tomcat -keystore tomcat.keystore
>>
>You deleted the key at this point. There should be no need to do this.
>
>Mark

Mark,

I rekeyed my certificate from a newly created tomcat.keystore and imported the root and intermediate certificates; then I got this when I imported my certificate:

keytool error: java.lang.Exception: Failed to establish chain from reply

Jeff

Sent from Windows Mail

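The two replies above describe the same root cause from two sides: keytool imports a single certificate into a trusted entry, so a bundle file that concatenates the G2 root and the G1 cross-certificate (gd_bundle-g2-g1.crt) does not land in the keystore as two usable entries, and when the reply's issuer chain cannot then be built from the keystore (or from cacerts via -trustcacerts) keytool refuses the reply with "Failed to establish chain from reply". Splitting the bundle into one file per certificate and importing each under its own alias before the reply, as the single gdroot-g2.crt did, avoids both. As an added example (not code from the thread, from GoDaddy or from keytool), the following splits a PEM bundle, checks that every member decodes to exactly one complete DER SEQUENCE (a truncated or corrupted member fails here instead of inside keytool), writes the members out, and lists the keytool invocations in the order that works: CA certificates first, then the reply into the alias that still holds the private key. The two "certificates" in the sample bundle are constructed DER SEQUENCEs built in-line, not real X.509 certificates, and `-importcert` is keytool's current spelling of the post's `-import`.

```python
"""Split a PEM bundle (e.g. gd_bundle-g2-g1.crt) into one file per certificate
and sanity-check each member.  Added example, not the thread's or keytool's
code; the sample bundle members are constructed DER SEQUENCEs, not certs."""
import base64
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(blob: bytes) -> int:
    """Total encoded length of the DER SEQUENCE starting at blob[0], or -1
    when the bytes do not begin with a well-formed SEQUENCE header."""
    if len(blob) < 2 or blob[0] != 0x30:
        return -1
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length bytes
    if nbytes == 0 or len(blob) < 2 + nbytes:
        return -1
    return 2 + nbytes + int.from_bytes(blob[2:2 + nbytes], "big")


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a CERTIFICATE PEM block with 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END CERTIFICATE-----\n")


def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.
    Raises ValueError if a block is not base64 or is not one complete
    SEQUENCE, which is what a truncated or corrupted bundle looks like."""
    members = []
    for i, body in enumerate(PEM_BLOCK.findall(text), start=1):
        try:  # binascii.Error is a ValueError subclass
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"block {i}: bad base64 ({exc})") from None
        if der_sequence_length(der) != len(der):
            raise ValueError(f"block {i}: not a single complete DER SEQUENCE")
        members.append(der)
    return members


def write_members(text: str, outdir: str, stem: str) -> list:
    """Write each bundle member to <outdir>/<stem>-N.crt; return the paths."""
    paths = []
    for i, der in enumerate(split_pem_bundle(text), start=1):
        path = os.path.join(outdir, f"{stem}-{i}.crt")
        with open(path, "w") as fh:
            fh.write(to_pem(der))
        paths.append(path)
    return paths


def keytool_import_commands(ca_files, reply_file, keystore, key_alias="tomcat"):
    """keytool invocations in the order that avoids "Failed to establish chain
    from reply": each CA certificate as its own trusted entry, then the reply
    into the alias that still holds the private key (never -delete it)."""
    cmds = [f"keytool -importcert -trustcacerts -alias ca-{i} -file {f} "
            f"-keystore {keystore}" for i, f in enumerate(ca_files, start=1)]
    cmds.append(f"keytool -importcert -trustcacerts -alias {key_alias} "
                f"-file {reply_file} -keystore {keystore}")
    return cmds


def _der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE (constructed test data, not a cert)."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + payload


# Constructed two-member bundle standing in for gd_bundle-g2-g1.crt; one
# short-form and one long-form length so both DER length paths are exercised.
MEMBER_A = _der_sequence(b"\x02\x01\x05")                 # SEQUENCE { INTEGER 5 }
MEMBER_B = _der_sequence(b"\x04\x81\xc8" + bytes(200))    # SEQUENCE { OCTET STRING }
SAMPLE_BUNDLE = to_pem(MEMBER_A) + "subject=CN=placeholder\n" + to_pem(MEMBER_B)


def demo() -> dict:
    """Split SAMPLE_BUNDLE into a temp dir and report what was produced."""
    with tempfile.TemporaryDirectory() as d:
        paths = write_members(SAMPLE_BUNDLE, d, "gd_bundle")
        reread = [split_pem_bundle(open(p).read())[0] for p in paths]
        cmds = keytool_import_commands(paths, "reply.crt", "tomcat.keystore")
    return {"files": [os.path.basename(p) for p in paths],
            "roundtrip": reread == split_pem_bundle(SAMPLE_BUNDLE),
            "commands": cmds}


if __name__ == "__main__":
    print("\n".join(demo()["commands"]))
```

On a real bundle, call `write_members(open("gd_bundle-g2-g1.crt").read(), ".", "gd_bundle")` and import the resulting files in the printed order; `keytool -list -v` should then show one trustedCertEntry per CA certificate and, after the last command, a PrivateKeyEntry for the key alias with a chain length greater than one.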

Re: Replaced a self-signed key with a GoDaddy key

Posted by Mark Thomas <ma...@apache.org>.
On 7 August 2015 19:01:34 BST, jeffery.scott.crump@gmail.com wrote:
>I’ve been using Tomcat for about fours years. I’ve developed websites
>and services that used certificates based upon SHA1. Today I purchased
>a new certificate from GoDaddy based upon using “-sigalg
>SHA256withRSA”.
>
>
>So for this new service I executed the following commands in the
>directory of the keystore:
>
>
>keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg
>SHA256withRSA -keystore tomcat.keystore
>keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore
>tomcat.keystore
>
>
>sent the csr.txt to GoDadday and received the certificate files.
>
>
>keytool -delete -alias tomcat -keystore tomcat.keystore

You deleted the key at this point. There should be no need to do this.

Mark

