Posted to users@tomcat.apache.org by James Lampert <ja...@touchtonecorp.com> on 2012/01/18 23:46:36 UTC

More, Re: Problem bringing up SSL with a CA certificate

I've now got the CA certificates the customer representative is trying 
to use here, and I'm attempting to test them on our box.

I followed these instructions:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO15518

rather than the ones here:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

which appear to be somewhat out of date, as Thawte calls for both 
primary and secondary X.509 certificates to be loaded into the keystore.

With no explicit alias reference, and the three certificates placed in 
the keystore, in the order specified by Thawte, I get:

> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]                                           
> Throwable occurred: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:822)                                      
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:470)                                             
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)                                     
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)                                                              
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)                                                    
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)                                                             
> at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)                                  
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)                                                  
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                                       
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)                                           
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                                       
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)                                             
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                                       
> at org.apache.catalina.startup.Catalina.load(Catalina.java:573)                                                              
> at org.apache.catalina.startup.Catalina.load(Catalina.java:598)                                                              
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                                                               
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)                                             
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)                                     
> at java.lang.reflect.Method.invoke(Method.java:611)                                                                          
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)                                                            
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)                                                            
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> at com.ibm.jsse2.rc.a(rc.java:53)                                                                                            
> at com.ibm.jsse2.rc.accept(rc.java:13)                                                                                       
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818)                                 
> ... 20 more                                                                                                         
> Jan 18, 2012 2:21:43 PM org.apache.catalina.core.StandardService initInternal                                        
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]                                                    
> Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)                                              
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)                                  
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                              
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)                                    
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                              
> at org.apache.catalina.startup.Catalina.load(Catalina.java:573)                                                     
> at org.apache.catalina.startup.Catalina.load(Catalina.java:598)                                                     
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                                                      
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)                                    
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)                            
> at java.lang.reflect.Method.invoke(Method.java:611)                                                                 
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)                                                   
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)                                                   
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed                            
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)                                                        
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                                             
> ... 12 more                                                                                                                        
> Caused by: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:822)                                       
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:470)                                              
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)                                      
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)                                                               
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)                                                     
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)                                                              
> at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)                                   
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)                                                        
> ... 13 more                                                                                                                        
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.      
> at com.ibm.jsse2.rc.a(rc.java:53)                                                                                                  
> at com.ibm.jsse2.rc.accept(rc.java:13)                                                                                             
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818)                                       
> ... 20 more                                                                                                                        

I haven't heard a single response to my earlier query, and none of this 
makes any sense.

--
JHHL


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by James Lampert <ja...@touchtonecorp.com>.
Ognjen Blagojevic wrote:

> You must find keystore with earlier generated key pair (the one you also 
> used to generate CSR for CA), and import all three certificates into 
> that keystore.

Dear Ognjen:

Thanks. That does sound vaguely like something we went through ourselves 
some years ago, when we first got our jar-signing certificate working.

I've put in a request for the person responsible for the CSR to find it 
and get it to me.

--
JHHL



Re: New development, Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by Ognjen Blagojevic <og...@gmail.com>.
James,

On 19.1.2012 18:05, James Lampert wrote:
>> You must find keystore with earlier generated key pair (the one you
>> also used to generate CSR for CA), and import all three certificates
>> into that keystore.
>
> At this point, I still don't have the keystore used to generate the CSR,
> but I *do* now have the CSR itself. Does that help?

No, it doesn't.

Assuming you are NOT using the APR connector, the whole procedure goes like 
this:

1. Generate a key pair (public and private key) using keytool -genkeypair. 
Both keys are kept in the keystore.

2. Export the public key into a CSR, and send it to the CA.

3. Receive the signed public key (certificate) from the CA, along with any 
other certificates needed to form the chain.

4. Import all received certificates into the keystore you used in step 1.

If you lost your keystore, that means that you lost the private key. You 
need to start from the beginning. Generate a new key pair, and send it to 
your CA. Before that, check the revocation procedure with your CA.

-Ognjen



New development, Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by James Lampert <ja...@touchtonecorp.com>.
Ognjen Blagojevic wrote:

> You must find keystore with earlier generated key pair (the one you also 
> used to generate CSR for CA), and import all three certificates into 
> that keystore.

Dear Ognjen:

At this point, I still don't have the keystore used to generate the CSR, 
but I *do* now have the CSR itself. Does that help?

--
JHHL




Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by Ognjen Blagojevic <og...@gmail.com>.
James,

On 19.1.2012 1:41, James Lampert wrote:
>> secondary, Jan 18, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
>> wintouch, Jan 18, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
>> primary, Jan 18, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A

The order of the certificates listed is not important.

Assuming that "wintouch" is the alias for your certificate, it seems that 
you imported the signed certificate into a brand new keystore, instead of 
the keystore which contains the earlier generated key pair.

You must find the keystore with the earlier generated key pair (the one 
you also used to generate the CSR for the CA), and import all three 
certificates into that keystore.

Once you do that, keytool -list should return:

secondary, ... trustedCertEntry,
...
wintouch, ... PrivateCertEntry,
...
primary, ... trustedCertEntry,
...


It should say "PrivateKeyEntry" next to "wintouch".

-Ognjen

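As an added example, not part of this thread, here is a small Python check that applies Ognjen's diagnosis above (and the end state of his four-step keytool procedure) to "keytool -list" output. It assumes, as Ognjen did, that "wintouch" is the server alias; it flags a keystore whose server alias is only a trustedCertEntry, or which holds no private-key entry at all, which is the situation behind the "No available certificate or key corresponds to the SSL cipher suites which are enabled" error James posted.

```python
import re
from typing import Dict, List

# Constructed sample: the listing James posted, where the signed certificate
# ("wintouch") landed in a fresh keystore and so became a trusted cert only.
BROKEN_LISTING = """\
secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
wintouch, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
"""

# Constructed sample of the same aliases once the three certificates are
# imported into the keystore holding the key pair used for the CSR (step 4).
FIXED_LISTING = """\
secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
wintouch, Jan 18, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
"""

# Constructed fragment of the verbose layout printed by keytool -list -v.
VERBOSE_LISTING = """\
Alias name: wintouch
Creation date: Jan 18, 2012
Entry type: PrivateKeyEntry
"""

# Plain entry line: "<alias>, <date, which itself contains a comma>, <entryType>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*,\s*(?P<kind>\w+),\s*$")
# keytool spells the key entry "PrivateKeyEntry" (older releases: "keyEntry").
KEY_ENTRY_KINDS = ("PrivateKeyEntry", "keyEntry")

def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map each alias in keytool -list (plain or -v) output to its entry type."""
    entries: Dict[str, str] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):            # -v layout
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and current:
            entries[current] = line.split(":", 1)[1].strip()
            current = None
        else:                                         # plain layout
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group("alias")] = m.group("kind")
    return entries

def check_server_keystore(listing: str, server_alias: str) -> List[str]:
    """Findings that would stop a JSSE connector from initialising: Tomcat
    needs the alias it serves from to carry a private key, and a keystore
    holding only trustedCertEntry items has no key for any cipher suite."""
    entries = parse_keytool_list(listing)
    findings: List[str] = []
    if server_alias not in entries:
        findings.append(f"alias '{server_alias}' not present in keystore")
    elif entries[server_alias] not in KEY_ENTRY_KINDS:
        findings.append(f"alias '{server_alias}' is a {entries[server_alias]}: the "
                        "signed certificate was imported into a keystore that does "
                        "not hold its private key")
    if not any(kind in KEY_ENTRY_KINDS for kind in entries.values()):
        findings.append("no private-key entry at all: this is not the keystore "
                        "that generated the CSR, so Tomcat has nothing to serve")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", BROKEN_LISTING), ("expected", FIXED_LISTING)):
        print(label, check_server_keystore(text, "wintouch") or ["ok"])
```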



Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by James Lampert <ja...@touchtonecorp.com>.
Dear Igor (et al):

Thanks for getting back to me. To answer the questions (and pose a few 
more):

Igor Cicimov wrote:

> Are you sure you have downloaded the correct intermediate certs?

I didn't download them myself; neither did I place the order. But I'll 
pass this on to the fellow who did.

> Note: When executing the command to import the SSL certificate, you must
> specify the actual Alias used when you initially created the keystore. If

The results are exactly the same whether I specify the alias (and yes, 
it's the correct one; this I did set myself) or not.

One thing I noticed: the Thawte instructions call for importing first 
the primary, then the secondary, then the purchased certificate. Yet 
when I do a keytool -list on the keystore, it comes up in a different 
sequence:
> secondary, Jan 18, 2012, trustedCertEntry,
> Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
> wintouch, Jan 18, 2012, trustedCertEntry,
> Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
> primary, Jan 18, 2012, trustedCertEntry,
> Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A

Would this be a reason to suspect that the person who got the certs 
either (a) got the wrong secondary for the certificate purchased, (b) 
purchased the wrong kind of certificate for HTTPS, or (c) both?

--
JHHL



Re: More, Re: Problem bringing up SSL with a CA certificate

Posted by Igor Cicimov <ic...@gmail.com>.
> Caused by: java.io.IOException: SSL configuration is invalid due to No
> available certificate or key corresponds to the SSL cipher suites which are
> enabled.

Are you sure you have downloaded the correct intermediate certs?

Note: When executing the command to import the SSL certificate, you must
specify the actual Alias used when you initially created the keystore. If
you are unsure of this, run the following sample command to see the
contents of your keystore: keytool -list -v -keystore keystorefile.kdb

Did you use the same alias as the alias you used to create the keystore
when you imported the certificate? Is your tomcat connector config pointing
to the correct keystore file location?

Igor

On Thu, Jan 19, 2012 at 9:46 AM, James Lampert <ja...@touchtonecorp.com> wrote:

> I've now got the CA certificates the customer representative is trying to
> use here, and I'm attempting to test them on our box.
>
> I followed these instructions:
>
> https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO15518
>
> rather than the ones here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate
>
> which appear to be somewhat out of date, as Thawte calls for both primary
> and secondary X.509 certificates to be loaded into the keystore.
>
> With no explicit alias reference, and the three certificates placed in the
> keystore, in the order specified by Thawte, I get:
> [...]