Posted to users@tomcat.apache.org by Ralph Grove <rf...@icloud.com.INVALID> on 2023/03/21 01:09:01 UTC

GoDaddy SSL certificate not working with Tomcat9

I'm having a problem installing a new SSL certificate on a GoDaddy-hosted server running Tomcat. Any suggestions for resolving it would be appreciated.

I set up the server last year and installed the SSL certificate with no problem. This year, after the original certificate expired, I downloaded the new certificate provided by GoDaddy, removed the old certificate files from the keystore, and installed the new ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore from scratch and requesting a new certificate, but am getting the same exception with that certificate. 

These are the commands I used to obtain and install the certificate:

sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks

(--request and obtain certificate files from GoDaddy--)

sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdcerts/gdroot-g2.crt

sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file gdcerts/gd_bundle-g2-g1.crt

sudo keytool -import -alias tomcat -keystore keystore.jks -file gdcerts/xxxxxxxxxxxx.crt


And this is the Tomcat configuration for the connector:

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true">
       <SSLHostConfig>
           <Certificate certificateKeystoreFile="conf/keystore.jks"
                 type="RSA" certificateKeystorePassword="xxxxxx" />
       </SSLHostConfig>
   </Connector>


Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Robert Turner <rt...@e-djuster.ca>.
Pressed send too quickly -- I see different aliases there. Ignore my
previous comments....

Using PEM files is much simpler to manage, I would go that route instead...
will make it easier. However, I can't offer any real advice on the specific
issue at this time...

Others will certainly be more helpful than I...sorry.

On Mon, Mar 20, 2023 at 9:14 PM Robert Turner <rt...@e-djuster.ca> wrote:

> I believe the default certificate alias used by Tomcat is "tomcat". I
> think you are creating your keystore with the alias "root".
>
> (see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
> Tomcat SSL configuration -- adjust for the version you are running)
>
> On Mon, Mar 20, 2023 at 9:09 PM Ralph Grove <rf...@icloud.com.invalid>
> wrote:
>
>> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted
>> server running Tomcat. Any suggestions for resolving it would be
>> appreciated.
>>
>> I set up the server last year and installed the SSL certificate with no
>> problem. This year, after the original certificate expired, I downloaded
>> the new certificate provided by GoDaddy, removed the old certificate files
>> from the keystore, and installed the new ones. Now Tomcat is throwing a
>> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to
>> open the HTTPS connector. I also tried rebuilding the keystore from scratch
>> and requesting a new certificate, but am getting the same exception with
>> that certificate.
>>
>> These are the commands I used to obtain and install the certificate:
>>
>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>>
>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
>> -keystore keystore.jks
>>
>> (--request and obtain certificate files from GoDaddy--)
>>
>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts
>> -file gdcerts/gdroot-g2.crt
>>
>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts
>> -file gdcerts/gd_bundle-g2-g1.crt
>>
>> sudo keytool -import -alias tomcat -keystore keystore.jks -file
>> gdcerts/xxxxxxxxxxxx.crt
>>
>>
>>
>> And this is the Tomcat configuration for the connector:
>>
>>    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>               maxThreads="150" SSLEnabled="true">
>>        <SSLHostConfig>
>>            <Certificate certificateKeystoreFile="conf/keystore.jks"
>>                  type="RSA" certificateKeystorePassword="xxxxxx" />
>>        </SSLHostConfig>
>>    </Connector>
>>
>>
>
>

Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Robert Turner <rt...@e-djuster.ca>.
I believe the default certificate alias used by Tomcat is "tomcat". I think
you are creating your keystore with the alias "root".

(see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
Tomcat SSL configuration -- adjust for the version you are running)

On Mon, Mar 20, 2023 at 9:09 PM Ralph Grove <rf...@icloud.com.invalid>
wrote:

> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted
> server running Tomcat. Any suggestions for resolving it would be
> appreciated.
>
> I set up the server last year and installed the SSL certificate with no
> problem. This year, after the original certificate expired, I downloaded
> the new certificate provided by GoDaddy, removed the old certificate files
> from the keystore, and installed the new ones. Now Tomcat is throwing a
> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to
> open the HTTPS connector. I also tried rebuilding the keystore from scratch
> and requesting a new certificate, but am getting the same exception with
> that certificate.
>
> These are the commands I used to obtain and install the certificate:
>
> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>
> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> -keystore keystore.jks
>
> (--request and obtain certificate files from GoDaddy--)
>
> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts
> -file gdcerts/gdroot-g2.crt
>
> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts
> -file gdcerts/gd_bundle-g2-g1.crt
>
> sudo keytool -import -alias tomcat -keystore keystore.jks -file
> gdcerts/xxxxxxxxxxxx.crt
>
>
>
> And this is the Tomcat configuration for the connector:
>
>    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>               maxThreads="150" SSLEnabled="true">
>        <SSLHostConfig>
>            <Certificate certificateKeystoreFile="conf/keystore.jks"
>                  type="RSA" certificateKeystorePassword="xxxxxx" />
>        </SSLHostConfig>
>    </Connector>
>
>

Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Ralph Grove <rf...@icloud.com.INVALID>.
Follow-up to this thread: 

I found the problem, which was my own mistake. I failed to enter the correct domain name when creating the keystore. After going back through the entire process again, with the correct domain name, the server is up and running again. Thanks, nevertheless, for the help.

Ralph

> On Mar 21, 2023, at 6:38 AM, Ralph Grove <rf...@icloud.com> wrote:
> 
>>> I set up the server last year and installed the SSL certificate with no problem. This year, after the original certificate expired, I downloaded the new certificate provided by GoDaddy, removed the old certificate files from the keystore, and installed the new ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore from scratch and requesting a new certificate, but am getting the same exception with that certificate.
>>> These are the commands I used to obtain and install the certificate:
>>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks
>>> (--request and obtain certificate files from GoDaddy--)
>> 
>> Did you run the commands below on the same keystore file you created in the first command above?
> 
> Yes - it was the same file. I went through the commands twice, just to be sure.
>> 
>>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdcerts/gdroot-g2.crt
>>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file gdcerts/gd_bundle-g2-g1.crt
>>> sudo keytool -import -alias tomcat -keystore keystore.jks -file gdcerts/xxxxxxxxxxxx.crt
>> 
>> What is the output of:
>> keytool -list -v -keystore keystore.jks
> 
> > sudo keytool -list -v -keystore keystore.jks...


Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ralph,

On 3/21/23 06:38, Ralph Grove wrote:
> 
> [snip]
>
> Alias name: tomcat
> Creation date: Mar 21, 2023
> Entry type: trustedCertEntry

You created a keystore with no keys.

Where is the key you used to generate the CSR? That key needs to be in 
your keystore under the alias 'tomcat' alongside the cert.

If you have both cert and key, you'll get a single entry with a single 
alias and type "PrivateKeyEntry".

-chris

> Owner: CN=personalitypad.org
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
> Serial number: afa46fd8c3404384
> Valid from: Sat Mar 18 17:26:57 EDT 2023 until: Sun Feb 04 12:48:29 EST 2024
> Certificate fingerprints:
> 	 SHA1: 43:33:D4:48:91:12:E2:1C:F2:E9:1C:F1:84:94:D4:24:1C:8A:C9:B9
> 	 SHA256: 68:9C:D5:0E:73:A4:37:3C:56:38:BA:89:ED:9B:53:71:F4:B8:C6:9B:16:B6:F5:37:5E:5E:41:85:0B:66:B1:88
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
> 
> Extensions:
> 
> #1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
> 0000: 04 82 01 6C 01 6A 00 76   00 EE CD D0 64 D5 DB 1A  ...l.j.v....d...
> 0010: CE C5 5C B7 9D B4 CD 13   A2 32 87 46 7C BC EC DE  ..\......2.F....
> 0020: C3 51 48 59 46 71 1F B5   9B 00 00 01 86 F6 9E 5A  .QHYFq.........Z
> 0030: 53 00 00 04 03 00 47 30   45 02 20 6E 2F 52 3D 81  S.....G0E. n/R=.
> 0040: 1C 46 9A 90 BC A3 4E 2E   59 09 7A A9 10 42 04 82  .F....N.Y.z..B..
> 0050: 73 A7 DD D1 DC 7A F8 6C   7B 51 E2 02 21 00 AC 50  s....z.l.Q..!..P
> 0060: 33 31 C0 34 B5 6F D7 7C   C4 41 39 29 A4 25 07 46  31.4.o...A9).%.F
> 0070: B7 48 C6 3E DE 2C 2E 19   CD 3A 65 A9 C0 0A 00 77  .H.>.,...:e....w
> 0080: 00 48 B0 E3 6B DA A6 47   34 0F E5 6A 02 FA 9D 30  .H..k..G4..j...0
> 0090: EB 1C 52 01 CB 56 DD 2C   81 D9 BB BF AB 39 D8 84  ..R..V.,.....9..
> 00A0: 73 00 00 01 86 F6 9E 5B   34 00 00 04 03 00 48 30  s......[4.....H0
> 00B0: 46 02 21 00 E7 46 1D A5   7C 83 89 09 EF 31 73 73  F.!..F.......1ss
> 00C0: 52 4C 0A BA 5A 8E BD 6B   7A 92 B8 19 5A 07 70 76  RL..Z..kz...Z.pv
> 00D0: BC 88 50 8C 02 21 00 A8   98 CB C7 86 B2 88 15 0E  ..P..!..........
> 00E0: 81 06 89 8E 2C 00 B5 93   46 A6 DF F9 E8 33 B0 C3  ....,...F....3..
> 00F0: 36 17 9C 16 35 A8 FD 00   77 00 DA B6 BF 6B 3F B5  6...5...w....k?.
> 0100: B6 22 9F 9B C2 BB 5C 6B   E8 70 91 71 6C BB 51 84  ."....\k.p.ql.Q.
> 0110: 85 34 BD A4 3D 30 48 D7   FB AB 00 00 01 86 F6 9E  .4..=0H.........
> 0120: 5B E3 00 00 04 03 00 48   30 46 02 21 00 D1 45 86  [......H0F.!..E.
> 0130: 4E 62 EB 88 9A 4C 79 B9   39 8E 60 E3 8B 35 5A 95  Nb...Ly.9.`..5Z.
> 0140: 23 B2 22 E4 BC 70 A2 6E   29 61 83 66 CA 02 21 00  #."..p.n)a.f..!.
> 0150: E9 89 87 3B F6 26 67 B4   52 E7 E5 39 98 2A 0F 46  ...;.&g.R..9.*.F
> 0160: 5C F6 E7 34 84 87 64 BC   03 9D 7E 6A C3 75 30 70  \..4..d....j.u0p
> 
> 
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>    [
>     accessMethod: ocsp
>     accessLocation: URIName: http://ocsp.godaddy.com/
> ,
>     accessMethod: caIssuers
>     accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
> ]
> ]
> 
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
> 0010: B4 2C 80 CE                                        .,..
> ]
> ]
> 
> #4: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
>    CA:false
>    PathLen: undefined
> ]
> 
> #5: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>    [DistributionPoint:
>       [URIName: http://crl.godaddy.com/gdig2s1-5359.crl]
> ]]
> 
> #6: ObjectId: 2.5.29.32 Criticality=false
> CertificatePolicies [
>    [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
> [PolicyQualifierInfo: [
>    qualifierID: 1.3.6.1.5.5.7.2.1
>    qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
> 0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
> 0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/
> 
> ]]  ]
>    [CertificatePolicyId: [2.23.140.1.2.1]
> []  ]
> ]
> 
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>    serverAuth
>    clientAuth
> ]
> 
> #8: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>    DigitalSignature
>    Key_Encipherment
> ]
> 
> #9: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>    DNSName: personalitypad.org
>    DNSName: www.personalitypad.org
> ]
> 
> #10: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: A3 F9 3A E5 38 6D 62 89   75 E8 98 E1 08 75 72 8E  ..:.8mb.u....ur.
> 0010: FB 54 55 2C                                        .TU,
> ]
> ]
> 
> 
> 
> *******************************************
> *******************************************
> 
> 
> 
>>
>>> And this is the Tomcat configuration for the connector:
>>>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>                maxThreads="150" SSLEnabled="true">
>>>         <SSLHostConfig>
>>>             <Certificate certificateKeystoreFile="conf/keystore.jks"
>>>                   type="RSA" certificateKeystorePassword="xxxxxx" />
>>>         </SSLHostConfig>
>>>     </Connector>
>>
>> The connector configuration looks OK.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 
> 

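The check Chris describes above (the alias Tomcat uses must be a "PrivateKeyEntry", not a "trustedCertEntry") can be scripted against the output of `keytool -list -v`. The following is an added example, not code from the thread or from the Tomcat project: it parses the listing on stdin, reports the entry type recorded for a given alias, and flags the situation that produces `jsse.alias_no_key_entry`. The alias to check is an input; the connector in the thread sets no `certificateKeyAlias`, so pass the alias you expect Tomcat to use ("tomcat" in the thread). The sample listing embedded below is constructed to mirror the three aliases in Ralph's keystore, with the certificate details omitted.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect `keytool -list -v` output and
# tell whether ALIAS holds a private key together with its certificate.

# keystore_entry_type ALIAS
#   Reads a `keytool -list -v` listing on stdin and prints the "Entry type"
#   recorded for ALIAS (PrivateKeyEntry / trustedCertEntry), or "missing"
#   when the alias does not appear in the listing.
keystore_entry_type() {
    awk -v want="$1" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace / CR
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { if (alias == want) { print substr($0, 13); found = 1; exit } }
        END             { if (!found) print "missing" }
    '
}

# check_tomcat_alias ALIAS
#   Exit 0 when ALIAS is usable by a Tomcat <Certificate> (a PrivateKeyEntry),
#   non-zero with a short diagnosis otherwise. Reads the listing on stdin.
check_tomcat_alias() {
    entry=$(keystore_entry_type "$1")
    case "$entry" in
        PrivateKeyEntry)
            echo "ok: alias '$1' holds a private key and its certificate chain"
            return 0 ;;
        trustedCertEntry)
            echo "problem: alias '$1' is a trustedCertEntry (certificate only)."
            echo "         Tomcat will raise jsse.alias_no_key_entry for it."
            echo "         The CA-signed certificate must be imported under the"
            echo "         alias that already holds the key created with -genkey."
            return 1 ;;
        missing)
            echo "problem: alias '$1' is not present in the keystore"
            return 2 ;;
        *)
            echo "problem: unexpected entry type '$entry' for alias '$1'"
            return 3 ;;
    esac
}

# Constructed sample in the shape of `keytool -list -v` output, with the same
# three aliases as the keystore in the thread (certificate details omitted).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: inter
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Alias name: root
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: Mar 21, 2023
Entry type: trustedCertEntry
'

# Demonstration on the constructed listing: reports the trustedCertEntry
# problem for alias "tomcat" (exit status 1, swallowed here so the script
# itself still exits cleanly).
printf '%s' "$SAMPLE_LISTING" | check_tomcat_alias tomcat || true

# Live use against a real keystore (not executed here; path assumed):
#   keytool -list -v -keystore conf/keystore.jks | check_tomcat_alias tomcat
```

Running the live form before restarting Tomcat turns the opaque `jsse.alias_no_key_entry` into a concrete statement about the keystore: either the alias is a key entry and the connector will start, or the signed certificate was imported beside the key rather than onto it.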


Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Ralph Grove <rf...@icloud.com.INVALID>.

> On Mar 21, 2023, at 4:25 AM, Mark Thomas <ma...@apache.org> wrote:
> 
> On 21/03/2023 01:09, Ralph Grove wrote:
>> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted server running Tomcat. Any suggestions for resolving it would be appreciated.
>> I set up the server last year and installed the SSL certificate with no problem. This year, after the original certificate expired, I downloaded the new certificate provided by GoDaddy, removed the old certificate files from the keystore, and installed the new ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore from scratch and requesting a new certificate, but am getting the same exception with that certificate.
>> These are the commands I used to obtain and install the certificate:
>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks
>> (--request and obtain certificate files from GoDaddy--)
> 
> Did you run the commands below on the same keystore file you created in the first command above?

Yes - it was the same file. I went through the commands twice, just to be sure.
> 
>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdcerts/gdroot-g2.crt
>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file gdcerts/gd_bundle-g2-g1.crt
>> sudo keytool -import -alias tomcat -keystore keystore.jks -file gdcerts/xxxxxxxxxxxx.crt
> 
> What is the output of:
> keytool -list -v -keystore keystore.jks

> sudo keytool -list -v -keystore keystore.jks
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: inter
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 03:00:00 EDT 2011 until: Sat May 03 03:00:00 EDT 2031
Certificate fingerprints:
	 SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
	 SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]



*******************************************
*******************************************


Alias name: root
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Mon Aug 31 20:00:00 EDT 2009 until: Thu Dec 31 18:59:59 EST 2037
Certificate fingerprints:
	 SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
	 SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]



*******************************************
*******************************************


Alias name: tomcat
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=personalitypad.org
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: afa46fd8c3404384
Valid from: Sat Mar 18 17:26:57 EDT 2023 until: Sun Feb 04 12:48:29 EST 2024
Certificate fingerprints:
	 SHA1: 43:33:D4:48:91:12:E2:1C:F2:E9:1C:F1:84:94:D4:24:1C:8A:C9:B9
	 SHA256: 68:9C:D5:0E:73:A4:37:3C:56:38:BA:89:ED:9B:53:71:F4:B8:C6:9B:16:B6:F5:37:5E:5E:41:85:0B:66:B1:88
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 82 01 6C 01 6A 00 76   00 EE CD D0 64 D5 DB 1A  ...l.j.v....d...
0010: CE C5 5C B7 9D B4 CD 13   A2 32 87 46 7C BC EC DE  ..\......2.F....
0020: C3 51 48 59 46 71 1F B5   9B 00 00 01 86 F6 9E 5A  .QHYFq.........Z
0030: 53 00 00 04 03 00 47 30   45 02 20 6E 2F 52 3D 81  S.....G0E. n/R=.
0040: 1C 46 9A 90 BC A3 4E 2E   59 09 7A A9 10 42 04 82  .F....N.Y.z..B..
0050: 73 A7 DD D1 DC 7A F8 6C   7B 51 E2 02 21 00 AC 50  s....z.l.Q..!..P
0060: 33 31 C0 34 B5 6F D7 7C   C4 41 39 29 A4 25 07 46  31.4.o...A9).%.F
0070: B7 48 C6 3E DE 2C 2E 19   CD 3A 65 A9 C0 0A 00 77  .H.>.,...:e....w
0080: 00 48 B0 E3 6B DA A6 47   34 0F E5 6A 02 FA 9D 30  .H..k..G4..j...0
0090: EB 1C 52 01 CB 56 DD 2C   81 D9 BB BF AB 39 D8 84  ..R..V.,.....9..
00A0: 73 00 00 01 86 F6 9E 5B   34 00 00 04 03 00 48 30  s......[4.....H0
00B0: 46 02 21 00 E7 46 1D A5   7C 83 89 09 EF 31 73 73  F.!..F.......1ss
00C0: 52 4C 0A BA 5A 8E BD 6B   7A 92 B8 19 5A 07 70 76  RL..Z..kz...Z.pv
00D0: BC 88 50 8C 02 21 00 A8   98 CB C7 86 B2 88 15 0E  ..P..!..........
00E0: 81 06 89 8E 2C 00 B5 93   46 A6 DF F9 E8 33 B0 C3  ....,...F....3..
00F0: 36 17 9C 16 35 A8 FD 00   77 00 DA B6 BF 6B 3F B5  6...5...w....k?.
0100: B6 22 9F 9B C2 BB 5C 6B   E8 70 91 71 6C BB 51 84  ."....\k.p.ql.Q.
0110: 85 34 BD A4 3D 30 48 D7   FB AB 00 00 01 86 F6 9E  .4..=0H.........
0120: 5B E3 00 00 04 03 00 48   30 46 02 21 00 D1 45 86  [......H0F.!..E.
0130: 4E 62 EB 88 9A 4C 79 B9   39 8E 60 E3 8B 35 5A 95  Nb...Ly.9.`..5Z.
0140: 23 B2 22 E4 BC 70 A2 6E   29 61 83 66 CA 02 21 00  #."..p.n)a.f..!.
0150: E9 89 87 3B F6 26 67 B4   52 E7 E5 39 98 2A 0F 46  ...;.&g.R..9.*.F
0160: 5C F6 E7 34 84 87 64 BC   03 9D 7E 6A C3 75 30 70  \..4..d....j.u0p


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s1-5359.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: personalitypad.org
  DNSName: www.personalitypad.org
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 F9 3A E5 38 6D 62 89   75 E8 98 E1 08 75 72 8E  ..:.8mb.u....ur.
0010: FB 54 55 2C                                        .TU,
]
]



*******************************************
*******************************************



> 
>> And this is the Tomcat configuration for the connector:
>>    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>               maxThreads="150" SSLEnabled="true">
>>        <SSLHostConfig>
>>            <Certificate certificateKeystoreFile="conf/keystore.jks"
>>                  type="RSA" certificateKeystorePassword="xxxxxx" />
>>        </SSLHostConfig>
>>    </Connector>
> 
> The connector configuration looks OK.
> 
> Mark
> 
> 


Re: GoDaddy SSL certificate not working with Tomcat9

Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2023 01:09, Ralph Grove wrote:
> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted server running Tomcat. Any suggestions for resolving it would be appreciated.
> 
> I set up the server last year and installed the SSL certificate with no problem. This year, after the original certificate expired, I downloaded the new certificate provided by GoDaddy, removed the old certificate files from the keystore, and installed the new ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore from scratch and requesting a new certificate, but am getting the same exception with that certificate.
> 
> These are the commands I used to obtain and install the certificate:
> 
> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
> 
> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks
> 
> (--request and obtain certificate files from GoDaddy--)

Did you run the commands below on the same keystore file you created in 
the first command above?

> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdcerts/gdroot-g2.crt
> 
> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file gdcerts/gd_bundle-g2-g1.crt
> 
> sudo keytool -import -alias tomcat -keystore keystore.jks -file gdcerts/xxxxxxxxxxxx.crt

What is the output of:
keytool -list -v -keystore keystore.jks

> And this is the Tomcat configuration for the connector:
> 
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true">
>         <SSLHostConfig>
>             <Certificate certificateKeystoreFile="conf/keystore.jks"
>                   type="RSA" certificateKeystorePassword="xxxxxx" />
>         </SSLHostConfig>
>     </Connector>

The connector configuration looks OK.

Mark
