Posted to users@tomcat.apache.org by Bruce Kostival <bk...@universallumpers.com> on 2014/12/18 23:28:01 UTC

GoDaddy SSL cert update from SHA1 to SHA2

Tomcat 6.0.x
Windows Server 2008
Running Java 7
Home grown app written in STS

Running HTTPS with SHA1 cert
Obtained SHA2 cert from GoDaddy by sending CSR generated from original keystore.  Removed existing aliases from original keystore and loaded new root and domain cert to keystore.
Trying to run up the new cert gives me this error:

SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207)
        at org.apache.catalina.connector.Connector.start(Connector.java:1196)
        at org.apache.catalina.core.StandardService.start(StandardService.java:540)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

I feel like I'm missing something basic in the keystore.  Any ideas?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: GoDaddy SSL cert update from SHA1 to SHA2

Posted by Bruce Kostival <bk...@universallumpers.com>.
And how do I get the Private Key back?  It's definitely not there.




Re: GoDaddy SSL cert update from SHA1 to SHA2

Posted by Igor Cicimov <ic...@gmail.com>.
On Fri, Dec 19, 2014 at 9:56 AM, Bruce Kostival <
bkostival@universallumpers.com> wrote:
>
> Thanks Igor I'll poke around based on your input.

Another possibility is that you have removed the private key used to
generate the new CSR by removing the old aliases from the keystore.

Re: GoDaddy SSL cert update from SHA1 to SHA2

Posted by Bruce Kostival <bk...@universallumpers.com>.
Thanks Igor I'll poke around based on your input.


Re: GoDaddy SSL cert update from SHA1 to SHA2

Posted by Igor Cicimov <ic...@gmail.com>.
On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival <
bkostival@universallumpers.com> wrote:
>
> I feel like I'm missing something basic in the keystore.  Any ideas?

Just guessing but based on the cause given in the above error you probably
have ciphers set in your connector using 128 bit key, something like this:

           ciphers="SSL_RSA_WITH_RC4_128_MD5,
           SSL_RSA_WITH_RC4_128_SHA,
           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDH_RSA_WITH_RC4_128_SHA"

In that case try to change that to match your new 256 bit key now. Of
course take care of the proper cipher suite names for BIO/NIO or APR
connector since they differ (the above example is for BIO/NIO connector).

Re: GoDaddy SSL cert update from SHA1 to SHA2

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Bruce,

On 12/18/14 5:28 PM, Bruce Kostival wrote:
> I feel like I'm missing something basic in the keystore.  Any
> ideas?

Did you use the original (old) key to generate the new CSR? If so, do
you still have the old private key? (Your later reply seems to
indicate that you no longer have the private key). If you don't have
the private key anymore, you will have to generate a new one and go
through the whole process again.

I always make it a point to start over from scratch when obtaining a
new certificate even when I'm not using Java Keystores, which seem to
be unnecessarily finicky.

If you have to do it all over again, move the old keystore out of the
way (e.g. re-name it to keystore.backup-[date]) and create a new
keystore, private key, and CSR. Send the CSR to the CA and then import
the certificate and chain they give back to you. That should be all
you need to do.

-chris

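As an added example (not code from this thread, from Tomcat or from GoDaddy), the following Python script does the two checks that Igor's and Chris's replies suggest doing by hand. It parses the text of `keytool -list -v -keystore <file>`, reports whether any PrivateKeyEntry survived the alias cleanup (if none did, the key that signed the CSR is gone and the issued certificate cannot be served from this keystore), and maps each name in the connector's `ciphers` attribute to the private-key algorithm that suite needs, which is the mismatch behind "No available certificate or key corresponds to the SSL cipher suites which are enabled". The keystore listings, aliases and hostnames are constructed; the `Subject Public Key Algorithm:` line is assumed to be the one newer keytool versions print (older ones omit it, and the script then reports the key algorithm as not shown). The helper names are hypothetical.

```python
"""Diagnose Tomcat's "No available certificate or key corresponds to the SSL
cipher suites which are enabled" failure from `keytool -list -v` output.
Hypothetical helper; constructed sample listings are embedded below."""
import re

# Standard suite names carry the authentication key type between the protocol
# prefix and _WITH_.  Alternation order matters: ECDHE before ECDH, DHE before DH.
_SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>ECDHE|ECDH|DHE|DH|RSA)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS|anon))?_WITH_"
)

# The connector ciphers list quoted in the thread.
IGOR_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDH_RSA_WITH_RC4_128_SHA",
]

# Constructed listing: old aliases deleted, then only the CA root and the new
# domain certificate imported.  No private key is left.
LISTING_NO_KEY = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: godaddyroot
Creation date: Dec 18, 2014
Entry type: trustedCertEntry
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", C=US
Signature algorithm name: SHA256withRSA

Alias name: tomcat
Creation date: Dec 18, 2014
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example
Signature algorithm name: SHA256withRSA
"""

# Constructed listing (newer keytool format): the private key entry is intact
# and now carries the SHA-2 chain.
LISTING_RSA_KEY = """\
Alias name: tomcat
Creation date: Dec 18, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Go Daddy Secure Certificate Authority - G2
Subject Public Key Algorithm: 2048-bit RSA key
"""


def key_type_for_suite(suite):
    """Private key algorithm the server must hold to offer `suite`; None for
    anonymous or unrecognised suites."""
    m = _SUITE_RE.match(suite)
    if not m:
        return None
    kx, auth = m.group("kx"), m.group("auth")
    if kx == "RSA":      # static RSA key exchange: the RSA key decrypts the premaster
        return "RSA"
    if auth == "anon":   # no server certificate involved
        return None
    if kx == "ECDH":     # static ECDH: the certificate itself holds an EC key
        return "EC"
    if kx == "DH":       # static DH: the certificate holds a DH key
        return "DH"
    return {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}.get(auth)


def parse_keytool_listing(text):
    """Turn `keytool -list -v` output into [{alias, entry_type, key_alg}].
    Only "Alias name:" and "Entry type:" are relied on; key_alg comes from the
    leaf certificate's "Subject Public Key Algorithm:" line when present."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(),
                       "entry_type": None, "key_alg": None}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject Public Key Algorithm:") and current["key_alg"] is None:
            m = re.search(r"\b(RSA|EC|DSA)\b", line)
            current["key_alg"] = m.group(1) if m else None
    return entries


def diagnose(listing_text, enabled_suites):
    """Mimic what JSSE needs at connector start: a private key whose algorithm
    at least one enabled suite can use.  Returns a report dict."""
    entries = parse_keytool_listing(listing_text)
    keys = [e for e in entries if e["entry_type"] == "PrivateKeyEntry"]
    report = {"private_key_aliases": [e["alias"] for e in keys],
              "usable_suites": [], "unusable_suites": [], "verdict": ""}
    if not keys:
        report["unusable_suites"] = list(enabled_suites)
        report["verdict"] = ("no PrivateKeyEntry: only trusted certificates remain, "
                             "so no suite can be served; recover the key or start over")
        return report
    algs = sorted({e["key_alg"] for e in keys if e["key_alg"]})
    if not algs:
        report["verdict"] = "private key present; this keytool did not print its algorithm"
        return report
    for s in enabled_suites:
        bucket = "usable_suites" if key_type_for_suite(s) in algs else "unusable_suites"
        report[bucket].append(s)
    if report["usable_suites"]:
        report["verdict"] = "ok: %d of %d enabled suites match the %s key" % (
            len(report["usable_suites"]), len(enabled_suites), "/".join(algs))
    else:
        report["verdict"] = ("key is %s but no enabled suite uses it: fix the "
                             "connector's ciphers list" % "/".join(algs))
    return report


if __name__ == "__main__":
    for name, listing in (("after deleting aliases", LISTING_NO_KEY),
                          ("intact RSA key", LISTING_RSA_KEY)):
        r = diagnose(listing, IGOR_SUITES)
        print("%s: %s" % (name, r["verdict"]))
        print("  usable: %s" % (", ".join(r["usable_suites"]) or "none"))
```

Run `keytool -list -v -keystore <your keystore>` and pass the captured text to `diagnose()` together with the `ciphers` list from server.xml. A report with no PrivateKeyEntry means the private key that signed the CSR is gone, and the recovery is the one Chris describes: move the old keystore aside, create a fresh key pair with `keytool -genkeypair`, produce a CSR with `keytool -certreq`, have the CA issue against that CSR, and import the chain and certificate with `keytool -importcert` into the new keystore. Taking a copy of the keystore before deleting any alias avoids the problem entirely.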