Posted to users@tomcat.apache.org by James Lampert <ja...@touchtonecorp.com> on 2012/01/18 18:37:51 UTC

Problem bringing up SSL with a CA certificate

So far, I've had complete success using self-signed certificates, both 
here and on the customer box, once I found out that the CN needs to 
match the domain name.

But now, we're trying to get the customer box up on a CA-signed 
certificate, and Tomcat doesn't like it. (Given that we haven't done it 
on our own box, it's kind of a case of the blind leading the blind.) We 
had our contact with the customer follow the procedure given on

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

and I put the resulting keystore into service, started Tomcat, and got 
this in logs/catalina.out:

> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]          
> Throwable occurred: java.io.IOException: Alias name tomcat does not identify a key entry         
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567) 
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505) 
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)           
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)   
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)                            
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)                  
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)                           
> at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)                     
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                          
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)              
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                             
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)                                   
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                             
> at org.apache.catalina.startup.Catalina.load(Catalina.java:573)                                                    
> at org.apache.catalina.startup.Catalina.load(Catalina.java:598)                                                    
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                                                     
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)                                   
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)                           
> at java.lang.reflect.Method.invoke(Method.java:611)                                                                
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)                                                  
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)                                                  
> Jan 18, 2012 12:15:16 PM org.apache.catalina.core.StandardService initInternal                                      
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]                                                    
> Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)                                             
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)                                 
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                                             
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)                                   
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                         
> at org.apache.catalina.startup.Catalina.load(Catalina.java:573)                                
> at org.apache.catalina.startup.Catalina.load(Catalina.java:598)                                
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                                 
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)               
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)       
> at java.lang.reflect.Method.invoke(Method.java:611)                                            
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)                              
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)                              
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed       
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)                    
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)                         
> ... 12 more                                                                                    
> Caused by: java.io.IOException: Alias name tomcat does not identify a key entry                 
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)          
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)  
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)                            
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)                  
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)                           
> at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)                     
> ... 13 more                                                                                     

If I list the keystore, I get:
> Keystore type: jks                                                             
> Keystore provider: IBMJCE                                                      
>                                                                                
> Your keystore contains 2 entries                                               
>                                                                                
> root, Jan 18, 2012, trustedCertEntry,                                          
> Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A 
> tomcat, Jan 18, 2012, trustedCertEntry,                                        
> Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38 

The above failure was with

>   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"             
>              keystoreFile="/wintouch/tomcat/cptomcat.ks" keyAlias="tomcat"
>              maxThreads="150" scheme="https" secure="true"                
>              clientAuth="false" sslProtocol="TLS" />                      

in server.xml; it also failed without the keyAlias parameter. It does 
work properly with

>   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"             
>              keystoreFile="/wintouch/tomcat/cptomcat.ks"
>              maxThreads="150" scheme="https" secure="true"                
>              clientAuth="false" sslProtocol="TLS" />                      

and the self-signed certificate as the first (or only) entry in cptomcat.ks.

Anybody know what could be going wrong here?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Problem bringing up SSL with a CA certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 1/23/12 6:19 PM, James Lampert wrote:
> Christopher Schultz wrote:
>> Did you also put your server's key into the keystore?
> 
> It seems that when the customer rep jumped the gun and submitted a
> CSR to Thawte before we even had Tomcat running on a self-signed 
> certificate, he did so using IBM DCM, whose keystores are
> incompatible with Keytool, and presumably also with Tomcat.
> 
> Fortunately, there are still a few days left to get a revocation and 
> refund, and start from scratch the right way.

For the same domain name, the CA might just allow you to submit a new
CSR and not have to go through the whole transaction again.

> Don't you just love it when end-users jump the gun, and pay good
> money to a third party for things before you have the specs to give
> them?

I dunno about "good" money... CAs are a total racket.

-chris



Re: Problem bringing up SSL with a CA certificate

Posted by James Lampert <ja...@touchtonecorp.com>.
Christopher Schultz wrote:
> Did you also put your server's key into the keystore?

It seems that when the customer rep jumped the gun and submitted a CSR 
to Thawte before we even had Tomcat running on a self-signed 
certificate, he did so using IBM DCM, whose keystores are incompatible 
with Keytool, and presumably also with Tomcat.

Fortunately, there are still a few days left to get a revocation and 
refund, and start from scratch the right way.

Don't you just love it when end-users jump the gun, and pay good money 
to a third party for things before you have the specs to give them?

--
JHHL



Re: Problem bringing up SSL with a CA certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 1/18/12 12:37 PM, James Lampert wrote:
> So far, I've had complete success using self-signed certificates,
> both here and on the customer box, once I found out that the CN
> needs to match the domain name.

;)

> But now, we're trying to get the customer box up on a CA-signed 
> certificate, and Tomcat doesn't like it. (Given that we haven't
> done it on our own box, it's kind of a case of the blind leading
> the blind.) We had our contact with the customer follow the
> procedure given on
> 
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate
> 
> and I put the resulting keystore into service, started Tomcat, and
> got this in logs/catalina.out:
> 
>> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
>> Throwable occurred: java.io.IOException: Alias name tomcat does not identify a key entry
>> at

Did you also put your server's key into the keystore?

> If I list the keystore, I get:
>> Keystore type: jks
>> Keystore provider: IBMJCE
>> 
>> Your keystore contains 2 entries
>> 
>> root, Jan 18, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
>> tomcat, Jan 18, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38

It looks like you only have certificates. Did you forget to import the
key into the keystore?

-chris

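The failure in the opening post and Chris's diagnosis ("you only have certificates") come down to one check Tomcat 7's JSSESocketFactory performs at startup: the alias named by keyAlias must be a key entry, not a trustedCertEntry. The following pre-flight checker is an added example written for this thread; it is not code from Tomcat or from either poster. It parses the non-verbose `keytool -list` output format shown above plus the `<Connector>` element from server.xml and reports whether that check would fire before Tomcat is restarted. The two keystore listings and the connector snippet are constructed to mirror the thread (fingerprints in the "fixed" listing are placeholders), and the rule applied when keyAlias is absent (at least one key entry must exist) is this checker's own assumption, not something the thread states.

```python
"""Pre-flight check: will a Tomcat JSSE connector find its server key?

Added example for the thread above, not Tomcat's own code. It mimics the
'Alias name <alias> does not identify a key entry' check by inspecting
`keytool -list` output instead of opening the keystore itself.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the listing posted in the thread. Both entries are
# trusted certificates; no private key is present under any alias.
BROKEN_LISTING = """\
Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

root, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
tomcat, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
"""

# Constructed sample: what the listing looks like once the key pair was
# generated with keytool under alias "tomcat" and the CA reply imported on
# top of it. Fingerprints are placeholders, not real values.
FIXED_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): (placeholder)
tomcat, Jan 18, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): (placeholder)
"""

# The connector from the thread that produced the failure.
CONNECTOR_XML = """<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreFile="/wintouch/tomcat/cptomcat.ks" keyAlias="tomcat"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />"""

# "alias, <date with its own comma>, <entryType>," -- the date field
# contains a comma, so anchor on the first and last fields only.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<rest>.*),\s*(?P<type>[A-Za-z]+),\s*$")

# Labels keytool has used for entries that carry a private key. Tomcat's
# KeyStore.isKeyEntry() also returns true for SecretKeyEntry.
KEY_ENTRY_TYPES = {"PrivateKeyEntry", "keyEntry", "SecretKeyEntry"}


def parse_keytool_list(text):
    """Return {alias: entry_type} parsed from non-verbose `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def connector_ssl_settings(xml_text):
    """Return (keystoreFile, keyAlias) from a <Connector> element; keyAlias may be None."""
    el = ET.fromstring(xml_text)
    return el.get("keystoreFile"), el.get("keyAlias")


def diagnose(listing, connector_xml):
    """Return (ok, message) for the connector against the keystore listing.

    With keyAlias set, the alias must be a key entry, which is the check that
    raised the IOException in the thread. Without keyAlias, this checker
    assumes (its own rule) that at least one key entry must exist.
    """
    entries = parse_keytool_list(listing)
    _, alias = connector_ssl_settings(connector_xml)
    key_entries = sorted(a for a, t in entries.items() if t in KEY_ENTRY_TYPES)
    if alias is not None:
        if alias not in entries:
            return False, f"alias {alias!r} is not present in the keystore"
        if entries[alias] not in KEY_ENTRY_TYPES:
            return False, (f"Alias name {alias} does not identify a key entry "
                           f"(it is a {entries[alias]}); the private key must be "
                           f"generated under this alias and the CA reply imported on top of it")
        return True, f"alias {alias!r} is a {entries[alias]}"
    if not key_entries:
        return False, "keystore holds only trusted certificates; no server private key"
    return True, f"no keyAlias set; key entries available: {key_entries}"


if __name__ == "__main__":
    for name, listing in (("thread keystore", BROKEN_LISTING), ("repaired keystore", FIXED_LISTING)):
        ok, msg = diagnose(listing, CONNECTOR_XML)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it on the output of `keytool -list -keystore <file>` before restarting Tomcat. The reason the thread's keystore ended up with two trustedCertEntry rows is worth spelling out: keytool only attaches a CA reply to an existing private key when the import uses the alias that owns that key; if no key entry exists under that alias (here, because the CSR was generated in IBM DCM rather than from this keystore), the signed certificate is stored as a stand-alone trusted certificate, which is exactly what the listing shows and exactly what JSSESocketFactory rejects.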