another guy who can't get SSL working within Tomcat

Seth Dustin
Greenhorn

Joined: Sep 15, 2010
Posts: 7
I searched the forum and found several postings describing similar issues to the one I'm experiencing. I would normally post within those threads, but I've tried the solutions that solved those other people's issues, so I'm thinking the root problem here may be different.

I've got three physically separate tomcat servers that I need to use a godaddy wildcard (*.ourdomain.com) SSL cert on. We've got it working on one server (someone else configured it), and I've been unable to get the other two to start-up and use the keystore.

I have tried copying the working keystore file from the working server. That doesn't work.

Below are example set-up steps and errors that result. I've spent two full days trying to get this to work through every imaginable approach, so I'm not going to paste in every attempt.

Following steps in this poorly-written article.

D:\jrepath\jre6\bin>keytool -import -alias root -keystore tomcat_3.keystore.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\valicert_class2_root.crt

Enter keystore password:
Re-enter new password:
Certificate already exists in system-wide CA keystore under alias <valicertclass2ca>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias cross -keystore tomcat_3.keystore.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\gd_cross_intermediate.crt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias intermed -keystore tomcat_3.keystore.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias tomcat -keystore tomcat_3.keystore.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\ourdomain.com.crt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>


So then I move the tomcat_3.keystore.jks file to the D:\tomcat_path\Tomcat6\keys\ directory.

I edit the server.xml file for Tomcat to include the following container:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:/tomcat_path/Tomcat6/keys/tomcat_3.keystore.jks"
           keystorePass="changeit" />


Upon starting Tomcat, I find this error in the catalina log file:
Sep 15, 2010 12:19:57 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1087)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:307)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
... 15 more


This issue is really blowing my mind. I have no idea what is wrong with my installation of this SSL certificate. Any advice would be greatly appreciated.

austin_seth
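A note on the transcript above, with an added check (this is editor-supplied example code, not code from the thread or from Tomcat). The very first keytool -import asked to "Re-enter new password", which is what keytool does when it has to create the keystore file from scratch, and every subsequent step reported "Certificate was added to keystore", which is keytool's wording for a trusted-certificate import; a signed certificate installed onto an existing key pair under the same alias prints "Certificate reply was installed in keystore" instead. A keystore assembled this way contains four trustedCertEntry items and no private key at all, which is exactly what the nested SSLException ("No available certificate or key corresponds to the SSL cipher suites which are enabled") is saying: JSSE found nothing it could use as the server's identity. The script below parses the summary lines of `keytool -list` output and reports whether a key entry exists under the alias the connector will use. Both listings are constructed to mirror the two situations (the post's certs-only keystore and a correctly built one); the fingerprints, the alias name "tomcat" (Tomcat's default keyAlias) and the status strings are my own.

```python
"""Check a JKS keystore listing for the entry Tomcat's JSSE connector needs.

`keytool -list -keystore <file>` prints one summary line per entry:
    <alias>, <date>, <entryType>,
followed by a fingerprint line. Tomcat can only serve TLS from a
PrivateKeyEntry (pre-JDK-6 keytool prints it as keyEntry). A certificate
imported into an alias that holds no key pair becomes a trustedCertEntry,
which is fine for a CA chain but useless as a server identity.
"""
import re

# Constructed sample 1: what the keytool sequence in the post produces. The
# first -import created the keystore (hence "Re-enter new password"), so
# every alias, "tomcat" included, is a trusted certificate, not a key.
LISTING_CERTS_ONLY = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

root, Sep 15, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF
cross, Sep 15, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:01
intermed, Sep 15, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:02
tomcat, Sep 15, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:03
"""

# Constructed sample 2: a keystore where the key pair was generated first
# (keytool -genkey -alias tomcat) and the CA-signed certificate was then
# imported into that same alias as a certificate reply.
LISTING_WITH_KEY = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Sep 15, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF
tomcat, Sep 15, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:03
"""

# "alias, Mon DD, YYYY, entryType," -- the date itself contains a comma, so
# the alias is everything before the first comma and the type is the last
# comma-delimited word.
ENTRY_LINE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<type>\w+),\s*$")
KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}  # JDK 6+ and older spellings


def parse_keytool_list(text):
    """Return [(alias, entry_type), ...] from `keytool -list` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_LINE.match(line.strip())
        if m:
            entries.append((m.group("alias").strip(), m.group("type")))
    return entries


def diagnose(listing, key_alias="tomcat"):
    """Explain whether a connector using key_alias can start from this keystore.

    Returns one of (status strings are this script's own):
      "no-private-key" - only trusted certs; JSSE fails with "No available
                         certificate or key corresponds to the SSL cipher
                         suites which are enabled"
      "alias-mismatch" - a key entry exists, but not under key_alias
      "ok"             - a key entry exists under key_alias
    JKS aliases are case-insensitive, so compare them lower-cased.
    """
    entries = parse_keytool_list(listing)
    key_aliases = [alias.lower() for alias, kind in entries if kind in KEY_TYPES]
    if not key_aliases:
        return "no-private-key"
    if key_alias.lower() in key_aliases:
        return "ok"
    return "alias-mismatch"


if __name__ == "__main__":
    for name, listing in (("certs-only", LISTING_CERTS_ONLY), ("with-key", LISTING_WITH_KEY)):
        print(f"{name}: {diagnose(listing)}")
```

Run `keytool -list -keystore tomcat_3.keystore.jks` on the broken server and feed the output to diagnose(). A "no-private-key" result means the keystore has to be rebuilt in the right order: generate the key pair first (`keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat_3.keystore.jks`), produce the CSR with `-certreq`, have the CA sign it, import the root and intermediate certificates under their own aliases, and finally import the signed certificate with `-import -alias tomcat` into the alias that already holds the key; keytool confirms that last step with "Certificate reply was installed in keystore". Two caveats for the follow-up discussion in this thread: copying a keystore between servers does work, provided it contains the key entry and keystorePass matches the copied file's password, and Java's file handling accepts forward slashes on Windows, so the path separator in keystoreFile is not by itself a cause of this error.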

Misha Ver
Ranch Hand

Joined: Mar 03, 2008
Posts: 470
Seth Dustin wrote:
I edit the server.xml file for Tomcat to include the following container:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:/tomcat_path/Tomcat6/keys/tomcat_3.keystore.jks"
           keystorePass="changeit" />



If you are using Windows, then use the "\" (backslash) "D:\tomcat_path\Tomcat6\keys\tomcat_3.keystore.jks"
Seth Dustin
Greenhorn

Joined: Sep 15, 2010
Posts: 7
Misha,

Thank you for catching that. I checked the server.xml file where we are getting the certificate working, and sure enough, the path is delimited with the '\' slashes. I changed those in the server.xml file for the tomcat with broken SSL and it didn't fix the problem.

I also tried copying the working keystore file from the machine with successful SSL and pointing the server.xml at that file. No luck. Should we be able to do that? Should we be able to copy the keystore across multiple tomcat servers? Or do we have to combine the certs on each machine?

Here's the error in catalina log file after fixing the delimiters in server.xml and starting tomcat with the keystore copied over from the working server:


Sep 15, 2010 5:44:19 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1087)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)




Appreciatively,

austin_Seth