Granny's Programming Pearls
"inside of every large program is a small program struggling to get out"
JavaRanch.com/granny.jsp
The moose likes Tomcat and the fly likes another guy who can't get SSL working within Tomcat Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of The Mikado Method this week in the Agile and other Processes forum!
JavaRanch » Java Forums » Products » Tomcat
Reply Bookmark "another guy who can Watch "another guy who can New topic
Author

another guy who can't get SSL working within Tomcat

Seth Dustin
Greenhorn

Joined: Sep 15, 2010
Posts: 5
posted private message
0
Quote
I searched the forum and found several postings describing similar issues to the one I'm experiencing. I would normally post within those threads, but I've tried the solutions that solved those other people's issues, so I'm thinking the root problem here may be different.

I've got three physically separate tomcat servers that I need to use a godaddy wildcard (*.ourdomain.com) SSL cert on. We've got it working on one server (someone else configured it), and I've been unable to get the other two to start-up and use the keystore.

I have tried copying the working keystore file from the working server. That doesn't work.

Below are example set-up steps and errors that result. I've spent two full days trying to get this to work through every imaginable approach, so I'm not going to paste in every attempt.

Following steps in this poorly-written article.

D:\jrepath\jre6\bin>keytool -import -alias root -keystore tomcat_3.keystor
e.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\valicert_class2_root.crt

Enter keystore password:
Re-enter new password:
Certificate already exists in system-wide CA keystore under alias <valicertclass
2ca>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias cross -keystore tomcat_3.keysto
re.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\gd_cross_intermediate.c
rt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias intermed -keystore tomcat_3.key
store.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\gd_intermediate.crt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>keytool -import -alias tomcat -keystore tomcat_3.keyst
ore.jks -trustcacerts -file D:\tomcat_path\Tomcat6\keys\ourdomain.com.c
rt
Enter keystore password:
Certificate was added to keystore

D:\jrepath\jre6\bin>


So then I move the tomcat_3.keystore.jks file to the D:\tomcat_path\Tomcat6\keys\ directory.

I edit the server.xml file for Tomcat to include the following container:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/tomcat_path/Tomcat6/keys/tomcat_3.keystore.jks"
keystorePass="changeit" />


Upon starting Tomcat, I find this error in the catalina log file:
Sep 15, 2010 12:19:57 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1087)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:307)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
... 15 more


This issue is really blowing my mind. I have no idea what is wrong with my installation of this SSL certificate. Any advice would be greatly appreciated.

austin_seth

Misha Ver
Ranch Hand

Joined: Mar 03, 2008
Posts: 470
posted private message
0
Quote
Seth Dustin wrote:
I edit the server.xml file for Tomcat to include the following container:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/tomcat_path/Tomcat6/keys/tomcat_3.keystore.jks"
keystorePass="changeit" />



If you are using Windows, then use the "\" (backslash) "D:\tomcat_path\Tomcat6\keys\tomcat_3.keystore.jks"
Seth Dustin
Greenhorn

Joined: Sep 15, 2010
Posts: 5
posted private message
0
Quote
Misha,

Thank you for catching that. I checked the server.xml file where we are getting the certificate working, and sure enough, the path is delimited with the '\' slashes. I changed those in the server.xml file for the tomcat with broken SSL and it didn't fix the problem.

I also tried copying the working keystore file from the machine with successful SSL and pointing the server.xml at that file. No luck. Should we be able to do that? Should we be able to copy the keystore across multiple tomcat servers? Or do we have to combine the certs on each machine?

Here's the error in catalina log file after fixing the delimiters in server.xml and starting tomcat with the keystore copied over from the working server:


Sep 15, 2010 5:44:19 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1087)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)




Appreciatively,

austin_Seth
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: another guy who can't get SSL working within Tomcat
 
Similar Threads
[Update - Success] Adding SSL certificate to Server.xml
Https post
Tomcat SSL configuration issue - java.io.IOException: jsse.invalid_ssl_conf
Ora 10gAS: java.io.IOException: Keystore was tampered with, or password was incorrect
Enabling SSL in netbeans