Re: Replaced a self-signed key with a GoDaddy key
Mark, It turns out that the root certificate was a combination of g1 and g2, and that this causes a problem for keytool. I downloaded the single root certificate gdroot-g2.crt and used it to replace the root certificate. That fixed the problems. Jeff Sent from Windows Mail From: Mark Thomas Sent: Friday, August 7, 2015 1:40 PM To: Tomcat Users List On 7 August 2015 19:01:34 BST, jeffery.scott.cr...@gmail.com wrote: >I’ve been using Tomcat for about fours years. I’ve developed websites >and services that used certificates based upon SHA1. Today I purchased >a new certificate from GoDaddy based upon using “-sigalg >SHA256withRSA”. > > >So for this new service I executed the following commands in the >directory of the keystore: > > >keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg >SHA256withRSA -keystore tomcat.keystore >keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore >tomcat.keystore > > >sent the csr.txt to GoDadday and received the certificate files. > > >keytool -delete -alias tomcat -keystore tomcat.keystore You deleted the key at this point. There should be no need to do this. Mark > >keytool -import -alias root -keystore tomcat.keystore -trustcacerts >-file gd_bundle-g2-g1.crt >keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts >-file gdig2.crt >keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts >-file xx.crt > > >If I copy over the new tomcat.keystore with a backup of the original >everything works. > > >My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in >server.xml; the following is for the one with the GoDaddy certificate. >I’m doing them one-at-time. > > > >/> >SSLEngine="on" /> >className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" >/> >className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" >/> > > > > >connectionTimeout="2" redirectPort="8443" /> >SSLEnabled="true" maxThreads="150" scheme="https" secure="true" >keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore" >keystorePass="xxx" clientAuth="false" sslProtocol="TLS" >/> > >unpackWARs="true" autoDeploy="true" > >www..com >directory="logs" prefix=".com" suffix=".log" pattern="common" >/> > > > > > > > >…. > > > > > > > > >Each service is on a different IP address and I’ve been redirecting 80 >to 8080 and 443 to 8443. This has been working fine until I replaced >the key. > > >This is from the catalina.out file: > > >07-Aug-2015 12:43:02.493 SEVERE [main] >org.apache.coyote.AbstractProtocol.init Failed to initialize end point >associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"] > java.io.IOException: Alias name tomcat does not identify a key entry >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599) >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537) > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358) >at >org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737) > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457) >at >org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120) >at >org.apache.catalina.connector.Connector.initInternal(Connector.java:960) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at org.apache.catalina.startup.Catalina.load(Catalina.java:576) >at org.apache.catalina.startup.Catalina.load(Catalina.java:599) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484) > > > >07-Aug-2015 12:43:02.496 SEVERE [main] >org.apache.catalina.core.StandardService.initInternal Failed to >initialize connector [Connector[HTTP/1.1-8443]] >org.apache.catalina.LifecycleException: Failed to initialize component >[Connector[HTTP/1.1-8443]] > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalin
Re: Configuring E-Mail Session via JNDI
> I use NetBeans with Maven, and in that context I would declare the > mail dependency to be provided. I don't know how to do > that in a native NetBeans project, but what you'd need to do is to > tell NetBeans that javax.mail is required to compile but must not be > included in the output WAR. I found this option; it's under "File", "Project Properties", "Libraries", and then you un-check the "Package" column for the JavaMail library. Thanks for the pointer! -- Tim Gustafson t...@tgustafson.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Replaced a self-signed key with a GoDaddy key
>>keytool -delete -alias tomcat -keystore tomcat.keystore >> >You deleted the key at this point. There should be no need to do this. > >Mark Mark, I rekeyed my certificate from a newly created tomcat.keystore and imported in the root and immediate certificates, then I got this when I imported my certificate: keytool error: java.lang.Exception: Failed to establish chain from reply Jeff Sent from Windows Mail From: Mark Thomas Sent: Friday, August 7, 2015 1:40 PM To: Tomcat Users List On 7 August 2015 19:01:34 BST, jeffery.scott.cr...@gmail.com wrote: >I’ve been using Tomcat for about fours years. I’ve developed websites >and services that used certificates based upon SHA1. Today I purchased >a new certificate from GoDaddy based upon using “-sigalg >SHA256withRSA”. > > >So for this new service I executed the following commands in the >directory of the keystore: > > >keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg >SHA256withRSA -keystore tomcat.keystore >keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore >tomcat.keystore > > >sent the csr.txt to GoDadday and received the certificate files. > > >keytool -delete -alias tomcat -keystore tomcat.keystore You deleted the key at this point. There should be no need to do this. Mark > >keytool -import -alias root -keystore tomcat.keystore -trustcacerts >-file gd_bundle-g2-g1.crt >keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts >-file gdig2.crt >keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts >-file xx.crt > > >If I copy over the new tomcat.keystore with a backup of the original >everything works. > > >My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in >server.xml; the following is for the one with the GoDaddy certificate. >I’m doing them one-at-time. > > > >/> >SSLEngine="on" /> >className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" >/> >className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" >/> > > > > >connectionTimeout="2" redirectPort="8443" /> >SSLEnabled="true" maxThreads="150" scheme="https" secure="true" >keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore" >keystorePass="xxx" clientAuth="false" sslProtocol="TLS" >/> > >unpackWARs="true" autoDeploy="true" > >www..com >directory="logs" prefix=".com" suffix=".log" pattern="common" >/> > > > > > > > >…. > > > > > > > > >Each service is on a different IP address and I’ve been redirecting 80 >to 8080 and 443 to 8443. This has been working fine until I replaced >the key. > > >This is from the catalina.out file: > > >07-Aug-2015 12:43:02.493 SEVERE [main] >org.apache.coyote.AbstractProtocol.init Failed to initialize end point >associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"] > java.io.IOException: Alias name tomcat does not identify a key entry >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599) >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537) > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358) >at >org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737) > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457) >at >org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120) >at >org.apache.catalina.connector.Connector.initInternal(Connector.java:960) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at org.apache.catalina.startup.Catalina.load(Catalina.java:576) >at org.apache.catalina.startup.Catalina.load(Catalina.java:599) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484) > > > >07-Aug-2015 12:43:02.496 SEVERE [main] >org.apache.catalina.core.StandardService.initInternal Failed to >initialize connector [Connector[HTTP/1.1-8443]] >org.apache.catalina.LifecycleException: Failed to initialize component >[Connector[HTTP/1.1-8443]] > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) >at >org.apache.catalina.core.StandardServ
Re: Replaced a self-signed key with a GoDaddy key
On 7 August 2015 19:01:34 BST, jeffery.scott.cr...@gmail.com wrote: >I’ve been using Tomcat for about fours years. I’ve developed websites >and services that used certificates based upon SHA1. Today I purchased >a new certificate from GoDaddy based upon using “-sigalg >SHA256withRSA”. > > >So for this new service I executed the following commands in the >directory of the keystore: > > >keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg >SHA256withRSA -keystore tomcat.keystore >keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore >tomcat.keystore > > >sent the csr.txt to GoDadday and received the certificate files. > > >keytool -delete -alias tomcat -keystore tomcat.keystore You deleted the key at this point. There should be no need to do this. Mark > >keytool -import -alias root -keystore tomcat.keystore -trustcacerts >-file gd_bundle-g2-g1.crt >keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts >-file gdig2.crt >keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts >-file xx.crt > > >If I copy over the new tomcat.keystore with a backup of the original >everything works. > > >My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in >server.xml; the following is for the one with the GoDaddy certificate. >I’m doing them one-at-time. > > > >/> >SSLEngine="on" /> >className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" >/> >className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" >/> > > > > >connectionTimeout="2" redirectPort="8443" /> >SSLEnabled="true" maxThreads="150" scheme="https" secure="true" >keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore" >keystorePass="xxx" clientAuth="false" sslProtocol="TLS" >/> > >unpackWARs="true" autoDeploy="true" > >www..com >directory="logs" prefix=".com" suffix=".log" pattern="common" >/> > > > > > > > >…. > > > > > > > > >Each service is on a different IP address and I’ve been redirecting 80 >to 8080 and 443 to 8443. This has been working fine until I replaced >the key. > > >This is from the catalina.out file: > > >07-Aug-2015 12:43:02.493 SEVERE [main] >org.apache.coyote.AbstractProtocol.init Failed to initialize end point >associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"] > java.io.IOException: Alias name tomcat does not identify a key entry >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599) >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537) > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358) >at >org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737) > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457) >at >org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120) >at >org.apache.catalina.connector.Connector.initInternal(Connector.java:960) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at org.apache.catalina.startup.Catalina.load(Catalina.java:576) >at org.apache.catalina.startup.Catalina.load(Catalina.java:599) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484) > > > >07-Aug-2015 12:43:02.496 SEVERE [main] >org.apache.catalina.core.StandardService.initInternal Failed to >initialize connector [Connector[HTTP/1.1-8443]] >org.apache.catalina.LifecycleException: Failed to initialize component >[Connector[HTTP/1.1-8443]] > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at org.apache.catalina.startup.Catalina.load(Catalina.java:576) >at org.apache.catalina.startup.Catalina.load(Catalina.java:599) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > >Then I used keytool to verif
Replaced a self-signed key with a GoDaddy key
I’ve been using Tomcat for about fours years. I’ve developed websites and services that used certificates based upon SHA1. Today I purchased a new certificate from GoDaddy based upon using “-sigalg SHA256withRSA”. So for this new service I executed the following commands in the directory of the keystore: keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat.keystore keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore tomcat.keystore sent the csr.txt to GoDadday and received the certificate files. keytool -delete -alias tomcat -keystore tomcat.keystore keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file xx.crt If I copy over the new tomcat.keystore with a backup of the original everything works. My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in server.xml; the following is for the one with the GoDaddy certificate. I’m doing them one-at-time. www..com …. Each service is on a different IP address and I’ve been redirecting 80 to 8080 and 443 to 8443. This has been working fine until I replaced the key. This is from the catalina.out file: 07-Aug-2015 12:43:02.493 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"] java.io.IOException: Alias name tomcat does not identify a key entry at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537) at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120) at org.apache.catalina.connector.Connector.initInternal(Connector.java:960) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:576) at org.apache.catalina.startup.Catalina.load(Catalina.java:599) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484) 07-Aug-2015 12:43:02.496 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]] org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:576) at org.apache.catalina.startup.Catalina.load(Catalina.java:599) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Then I used keytool to verify that the alias is in the tomcat.keystore. The following is a list from the keystore: #keytool -list -v -keystore tomcat.keystore -alias tomcat Enter keystore password: Alias name: tomcat Creation date: Aug 7, 2015 Entry type: trustedCertEntry Owner: CN=.com, OU=Domain Control Validated Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US Serial number: xx Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT 2016 Certificate fingerprints: MD5: A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59 SHA1: 26:32:29:
Firefox SSL with APR - losing client certificate
Hi!
I use tomcat 6.0.44 wit APR on Windows x64.
I set up SSLVerifyClient="optional" and since then encounter the following
problem with Firefox 39.0.03 (IE works OK):
On first access Firefox shows the client certificate selection dialog. I select
a certificate and continue. The web application "sees" the selected certificate
and show a proper response page.
But on next access (I click a link) the client certificate is not visible to
the application any more. It gets null from the method call
HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
Goggole found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869 (similar)
And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users] Client
certificate gone after 1 minute timeout (SSL, APR)"
(even more similar, except for me it fails on next access without a minute of
waiting)
As suggested in the second link, clearing cache and authentication in the
browser is a workaround that works. Kind of as one has to select the
certificate again and do it before every click on a link.
Strange, just now it worked fine for a few minutes.
Is this some known issue?
Without APR, using JSSE, it works fine (and did so for years).
This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
Firefox version 39.0, today updated to 39.0.3
The Connector line from server.xml:
Regards,
David Balažic
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 8 jspx and HTML5
I want to use a jspx to generate some HTML5 but I'm running into a strange problem. I've produced a very small test to demonstrate the problem. In the jspx pasted below if I remove the comment in the tag (in the head) then the page won't render properly in chrome browser. When I have a non-empty