Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
> On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
>> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
>
> That's an x509 certificate for SSL/TLS, using a SHA2-based signature
> algorithm, right?

Yes, it is a SHA-2 algorithm from GoDaddy.

>> Port 8443 is listening, selinux is disabled, and have tried it with
>> 8443 enabled in firewall and with firewall off.
>>
>> After receiving the .crt file from GoDaddy, ran the 4 keytool -import
>> commands:
>> For the alias=root, I used gdroot-g2.crt (from repository)
>> For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
>> For the alias=cross, I used gdroot-g2_cross.crt (from repository)
>> For the alias=tomcat, I used the alphanumeric.crt (from GoDaddy)
>>
>> I see all the entries when I did the keytool -list
>
> Good. Everything above looks good, except that you need to make sure
> that the certificates you imported were all the correct ones... these
> days, CAs tend to have a variety of intermediate certificates for
> various purposes: one for code-signing, one for European certificates
> and another for American ones, an old one with SHA1-based signature,
> new ones with SHA2-based signatures, etc. Verifying the accuracy of
> the certificate chain should be a priority.

Checked the files from repository and checked with support that
gdroot-g2.crt, gdig2.crt, gdroot-g2_cross.crt, and the alphanumeric.crt
are accurate.

>> I made this change in server.xml:
>>
>> <Connector port="8443" maxThreads="200" SSLEnabled="true"
>>            scheme="https" secure="true" clientAuth="false"
>>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>            keystoreFile="path to .keystore file"
>>            keystorePass="keystore password" />
>>
>> I then shutdown tomcat; startup tomcat.
>>
>> When I go to the URL in the browser with the port 8443, I get this:
>>
>> Firefox: Cannot communicate securely with peer: no common encryption
>> algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>>
>> Chrome: A secure connection cannot be established because this site
>> uses an unsupported protocol. Error code:
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>
> What version of Chrome are you using?

Firefox 33.1
Chrome Version 40.0.2214.111 m

I upgraded to Firefox 35 and got this when I put in the 8443 url:
Firefox cannot guarantee the safety of your data on URL because it uses
SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap

> Do you have access to an OpenSSL library? Can you run
>
> openssl -debug -showcerts s_client -connect https://host:8443/
>
> and post the (possibly sanitized) results?

When I ran this:

# openssl s_client -connect my url:8443

(-debug and -showcerts were giving me invalid commands) I received:

CONNECTED(0003)
error14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Thanks,
Nick

> You could also grab and compile the source of this tool from the
> tomcat-dev archives and run it against your server:
>
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> This will tell you what is and is not supported.
>
> -chris
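The probe Chris suggests, carried out as an added example (shell helpers written for this thread, not Tomcat's tool and not code from any of the posts): it runs openssl s_client once per protocol the connector enables, with the options after the subcommand, classifies the captured output the way Nick's paste reads, and checks keytool -list output for a PrivateKeyEntry under the connector's alias, since an alias that holds only a trustedCertEntry leaves Tomcat without a server key and is a common cause of exactly this handshake_failure / no-cipher-overlap symptom. Host, port, alias and the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the diagnosis
# Chris asks for. A connector alias that is only a trustedCertEntry
# (no PrivateKeyEntry) leaves Tomcat without a server key, and that
# produces this "no cipher overlap" / handshake_failure symptom.

# Classify captured `openssl s_client` output ($1).
classify_sclient() {
  if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
    echo handshake-failure   # server aborted before sending any certificate
  elif printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo no-cipher           # connected, but no suite was negotiated
  elif printf '%s\n' "$1" | grep -q 'Cipher is '; then
    echo ok
  else
    echo unknown
  fi
}

# Return 0 when `keytool -list` output ($1) lists alias $2 as a PrivateKeyEntry.
# keytool prints one line per entry: "<alias>, <date>, <entry type>,".
keystore_has_key() {
  printf '%s\n' "$1" | grep -qi "^$2, .*PrivateKeyEntry"
}

# Live probe (needs network and openssl). Options must follow the s_client
# subcommand; "openssl -debug -showcerts s_client" is rejected for that reason.
probe_server() {
  for proto in -tls1 -tls1_1 -tls1_2; do
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "$proto" </dev/null 2>&1)
    echo "$proto: $(classify_sclient "$out")"
  done
}

# Constructed samples: the failing s_client output abridged from the thread,
# and two keytool listings (alias tomcat without and with a private key).
SCLIENT_FAIL='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'
KEYSTORE_BAD='root, Feb 6, 2015, trustedCertEntry,
tomcat, Feb 6, 2015, trustedCertEntry,'
KEYSTORE_GOOD='root, Feb 6, 2015, trustedCertEntry,
tomcat, Feb 6, 2015, PrivateKeyEntry,'

# Usage (hypothetical host): probe_server www.example.test 8443
```

If the probe reports handshake-failure on every protocol while keystore_has_key fails for the connector alias, the certificate was imported into a keystore that never held the matching key pair, which is what re-keying resolves.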
Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
We just ended up re-keying this cert through GoDaddy with the same
repository files and the new domain file and it worked as it should have.
Thanks for all the replies.

---BeginMessage---
On Mon, Feb 9, 2015 at 10:13 AM, Christopher Schultz
ch...@christopherschultz.net wrote:
> Sean,
>
> On 2/9/15 9:46 AM, Sean Dawson wrote:
>> We've had customers who have had issues with Java and GoDaddy certs.
>>
>> http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
>> http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/
>
> Did you read the OP? He's already installed the GoDaddy cross-signed
> certificate. It's also not a Java client problem, since the client in
> this case is Google Chrome.

Oh ok sorry - I read it last week and forgot that it wasn't the same
issue. Just wanted to help out anyone else that might have run into the
GoDaddy/Java issue.

> -chris
>
>> On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz
>> ch...@christopherschultz.net wrote:
>>> Nick,
>>>
>>> (The formatting was awful on the message and made it difficult to
>>> read. I've adjusted it to make it readable and reply-able).
>>>
>>> On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
>>>> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
>>>
>>> That's an x509 certificate for SSL/TLS, using a SHA2-based signature
>>> algorithm, right?
>>>
>>>> Port 8443 is listening, selinux is disabled, and have tried it with
>>>> 8443 enabled in firewall and with firewall off.
>>>>
>>>> After receiving the .crt file from GoDaddy, ran the 4 keytool -import
>>>> commands:
>>>> For the alias=root, I used gdroot-g2.crt (from repository)
>>>> For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
>>>> For the alias=cross, I used gdroot-g2_cross.crt (from repository)
>>>> For the alias=tomcat, I used the alphanumeric.crt (from GoDaddy)
>>>>
>>>> I see all the entries when I did the keytool -list
>>>
>>> Good. Everything above looks good, except that you need to make sure
>>> that the certificates you imported were all the correct ones... these
>>> days, CAs tend to have a variety of intermediate certificates for
>>> various purposes: one for code-signing, one for European certificates
>>> and another for American ones, an old one with SHA1-based signature,
>>> new ones with SHA2-based signatures, etc. Verifying the accuracy of
>>> the certificate chain should be a priority.
>>>
>>>> I made this change in server.xml:
>>>>
>>>> <Connector port="8443" maxThreads="200" SSLEnabled="true"
>>>>            scheme="https" secure="true" clientAuth="false"
>>>>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>>>            keystoreFile="path to .keystore file"
>>>>            keystorePass="keystore password" />
>>>>
>>>> I then shutdown tomcat; startup tomcat.
>>>>
>>>> When I go to the URL in the browser with the port 8443, I get this:
>>>>
>>>> Firefox: Cannot communicate securely with peer: no common encryption
>>>> algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>>>>
>>>> Chrome: A secure connection cannot be established because this site
>>>> uses an unsupported protocol. Error code:
>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>
>>> What version of Chrome are you using?
>>>
>>> Do you have access to an OpenSSL library? Can you run
>>>
>>> openssl -debug -showcerts s_client -connect https://host:8443/
>>>
>>> and post the (possibly sanitized) results?
>>>
>>> You could also grab and compile the source of this tool from the
>>> tomcat-dev archives and run it against your server:
>>>
>>> http://markmail.org/thread/tz4z44nfjl7sy2lj
>>>
>>> This will tell you what is and is not supported.
>>>
>>> -chris
Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
Good afternoon,

I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
Port 8443 is listening, selinux is disabled, and have tried it with 8443
enabled in firewall and with firewall off.

After receiving the .crt file from GoDaddy, ran the 4 keytool -import
commands:
For the alias=root, I used gdroot-g2.crt (from repository)
For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
For the alias=cross, I used gdroot-g2_cross.crt (from repository)
For the alias=tomcat, I used the alphanumeric.crt (from GoDaddy)

I see all the entries when I did the keytool -list

I made this change in server.xml:

<Connector port="8443" maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="path to .keystore file"
           keystorePass="keystore password" />

I then
shutdown tomcat
startup tomcat

When I go to the URL in the browser with the port 8443, I get this:

Firefox: Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome: A secure connection cannot be established because this site uses
an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Thank you