Re: GoDaddy SSL cert update from SHA1 to SHA2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Bruce, On 12/18/14 5:28 PM, Bruce Kostival wrote: > Tomcat 6.0.x Windows Server 2008 Running Java 7 Home grown app > written in STS > > Running HTTPS with SHA1 cert Obtained SHA2 cert from GoDaddy by > sending CSR generated from original keystore. Removed existing > aliases from original keystore and loaded new root and domain cert > to keystore. Trying to run up the new cert gives me this error: > > SEVERE: Error starting endpoint java.io.IOException: > jsse.invalid_ssl_conf at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846) > > at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522) > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156) > > at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538) > at > org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565) > at > org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207) > > at org.apache.catalina.connector.Connector.start(Connector.java:1196) > at > org.apache.catalina.core.StandardService.start(StandardService.java:540) > > at org.apache.catalina.core.StandardServer.start(StandardServer.java:754) > at org.apache.catalina.startup.Catalina.start(Catalina.java:595) at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at > sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at > sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at > java.lang.reflect.Method.invoke(Unknown Source) at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.net.ssl.SSLException: No available certificate or > key corresponds to the SSL cipher suites which are enabled. > > I feel like I'm missing something basic in the keystore. Any > ideas? The you use the original (old) key to generate the new CSR? If so, do you still have the old private key? (Your later reply seems to indicate that you no longer have the private key). If you don't have the private key anymore, you will have to generate a new one and go through the whole process again. I always make it a point to start over from scratch when obtaining a new certificate even when I'm not using Java Keystores, which seem to be unnecessarily finicky. If you have to do it all over again, move the old keystore out of the way (e.g. re-name it to keystore.backup-[date]) and create a new keystore, private key, and CSR. Send the CSR to the CA and then import the certificate and chain they give back to you. That should be all you need to do. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUlEyHAAoJEBzwKT+lPKRYUycP/jmLEVFRXYVYbOjOWuB1fV5r u91WT1vC6xQUeHz7gZpn6YY/qKnhOcKibGZTn/3RFZ5uOin+beKsJdfRD3OYTZxa 1RW5IDATsYbvzf1SCxZmyh3IUKA2+EoV8icc2uOwnPIftfUOl9NyrQI7l+oKjriQ tRQR3S6oETyzsnYKB04Su7duZc6tefA4UI2ZNXnUs2EVgd6Q6B3fAzGOEY2JrhTc R6Qre2PLBUepM5XhnzrcgSTkBNvJ0MM/58eoPCf5pQGpXKveb0p1owli2ITX/0xy 0DcHBMp7Xt2NvId6Jai7S8ysU2dGBk/fZAtKd8UqtT27VXOlDAuz7u7KdOsJNuzo /eWRJAU2gqZ6npFwxlHcPmSwjFfbu06SgTgljx6dIl4D6ckzG/CvHvL0hThJBg11 j9rlpxIVlfEIyXbag/9KZAON5o3M+fsTbU3bDD4ct6NV8ZqjsIMWLOo+ymKq0fe5 KAUtiKPK9fXGo1EKi0hya/orX3V4YmSf1y0VN+fef4IXToBkvlQgt7t4boFUD8v7 LUeS1JGNI33r1xG4ues5wLH+dvot3Qk6UK9NHLkvlh0NwIxE1yKY2oKE8jsmqDnl P3awTny0qy3vdaoGbZMVz6vorS5DrELwynxZ+Ws5vLR7/Yw+DuqrbmhbzR/h1xd/ HeV8EyEZmJF2Xi5J8gGU =btLS -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: GoDaddy SSL cert update from SHA1 to SHA2
And how do I get the Private Key back? Its definitely not there. From: Igor Cicimov Sent: Thursday, December 18, 2014 17:52 To: Tomcat Users List Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2 On Fri, Dec 19, 2014 at 9:56 AM, Bruce Kostival < bkosti...@universallumpers.com> wrote: > > Thanks Igor I'll poke around based on your input. > > From: Igor Cicimov > Sent: Thursday, December 18, 2014 15:49 > To: Tomcat Users List > Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2 > > On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival < > bkosti...@universallumpers.com> wrote: > > > > Tomcat 6.0.x > > Windows Server 2008 > > Running Java 7 > > Home grown app written in STS > > > > Running HTTPS with SHA1 cert > > Obtained SHA2 cert from GoDaddy by sending CSR generated from original > > keystore. Removed existing aliases from original keystore and loaded new > > root and domain cert to keystore. > > Trying to run up the new cert gives me this error: > > > > SEVERE: Error starting endpoint > > java.io.IOException: jsse.invalid_ssl_conf > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846) > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522) > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156) > > at > > org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538) > > at > > org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565) > > at > > org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207) > > at > > org.apache.catalina.connector.Connector.start(Connector.java:1196) > > at > > org.apache.catalina.core.StandardService.start(StandardService.java:540) > > at > > org.apache.catalina.core.StandardServer.start(StandardServer.java:754) > > at org.apache.catalina.startup.Catalina.start(Catalina.java:595) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown > Source) > > at java.lang.reflect.Method.invoke(Unknown Source) > > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > > Caused by: javax.net.ssl.SSLException: No available certificate or key > > corresponds to the SSL cipher suites which are enabled. > > > > I feel like I'm missing something basic in the keystore. Any ideas? > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > Just guessing but based on the cause given in the above error you > probably > have ciphers set in your connector using 128 bit key, something like this: > >ciphers="SSL_RSA_WITH_RC4_128_MD5, >SSL_RSA_WITH_RC4_128_SHA, >TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, >TLS_ECDHE_RSA_WITH_RC4_128_SHA, >TLS_ECDH_ECDSA_WITH_RC4_128_SHA, >TLS_ECDH_RSA_WITH_RC4_128_SHA" > > In that case try to change that to match your new 256 bit key now. Of > course take care of the proper cipher suit names for BIO/NIO or APR > connector since they differ (the above example is for BIO/NIO connector). > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Another possibility is that you have removed the private key used to generate the new CSR by removing the old aliases from the keystore. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: GoDaddy SSL cert update from SHA1 to SHA2
On Fri, Dec 19, 2014 at 9:56 AM, Bruce Kostival < bkosti...@universallumpers.com> wrote: > > Thanks Igor I'll poke around based on your input. > > From: Igor Cicimov > Sent: Thursday, December 18, 2014 15:49 > To: Tomcat Users List > Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2 > > On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival < > bkosti...@universallumpers.com> wrote: > > > > Tomcat 6.0.x > > Windows Server 2008 > > Running Java 7 > > Home grown app written in STS > > > > Running HTTPS with SHA1 cert > > Obtained SHA2 cert from GoDaddy by sending CSR generated from original > > keystore. Removed existing aliases from original keystore and loaded new > > root and domain cert to keystore. > > Trying to run up the new cert gives me this error: > > > > SEVERE: Error starting endpoint > > java.io.IOException: jsse.invalid_ssl_conf > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846) > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522) > > at > > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156) > > at > > org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538) > > at > > org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565) > > at > > org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207) > > at > > org.apache.catalina.connector.Connector.start(Connector.java:1196) > > at > > org.apache.catalina.core.StandardService.start(StandardService.java:540) > > at > > org.apache.catalina.core.StandardServer.start(StandardServer.java:754) > > at org.apache.catalina.startup.Catalina.start(Catalina.java:595) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown > Source) > > at java.lang.reflect.Method.invoke(Unknown Source) > > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > > Caused by: javax.net.ssl.SSLException: No available certificate or key > > corresponds to the SSL cipher suites which are enabled. > > > > I feel like I'm missing something basic in the keystore. Any ideas? > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > Just guessing but based on the cause given in the above error you > probably > have ciphers set in your connector using 128 bit key, something like this: > >ciphers="SSL_RSA_WITH_RC4_128_MD5, >SSL_RSA_WITH_RC4_128_SHA, >TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, >TLS_ECDHE_RSA_WITH_RC4_128_SHA, >TLS_ECDH_ECDSA_WITH_RC4_128_SHA, >TLS_ECDH_RSA_WITH_RC4_128_SHA" > > In that case try to change that to match your new 256 bit key now. Of > course take care of the proper cipher suit names for BIO/NIO or APR > connector since they differ (the above example is for BIO/NIO connector). > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Another possibility is that you have removed the private key used to generate the new CSR by removing the old aliases from the keystore.
Re: GoDaddy SSL cert update from SHA1 to SHA2
Thanks Igor I'll poke around based on your input. From: Igor Cicimov Sent: Thursday, December 18, 2014 15:49 To: Tomcat Users List Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2 On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival < bkosti...@universallumpers.com> wrote: > > Tomcat 6.0.x > Windows Server 2008 > Running Java 7 > Home grown app written in STS > > Running HTTPS with SHA1 cert > Obtained SHA2 cert from GoDaddy by sending CSR generated from original > keystore. Removed existing aliases from original keystore and loaded new > root and domain cert to keystore. > Trying to run up the new cert gives me this error: > > SEVERE: Error starting endpoint > java.io.IOException: jsse.invalid_ssl_conf > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846) > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522) > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156) > at > org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538) > at > org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565) > at > org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207) > at > org.apache.catalina.connector.Connector.start(Connector.java:1196) > at > org.apache.catalina.core.StandardService.start(StandardService.java:540) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:754) > at org.apache.catalina.startup.Catalina.start(Catalina.java:595) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.net.ssl.SSLException: No available certificate or key > corresponds to the SSL cipher suites which are enabled. > > I feel like I'm missing something basic in the keystore. Any ideas? > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Just guessing but based on the cause given in the above error you probably have ciphers set in your connector using 128 bit key, something like this: ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA" In that case try to change that to match your new 256 bit key now. Of course take care of the proper cipher suit names for BIO/NIO or APR connector since they differ (the above example is for BIO/NIO connector). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: GoDaddy SSL cert update from SHA1 to SHA2
On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival < bkosti...@universallumpers.com> wrote: > > Tomcat 6.0.x > Windows Server 2008 > Running Java 7 > Home grown app written in STS > > Running HTTPS with SHA1 cert > Obtained SHA2 cert from GoDaddy by sending CSR generated from original > keystore. Removed existing aliases from original keystore and loaded new > root and domain cert to keystore. > Trying to run up the new cert gives me this error: > > SEVERE: Error starting endpoint > java.io.IOException: jsse.invalid_ssl_conf > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846) > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522) > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156) > at > org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538) > at > org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565) > at > org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207) > at > org.apache.catalina.connector.Connector.start(Connector.java:1196) > at > org.apache.catalina.core.StandardService.start(StandardService.java:540) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:754) > at org.apache.catalina.startup.Catalina.start(Catalina.java:595) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.net.ssl.SSLException: No available certificate or key > corresponds to the SSL cipher suites which are enabled. > > I feel like I'm missing something basic in the keystore. Any ideas? > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Just guessing but based on the cause given in the above error you probably have ciphers set in your connector using 128 bit key, something like this: ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA" In that case try to change that to match your new 256 bit key now. Of course take care of the proper cipher suit names for BIO/NIO or APR connector since they differ (the above example is for BIO/NIO connector).