Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Werner Schalk

Hello Christoph,

welcome to the club, I am having the same problem. See my thread "Problems 
with SSL-enabled Tomcat 5.5".


Bye,
Werner.

- Original Message - 
From: "Christoph Lechner" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, August 30, 2007 5:11 PM
Subject: Tomcat keeps breaking/SSL keystore troubles



Hi all,

I've been trying hard to enable the SSL connector in TomCat for a few
days now. As I don't have very much experience with SSL, it's quite hard
for me to figure out what's going wrong.
I read a lot of different setup guides, but I'm getting the same error
messages all the time:

16:37:13,254 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
16:37:13,338 INFO  [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
16:37:13,346 INFO  [JkMain] Jk running ID=0 time=0/24  config=null
16:37:13,360 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
   at java.lang.Thread.run(Thread.java:595)

I've got a .crt file, a .csr file and a .key file for the domain and I
also got the root cert from the CA. So I tried to set it up in the
following way (output messages included):
---> Begin of keystore creation <---
ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file
rapidssl_01.cer -keystore thekeystore
Enter keystore password:  changeit
Certificate already exists in system-wide CA keystore under alias

Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file
www_mydomain_com.crt -keystore thekeystore
Enter keystore password:  changeit
Certificate was added to keystore
ab-server1:~/ssl# keytool -list -keystore thekeystore
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5):
8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5):
C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
---> End of keystore creation <---

In server.xml file, I added:

<Connector port="8443"
   maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/root/ssl/thekeystore"
keystorePass="changeit" sslProtocol = "TLS" />

OTOH I've tried a self-signed certificate and it worked.

What's my fault?

TIA
- C. Lechner


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED] 






Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Filip Hanik - Dev Lists

my guess is that the keystore file doesn't contain your private key,

Filip




Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Christoph Lechner
Filip Hanik - Dev Lists wrote:
> my guess is that the keystore file doesn't contain your private key,
Hi,

that's right. Actually the file sent to the CA was created using OpenSSL
(as far as I remember). So the keystore isn't the one used to create the
CSR. Among the files I have at the moment, there's a .key file, but how
to import it?

When I dump the self signed certificate that is known to work, I get:
[EMAIL PROTECTED]:/tmp$ keytool -list -keystore my.keystore
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jul 19, 2007, keyEntry,
Certificate fingerprint (MD5):
1D:31:E7:09:DF:AC:ED:B2:A7:09:36:06:E9:B6:69:DD

BTW: Looks like it's the same problem as in the thread "Re: Problems
with SSL-enabled Tomcat 5.5"

CU
- C. Lechner





Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Morris Jones
Christoph, I hate these problems, they're always tough to work through, 
and keytool doesn't make it any easier.


Did you use keytool to create your key and certificate request?  If you 
created the key and request outside of keytool, then keytool won't have 
the private key and can't import the certificate.


In order to get your private key into the keystore, you need to use a 
bit of Java code.  See here:  <http://www.agentbob.info/agentbob/79.html>


There's no need for you to import the CA's root certificate.  It's 
already there.


Good luck!

Mojo
--
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers http://www.otastro.org

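The import Morris describes, as an added example that is neither the code behind his link nor anything posted in this thread: a Java 9+ program (assumed name ImportKeyPair) that stores the OpenSSL-generated .key together with the .crt and the CA certificate as a JKS keyEntry under the tomcat alias, the entry type the working self-signed store shows and the failing store lacks. It assumes an RSA key converted to unencrypted DER PKCS#8 with the openssl command in the comment, and reuses the file names and keystore password from the thread.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.List;
// Hypothetical example: writes a JKS keystore whose "tomcat" alias is a keyEntry
// (private key + chain) rather than the trustedCertEntry "keytool -import" makes.
// Assumes the .key was first converted to unencrypted DER PKCS#8 with openssl:
//   openssl pkcs8 -topk8 -nocrypt -in www_mydomain_com.key -outform DER -out key.der
public class ImportKeyPair {
    static PrivateKey loadPrivateKey(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(in.readAllBytes()));
        }
    }

    // Reads one X.509 certificate; CertificateFactory accepts PEM or DER input.
    static Certificate loadCertificate(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Writes a keystore with a single keyEntry; chain is leaf first, then the CA(s).
    static void writeKeyStore(String out, char[] pass, String alias,
                              PrivateKey key, List<Certificate> chain) throws Exception {
        // A key that does not belong to the leaf certificate fails the handshake with
        // the same "No available certificate or key" error, so compare the RSA modulus.
        RSAPublicKey pub = (RSAPublicKey) chain.get(0).getPublicKey();
        if (!((RSAPrivateKey) key).getModulus().equals(pub.getModulus())) {
            throw new IllegalArgumentException("private key does not match the leaf certificate");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                               // start from an empty store
        ks.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        try (FileOutputStream fos = new FileOutputStream(out)) {
            ks.store(fos, pass);
        }
    }

    // The check "keytool -list" gives: the alias must be a keyEntry, not a trustedCertEntry.
    static boolean hasKeyEntry(String path, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks.isKeyEntry(alias);
    }

    // usage: java ImportKeyPair key.der www_mydomain_com.crt rapidssl_01.cer thekeystore
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();           // keystorePass used in the thread
        List<Certificate> chain = List.of(loadCertificate(args[1]), loadCertificate(args[2]));
        writeKeyStore(args[3], pass, "tomcat", loadPrivateKey(args[0]), chain);
        System.out.println("tomcat is keyEntry: " + hasKeyEntry(args[3], pass, "tomcat"));
    }
}
```

After running it, `keytool -list -keystore thekeystore` should show the tomcat alias as keyEntry, which is what the connector's keystoreFile needs.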



Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Christoph Lechner
Morris Jones wrote:
> Christoph, I hate these problems, they're always tough to work through,
> and keytool doesn't make it any easier.
> 
> Did you use keytool to create your key and certificate request?  If you
> created the key and request outside of keytool, then keytool won't have
> the private key and can't import the certificate.
No, the CSR and the key were created using OpenSSL.

> In order to get your private key into the keystore, you need to use a
> bit of Java code.  See here:  <http://www.agentbob.info/agentbob/79.html>
It worked for me!!! Thanks a lot for that link, without it I would be
screwed. But IMHO it's a flaw in the documentation of Tomcat that they
don't mention how to do this sort of import of the .crt file and the
.key file as well. There are still people out there who don't believe in
the power of the keytool!

> There's no need for you to import the CA's root certificate.  It's
> already there.
That's right. I just did it, as most of the guides recommended it.

Thanks a lot
- C. Lechner




Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Filip Hanik - Dev Lists

Christoph Lechner wrote:
> Filip Hanik - Dev Lists wrote:
>> my guess is that the keystore file doesn't contain your private key,
> Hi,
>
> that's right. Actually the file sent to the CA was created using OpenSSL
> (as far as I remember). So the keystore isn't the one used to create the
> CSR. Among the files I have at the moment, there's a .key file, but how
> to import it?

then you have two options:
1. The one you mentioned, import the key. I have no idea how, but I'm 
sure it's doable.
2. Use the Tomcat APR connector; this connector uses OpenSSL 
certificates and keys.
   And the benefit here is that you get twice as fast SSL to Tomcat, 
way better than Java SSL.



Filip




Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Werner Schalk
Great piece of code! Now everything is fine with me as well. Thanks to 
everyone who helped me on this one!
I suppose it would be worth adding this piece of code or at least a link to 
the Tomcat site!!!


Bye,
Werner.




Re: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Christoph Lechner
Werner Schalk wrote:
> Great piece of code! Now everything is fine with me as well. Thanks to
> everyone who helped me on this one!
> I suppose it would be worth adding this piece of code or at least a link
> to the Tomcat site!!!
Damn right. Maybe one should add the case where the CSR wasn't created
using keytool to the Tomcat SSL Howto. The solution is really a snap if
you know how to deal with the problem ...
Without this piece of code LOTS of people fail setting up the Tomcat SSL
support using "real", signed SSL certs. Actually when feeding the
different error messages etc. into Google I found lots of forum
postings where they didn't fix this problem.

- C. Lechner




RE: Tomcat keeps breaking/SSL keystore troubles

2007-08-30 Thread Andrew Friebel
I am pretty confident you can use tools other than keytool.  My belief
is that if you use things like openssl, then you may need to play with the
sslProtocol attribute in the server.xml file (maybe PKCS12).  There may be
something on a forum on using sslProtocol, or within the Tomcat doco itself.

Tomcat uses keytool to load the certificates (which you have probably
already figured out).

Older versions of keytool support the use of PKCS12, but are unable to create
this format, while I believe that the latest version of keytool supports the
creation of other formats (i.e. PKCS12).

I don't know if this is useful to you or not, but I hope it helps.

Regards,
Andrew

-Original Message-
From: Morris Jones [mailto:[EMAIL PROTECTED] 
Sent: Friday, 31 August 2007 2:24 AM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: Tomcat keeps breaking/SSL keystore troubles
