> -----Original Message-----
> From: Chris Arnold [mailto:carn...@electrichendrix.com]
> Sent: Wednesday, October 30, 2013 9:43 AM
> To: Tomcat Users List
> Subject: Re: Secure Tomcat With SSL
> 
> >Chris,
> 
> Thank you for taking the time to help me in securing Tomcat. I called
> GoDaddy and they instructed me to download the Tomcat cert, which I
> did, and follow their provided instructions:
> http://support.godaddy.com/help/article/5239/generating-a-csr-and-
> installing-an-ssl-certificate-in-tomcat-4x5x6x?locale=en
> 
> I skipped generating a keystore and CSR in Tomcat and went directly to
> installing SSL in Tomcat (generating a CSR and keystore = Tomcat already
> has a keystore, no? I already have generated the CSR with GoDaddy;
> that's how I got the cert, no?)
> 
> So in installing SSL in Tomcat, I run the 1st command:
> keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37/gd_bundle.crt
> (this is the root cert according to the rep with GoDaddy) and get this:
> 
> Enter keystore password:
> keytool error: java.lang.Exception: Certificate not imported, alias
> <root> already exists
> 
> Then:
> ./keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37/gd_intermediate.crt
> and get this:
> 
> Enter keystore password:
> Certificate already exists in keystore under alias <root>
> Do you still want to add it? [no]:  y
> Certificate was added to keystore
> 
> Then:
> ./keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37//2b05f72c7ddd37.crt
> and get this:
> 
> Enter keystore password:
> keytool error: java.lang.Exception: Certificate not imported, alias
> <tomcat> already exists
> 
> Not sure where to go from here! Can anyone help? I just want to do
> something basic, and that is secure Tomcat with a GoDaddy SSL cert.
> 

Chris,
First, go back and re-read the last wonderful response you received from 
Ognjen.  He is right on the money for how you last had your server.xml 
configured.  If you haven't made any changes, you need to do so.
Then, ignore the bad advice that GoDaddy is giving you, because they didn't 
understand that you are using OpenSSL, aka the "Tomcat Native Libraries", aka 
APR, in your configuration.  Go back to the GoDaddy site and re-issue the 
signed certificate and the bundled CA certs in "apache" format and save them 
somewhere that Tomcat can see them.
Add the 3 SSL lines to the 2nd connector in your server.xml as Ognjen 
suggested, and comment out the 4th connector to avoid conflicts (you didn't 
provide the port numbers for the connectors, so I can't be sure you won't have 
conflicts.)
That should do it.  And have fun.

If you insist on using the Java keystore method that GoDaddy is assuming you 
use, you need to make a few more changes:
1) Comment out or remove the line in your server.xml:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" 
SSLEngine="on" />
  This will prevent the APR library from loading for all connectors.
2) Comment out the 2nd Connector (first SSL connector) to avoid conflicts with 
your 4th Connector.
3) You must use the alias "tomcat" for the SSL certificate when you load it 
into your keystore.

I really suggest that you just use the APR/OpenSSL setup that you have 
half-configured. It is much easier to maintain and you can avoid all this messy 
mucking about with keytool.
Jeff
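The two connector layouts Jeff contrasts, written out as an added server.xml fragment for illustration. This is not Chris's server.xml, nor Jeff's or Ognjen's configuration (Ognjen's reply is not quoted in this thread); the port numbers, file paths, keystore password and the `/etc/tomcat/ssl/` directory are placeholders, and the attribute names are the standard Tomcat 6/7 APR and JSSE connector attributes.

```xml
<!-- Added example server.xml fragment, not from the thread.
     Ports, paths and the keystore password are placeholders.
     It shows the two mutually exclusive HTTPS setups discussed above;
     exactly one of them should be active at a time. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Option A (APR/OpenSSL, "Tomcat Native"): this listener stays enabled.
       For Option B (JSSE keystore) comment it out, so the native library
       is never loaded and all connectors fall back to JSSE. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <Service name="Catalina">

    <!-- Plain HTTP connector, unchanged by either option. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <!-- Option A: APR HTTPS connector. The three files are the PEM
         ("apache" format) private key, signed certificate and CA bundle
         re-issued from the CA; no keystore is involved. -->
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150"
               SSLCertificateFile="/etc/tomcat/ssl/example.crt"
               SSLCertificateKeyFile="/etc/tomcat/ssl/example.key"
               SSLCertificateChainFile="/etc/tomcat/ssl/gd_bundle.crt" />

    <!-- Option B: JSSE keystore connector, kept commented out here because
         Option A is active. To use it: comment out the AprLifecycleListener
         and the APR connector above, then uncomment this block. The private
         key and the signed certificate must both sit under the alias named
         in keyAlias ("tomcat", which is also Tomcat's default). -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150"
               keystoreFile="/etc/tomcat/ssl/tomcat.keystore"
               keystorePass="CHANGE_ME"
               keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

Only one connector may listen on a given port, which is the conflict Jeff warns about when both an APR and a JSSE connector are configured on 8443. For Option B, `keytool -list -v -keystore tomcat.keystore` shows which alias holds the private key (its entry type is `PrivateKeyEntry`); the signed certificate has to be imported under that same alias, and the CA bundle under a different one, for the chain to be served.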