Thank you Christopher.
Appreciate all your help. Please let me know if any additional info is
required for the issue.
Regarding the ssl connection, if I use with and without the -tls1 flag with
the original certificate then in both cases it works fine.
After doing the steps I mentioned initially, both are not working.

Thanks,
Barc

On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ori,
>
> On 5/22/15 10:03 AM, Ori Raz wrote:
> > Thank you Christopher for your reply.
> >
> > I always make a backup before changes :) luckily :)
> >
> > I reverted back and tried without deleting the entries and getting
> > this:
> >
> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> > Enter keystore password:
> > keytool error: java.lang.Exception: Public keys in reply and keystore don't match
> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
> > Enter keystore password:
> > keytool error: java.lang.Exception: Certificate not imported, alias <tomcat> already exists
> > primeusr@sagi-vzadik-01 [~]#
> >
> >
> > Regarding the import you wrote - $ keytool -import -alias
> > ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
> >
> > Isn't that this one or am I missing something: keytool -importcert
> > -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat
>
> I'll have a look at that later when I have more time.
>
> > as mentioned, catalina-<date>.log is empty... I cannot see any
> > other relevant logs (if you can point me to other log - please do :) )
> >
> >
> > If I try to connect to ssl locally, then with the original
> > certificate it works, but with the new one - here is the output:
> >
> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
> > CONNECTED(00000003)
> > 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
> > CONNECTED(00000003)
> > 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
>
> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
> ssl3 is dead and the handshake won't even work anymore.
>
> -chris

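The keytool error quoted in this thread, "Public keys in reply and keystore don't match", means the certificate being imported was issued for a different key pair than the one stored under the alias. The script below is an added example, not part of the thread: it compares the two public keys before an import is attempted. It assumes `openssl` and `keytool` are on the PATH, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does a CA reply carry the same public key as the
# certificate already stored under an alias in a Java keystore?

# Print the SHA-256 of the public key in a certificate file (PEM, else DER).
cert_pubkey_fp() {
    key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
          openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$key" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when both certificates carry the same public key, 1 when they
# differ, 2 when either file cannot be parsed as a certificate.
same_pubkey() {
    a=$(cert_pubkey_fp "$1") && b=$(cert_pubkey_fp "$2") || return 2
    [ "$a" = "$b" ]
}

# usage: check_reply KEYSTORE ALIAS REPLY_CERT
# Exports the certificate currently held under ALIAS (keytool prompts for
# the keystore password) and compares it with the CA reply.
check_reply() {
    tmp=$(mktemp) || return 2
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -file "$tmp" ||
        { rm -f "$tmp"; return 2; }
    if same_pubkey "$tmp" "$3"; then
        echo "match: reply belongs to the key pair under alias $2"; rc=0
    else
        echo "MISMATCH: reply was issued for a different key pair"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Run the check only when invoked with the three arguments.
if [ "$#" -eq 3 ]; then
    check_reply "$@"
fi
```

A mismatch here usually means the CSR sent to the CA was generated from a different keystore or alias than the one being imported into.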