> On Mar 21, 2023, at 4:25 AM, Mark Thomas <ma...@apache.org> wrote:
>
> On 21/03/2023 01:09, Ralph Grove wrote:
>> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted
>> server running Tomcat. Any suggestions for resolving it would be appreciated.
>>
>> I set up the server last year and installed the SSL certificate with no
>> problem. This year, after the original certificate expired, I downloaded the
>> new certificate provided by GoDaddy, removed the old certificate files from
>> the keystore, and installed the new ones. Now Tomcat is throwing a
>> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to
>> open the HTTPS connector. I also tried rebuilding the keystore from scratch
>> and requesting a new certificate, but am getting the same exception with
>> that certificate.
>>
>> These are the commands I used to obtain and install the certificate:
>>
>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
>> keystore.jks
>>
>> (--request and obtain certificate files from GoDaddy--)
>
> Did you run the commands below on the same keystore file you created in the
> first command above?
Yes - it was the same file. I went through the commands twice, just to be sure.

>
>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file
>> gdcerts/gdroot-g2.crt
>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file
>> gdcerts/gd_bundle-g2-g1.crt
>> sudo keytool -import -alias tomcat -keystore keystore.jks -file
>> gdcerts/xxxxxxxxxxxx.crt
>
> What is the output of:
> keytool -list -v -keystore keystore.jks
>

sudo keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: inter
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 03:00:00 EDT 2011 until: Sat May 03 03:00:00 EDT 2031
Certificate fingerprints:
	 SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
	 SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]


*******************************************
*******************************************


Alias name: root
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Mon Aug 31 20:00:00 EDT 2009 until: Thu Dec 31 18:59:59 EST 2037
Certificate fingerprints:
	 SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
	 SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]


*******************************************
*******************************************


Alias name: tomcat
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=personalitypad.org
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: afa46fd8c3404384
Valid from: Sat Mar 18 17:26:57 EDT 2023 until: Sun Feb 04 12:48:29 EST 2024
Certificate fingerprints:
	 SHA1: 43:33:D4:48:91:12:E2:1C:F2:E9:1C:F1:84:94:D4:24:1C:8A:C9:B9
	 SHA256: 68:9C:D5:0E:73:A4:37:3C:56:38:BA:89:ED:9B:53:71:F4:B8:C6:9B:16:B6:F5:37:5E:5E:41:85:0B:66:B1:88
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 82 01 6C 01 6A 00 76   00 EE CD D0 64 D5 DB 1A  ...l.j.v....d...
0010: CE C5 5C B7 9D B4 CD 13   A2 32 87 46 7C BC EC DE  ..\......2.F....
0020: C3 51 48 59 46 71 1F B5   9B 00 00 01 86 F6 9E 5A  .QHYFq.........Z
0030: 53 00 00 04 03 00 47 30   45 02 20 6E 2F 52 3D 81  S.....G0E. n/R=.
0040: 1C 46 9A 90 BC A3 4E 2E   59 09 7A A9 10 42 04 82  .F....N.Y.z..B..
0050: 73 A7 DD D1 DC 7A F8 6C   7B 51 E2 02 21 00 AC 50  s....z.l.Q..!..P
0060: 33 31 C0 34 B5 6F D7 7C   C4 41 39 29 A4 25 07 46  31.4.o...A9).%.F
0070: B7 48 C6 3E DE 2C 2E 19   CD 3A 65 A9 C0 0A 00 77  .H.>.,...:e....w
0080: 00 48 B0 E3 6B DA A6 47   34 0F E5 6A 02 FA 9D 30  .H..k..G4..j...0
0090: EB 1C 52 01 CB 56 DD 2C   81 D9 BB BF AB 39 D8 84  ..R..V.,.....9..
00A0: 73 00 00 01 86 F6 9E 5B   34 00 00 04 03 00 48 30  s......[4.....H0
00B0: 46 02 21 00 E7 46 1D A5   7C 83 89 09 EF 31 73 73  F.!..F.......1ss
00C0: 52 4C 0A BA 5A 8E BD 6B   7A 92 B8 19 5A 07 70 76  RL..Z..kz...Z.pv
00D0: BC 88 50 8C 02 21 00 A8   98 CB C7 86 B2 88 15 0E  ..P..!..........
00E0: 81 06 89 8E 2C 00 B5 93   46 A6 DF F9 E8 33 B0 C3  ....,...F....3..
00F0: 36 17 9C 16 35 A8 FD 00   77 00 DA B6 BF 6B 3F B5  6...5...w....k?.
0100: B6 22 9F 9B C2 BB 5C 6B   E8 70 91 71 6C BB 51 84  ."....\k.p.ql.Q.
0110: 85 34 BD A4 3D 30 48 D7   FB AB 00 00 01 86 F6 9E  .4..=0H.........
0120: 5B E3 00 00 04 03 00 48   30 46 02 21 00 D1 45 86  [......H0F.!..E.
0130: 4E 62 EB 88 9A 4C 79 B9   39 8E 60 E3 8B 35 5A 95  Nb...Ly.9.`..5Z.
0140: 23 B2 22 E4 BC 70 A2 6E   29 61 83 66 CA 02 21 00  #."..p.n)a.f..!.
0150: E9 89 87 3B F6 26 67 B4   52 E7 E5 39 98 2A 0F 46  ...;.&g.R..9.*.F
0160: 5C F6 E7 34 84 87 64 BC   03 9D 7E 6A C3 75 30 70  \..4..d....j.u0p


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
,
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s1-5359.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: personalitypad.org
  DNSName: www.personalitypad.org
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 F9 3A E5 38 6D 62 89   75 E8 98 E1 08 75 72 8E  ..:.8mb.u....ur.
0010: FB 54 55 2C                                        .TU,
]
]


*******************************************
*******************************************


>
>> And this is the Tomcat configuration for the connector:
>>
>> <Connector port="8443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxThreads="150" SSLEnabled="true">
>> <SSLHostConfig>
>> <Certificate certificateKeystoreFile="conf/keystore.jks"
>> type="RSA" certificateKeystorePassword="xxxxxx" />
>> </SSLHostConfig>
>> </Connector>
>
> The connector configuration looks OK.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
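The listing in the reply above shows all three aliases, `tomcat` included, as `trustedCertEntry`, and no `PrivateKeyEntry` at all. That is exactly the condition behind Tomcat's `jsse.alias_no_key_entry`: the alias the connector selects must be a key entry (private key plus certificate chain), and a certificate-only entry cannot serve TLS. The script below is an added example, not code from the thread or from Tomcat. It parses saved `keytool -list -v` output and reports the entry type of an alias, so the check can be scripted before a restart instead of read off a long dump by eye. The `check_keystore` wrapper and the constructed sample listing (built to mirror the aliases in the thread) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: check whether an
# alias in a Java keystore is a PrivateKeyEntry, which is what Tomcat's JSSE
# connector needs. A trustedCertEntry holds a certificate and no private key;
# if the alias Tomcat selects is not a key entry, or the keystore has no key
# entry at all, the connector fails with "jsse.alias_no_key_entry".

# entry_type LISTING ALIAS
# Reads saved `keytool -list -v` output from file LISTING and prints the
# "Entry type" recorded for ALIAS, or "missing" if ALIAS is not listed.
entry_type() {
    awk -v want="$2" '
        /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias) }
        /^Entry type:/ && alias == want { print $3; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# key_entries LISTING
# Prints every alias that is a PrivateKeyEntry, one per line. Tomcat needs at
# least one of these when certificateKeyAlias is not configured.
key_entries() {
    awk '
        /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias) }
        /^Entry type: PrivateKeyEntry/ { print alias }
    ' "$1"
}

# check_alias LISTING ALIAS
# Returns 0 only when ALIAS is a PrivateKeyEntry; otherwise explains why
# Tomcat will reject the keystore and returns 1.
check_alias() {
    et=$(entry_type "$1" "$2")
    case "$et" in
        PrivateKeyEntry)
            echo "ok: alias '$2' is a PrivateKeyEntry (private key plus certificate chain)"
            return 0 ;;
        trustedCertEntry)
            echo "problem: alias '$2' is a trustedCertEntry (certificate only, no private key)"
            echo "  Tomcat cannot serve TLS from it and reports jsse.alias_no_key_entry"
            return 1 ;;
        missing)
            echo "problem: alias '$2' is not in this keystore"
            return 1 ;;
        *)
            echo "problem: alias '$2' has unexpected entry type '$et'"
            return 1 ;;
    esac
}

# check_keystore KEYSTORE ALIAS
# Assumed wrapper for a live keystore: keytool prompts for the store password,
# the listing is saved to a temporary file and check_alias is applied to it.
check_keystore() {
    listing=$(mktemp) || return 1
    if ! keytool -list -v -keystore "$1" > "$listing"; then
        rm -f "$listing"
        return 1
    fi
    check_alias "$listing" "$2"
    rc=$?
    rm -f "$listing"
    return $rc
}

# write_sample_listing FILE TOMCAT_TYPE
# Writes a constructed listing (test data, not a real keystore) in the layout
# of keytool -list -v. With TOMCAT_TYPE=trustedCertEntry it mirrors the thread:
# root, inter and tomcat are all certificate-only entries.
write_sample_listing() {
    cat > "$1" <<EOF
Your keystore contains 3 entries

Alias name: inter
Creation date: Mar 21, 2023
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certificate Authority - G2
*******************************************

Alias name: root
Creation date: Mar 21, 2023
Entry type: trustedCertEntry
Owner: CN=Go Daddy Root Certificate Authority - G2
*******************************************

Alias name: tomcat
Creation date: Mar 21, 2023
Entry type: $2
Owner: CN=personalitypad.org
*******************************************
EOF
}

# With a keystore path and alias, check the live keystore; with no arguments,
# run the check against the constructed sample that mirrors the thread.
if [ $# -eq 2 ]; then
    check_keystore "$1" "$2"
else
    sample=$(mktemp)
    write_sample_listing "$sample" trustedCertEntry
    entries=$(key_entries "$sample")
    echo "PrivateKeyEntry aliases: ${entries:-(none)}"
    check_alias "$sample" tomcat
    rm -f "$sample"
fi
```

Run it as `sh check_keystore.sh conf/keystore.jks tomcat` against the live keystore, or with no arguments to see the constructed sample reported as a problem. Two keytool behaviours are worth keeping in mind when reading the commands quoted in the thread: `-importcert` into an alias that already holds a private key replaces that entry's certificate chain and keeps the key, and refuses a certificate reply whose public key does not match the key under that alias; `-importcert` into an alias that has no key entry stores the file as a trustedCertEntry, and `-delete` on an alias removes the private key together with the old certificate.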