arktech
asked on
New SSL Certificate for existing Tomcat deployment
Help! Our SSL certificate is expiring very soon. We purchased a new certificate from VeriSign (not allowed to renew the existing one because company moved from Canada to US), but I'm not having any luck installing it into the existing site. Here's what I have. Running keytool -list against the existing keystore returns:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D
I copied this keystore to a local machine and performed the following steps:
keytool -import -alias intermediateCA -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/verisign_root.cer
keytool -import -alias MyApplication -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/my_domain.cer
keytool -delete -alias tomcat -keystore /cygwin/tmp/keystore
Running keytool -list against the resulting keystore yields the following:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49
In my Tomcat/conf/server.xml file, I have the following:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="D:/Tomcat-5.5/conf/keystore"
clientAuth="false" sslProtocol="TLS" />
With the old keystore in place, I'm having no problems at all. When I replace it with the new keystore and bounce Tomcat, I can no longer find the server when I attempt to connect via https. We have a redirect from https://mydomain.com to https://mydomain.com/myapplication, and it does show me Redirecting, but then it drops to the Cannot find server. If I look in the catalina.log, I see:
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:50 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
Nov 14, 2007 8:00:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: d:\Tomcat-5.5\bin;.;C:\WINNT\system32;C:\WINNT;D:\oracle\ora81\bin;D:\oracle\ora81\Apache\Perl\5.00503\bin\mswin32-x86;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;d:\MSSQL7\BINN;d:\scripts
Nov 14, 2007 8:00:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:54 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1594 ms
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapplication.war
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:56 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 14, 2007 8:00:56 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31 config=null
Nov 14, 2007 8:00:56 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 14, 2007 8:00:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2235 ms
No errors, no problems. But now I can't get to my application. I've tried adding a keyAlias attribute to the Connector property, using intermediateca, intermediateCA, myapplication and MyApplication and none of them work. In every case, if I specify a keyAlias, I get an error like:
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name intermediateca does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
at org.apache.catalina.connector.Connector.start(Connector.java:1089)
at org.apache.catalina.core.StandardService.start(StandardService.java:459)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Alias name intermediateca does not identify a key entry
at org.apache.catalina.connector.Connector.start(Connector.java:1096)
at org.apache.catalina.core.StandardService.start(StandardService.java:459)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2313 ms
Help! Thanks in advance!
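The two keytool listings in the question already show the root cause: the 2005 keystore held a keyEntry (certificate plus private key) under the alias tomcat, while the rebuilt keystore holds only two trustedCertEntry items and no private key at all, so Tomcat has nothing to sign a TLS handshake with. The following Python script is added here as an example (it is not part of the original post or of Tomcat); it parses keytool -list output, embedding the question's two listings as constructed samples, and applies the same check Tomcat's JSSE connector applies at startup.

```python
import re

# Constructed samples: the two `keytool -list` outputs quoted in the question,
# with the MD5 fingerprints re-joined from the garbled extraction.
OLD_LISTING = """\
Your keystore contains 1 entry
tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D
"""
NEW_LISTING = """\
Your keystore contains 2 entries
intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49
"""
# "alias, date, entryType," as printed by keytool; JDK 5 prints keyEntry,
# later JDKs print PrivateKeyEntry for the same kind of entry.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<kind>keyEntry|PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)
KEY_KINDS = ("keyEntry", "PrivateKeyEntry")

def parse_keytool_list(text):
    """Map alias -> entry type. JKS aliases are case-insensitive, so lower-case them."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("kind")
    return entries

def check_tomcat_keystore(listing, key_alias=None):
    """Apply the check Tomcat's JSSE connector makes at startup; return (ok, reason).
    With keyAlias set the alias must be a private-key entry (the IOException text is
    the one in the question's log); without keyAlias at least one private-key entry
    must exist, otherwise startup logs no error but no TLS handshake can complete."""
    entries = parse_keytool_list(listing)
    if key_alias is not None:
        if entries.get(key_alias.lower()) not in KEY_KINDS:
            return False, f"Alias name {key_alias} does not identify a key entry"
        return True, f"keyAlias {key_alias} is a private-key entry"
    keys = sorted(a for a, k in entries.items() if k in KEY_KINDS)
    if not keys:
        return False, "no private-key entry: every certificate is a trustedCertEntry"
    return True, "private-key entries: " + ", ".join(keys)
```

A CA-issued certificate has to be imported under the alias of the key pair whose CSR it was issued for (here tomcat), which keeps that entry a keyEntry; deleting the tomcat entry discarded the private key, so the keystore must be rebuilt from a backup of the old one or from a fresh key pair and CSR.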