GlassFish and SSL - "Public keys in reply and keystore don't match"

Hi All,
I am following this tutorial.. but trying to use an existing certificate:
http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/

Using a Comodo certificate.

Got "Public keys in reply and keystore don't match" and don't know what to do next...


C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias 64.147.148.71 -keystore server.keystore -trustcacerts -file STAR_cmpny_com.crt
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match


C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias root -keystore server.keystore -trustcacerts -file AddTrustExternalCARoot.crt
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <addtrustexternalca>
Do you still want to add it to your own keystore? [no]: no
Certificate was not added to keystore

C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias comodo -keystore server.keystore -trustcacerts -file ComodoUTNSGCCA.crt
Enter keystore password:
Certificate was added to keystore

C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias essential -keystore server.keystore -trustcacerts -file EssentialSSLCA_2.crt
Enter keystore password:
Certificate was added to keystore

C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias utn -keystore server.keystore -trustcacerts -file UTNAddTrustSGCCA.crt
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias utn -keystore server.keystore -trustcacerts -file UTNAddTrustSGCCA.crt
Enter keystore password:
Certificate was added to keystore

C:\glassfish3\glassfish\domains\dmba.com\config>keytool -import -alias 64.147.148.71 -keystore server.keystore -trustcacerts -file STAR_dmba_com.crt
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match


Asked by: BILL Carlisle (APEX Developer)
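keytool treats an `-import` onto an alias that already holds a key pair as the import of a CA reply, and it then requires the certificate's SubjectPublicKeyInfo (SPKI) to be byte-for-byte the public half of the private key stored under that alias. The error in the transcript above therefore says that STAR_cmpny_com.crt was not issued for the key pair stored as 64.147.148.71 in server.keystore, which is what happens when the CSR came from a different key pair or the keystore was regenerated after the CSR was sent. The Python script below is an added illustration, not code from the question or from keytool: it reproduces that comparison with a small DER walker, pulling the SPKI out of an X.509 certificate and rebuilding it from the n and e of a PKCS#8 RSA private key. All inputs are constructed (a toy RSA key with p=61, q=53, wrapped in a structurally valid but unsigned certificate) so it runs offline; on real files the same comparison is `keytool -list -rfc -alias 64.147.148.71 -keystore server.keystore` against `openssl x509 -in STAR_cmpny_com.crt -pubkey -noout`.

```python
"""Reproduce the check behind keytool's "Public keys in reply and keystore don't match":
the SPKI inside the CA reply must equal the public key of the private-key entry under
the import alias.  Standard library only; the RSA numbers are tiny constructed toy values.
"""
import hashlib

# --- minimal DER encoding (just what the example needs) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v):
    # one spare byte keeps the high bit clear, so the INTEGER stays positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der(0x30, b"".join(items))

RSA_ENCRYPTION = der_seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b""))  # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))  # 1.2.840.113549.1.1.11

# --- minimal DER decoding ---
def der_parse(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at pos; definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = der_parse(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out

# --- the two sides of keytool's comparison ---
def spki_from_rsa(n, e):
    """SubjectPublicKeyInfo for an RSA public key (RFC 3279 layout)."""
    return der_seq(RSA_ENCRYPTION, der(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))

def spki_from_certificate(cert_der):
    """The SPKI exactly as encoded inside an X.509 certificate (the 'reply')."""
    _, cert_body, _ = der_parse(cert_der)
    fields = der_children(der_children(cert_body)[0][1])     # tbsCertificate fields
    # [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5][2]

def spki_from_pkcs8(key_der):
    """Public half of an unencrypted PKCS#8 RSA private key (the 'keystore' side)."""
    _, info, _ = der_parse(key_der)
    _, rsa_body, _ = der_parse(der_children(info)[2][1])     # privateKey OCTET STRING
    ints = der_children(rsa_body)                             # version, n, e, d, p, q, ...
    return spki_from_rsa(int.from_bytes(ints[1][1], "big"), int.from_bytes(ints[2][1], "big"))

def reply_matches_key(cert_der, key_der):
    """True when keytool would accept cert_der as a CA reply for key_der's entry."""
    return spki_from_certificate(cert_der) == spki_from_pkcs8(key_der)

def spki_fingerprint(spki):
    return hashlib.sha256(spki).hexdigest()

# --- constructed test data: toy RSA p=61, q=53, n=3233, e=17, d=2753 (not a real key) ---
def make_pkcs8(n, e, d, p, q):
    rsa = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                  der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    return der_seq(der_int(0), RSA_ENCRYPTION, der(0x04, rsa))

def make_certificate(spki):
    """Structurally valid, unsigned X.509 v3 shell around spki (test data only)."""
    empty_name = der_seq()
    validity = der_seq(der(0x17, b"131014000000Z"), der(0x17, b"141014000000Z"))
    tbs = der_seq(der(0xA0, der_int(2)), der_int(1), SHA256_WITH_RSA,
                  empty_name, validity, empty_name, spki)
    return der_seq(tbs, SHA256_WITH_RSA, der(0x03, b"\x00" + bytes(8)))

KEYSTORE_KEY = make_pkcs8(3233, 17, 2753, 61, 53)
MATCHING_REPLY = make_certificate(spki_from_rsa(3233, 17))
FOREIGN_REPLY = make_certificate(spki_from_rsa(2773, 17))    # issued for another key pair (p=47, q=59)

if __name__ == "__main__":
    print("keystore entry SPKI:", spki_fingerprint(spki_from_pkcs8(KEYSTORE_KEY))[:16])
    for label, cert in (("matching reply", MATCHING_REPLY), ("foreign reply", FOREIGN_REPLY)):
        verdict = "accepted" if reply_matches_key(cert, KEYSTORE_KEY) else "rejected: public keys don't match"
        print(f"{label}: {spki_fingerprint(spki_from_certificate(cert))[:16]} -> {verdict}")
```

Comparing the SHA-256 of the two SPKI encodings is the same test keytool performs; when the fingerprints differ, no amount of re-importing root and intermediate certificates will help, because the issued certificate simply belongs to a key pair the keystore does not contain.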

Teeshirt commented:
Are you running the command prompt in elevated mode ("run as administrator")?

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi,

Are you sure all aliases selected are unique to the cert store? Trying to import doubles will lead to these errors.

BILL Carlisle (APEX Developer, author) commented:
Teeshirt,
I am logged on as administrator.

Patrick,
No, I'm not sure.. how do I check?

But now I can't log on to my app through GlassFish..
How can I get back to scratch if I need to?

This is Oracle APEX Listener being run through GlassFish.

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi again,
I would imagine like this:
keytool -list -v -keystore server.keystore -alias 64.147.148.71
or plain
keytool -list -v -keystore server.keystore

BILL Carlisle (APEX Developer, author) commented:
In GlassFish, what is the difference between these two? Are they both servers but one is a default? What kind of default..

default-config
server-config

BILL Carlisle (APEX Developer, author) commented:
I found it

It appears that the default-config is used by Glassfish as a template to create other configs, so anything you actually want to configure on a server should go in the server-config.

http://stackoverflow.com/questions/13749765/glassfish-3-1-2-difference-between-default-config-and-server-config

BILL Carlisle (APEX Developer, author) commented:
I have taken a side step trying to overcome some other problems first.
Will be back to the certificates soon..

BILL Carlisle (APEX Developer, author) commented:
OK, I now have the certificates loaded successfully, so the output said. But it doesn't get to the page, so I check the log and find:

[#|2013-10-14T07:36:14.526-0600|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=19;_ThreadName=Thread-2;|GRIZZLY0007: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
	at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:455)
	at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
	at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:363)
	at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:241)
	at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:202)
	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
	at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
	at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
	at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
	at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
	at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:451)
	... 14 more
|#]

[#|2013-10-14T07:36:14.532-0600|SEVERE|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=19;_ThreadName=Thread-2;|ProtocolChain exception
java.lang.NullPointerException
	at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:352)
	at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:399)
	at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:159)
	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
	at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
	at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
	at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
	at java.lang.Thread.run(Thread.java:662)
|#]

I have googled but have no idea...
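JSSE raises "No available certificate or key corresponds to the SSL cipher suites which are enabled" when its key manager has no usable private-key entry for any enabled suite. With GlassFish that usually means the keystore the HTTPS listener points at holds only imported CA certificates (trustedCertEntry entries) or nothing at all, instead of a PrivateKeyEntry under the alias named by the listener's cert-nickname (s1as by default); the NullPointerException that follows in the log is just Grizzly trying to use the SSL engine that failed to initialise. The Python checker below is an added example, not part of this thread or of GlassFish: it parses `keytool -list` output and reports which of those conditions holds for a given alias. The three listings are constructed samples in keytool's output format, with placeholder fingerprints.

```python
"""Check a `keytool -list` listing for the condition behind Grizzly's
"No available certificate or key corresponds to the SSL cipher suites which are enabled":
the HTTPS listener's alias (cert-nickname, default s1as) must be a PrivateKeyEntry, not an
imported trustedCertEntry, and the keystore must not be empty.
Added example; the listings below are constructed samples, not real keytool output.
"""
import re

# one entry line as keytool -list prints it: "alias, Oct 14, 2013, PrivateKeyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>.+?), "
                      r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$")
COUNT_RE = re.compile(r"^Your keystore contains (\d+) entr")   # "1 entry" / "3 entries"

def parse_keytool_list(text):
    """Return (declared_entry_count, {alias: entry_kind}) from keytool -list output."""
    count, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias")] = m.group("kind")
    return count, entries

def diagnose(listing, alias="s1as"):
    """Return (status, explanation); status is ok, empty, alias-missing or wrong-kind."""
    count, entries = parse_keytool_list(listing)
    if count == 0 or not entries:
        return "empty", "keystore holds no entries: the server key pair was never generated or was deleted"
    kind = entries.get(alias)
    if kind is None:
        keys = [a for a, k in entries.items() if k == "PrivateKeyEntry"] or ["none"]
        return "alias-missing", f"no entry named {alias!r}; private-key aliases present: {', '.join(keys)}"
    if kind != "PrivateKeyEntry":
        return "wrong-kind", f"{alias!r} is a {kind}; the issued certificate must be imported onto the key pair's alias"
    return "ok", f"{alias!r} is a PrivateKeyEntry and can serve the enabled suites"

# --- constructed sample listings (fingerprints are placeholders, not real values) ---
EMPTY_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries
"""

TRUST_ONLY_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Oct 14, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
intermed, Oct 14, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""

GOOD_LISTING = TRUST_ONLY_LISTING.replace("contains 2 entries", "contains 3 entries") + """\
s1as, Oct 14, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
"""

if __name__ == "__main__":
    for name, listing in (("empty", EMPTY_LISTING), ("trust-only", TRUST_ONLY_LISTING), ("good", GOOD_LISTING)):
        status, why = diagnose(listing)
        print(f"{name:10s} -> {status}: {why}")
```

Run it against real output by piping `keytool -list -keystore keystore.jks` into the script, or paste the listing into one of the constants. The "wrong-kind" case is the one that matches the commands posted earlier in this thread, which import the issued certificate under a fresh alias alongside the CA certificates rather than onto the alias of the key pair that produced the CSR.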
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
You should ensure that the keystore password matches the GlassFish master password (which is not the admin password).

Here is a tutorial on how to change the master password for GF 3.1

BILL Carlisle (APEX Developer, author) commented:
Yes, had already done this.. thanks.

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Did it fix the issue?

BILL Carlisle (APEX Developer, author) commented:
These are the actual commands I used to load certificates:

keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key

keytool -import -trustcacerts -alias intermed -file COMODOSSLCA.crt -keystore domain.key

keytool -import -alias STAR_dmba_com -keystore keystore.jks -trustcacerts -file STAR_mydomain_com.crt

BILL Carlisle (APEX Developer, author) commented:
How do I clear all these certificates from my keystore?

I just got 3 from Comodo definitely for GlassFish and was going to reload these..

C:\glassfish3\glassfish\domains\mydomain.com\config>keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias <root> already exists

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi again,

Something like this?

keytool -delete -alias root -keystore domain.key

BILL Carlisle (APEX Developer, author) commented:
keytool -list -v -keystore server.keystore
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

keytool -list -v -keystore domain.key
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

BILL Carlisle (APEX Developer, author) commented:
OK, what is the difference between domain.key, server.keystore and keystore.jks?

Patrick Bogers (Datacenter platform engineer, Lindows) commented:
C:\glassfish3\glassfish\domains\mydomain.com\config>keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias <root> already exists

This says the Java Key Store is populated.
While

keytool -list -v -keystore domain.key
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

Says it is not populated, something odd going on here. Any ideas yourself?

BILL Carlisle (APEX Developer, author) commented:
Yes, I used the delete and emptied all keystores.

Now, I shouldn't have loaded 2 to the domain.key keystore and one to keystore.jks???
Should I load all to the same keystore?

This webpage shows what I did, but the second webpage shows one with the same name:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1393
http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/

BILL Carlisle (APEX Developer, author) commented:
I am frustrated...

What is the cacerts.jks? Where does it come from?

BILL Carlisle (APEX Developer, author) commented:
Where does the cacerts.jks come from?
Aren't keystore.jks and cacerts.jks supposed to match something?

BILL Carlisle (APEX Developer, author) commented:
OK, went through the whole process with Comodo; everything is matching and everything installed successfully, BUT I still get

SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
ProtocolChain exception

BILL Carlisle (APEX Developer, author) commented:
Thank you for your help Patrick,
I ended up installing GlassFish with all the defaults as they are and then doing everything I learned from your posts as well as from Comodo, and it was a success.