Web Servers on Windows - Tomcat, no cipher suites in common, SSL, Cannot Get Verisign Certificate to Work.


Tony

2005-11-02, 8:47 pm

Howdy,

I'm running Tomcat 5.5.9, on a Windows 2003 server.

Tomcat is set up to run as a service, and uses my account to run
(BIGD\t_carbon). When I delete the .keystore file under C:\Documents
and Settings\t_carbon and create a new certificate using keytool -
everything works fine. I stop tomcat, delete the .keystore, create a
new certificate, restart Tomcat and it picks up the certificate every
time. https has no problems like this (https is running at 8443, http
is on 8080).

Anyway - I just got a new key from Verisign.

1. I shut down tomcat
2. I deleted the .keystore file (and the self-generated cert and moved
the Verisign cert into my home directory).
3. I downloaded the root certificate from Verisign at:
http://www.verisign.com/support/ins...termediate.html
4. I ran the following commands:


C:\Documents and Settings\t_carbon>keytool -import -alias root -keystore "C:\Documents and Settings\t_carbon\.keystore" -trustcacerts -file "C:\Documents and Settings\t_carbon\chain.cer"
Enter keystore password: changeit
Certificate was added to keystore

C:\Documents and Settings\t_carbon>keytool -import -alias tomcat -keystore "C:\Documents and Settings\t_carbon\.keystore" -trustcacerts -file "C:\Documents and Settings\t_carbon\cert.cer"
Enter keystore password: changeit
Certificate was added to keystore

5. Now I have the .keystore, my cert from Verisign (cert.cer) and the
root Verisign cert (chain.cer) all sitting in my home directory. I
restart tomcat.
6. My website is up - but when I try to use SSL, it fails. (I get
nothing) - in the log I see the following message:


javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:119)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:520)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
DEBUG http-8443-Processor24 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
    at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:453)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:343)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:119)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:520)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)

Any help or ideas would be gratefully appreciated.

Thanks,

TC

Tony

2005-11-03, 2:49 am

Howdy,

Problem solved.

Here's what I did not know.

The Keystore file (which I named .keystore) has to be the same Keystore
file you generated the CSR from, and that same file is the one you
install the certificate into.

Verisign revoked my old certificate and issued me a new one. Here are
the exact steps I took to make it work.

1. I stopped Tomcat
2. I deleted my .keystore file
3. I deleted all certs (the intermediate and my old one).
4. I then:

keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore -storepass changeit


5. I used the revoke/renew on Verisign's website to get a new cert (was
fast - took less than 30 minutes), using the certreq.csr file I
generated above. [NOTE: I made sure to leave the .keystore file alone.]
6. Next I took the cert and copied it down and then ran:

keytool -import -alias tomcat -keyalg RSA -keystore .keystore -trustcacerts -file cert.cer -storepass changeit


7. I started Tomcat

It all worked perfectly.

TC
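The two keystore states described in this thread (the first post, where the CA reply was imported into a freshly created keystore, and the second, where it was imported into the keystore the CSR came from) can be told apart before Tomcat is started. The following program is an added example and not part of the original posts or of Tomcat; the class name KeystoreCheck is made up, and it assumes a JKS keystore, an RSA key under the alias tomcat as used above, and a key password equal to the store password (Tomcat's default when no keypass is set on the connector).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// KeystoreCheck (hypothetical name, added example): inspect the keystore that
// Tomcat's HTTPS connector will read and report the problems seen in this
// thread before the connector is started.
//
//   java KeystoreCheck "C:\Documents and Settings\t_carbon\.keystore" changeit tomcat
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystore> <storepass> <alias>");
            System.exit(2);
        }
        String path = args[0];
        char[] storepass = args[1].toCharArray();
        String alias = args[2];

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storepass);
        }

        if (!ks.containsAlias(alias)) {
            fail("alias '" + alias + "' not present in " + path);
        }

        // First post: the Verisign reply was imported into a freshly created
        // keystore, so the alias became a trustedCertEntry with no private key
        // behind it. JSSE then has no server key to offer and rejects every
        // ClientHello with "no cipher suites in common".
        if (ks.isCertificateEntry(alias)) {
            fail("'" + alias + "' is a trustedCertEntry, not a PrivateKeyEntry: the CA reply was "
                 + "imported into a keystore that does not hold the key the CSR was generated from");
        }

        // Assumption: key password equals the store password.
        Key key = ks.getKey(alias, storepass);
        if (!(key instanceof RSAPrivateKey)) {
            fail("'" + alias + "' holds no RSA private key (this check only handles RSA, as used in the thread)");
        }

        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            fail("no certificate chain stored under '" + alias + "'");
        }

        // Second post: the installed certificate must carry the public key that
        // belongs to the private key the CSR was generated from. For RSA the
        // modulus is unique to the key pair, so comparing moduli settles it.
        X509Certificate leaf = (X509Certificate) chain[0];
        PublicKey leafKey = leaf.getPublicKey();
        if (!(leafKey instanceof RSAPublicKey)) {
            fail("certificate under '" + alias + "' does not carry an RSA public key");
        }
        BigInteger privMod = ((RSAPrivateKey) key).getModulus();
        BigInteger certMod = ((RSAPublicKey) leafKey).getModulus();
        if (!privMod.equals(certMod)) {
            fail("certificate for '" + alias + "' does not match the private key in the keystore "
                 + "(was the keystore regenerated after the CSR was sent?)");
        }

        // Walk the chain: every certificate must be inside its validity window and
        // be signed by the next one up. keytool can only attach the intermediate
        // and root to the entry if they were imported as trusted certs first (the
        // '-alias root ... -trustcacerts' step), so a chain that stops short of a
        // self-signed root usually means that import was skipped.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            c.checkValidity();                               // throws if expired or not yet valid
            if (i + 1 < chain.length) {
                c.verify(chain[i + 1].getPublicKey());       // throws on a bad signature
            }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            System.err.println("warning: chain ends at '" + top.getSubjectX500Principal()
                               + "', which is not self-signed; clients may fail to build a path");
        }

        System.out.println("OK: '" + alias + "' is a PrivateKeyEntry whose certificate matches its key; "
                           + "chain length " + chain.length + ", subject " + leaf.getSubjectX500Principal());
    }

    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

Run it against the keystore from the first post and it stops at the trustedCertEntry check; run it against the keystore from the second post and it reports OK with the chain length, which is the same information keytool -list -v prints as the entry type and chain, but reduced to a pass/fail that can be scripted into a restart procedure.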


Copyright 2003 - 2008 webservertalk.com