Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
Good afternoon,

I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57. Port 8443 is listening, selinux is disabled, and have tried it with 8443 enabled in firewall and with firewall off.

After receiving the .crt file from GoDaddy, ran the 4 keytool -import commands:

For the alias=root, I used gdroot-g2.crt (from repository)
For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
For the alias=cross, I used gdroot-g2_cross.crt (from repository)
For the alias=tomcat, I used the .crt (from GoDaddy)

I see all the entries when I did the keytool -list.

I made this change in server.xml:

I then shutdown tomcat; startup tomcat.

When I go to the URL in the browser with the port 8443, I get this:

Firefox: Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome: A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Thank you
Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.

That's an x509 certificate for SSL/TLS, using a SHA2-based signature algorithm, right?

Yes, it is a SHA-2 algorithm from GoDaddy.

> Port 8443 is listening, selinux is disabled, and have tried it with 8443 enabled in firewall and with firewall off.
>
> After receiving the .crt file from GoDaddy: ran the 4 keytool -import commands:
>
> For the alias=root, I used gdroot-g2.crt (from repository)
> For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
> For the alias=cross, I used gdroot-g2_cross.crt (from repository)
> For the alias=tomcat, I used the .crt (from GoDaddy)
>
> I see all the entries when I did the keytool -list

Good. Everything above looks good, except that you need to make sure that the certificates you imported were all the correct ones... these days, CAs tend to have a variety of intermediate certificates for various purposes: one for code-signing, one for European certificates and another for American ones, an old one with SHA1-based signature, new ones with SHA2-based signatures, etc.

Verifying the accuracy of the certificate chain should be a priority.

Checked the files from repository and checked with support that gdroot-g2.crt, gdig2.crt, gdroot-g2_cross.crt, and the alphanumeric.crt are accurate.

> I made this change in server.xml:
>
> scheme="https" secure="true" clientAuth="false"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> keystoreFile="path to .keystore file" keystorePass="keystore password" />
>
> I then shutdown tomcat; startup tomcat.
>
> When I go to the URL in the browser with the port 8443, I get this:
>
> Firefox: Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>
> Chrome: A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What version of Chrome are you using?
Firefox 33.1
Chrome Version 40.0.2214.111 m

I upgraded to Firefox 35 and got this when I put in the 8443 url:

Firefox cannot guarantee the safety of your data on because it uses SSLv3, a broken security protocol. Advanced info: ssl_error_no_cypher_overlap

Do you have access to an OpenSSL library? Can you run "openssl -debug -showcerts s_client -connect https://host:8443/" and post the (possibly sanitized) results?

When I ran this:

# openssl s_client -connect :8443

(-debug and -showcerts were giving me invalid commands) I received:

CONNECTED(0003)
error14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Thanks,
Nick

You could also grab and compile the source of this tool from the tomcat-dev archives and run it against your server:
http://markmail.org/thread/tz4z44nfjl7sy2lj

This will tell you what is and is not supported.
-chris
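Two checks a practitioner would run at the point this exchange reaches, as an added example that is not code from the thread, from Tomcat or from GoDaddy. It assumes the Tomcat 7 JSSE connector's default keyAlias of tomcat (Nick's server.xml fragment sets none) and that keytool and openssl are available on the RHEL box; the keytool listings and s_client transcripts embedded in the script are constructed samples in the shape those tools print, with placeholder fingerprints and names. The first check rules out the case where the server alias was created with keytool -import alone: that yields a trustedCertEntry with no private key, and a JSSE server with no key under its keyAlias cannot offer any cipher suite, which browsers report as "no cipher overlap" and s_client shows as "Cipher is (NONE)". The second check reads an s_client transcript (options belong after the subcommand: openssl s_client -connect host:8443 -showcerts) and separates that handshake failure from the different problem of an incomplete chain, which only becomes visible once a handshake completes.

```shell
#!/bin/sh
# Added diagnostic example; not code from the thread, Tomcat or GoDaddy.
# Two offline checks for the "no cipher overlap" / "sslv3 alert handshake
# failure" symptom on a Tomcat 7 JSSE connector, run on text you already have:
#   keytool -list -keystore /path/to/.keystore          (check 1)
#   openssl s_client -connect host:8443 -showcerts       (check 2; options go
#                                                        AFTER the subcommand)
# Listings and transcripts below are constructed samples in the shape those
# tools print; fingerprint lines for non-server aliases are elided.

# Check 1. `keytool -import` always creates a trustedCertEntry. That is right
# for the root/intermed/cross aliases, but the alias the connector uses
# (keyAlias, default "tomcat", assumed here) must be a PrivateKeyEntry: the
# key the CSR came from plus its chain. With no private key, JSSE can offer no
# cipher suite at all, and every client reports "no cipher overlap".
KEYTOOL_LIST_IMPORT_ONLY='root, Feb 6, 2015, trustedCertEntry,
intermed, Feb 6, 2015, trustedCertEntry,
cross, Feb 6, 2015, trustedCertEntry,
tomcat, Feb 6, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66'

# Same keystore after the server cert was issued for a key generated in it
# (keytool -genkeypair -alias tomcat, keytool -certreq, then keytool -import
# -alias tomcat of the issued cert, which keeps the entry a PrivateKeyEntry).
KEYTOOL_LIST_REKEYED='root, Feb 6, 2015, trustedCertEntry,
intermed, Feb 6, 2015, trustedCertEntry,
cross, Feb 6, 2015, trustedCertEntry,
tomcat, Feb 10, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77'

# keystore_entry_type LISTING ALIAS
#   Prints the entry type recorded for ALIAS. Entry lines look like
#   "alias, Mon D, YYYY, EntryType," so on a ", " split the type is field 4.
keystore_entry_type() {
  printf '%s\n' "$1" | awk -F', ' -v alias="$2" '
    $1 == alias { sub(/,$/, "", $4); print $4; exit }'
}

# server_alias_ok LISTING ALIAS: succeeds only if ALIAS holds a private key.
server_alias_ok() {
  [ "$(keystore_entry_type "$1" "$2")" = "PrivateKeyEntry" ]
}

# Check 2. Read the s_client transcript. Nick's run never got past the
# ServerHello, so the cipher line reads "Cipher is (NONE)". Once a handshake
# does complete, "Verify return code" says whether the chain the server sent
# is complete: 20/21 mean the client could not find or verify the issuer,
# i.e. the intermediate is missing from what Tomcat serves.
S_CLIENT_FAILED='CONNECTED(00000003)
140735141335904:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
---'

S_CLIENT_BAD_CHAIN='CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Verify return code: 21 (unable to verify the first certificate)
---'

S_CLIENT_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---'

# s_client_verdict TRANSCRIPT
#   handshake-failed  no cipher negotiated (the thread's symptom)
#   chain-incomplete  handshake fine, verify code 20/21 (missing intermediate)
#   ok                handshake fine and chain verified
#   verify-failed(N)  any other verify return code
s_client_verdict() {
  if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo handshake-failed
    return 0
  fi
  code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)     echo ok ;;
    20|21) echo chain-incomplete ;;
    *)     echo "verify-failed($code)" ;;
  esac
}

# Stand-alone run over the constructed samples.
for ks in "$KEYTOOL_LIST_IMPORT_ONLY" "$KEYTOOL_LIST_REKEYED"; do
  echo "keystore: tomcat alias is $(keystore_entry_type "$ks" tomcat)"
done
for t in "$S_CLIENT_FAILED" "$S_CLIENT_BAD_CHAIN" "$S_CLIENT_OK"; do
  echo "s_client: $(s_client_verdict "$t")"
done
```

On a real box, feed the functions the live output, e.g. `server_alias_ok "$(keytool -list -keystore .keystore -storepass "$PASS")" tomcat` and `s_client_verdict "$(openssl s_client -connect host:8443 -showcerts </dev/null 2>&1)"`. A handshake-failed verdict points at the keystore or connector, not at the chain files; a chain-incomplete verdict means the handshake works and the intermediate is what needs attention.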
Re: Problems with enabling SSL with GoDaddy cert with Tomcat 7.0.57
We just ended up re-keying this cert through GoDaddy with the same repository files and the new domain file and it worked as it should have. Thanks for all the replies.

--- Begin Message ---

On Mon, Feb 9, 2015 at 10:13 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sean,
>
> On 2/9/15 9:46 AM, Sean Dawson wrote:
> > We've had customers who have had issues with Java and GoDaddy certs.
> >
> > http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
> >
> > http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/
>
> Did you read the OP? He's already installed the GoDaddy cross-signed certificate.
>
> It's also not a Java client problem, since the client in this case is Google Chrome.

Oh ok sorry - I read it last week and forgot that it wasn't the same issue. Just wanted to help out anyone else that might have run into the GoDaddy/Java issue.

> -chris
>
> > On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > Nick,
> >
> > (The formatting was awful on the message and made it difficult to read. I've adjusted it to make it readable and reply-able).
> >
> > On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
> >>>> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
> >
> > That's an x509 certificate for SSL/TLS, using a SHA2-based signature algorithm, right?
> >
> >>>> Port 8443 is listening, selinux is disabled, and have tried it with 8443 enabled in firewall and with firewall off.
> >>>>
> >>>> After receiving the .crt file from GoDaddy: ran the 4 keytool -import commands:
> >>>>
> >>>> For the alias=root, I used gdroot-g2.crt (from repository)
> >>>> For the alias=intermed, I used gd_ig2.crt (from GoDaddy)
> >>>> For the alias=cross, I used gdroot-g2_cross.crt (from repository)
> >>>> For the alias=tomcat, I used the .crt (from GoDaddy)
> >>>>
> >>>> I see all the entries when I did the keytool -list
> >
> > Good. Everything above looks good, except that you need to make sure that the certificates you imported were all the correct ones... these days, CAs tend to have a variety of intermediate certificates for various purposes: one for code-signing, one for European certificates and another for American ones, an old one with SHA1-based signature, new ones with SHA2-based signatures, etc.
> >
> > Verifying the accuracy of the certificate chain should be a priority.
> >
> >>>> I made this change in server.xml:
> >>>>
> >>>> scheme="https" secure="true" clientAuth="false"
> >>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >>>> keystoreFile="path to .keystore file" keystorePass="keystore password" />
> >>>>
> >>>> I then shutdown tomcat; startup tomcat.
> >>>>
> >>>> When I go to the URL in the browser with the port 8443, I get this:
> >>>>
> >>>> Firefox: Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> >>>>
> >>>> Chrome: A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > What version of Chrome are you using?
> >
> > Do you have access to an OpenSSL library? Can you run "openssl -debug -showcerts s_client -connect https://host:8443/" and post the (possibly sanitized) results?
> >
> > You could also grab and compile the source of this tool from the tomcat-dev archives and run it against your server:
> > http://markmail.org/thread/tz4z44nfjl7sy2lj
> >
> > This will tell you what is and is not supported.
> >
> > -chris