Thanks Igor, I'll poke around based on your input.

________________________________________
From: Igor Cicimov <icici...@gmail.com>
Sent: Thursday, December 18, 2014 15:49
To: Tomcat Users List
Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2

On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival <bkosti...@universallumpers.com> wrote:

> Tomcat 6.0.x
> Windows Server 2008
> Running Java 7
> Home grown app written in STS
>
> Running HTTPS with SHA1 cert
> Obtained SHA2 cert from GoDaddy by sending CSR generated from original keystore. Removed existing aliases from original keystore and loaded new root and domain cert to keystore.
> Trying to run up the new cert gives me this error:
>
> SEVERE: Error starting endpoint
> java.io.IOException: jsse.invalid_ssl_conf
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
>         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
>         at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207)
>         at org.apache.catalina.connector.Connector.start(Connector.java:1196)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:540)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>
> I feel like I'm missing something basic in the keystore. Any ideas?
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Just guessing, but based on the cause given in the above error you probably have ciphers set in your connector using a 128 bit key, something like this:

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA"

In that case try to change that to match your new 256 bit key now. Of course take care of the proper cipher suite names for BIO/NIO or APR connector since they differ (the above example is for BIO/NIO connector).
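A check for the keystore side of the error quoted above, added here as an example and not code from this thread or from Tomcat: it reads the text of `keytool -list -v` (two constructed listings are embedded, and the alias name `tomcat` is an assumption) and reports entries that would leave JSSE without a private key to pair with any enabled cipher suite, a chain with no intermediate, or a leaf still signed with SHA-1.

```python
import re
# Constructed `keytool -list -v` output mimicking the thread's keystore: old aliases
# deleted and the new GoDaddy root and domain certs imported, so only trustedCertEntry
# entries remain and there is no private key left for any cipher suite to use.
BROKEN_LISTING = """\
Alias name: gdroot
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
*******************************************
Alias name: tomcat
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
*******************************************
"""
# Constructed listing of a working keystore: key pair kept, new chain imported under it.
GOOD_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Signature algorithm name: SHA256withRSA
Certificate[2]:
Signature algorithm name: SHA256withRSA
*******************************************
"""

def parse_entries(listing):
    """Map alias -> (entry type, list of signature algorithms, leaf cert first)."""
    entries = {}
    for block in re.split(r"^\*{10,}\s*$", listing, flags=re.M):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue
        etype = re.search(r"^Entry type: (\w+)$", block, re.M)
        sigs = re.findall(r"^Signature algorithm name: (\S+)$", block, re.M)
        entries[alias.group(1).strip()] = (etype.group(1) if etype else "unknown", sigs)
    return entries

def diagnose(listing, key_alias="tomcat"):
    """List keystore problems that leave JSSE with no key usable by any enabled suite.
    A missing alias (connector keyAlias not matching) is reported like a wrong entry type."""
    etype, sigs = parse_entries(listing).get(key_alias, ("missing", []))
    problems = []
    if etype != "PrivateKeyEntry":
        problems.append(f"'{key_alias}' is {etype}, not PrivateKeyEntry: no private key to serve")
    if len(sigs) < 2:
        problems.append("no intermediate in chain: import the CA bundle under the key alias")
    if sigs and not sigs[0].upper().startswith("SHA256"):
        problems.append(f"leaf signed with {sigs[0]}: SHA-2 certificate not installed")
    return problems
```

Run it against the real listing with `diagnose(open("listing.txt").read(), "<your keyAlias>")`; an empty list means the keystore itself is not what is starving the connector of a key.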