>>keytool -delete -alias tomcat -keystore tomcat.keystore >> >You deleted the key at this point. There should be no need to do this. > >Mark
Mark, I rekeyed my certificate from a newly created tomcat.keystore and imported in the root and immediate certificates, then I got this when I imported my certificate: keytool error: java.lang.Exception: Failed to establish chain from reply Jeff Sent from Windows Mail From: Mark Thomas Sent: Friday, August 7, 2015 1:40 PM To: Tomcat Users List On 7 August 2015 19:01:34 BST, jeffery.scott.cr...@gmail.com wrote: >I’ve been using Tomcat for about fours years. I’ve developed websites >and services that used certificates based upon SHA1. Today I purchased >a new certificate from GoDaddy based upon using “-sigalg >SHA256withRSA”. > > >So for this new service I executed the following commands in the >directory of the keystore: > > >keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg >SHA256withRSA -keystore tomcat.keystore >keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore >tomcat.keystore > > >sent the csr.txt to GoDadday and received the certificate files. > > >keytool -delete -alias tomcat -keystore tomcat.keystore You deleted the key at this point. There should be no need to do this. Mark > >keytool -import -alias root -keystore tomcat.keystore -trustcacerts >-file gd_bundle-g2-g1.crt >keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts >-file gdig2.crt >keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts >-file xxxxxxxxxxxxxx.crt > > >If I copy over the new tomcat.keystore with a backup of the original >everything works. > > >My Tomcat 8.0.23 on CentOS 6.5 is configure with three virtual hosts in >server.xml; the following is for the one with the GoDaddy certificate. >I’m doing them one-at-time. > > ><Server port="8005" shutdown="SHUTDOWN"> ><Listener className="org.apache.catalina.startup.VersionLoggerListener" >/> ><Listener className="org.apache.catalina.core.AprLifecycleListener" >SSLEngine="on" /> ><Listener >className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> ><Listener >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" >/> ><Listener >className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" >/> > > > > <Service name="System"> ><Connector port="8080" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" >connectionTimeout="20000" redirectPort="8443" /> ><Connector port="8443" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" >SSLEnabled="true" maxThreads="150" scheme="https" secure="true" >keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore" >keystorePass="xxxxxxxxxxxxxxxxxxx" clientAuth="false" sslProtocol="TLS" >/> > <Engine name="System" defaultHost="xxxxxxxx.com"> ><Host name="xxxxxxxx.com" appBase="webapps/xxxxxxxx.com" >unpackWARs="true" autoDeploy="true" > > <Alias>www.xxxxxxxx.com</Alias> ><Valve className="org.apache.catalina.valves.AccessLogValve" >directory="logs" prefix="xxxxxxxx.com" suffix=".log" pattern="common" >/> > </Host> > </Engine> > </Service> > > > > >…. > > > ></Server> > > > > >Each service is on a different IP address and I’ve been redirecting 80 >to 8080 and 443 to 8443. This has been working fine until I replaced >the key. > > >This is from the catalina.out file: > > >07-Aug-2015 12:43:02.493 SEVERE [main] >org.apache.coyote.AbstractProtocol.init Failed to initialize end point >associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"] > java.io.IOException: Alias name tomcat does not identify a key entry >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599) >at >org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537) > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358) >at >org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737) > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457) >at >org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120) >at >org.apache.catalina.connector.Connector.initInternal(Connector.java:960) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > at org.apache.catalina.startup.Catalina.load(Catalina.java:576) > at org.apache.catalina.startup.Catalina.load(Catalina.java:599) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484) > > > >07-Aug-2015 12:43:02.496 SEVERE [main] >org.apache.catalina.core.StandardService.initInternal Failed to >initialize connector [Connector[HTTP/1.1-8443]] >org.apache.catalina.LifecycleException: Failed to initialize component >[Connector[HTTP/1.1-8443]] > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) >at >org.apache.catalina.core.StandardService.initInternal(StandardService.java:567) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) >at >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > at org.apache.catalina.startup.Catalina.load(Catalina.java:576) > at org.apache.catalina.startup.Catalina.load(Catalina.java:599) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > >Then I used keytool to verify that the alias is in the tomcat.keystore. >The following is a list from the keystore: > > > >#keytool -list -v -keystore tomcat.keystore -alias tomcat > > >Enter keystore password: >Alias name: tomcat >Creation date: Aug 7, 2015 >Entry type: trustedCertEntry > > > >Owner: CN=xxxxxxxx.com, OU=Domain Control Validated >Issuer: CN=Go Daddy Secure Certificate Authority - G2, >OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", >L=Scottsdale, ST=Arizona, C=US >Serial number: xxxxxxxxxxxxxxxxxx >Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT >2016 >Certificate fingerprints: > MD5: A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59 > SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C >SHA256: >E4:10:1E:40:7D:84:32:A5:23:EE:83:47:95:D0:30:49:7C:9B:0E:5E:E4:6E:67:80:1E:6E:01:7F:D5:25:45:33 > Signature algorithm name: SHA256withRSA > Version: 3 > > > >Extensions: > > > >#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false >AuthorityInfoAccess [ > [ > accessMethod: ocsp > accessLocation: URIName: http://ocsp.godaddy.com/ >, > accessMethod: caIssuers >accessLocation: URIName: >http://certificates.godaddy.com/repository/gdig2.crt >] >] > > > >#2: ObjectId: 2.5.29.35 Criticality=false >AuthorityKeyIdentifier [ >KeyIdentifier [ >0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 >@..'..4.0.3..l.. >0010: B4 2C 80 CE .,.. >] >] > > > >#3: ObjectId: 2.5.29.19 Criticality=true >BasicConstraints:[ > CA:false > PathLen: undefined >] > > > >#4: ObjectId: 2.5.29.31 Criticality=false >CRLDistributionPoints [ > [DistributionPoint: > [URIName: http://crl.godaddy.com/gdig2s1-105.crl] >]] > > > >#5: ObjectId: 2.5.29.32 Criticality=false >CertificatePolicies [ > [CertificatePolicyId: [x.xx.xxx.x.xxxxxx.x.x.xx.x] >[PolicyQualifierInfo: [ > qualifierID: 1.3.6.1.5.5.7.2.1 >qualifier: 0000: 16 2B 68 74 74 70 3A 2F 2F 63 65 72 74 69 66 69 >.+http://certifi >0010: 63 61 74 65 73 2E 67 6F 64 61 64 64 79 2E 63 6F >cates.godaddy.co >0020: 6D 2F 72 65 70 6F 73 69 74 6F 72 79 2F m/repository/ > > > >]] ] >] > > > >#6: ObjectId: 2.5.29.37 Criticality=false >ExtendedKeyUsages [ > serverAuth > clientAuth >] > > > >#7: ObjectId: 2.5.29.15 Criticality=true >KeyUsage [ > DigitalSignature > Key_Encipherment >] > > > >#8: ObjectId: 2.5.29.17 Criticality=false >SubjectAlternativeName [ > DNSName: xxxxxxxx.com > DNSName: www.xxxxxxxx.com >] > > > >#9: ObjectId: 2.5.29.14 Criticality=false >SubjectKeyIdentifier [ >KeyIdentifier [ >0000: 3B 7C A9 5C 32 FE F5 92 DB D1 C4 A6 F1 70 09 57 >;..\2........p.W >0010: C7 5A 97 88 .Z.. >] >] > > >I would be grateful for any assistance. > > >Jeff Crump > > > > > >Sent from Windows Mail --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
