We've had customers who have had issues with Java and GoDaddy certs.

http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java

http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/


On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Nick,
>
> (The formatting was awful on the message and made it difficult to
> read. I've adjusted it to make it readable and reply-able).
>
> On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
> > I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.
>
> That's an x509 certificate for SSL/TLS, using a SHA2-based signature
> algorithm, right?
>
> > Port 8443 is listening, selinux is disabled, and have tried it
> > with 8443 enabled in firewall and with firewall off.
> >
> > After receiving the .crt file from GoDaddy: ran the 4 keytool
> > -import commands:
> >
> > For the alias=root, I used gdroot-g2.crt(from repository) For the
> > alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> > alias=cross, I used gdroot-g2_cross.crt(from repository) For the
> > alias= tomcat, I used the <the alphanumeric>.crt(from GoDaddy)
> >
> > I see all the entries when I did the keytool -list
>
> Good. Everything above looks good, except that you need to make sure
> that the certificates you imported were all the correct ones... these
> days, CAs tend to have a variety of intermediate certificates for
> various purposes: one for code-signing, one for European certificates
> and another for American ones, an old one with SHA1-based signature,
> new ones with SHA2-based signatures, etc.
>
> Verifying the accuracy of the certificate chain should be a priority.
>
> > I made this change in server.xml:
> >
> > <Connector port="8443" maxThreads="200" SSLEnabled="true"
> > scheme="https" secure="true" clientAuth="false"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="path to
> > .keystore file" keystorePass="keystore password" />
> >
> > I then shutdown tomcat; startup tomcat.
> >
> > When I go to the URL in the browser with the port 8443, I get
> > this: Firefox: Cannot communicate securely with peer: no common
> > encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> >
> > Chrome: A secure connection cannot be established because this
> > site uses an unsupported protocol. Error code:
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>
> What version of Chrome are you using?
>
> Do you have access to an OpenSSL library? Can you run "openssl s_client
> -debug -showcerts -connect host:8443" and post the (possibly sanitized)
> results?
>
> You could also grab and compile the source of this tool from the
> tomcat-dev archives and run it against your server:
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> This will tell you what is and is not supported.
>
> -chris
>
>
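The chain-verification step Chris asks for above, as an added example that is not part of the original thread or of Tomcat itself. It builds a throwaway root, two intermediates and a server leaf with openssl (all names and subjects are constructed for the example), then runs the checks you would run on a CA-issued chain before the keytool imports: does the leaf chain to the root through the intermediate you were given, does it fail through a different intermediate from the same root (the "wrong intermediate" case), and is every link SHA-2 signed.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway
# root -> intermediate -> leaf chain with openssl, then run the checks
# you would run on a CA-issued chain before importing it with keytool.
# File names, subjects and the second intermediate are constructed here.
set -eu

WORK=${WORK:-$(mktemp -d)}

# issue_cert NAME CN ISSUER IS_CA
#   ISSUER is the NAME of the signing cert, or "" for a self-signed cert.
#   IS_CA=1 marks the cert as a CA (what a root or intermediate needs);
#   anything else issues a server leaf with a DNS SAN for CN.
issue_cert() {
  name=$1 cn=$2 issuer=$3 is_ca=$4
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
    -out "$WORK/$name.csr" 2>/dev/null
  if [ "$is_ca" = 1 ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/$name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
      "$cn" > "$WORK/$name.ext"
  fi
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -sha256 -days 30 -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -sha256 -days 30 -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# build_chain: one root, the server's real intermediate, a second
# intermediate from the same root (stands in for the other intermediates
# a CA publishes, e.g. a code-signing one), and the leaf signed by the
# real intermediate.
build_chain() {
  issue_cert root     "Constructed Root CA G2"           ""       1
  issue_cert intermed "Constructed Secure Server CA G2"  root     1
  issue_cert codesign "Constructed Code Signing CA G2"   root     1
  issue_cert server   "tomcat.example.test"              intermed 0
}

# verify_chain ROOT INTERMEDIATE LEAF -> exit 0 only if LEAF chains to
# ROOT through INTERMEDIATE. Run this before keytool -import.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# sig_alg CERT -> signature algorithm name, e.g. sha256WithRSAEncryption,
# to confirm every link is SHA-2 signed rather than an old SHA-1 one.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

build_chain
for c in root intermed server; do
  echo "$c: $(sig_alg "$WORK/$c.crt")"
done
if verify_chain "$WORK/root.crt" "$WORK/intermed.crt" "$WORK/server.crt"; then
  echo "server.crt chains to root via intermed.crt: OK"
fi
if ! verify_chain "$WORK/root.crt" "$WORK/codesign.crt" "$WORK/server.crt"; then
  echo "server.crt does NOT chain via codesign.crt (wrong intermediate)"
fi
```

With a real CA-issued certificate, substitute the CA's published root and the intermediate they sent you for root.crt and intermed.crt; if verify_chain fails there, fix the chain before touching the keystore, because Java will not tell you which link is wrong.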
