Munzer,
On 2019-08-07 09:19, Peter Kreuser wrote:
Hi Munzer,
I guess we're going a slightly awkward way here, but to fix your
problem with the new cert in the first place, you could use this:
If your keystore is the old proprietary format, convert it to PKCS12:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass <password> -destkeypass <password>
Then extract the key using openssl:
openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
After that recombine it with the new cert.
I've found this here: https://security.stackexchange.com/a/66865
There has to be an easier way, but as your keystore is causing
troubles, I'm not really able to troubleshoot that.
Now I've replayed your commands and self-signed the CSR with my CA. I see
the same behaviour on tomcat10.keystore!
BUUUUT! If I replace tomcat14.keystore in the first two commands with
tomcat10.keystore the generated cert is imported as a PrivateKeyEntry.
:-)
Well, IF you did it like you sent in the first mail, you imported the CA
and the intermediate certificate into a different (unused?) keystore!!!
Could you please double-check?
Peter
BTW: did you get warnings on the console that the JKS-keystore format is
a proprietary format and should be converted to pkcs12?
After all, you may have to reread on cert handling with keytool vs.
openssl.
I prefer the openssl way ;-).
Peter
Peter Kreuser
On 06.08.2019 at 19:50, Munzer Khatib <smk_01_2...@yahoo.com.invalid> wrote:
Hi Peter
I don't have the private key file. That is created when I create the
keystore. I don't know if it can be extracted.
Munzer
On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser
<l...@kreuser.name> wrote:
Hi,
On 06.08.2019 at 02:42, Munzer Khatib <smk_01_2...@yahoo.com.invalid> wrote:
Hi
Can you help me with this problem?
Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
I am trying to install a new SSL certificate into Apache Tomcat
8.0.36. I ran the same steps that ran successfully in 2013 and 2016 on Tomcat
7. Nothing changed other than moving the virtual machine from the old
server to new hardware this year. Windows Server 2008 is still the
same operating system.
I created a keystore and extracted a CSR, generated a certificate using
GoDaddy for an Apache server and imported it into the server. I keep getting
SSL handshake errors and I think it is because the certificate
entry type is "trustedCertEntry" and not "PrivateKeyEntry".
Here are the steps I used to create the keystore and import
certificate to it.
1) Generate a keystore
cd C:\Program Files\Java\jre7\bin
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
2) Create a CSR
keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
4) Install root, intermediate and user certificate
keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
I've not found a keytool command for that. I use openssl to convert
the PEM to pkcs12/keystore format.
Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore
Peter
I am not sure why but it seems the new one is not linking all
certificates into the private key.
I tried many different imports and it would never import the server
certificate as a "PrivateKeyEntry" like the one running now.
C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
I also tried creating a PEM text file with all certificates and
importing that into the private key alias tomcat, but it only imported the
domain certificate as a "trustedCertEntry".
My server.xml connector config is like this:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" compression="on" URIEncoding="UTF-8"
           compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="password"
           keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
</Service></Server>
I tried many different options for the keytool command.
I followed the Tomcat 8 documentation and the GoDaddy list for installing the
certificate.
When I try to access it using a browser I get this error:
This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in
Advanced settings and try connecting to https://psscr.xyz.c
When I use openssl I get a handshake failure:
$ openssl s_client -connect 10.60.xx.xx:443
CONNECTED(00000003)
140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564789174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Thanks,
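A small diagnostic, added here as an example and not written by anyone in the thread: it parses `keytool -list` output (a constructed sample modelled on the listing above, with placeholder fingerprints) and reports why a JSSE connector pointed at that keystore would have no server key. The alias name, the findings wording and the helper names are mine.

```python
import re

# Constructed sample in the format printed by `keytool -list -keystore tomcat10.keystore`
# on Java 7/8; the three entry types mirror the thread, the fingerprints are placeholders.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

# One entry header per line: "<alias>, <Mon d, yyyy>, <entryType>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>[A-Za-z]{3} \d{1,2}, \d{4}), (?P<etype>\w+Entry),?$")


def parse_keytool_list(listing):
    """Map alias -> entry type from keytool -list output (fingerprint lines are skipped)."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["alias"]] = m["etype"]
    return entries


def diagnose(entries, key_alias="tomcat"):
    """Explain why Tomcat would find no server key in this keystore, which is what
    produces the 'handshake failure' / 'no peer certificate available' symptom."""
    findings = []
    etype = entries.get(key_alias)
    if etype is None:
        findings.append(f"alias {key_alias!r} is missing from the keystore")
    elif etype != "PrivateKeyEntry":
        findings.append(
            f"alias {key_alias!r} is a {etype}: the signed certificate was stored as a "
            "bare trusted cert instead of being attached to the key pair from -genkey "
            "(check that -genkey, -certreq and -import used the same -keystore and -alias)")
    if "PrivateKeyEntry" not in entries.values():
        findings.append("no PrivateKeyEntry at all: this keystore cannot serve TLS")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_keytool_list(SAMPLE_LISTING)):
        print("finding:", finding)
```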