I have created a certificate with OpenSSL
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
keytool -import -trustcacerts -alias server.key -file server.crt -keystore
and placed keystore.jks into ${catalina.home}/lib/
server.xml
<Connector port="9002"
maxHttpHeaderSize="8192"
maxPostSize="4194304"
maxThreads="150"
protocol="org.apache.coyote.http11.Http11Protocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol = "TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="${catalina.home}/lib/keystore.jks"
keystorePass="123456"
On Chrome it gives following error:
This site can’t provide a secure connection
13.236.191.242 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
curl -Iv https://11.231.191.212:9001/
Trying 11.231.191.212...
TCP_NODELAY set
Connected to 11.231.191.212 (11.231.191.212) port 9001 (#0)
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 1/3)
schannel: checking server certificate revocation
schannel: using IP address, SNI is not supported by OS.
schannel: sending initial handshake data: sending 156 bytes...
schannel: sent initial handshake data: sent 156 bytes
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 2/3)
schannel: failed to receive handshake, need more data
The problem was that I was creating a Self-signed certificate with OpenSSL. But when I generated the certificate from java Keystore then it works perfectly.
keytool.exe -genkey -alias tomcat -keyalg RSA -keystore c:\tomcatkeys
The reason was OpenSSL and keystore produce certificate in different file formats. You see the difference from the link below.
https://security.stackexchange.com/questions/98282/difference-between-openssl-and-keytool
Related
I need to make my website SSL configured. I have the following files with me:
file.csr and
file.jks
and I need the following files to SSL enable my website:
file.crt and
file.key and
keystore
I have searched through the internet but found no help regarding. Can anyone tell me how I can get these files using the files I already have?
I have tried multiple options for conversion but nothing worked.
<Connector port="8442" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/conf/keys/server/keystore"
keystorePass="CHANGEME"/>
Following are the commands I performed to get the desire result
Convert mobiliser.jks file to keystore.p12:
keytool -importkeystore -srckeystore mobiliser.jks -destkeystore keystore.p12 -deststoretype PKCS12
Convert keystorep.12 file to keystore:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Create key:
C:\openssl-0.9.8k_X64\bin\openssl pkcs12 -in keystore.p12 -nocerts -nodes -out mobiliser.key
Create certificate:
C:\openssl-0.9.8k_X64\bin\openssl pkcs12 -in keystore.p12 -nokeys -out mobiliser.crt
My web application and Web Services are running in the same tomcat container. If I am not using HTTPS, everything is working fine.
When I am running the web application and web services both on HTTPS, I am getting SSLHandshakeException when web application is trying to call webservices.
CASE 1
I have created a local self-signed certificate file using below command
%JAVA_HOME%\bin\keytool -genkeypair -alias test1 -keyalg RSA -keystore c:/apps/test1.crt
A certificate file named test1.crt has been created in folder C:\apps.
Now, I want to import this certificate in the Java keystore, with the below command
%JAVA_HOME%\bin\keytool -import -alias test1 -file c:/apps/test1.crt-keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
I am getting below error -
Key tool error: java.lang.Exception: The entry is not an X.509 certificate
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am not getting any error at server startup. When I call webservices from the application, I am getting SSLHandshakeException
CASE 2
I have added a local self signed certificate in the Java keystore, with below command
%JAVA_HOME%/bin/keytool -genkeypair -alias test2 -keyalg RSA -validity 1000 -keysize 2048 -keystore %JAVA_HOME%/jre/lib/security/cacerts
A certificate has been added, which I have verfied with below command
JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
Now, I have exported a certificate file from the Java keystore, with below command
%JAVA_HOME%/bin/keytool -export -alias test2 -keystore %JAVA_HOME%/jre/lib/security/cacerts -rfc -file C:/apps/test2.crt
A certificate file named test2.crt has been created in folder C:\apps.
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am getting the below error
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Invalid keystore format
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1044)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:160)
Although server started and I am able to use my application. But when I am trying to call web services, I am getting
Here is the log of SSLHandshakeException
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error: (org.apache.axis.AxisFault) --> [; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I think for Tomcat the keystoreFile is "%JAVA_HOME%/jre/lib/security/cacerts" and rather you don't have to indicate any keystore becouse you added a keypair to the jre common keystore but it's exactly incorrect to use "C:/apps/test2.crt".
Also try to add the server certificate to the truststore file:
JAVA_HOME%\bin\keytool -import -v -trustcacerts -alias test2 -file C:/apps/test2.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass changeit -storepass changeit
One of our clients purchased wild card SSL certificates (*.example.com)
from GoDaddy and he simply downloaded without giving CSR data. We have 3 files in that zip file. Those are fce4f111a61ea3f4.crt, gd_bundle-g2-g1.crt and gdig2.crt.pem.
I searched so many articles regarding this but everyone is saying first take the CSR data from your server and past it in the GoDaddy for getting SSL certificates.
In my case we didn't provide CSR data to GoDaddy, which means I don't have the keystore file.
Now, I tried to install certificates without keystore to my server. For that I used the below commands with no success:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file fce4f111a61ea3f4.crt
keytool -import -alias interm -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
I'm assuming you already have keystore maintained as per your statements above. Take a backup of your keystore first in order to avoid any mishap.
Apart from the files you have, you should also has Private Key of your generated certificate.
Now follow the steps as ordered.
Delete any existing entries from keystore file first.
keytool -delete -alias tomcat -keystore domain.jks
You may also view any other existing entries by keytool -list -keystore domain.jks delete them as well.
Now export the certificate and private key into PKCS12 file
openssl pkcs12 -export -in fce4f111a61ea3f4.crt -inkey private.key -out cert_and_key.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root
If you receive similar to following error
unable to load private key
139995851216720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
It means your private.key isn't in proper format, you need to change encoding to ASCII text run following command to convert your private key
# You can do a dry run before manipulating the actual file
tail -c +4 private.key | file -
# Change encoding
tail -c +4 private.key > private.key
Import PKCS12 file into JKS keystore:
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore domain.jks
Now import root certificate into JKS keystore (with root alias)
keytool -import -trustcacerts -alias root -file $certdir/gd_bundle-g2-g1.crt -noprompt -keystore domain.jks
Add following in server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/keysore/domain.jks" keystorePass="xxxxxx"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" />
Don't forget to replace xxxxxx with your JKS keystore password and keystoreFile parameter
Done. Now restart your Tomcat server and listen to your log file
sudo service tomcat7 restart
sudo tail -f /var/log/tomcat7/catalina.out
Note: replace domain.jks with your actual keystore file.
Following the info here and other places, this worked for me on TC9 on windows:
Make sure path has a Java Home:
set PATH=%PATH%;C:\Program Files\Java\jre1.8.0_281\bin
Create keystore:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore mydomain.jks
Extract .csr:
keytool -certreq -alias server -file C:\pathtoit\csr.txt -keystore mydomain.jks
Give csr.txt to godaddy and obtain the certificate
Import the bundle and the .crt file:
keytool -import -trustcacerts -alias intermediate -file gd_bundle-g2-g1.crt -keystore mydomain.jks
keytool -import -alias server -keystore mydomain.jks -trustcacerts -file 24234234.crt
Note: use Keystore Explorer if you want to see what's happening.
Then in server.xml:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="C:\pathtoit\mydomain.jks" keystorePass="xxxx" />
Since my site ssl cert was expired I've renewed it and added new cert to keystore, but after that I am getting 502 when called the site url. Below you can see nginx config and tomcat configs for ssl.
Error I am getting in nginx error log is
SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://53.10.10.10:8443/favicon.ico", host: "app.somewhere.com", referrer: "https://app.somewhere.com/board/index.jsp"
server nginx version: nginx/1.12.1
nginx config
server {
listen 443;
server_name app.somewhere.com;
root /usr/share/tomcat8/webapps;
ssl on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
proxy_ssl_server_name on;
location / {
proxy_read_timeout 120s;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://app.somewhere.com:8443;
}
}
tomcat server.xml
<Connector port="8443"
maxThreads="100"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
protocol="org.apache.coyote.http11.Http11NioProtocol"
keystorePass="mypass"
clientAuth="false"
sslProtocol="TLS"
proxyPort="443"/>
Found the issue, the certificate was imported to the wrong key-store. So I've created new key-store using certificate and private-key that I had using following commands.
create new keystore
openssl pkcs12 -export -in cert.crt -inkey private-key.key -certfile cert.crt -name "tomcat" -out keystore.p12
convert keystore to jks format
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Then set the keystore.jks path in tomcat server.xml
I have created a certificate in my system using this command:
keytool -export -file test.cert -keystore test -storepass 123456 -alias sriram
Ans: Certificate stored in file <test.cert>.
I have imported this certificate in cacerts of new system using the command :
keytool -importcert -trustcacerts -file "path-to-public-cert" -keystore JAVA_HOME/jre/lib/security/cacerts".
The output is something like this:Trust this certificate? [no]: yes Certificate was added to keystore.
But still I am getting the link error when I run my jar file in new system...Where I went wrong??
Try to read the Apache Tomcat SSL Configuration How-To.
In Edit the Tomcat Configuration File paragraph it explain that you can had the keystoreFile attribute to the connector configuration.
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>