user2446136
Reputation: 33
Tomcat SSL Cert Renewal Issue (SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure)
Attemping to renew a certificate that expired earlier this month and I can't seem to get it to work.
- Apache Tomcat 7.0.34
- Centos
- Java 1.7.0_65
- (Root Cert) I've tried Both gdroot-g2_cross.crt (Java Root) And gdroot-g2.crt seperately and neither worked
- (intermed Cert) gdig2.crt
- (tomcat Cert) The one I was given by GoDaddy
- All newly SHA2
- Instructions Used
Step by step what I have done
- Generate CSR using the already existing keystore via :
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore - Submit the new CSR to GoDaddy
- Receive Certificates from GoDaddy
- Unzip them to my desired directory
- Delete the old certificates from the keystore via :
keytool -delete -alias root -keystore tomcat.keystore(This was done with intermed and tomcat as well) - Add the new certificates to the keystore via:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file newrootfile.crt(Again I did this with intermed and tomcat) - Check the
server.xml(It is still pointed to the right keystore because I reused one) - Restart Tomcat
- No errors in catalina.out, no errors when importing certs.
- Attempt to bring up page gets Secure Connection Failed: FireFox(SSL_Error_no_cypher_overlap), Chrome (ERR_SSL_Version_Or_Cypher_Mismatch)
- Spend the last five days trying different things
- Creating new keystore instead of using old one
-No errors again, but instead of Secure Connection Failed I get Unable to connect - Using different root certs from the GoDaddy Repository
- Creating new keystore instead of using old one
- Found out how to use openssl to check a connection
(Server is a virtual machine that has saved states so when I break it I can go back to when it was working) With old SHA1 (expired):
$ openssl s_client -connect myhost:443
CONNECTED(00000003)
---
Certificate chain
...
...
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
.....
.....
----
No client certificate CA names sent
----
SSL handshake has read 4586 bytes and written 461 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
server public key is 2048 bit
....
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
....
Verify return code: 10 (certificate has expired)
---
closed
With new SHA2:
$ openssl s_client -connect myhost:443
CONNECTED(00000003)
140219291584328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741
---
no peer certificate available
--
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation is NOT supported
Compression: NONE
Expansion: NONE
server.xml
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.security.SecurityListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" "SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="path/to/users" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="200" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" keystoreFile="path/to/keystore"
keystorePass="mykeystorepass" compression="on" />
Everything was previously set up by a developer before I began work here years ago, so I assume that he set up the server.xml correctly because it has been working for the past two years.
Any thoughts on how to rectify this?
Upvotes: 1
Views: 2362
Answers (1)
user2446136
Reputation: 33
Oh my god I feel a fool, I thought when creating the keystore when it asks for a password for tomcat it wanted my tomcat manager password, nope just keep it the same as your keystore.
Also, gdroot-g2.crt is the correct crt needed for the root alias, you can get it from their repository.
Go daddy gives you a bundle for some reason.
Man such a stupid mistake.
Upvotes: 1
Related Questions
- Tomcat server AND HTTP Client accepting expired self-signed certificate
- Tomcat 8 ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- SSL fatal error, handshake failure 40
- How renew ssl certificate on Tomcat?
- SSLHandshakeException with valid certificate on Tomcat server
- nginx and tomcat ssl issue - SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
- Java SSL handshake error - Tomcat keystore
- "SSL23_GET_SERVER_HELLO:unknown protocol" After server upgrade
- ssl tomcat certificate error
- tomcat ssl client handshake java error