CODEWITHSUNDEEP
javatomcatsslnginxnginx-reverse-proxy
Manoj Prasanna
Manoj Prasanna

Reputation: 99

nginx and tomcat ssl issue - SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Since my site ssl cert was expired I've renewed it and added new cert to keystore, but after that I am getting 502 when called the site url. Below you can see nginx config and tomcat configs for ssl.

Error I am getting in nginx error log is

SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://53.10.10.10:8443/favicon.ico", host: "app.somewhere.com", referrer: "https://app.somewhere.com/board/index.jsp"

server nginx version: nginx/1.12.1

nginx config 

server {
  listen 443;
  server_name     app.somewhere.com;
  root            /usr/share/tomcat8/webapps;
  ssl on;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;  
  ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
  ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
  ssl_dhparam /etc/nginx/certs/dhparam.pem;
  proxy_ssl_server_name on;
  location / {
        proxy_read_timeout 120s;        
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://app.somewhere.com:8443;
  }
}

tomcat server.xml

<Connector port="8443"
                maxThreads="100"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                keystorePass="mypass"
                clientAuth="false"
                sslProtocol="TLS"
                proxyPort="443"/>

Upvotes: 1

Views: 1393

Answers (1)

Manoj Prasanna
Manoj Prasanna

Reputation: 99

Found the issue, the certificate was imported to the wrong key-store. So I've created new key-store using certificate and private-key that I had using following commands.

create new keystore

openssl pkcs12 -export -in cert.crt -inkey private-key.key -certfile cert.crt -name "tomcat" -out keystore.p12

convert keystore to jks format

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Then set the keystore.jks path in tomcat server.xml

Upvotes: 2

Related Questions