SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled

Joe Hansen-2
Hey all,

Apache 2.0/Tomcat 5.5/mod_jk installed on RedHat Enterprise Linux ES 4.0.

Our web server has been up and running smoothly for more than 2 years
now. This morning I noticed that the websites were down. When I
checked the logs, I found the following message:
java.io.FileNotFoundException: The file /root/.keystore is not available

Sure enough, the /root/.keystore file was missing. I have no clue how
that file got deleted in the first place. So, I created the keystore file
using the following commands:
Added the certificate chain file to the keystore (when prompted for
the password, I entered 'changeit'):
$JAVA_HOME/bin/keytool -import -alias root -trustcacerts -file /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt

Added the certificate file to the keystore (when prompted for the
password, I entered 'changeit'):
$JAVA_HOME/bin/keytool -import -alias tomcat -trustcacerts -file /etc/httpd/conf/ssl.crt/_joesdomain.com.crt

The above two commands created the /root/.keystore file. I then added
the keystoreFile and keystorePass attributes to Tomcat's server.xml
file's connector element as follows:

       <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/root/.keystore"
               keystorePass="changeit" />

Now, when I restart the web server, the websites seem to be working
fine, but the Tomcat logs are inundated with the following error
message:
2009 Oct 02 / 15:18:29 ERROR -
[org.apache.tomcat.util.net.PoolTcpEndpoint] : Endpoint [SSL:
ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored
exception: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate or key
corresponds to the SSL cipher suites which are enabled.


Can a Tomcat/SSL guru please guide me in solving this issue?

Thank you!
Joe

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled

Joe Hansen-2
I think I just solved my issue. I followed the instructions on GoDaddy
to get this done.

To install the GoDaddy Certificates:

Create a keystore file:
openssl pkcs12 -export -chain \
    -CAfile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt \
    -in /etc/httpd/conf/ssl.crt/_.joesdomain.com.crt \
    -inkey /etc/httpd/conf/ssl.key/joesdomain.key \
    -out /etc/httpd/conf/ssl.crt/keystore.tomcat \
    -name tomcat -passout pass:changeit

To list the certificates in the keystore file:
$JAVA_HOME/bin/keytool -list -v -storetype pkcs12 -keystore /etc/httpd/conf/ssl.crt/keystore.tomcat

/* server.xml */
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
        port="8443" minProcessors="5" maxProcessors="75"
        enableLookups="true" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="/etc/httpd/conf/ssl.crt/keystore.tomcat"
        keystorePass="changeit"
        keystoreType="PKCS12" />


-Joe


On Fri, Oct 2, 2009 at 4:17 PM, Joe Hansen <[hidden email]> wrote:

> Hey all,
>
> Apache 2.0/Tomcat 5.5/mod_jk installed on RedHat Enterprise Linux ES 4.0.
>
> Our web server has been up and running smoothly for more than 2 years
> now. This morning I noticed that the websites were down. When I
> checked the logs, I found the following message:
> java.io.FileNotFoundException: The file /root/.keystore is not available
>
> Sure enough, the /root/.keystore file was missing. I have no clue how
> that file got deleted in the first place. So, I created the keystore file
> using the following commands:
> Added the certificate chain file to the keystore (when prompted for
> the password, I entered 'changeit'):
> $JAVA_HOME/bin/keytool -import -alias root -trustcacerts -file /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
>
> Added the certificate file to the keystore (when prompted for the
> password, I entered 'changeit'):
> $JAVA_HOME/bin/keytool -import -alias tomcat -trustcacerts -file /etc/httpd/conf/ssl.crt/_joesdomain.com.crt
>
> The above two commands created the /root/.keystore file. I then added
> the keystoreFile and keystorePass attributes to Tomcat's server.xml
> file's connector element as follows:
>
>       <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
>               port="8443" minProcessors="5" maxProcessors="75"
>               enableLookups="true" disableUploadTimeout="true"
>               acceptCount="100" debug="0" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS"
>               keystoreFile="/root/.keystore"
>               keystorePass="changeit" />
>
> Now, when I restart the web server, the websites seem to be working
> fine, but the Tomcat logs are inundated with the following error
> message:
> 2009 Oct 02 / 15:18:29 ERROR -
> [org.apache.tomcat.util.net.PoolTcpEndpoint] : Endpoint [SSL:
> ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored
> exception: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: No available certificate or key
> corresponds to the SSL cipher suites which are enabled.
>
>
> Can a Tomcat/SSL guru please guide me in solving this issue?
>
> Thank you!
> Joe
>

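As an added diagnostic (not code from the original thread), this Python script parses `keytool -list -v` output and reports why a keystore like the one in the first post cannot serve TLS: `keytool -import` stores only trusted certificates, so there is no PrivateKeyEntry for the alias the connector uses (assumed here to be `tomcat`, Tomcat's default keyAlias), while the PKCS12 file from the second post, built with `openssl pkcs12 -export -chain`, holds the key and the chain. The two listings embedded below are constructed to mirror those two keystores.

```python
import re
# Constructed samples shaped like `keytool -list -v` output, not taken from the post.
# First: the failed attempt; `keytool -import` creates only trustedCertEntry entries.
CERT_ONLY_LISTING = """\
Keystore type: JKS
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA
Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=*.joesdomain.com
"""

# Second: the working PKCS12 built with `openssl pkcs12 -export -chain`, whose server
# alias is a PrivateKeyEntry carrying leaf plus intermediate.
PKCS12_LISTING = """\
Keystore type: PKCS12
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.joesdomain.com
Certificate[2]:
Owner: CN=Example Intermediate CA
"""

def parse_listing(listing):
    """Map each alias in keytool -list -v text to its entry type and chain length."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", listing):
        alias = re.match(r"Alias name: (.+)", block)
        if not alias:
            continue  # keystore header lines before the first entry
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        entries[alias.group(1).strip()] = {"type": etype.group(1) if etype else "unknown",
                                           "chain": int(chain.group(1)) if chain else 0}
    return entries

def check_server_alias(listing, alias="tomcat"):
    """Return the problems that leave the connector with no usable server key."""
    entry = parse_listing(listing).get(alias)
    if entry is None:
        return [f"no entry named '{alias}' in keystore"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"'{alias}' is a {entry['type']}, not a PrivateKeyEntry: no private key to serve with"]
    if entry["chain"] < 2:
        return [f"'{alias}' has chain length {entry['chain']}: intermediate CA not bundled"]
    return []
```

Run it against the real `keytool -list -v` output of a keystore before restarting Tomcat; an empty result means the server alias has a private key and the intermediate is bundled, which is the condition the openssl command in the second post satisfies and the keytool -import attempt in the first post did not.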