
I am facing an issue setting up an SSL certificate for Tomcat. I will explain below the steps I followed.

  1. I have purchased a wildcard SSL certificate from GoDaddy. My domain is hosted on 123reg.co.uk, so I generated a CSR following this guide.
  2. GoDaddy asked me to verify my domain by adding a TXT record in my DNS settings. I added a DNS entry with `@` and the value they provided.
  3. I got the SSL certificate files from GoDaddy, ref link:
    • gd_bundle-g2-g1.crt (root certificate)
    • gdig2.crt.pem (intermediate certificate)
    • a20b537a8b66f79f.crt (my site certificate)
  4. I have set up the SSL certificate in Tomcat following this guide. I executed the following commands:
    • `keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt`
    • `keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem`
    • `keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file a20b537a8b66f79f.crt`
  5. Updated server.xml by adding this section, ref link:
    • `<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/home/dds/dont_remove_ssl/tomcat.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>`
  6. I verified the certificate import with the command `keytool -list -keystore /home/dds/dont_remove_ssl/tomcat.keystore`, and here is the output:
    • root, Nov 9, 2017, trustedCertEntry, Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
    • tomcat, Nov 9, 2017, trustedCertEntry, Certificate fingerprint (SHA1): D1:1B:39:38:53:40:AE:DC:7B:06:FC:A2:72:9F:3C:60:68:0B:BB:D5. This seems to be the problem, as this entry must be of type PrivateKeyEntry, which is not the case.
    • intermed, Nov 9, 2017, trustedCertEntry, Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
  7. Updated my app's web.xml to enable SSL on my application:

    • `<security-constraint> <web-resource-collection> <web-resource-name>DDS</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>`

But this configuration is not working. I am getting the error `ssl_error_no_cypher_overlap`.

The following Stack Overflow posts are relevant to the issue I am facing, but the solution mentioned in them, removing the `-trustcacerts` flag, does not solve my problem:

  1. Import certificate as PrivateKeyEntry
  2. Fix Error code: ssl_error_no_cypher_overlap on Tomcat 8
M. Atif Riaz
  • @EJP This is not a duplicate, as I mentioned in the post. The solution mentioned in the other post does not solve my problem. – M. Atif Riaz Nov 21 '17 at 10:25
  • They provided you with your private key, which is already a security breach, and you did nothing with it, which is futile. I strongly recommend you follow the steps in the JSSE Reference Guide rather than this nonsense. – user207421 Nov 21 '17 at 11:08
  • How can I use the private key they have provided me? Can you please explain in detail? Also please provide the URL for this JSSE Reference Guide you are mentioning and explain how it is relevant. – M. Atif Riaz Nov 21 '17 at 14:59
  • Google will find it. You *shouldn't* use the private key they provided you, as it isn't private. They know it. That's my point. – user207421 Nov 21 '17 at 19:46
  • This is the [link](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html) for the JSSE Reference Guide, but I cannot see how it is relevant. I know you are trying hard to explain, but I still didn't get what you are saying regarding the private key. It will be very helpful if you give a detailed answer to my question. – M. Atif Riaz Nov 22 '17 at 07:16

1 Answer

You must import your certificate into the same keystore you generated the CSR from, using the same alias as when you created the original keypair and CSR.

user207421
  • As I mentioned, I generated the CSR using the [online form](https://www.123-reg.co.uk/support/answers/using-the-123-reg-csr-generation-tool-4113/) of 123reg.co.uk, so I don't have an existing keystore with the same alias. Do you suggest repeating the whole process and [rekeying](https://pk.godaddy.com/help/rekey-certificate-4976) my SSL certificate? – M. Atif Riaz Nov 21 '17 at 10:24
  • Do you think rekeying my SSL certificate can solve the issue, as I mentioned in my last comment? – M. Atif Riaz Nov 22 '17 at 07:16