
spring boot https with valid cert get ERR_SSL_VERSION_OR_CIPHER_MISMATCH, self signed works fine

I am running Spring Boot 1.4.0.RELEASE.

I got a valid cert from my IT dept.

I generated a Tomcat keystore.jks file using the IT_cert.cer

keytool -keystore tomcat-keystore.jks -storepass password -import -alias "tomcat" -file it_issued_cert.cer

Configured my application.yml to turn on SSL

server:
  context-path: /uaa
  port: 9999
  ssl:
    enabled: true
    key-store: classpath:tomcat-keystore.jks
    key-store-password: password
    key-password: password
    enabled-protocols: TLSv1.2 # make sure only to use the latest TLS version

The algorithm used to sign the cert is

Signature algorithm name: SHA256withRSA

When I run the spring-boot app, it starts up and finds my cert.

When I use Chrome on my HTTPS port, there's no longer an "untrusted" warning from the browser.

But now there's an ERR_SSL_VERSION_OR_CIPHER_MISMATCH from Chrome, and IE11 claims I may be using RC4 encryption...

I've tried specifying non-safe protocols lower than TLSv1.2 and taking the defaults, but they all result in the same error.

I am sure the latest Chrome/IE11 has TLSv1.2, so I am baffled by the error from the browser.

Also, if I use a self-signed cert, everything works, but I get the security warning about trusting self-signed certs.

My conclusion is it's the way I configure my cert that causes this error, or could it be the signature algorithm from my IT dept?

Near dupe: Java SSLHandshakeException: no cipher suites in common

An HTTPS server needs both a PRIVATE KEY AND matching certificate, and depending on how the certificate is issued the server may also need a 'chain' or 'intermediate' cert (and occasionally more than one). You imported only a certificate and that is not enough.

First look at your file it_issued_cert.cer to see if it is in PEM format: does it contain all readable characters grouped into lines, with at least one block starting with a line
-----BEGIN sometype_in_caps-----
then some lines consisting entirely of letters, numbers, plus sign + and slash / and maybe equals = at the end, and finally a line
-----END same_type----- ?

If PEM and there are at least two blocks where one has type [RSA|DSA|EC|ENCRYPTED] PRIVATE KEY and the other(s) has(have) type [X.509|maybesomethingelse] CERTIFICATE, you can use OpenSSL to convert to PKCS12 and then keytool to convert to JKS. First check if any 'chain' or 'intermediate' cert(s) is required: if the file already contains multiple certs and wasn't prepared by a complete doofus, those multiple certs form the required chain; just proceed. If the file contains only one cert, use openssl x509 -in $file -noout -subject -issuer to make sure the subject is your server and look at the issuer; if the issuer is a CA trusted in your environment (like 'My Company CA') just proceed. Otherwise, ask IT what if any chain cert(s) are needed, get them in PEM format, and add them to the file. Then do:

openssl pkcs12 -export -in $file -out new.p12 -friendlyname alias_you_want

(edit) Java since 8u60 (in 2015 -- even before I wrote the original answer) accepts a PKCS12 keystore by default, and earlier versions could do so if configured. For earlier versions that want JKS, then do (spelling corrected, as commented by aszahran):

keytool -importkeystore -srckeystore new.p12 -srcstoretype pkcs12 -destkeystore new.jks 
# on Java versions that need JKS, it is the default type
# but can specify -deststoretype jks if you want

If file is PEM but there is only one block with type CERTIFICATE, or if the file is not PEM at all, this cert must have been issued in response to a CSR (Certificate Signing Request) from somebody:

If you gave them the CSR, give details (edit your question) of how and where you generated the CSR. That is where the private key was, and you will need to either use that key, make a copy of it, or convert (and copy) it, depending on what you did.

If you did not give them the CSR, ask them where they got it. If they generated the key and CSR themselves, ask them for the key in PEM format. If they got the CSR from someone else, ask that someone else for the key in PEM format. Once you get it, add it to the file, and return to the case above. If they insist on giving you something other than PEM format, give details.

If no one has the private key for this certificate, the certificate cannot be used. Discard it and start over.
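The PEM inspection the answer walks through (is the file PEM at all, does it hold a private key block as well as certificate block(s)), plus the openssl/keytool conversion for the key-and-certificate case and a keystore check that explains the asker's symptom, as an added shell example that is not part of the question or the answer. It assumes POSIX sh with grep and awk; openssl and keytool are called only from convert_to_keystore and keystore_has_private_key, and the fixtures it writes are constructed fake bodies, not real keys or certificates. It uses openssl's -name option for the friendly name rather than the answer's -friendlyname.

```shell
#!/bin/sh
# Added example (not code from the question or answer). Classifies a file the
# way the answer describes and runs the answer's PEM -> PKCS12 -> JKS conversion
# when the file holds both a private key and a certificate.

# Count the PEM blocks whose type matches the ERE in $2 (e.g. 'CERTIFICATE').
count_blocks() {
    grep -c -E "^-----BEGIN ($2)-----\$" "$1" || true   # grep -c exits 1 on zero matches
}

# Print one word describing the file:
#   NOT_PEM       no BEGIN/END pairs, or a body line outside the base64 alphabet
#   KEY_AND_CERT  at least one private key block and one certificate block
#   CERT_ONLY     certificate block(s) but no private key (find who made the CSR)
#   KEY_ONLY      private key but no certificate
#   PEM_OTHER     PEM blocks of some other type
classify_pem() {
    file="$1"
    begins=$(grep -c '^-----BEGIN .*-----$' "$file" || true)
    ends=$(grep -c '^-----END .*-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo NOT_PEM
        return 0
    fi
    # Every line between BEGIN and END must be base64: letters, digits, + / and =.
    if ! awk '
        /^-----BEGIN .*-----$/ { inblk = 1; next }
        /^-----END .*-----$/   { inblk = 0; next }
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        END { exit bad ? 1 : 0 }' "$file"; then
        echo NOT_PEM
        return 0
    fi
    keys=$(count_blocks "$file" '(RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY')
    certs=$(count_blocks "$file" '(X\.509 |TRUSTED )?CERTIFICATE')
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo KEY_AND_CERT
    elif [ "$certs" -gt 0 ]; then echo CERT_ONLY
    elif [ "$keys" -gt 0 ]; then echo KEY_ONLY
    else echo PEM_OTHER
    fi
}

# The answer's conversion for the KEY_AND_CERT case.
# $1 pem file, $2 alias, $3 output basename, $4 keystore password.
convert_to_keystore() {
    [ "$(classify_pem "$1")" = KEY_AND_CERT ] || { echo "refusing: $1 is not key+cert PEM" >&2; return 1; }
    command -v openssl >/dev/null && command -v keytool >/dev/null || { echo "openssl and keytool required" >&2; return 2; }
    openssl pkcs12 -export -in "$1" -out "$3.p12" -name "$2" -passout "pass:$4" &&
    keytool -importkeystore -srckeystore "$3.p12" -srcstoretype pkcs12 -srcstorepass "$4" \
            -destkeystore "$3.jks" -deststorepass "$4"
}

# Why the asker's keystore failed: 'keytool -import -file cert' creates a
# trustedCertEntry, not a PrivateKeyEntry, so Tomcat has no key to serve with.
# Returns 0 only if the keystore lists at least one PrivateKeyEntry.
keystore_has_private_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

# Constructed fixtures: fake base64 bodies, not real keys or certificates.
make_samples() {
    dir="$1"; mkdir -p "$dir"
    b64='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo'
    { echo '-----BEGIN RSA PRIVATE KEY-----'; echo "$b64"; echo '-----END RSA PRIVATE KEY-----'
      echo '-----BEGIN CERTIFICATE-----';     echo "$b64"; echo '-----END CERTIFICATE-----'; } > "$dir/key_and_cert.pem"
    { echo '-----BEGIN CERTIFICATE-----'; echo "$b64"; echo '-----END CERTIFICATE-----'; } > "$dir/cert_only.pem"
    # DER-style binary blob (starts with 0x30 0x82), i.e. "not PEM at all".
    printf '0\202\001\005not base64 at all\n' > "$dir/der.cer"
    # Looks like PEM but a body line carries a character outside the alphabet.
    { echo '-----BEGIN CERTIFICATE-----'; echo 'MIIB*broken'; echo '-----END CERTIFICATE-----'; } > "$dir/corrupt.pem"
}

# Demo run over the fixtures; prints e.g. "key_and_cert.pem: KEY_AND_CERT".
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_pem "$f")"
done
```

Run it against the real it_issued_cert.cer with `classify_pem it_issued_cert.cer`; CERT_ONLY or NOT_PEM means the answer's second branch applies and a private key has to be located before any keystore can serve TLS.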
