
Tomcat godaddy ssl certificate private keys error

I have purchased an SSL certificate from GoDaddy and am having some trouble configuring it to run with Tomcat. In particular I get the following error message:

java.security.KeyStoreException: Cannot store non-PrivateKeys

GoDaddy gives 3 files for the certificate, and I have attempted to add these to the keystore as follows:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <random hex string>.crt

which I found here: http://www.calamitycoder.com/WebSiteNotes/goDaddySHA2SSL.php

I have configured Tomcat's server.xml as:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
       keystoreFile="${user.home}/tomcat.keystore" keystorePass="password"
       clientAuth="false" sslProtocol="TLS" />

The Tomcat version is 8.5.20.

Any help would be greatly appreciated. Not sure if this is the Tomcat version, as I have not found much regarding this error after many hours of searching. Thanks!

Update:

I deleted the current keys:

sudo keytool -delete -alias root -keystore tomcat.keystore
sudo keytool -delete -alias intermed -keystore tomcat.keystore
sudo keytool -delete -alias tomcat -keystore tomcat.keystore

and added the keys as recommended in the comments:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -file <random hex string>.crt

but unfortunately find the same error:

Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)

I will continue to play around with this; any additional ideas are most welcome. Thank you!

Additional Research:

Godaddy Cert

CentOS 7.3.1611

Only Change - Tomcat 8.5.20 upgraded from 8.5.3

conf/server.xml

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="tomcat.keystore" keystorePass="secret"
       clientAuth="false" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
       sslProtocol="TLSv1.2" />

Works in Tomcat 8.5.3, but in 8.5.20:

org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)

Change it to use the certificate files directly, and also add the key file to the configuration.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/*.key"
                     certificateFile="conf/<random hex string>.crt"
                     certificateChainFile="conf/gd_bundle-g2-g1.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Since 8.5.20 I have had the same error message with my certificates, and I had to explicitly set the alias with

<Connector keyAlias="tomcat" .... >

in the connector. Before I added the alias Tomcat tried to use the included CA certificate and failed.
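An added example (shell; not code from the question or from either answer) that covers both fixes above: for the PEM route it checks that the private key really belongs to the leaf certificate before the files are handed to `<Certificate>`, and for the keystore route it builds a store that holds a PrivateKeyEntry under a known alias, which is the entry keyAlias has to point at. It also builds the kind of store the question's `keytool -import` commands produce, trusted certificates only, to show that such a store contains no private key at all. Assumptions: openssl is on PATH; keytool is used only if it is installed; server.key, server.crt and gd_bundle.crt are placeholders for the key generated with your CSR, the `<random hex string>.crt` leaf and gd_bundle-g2-g1.crt; everything produced by make_test_material is constructed throwaway test material, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH; keytool
# is optional. File names are placeholders for the key generated with your CSR,
# the <hex>.crt leaf certificate and gd_bundle-g2-g1.crt from GoDaddy.
set -eu

# key_matches_cert KEY CERT: succeed only if KEY is the private key behind CERT.
# Compares the derived public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# make_keystore KEY CERT CHAIN OUT ALIAS PASS: bundle key, leaf and chain into one
# PKCS12 PrivateKeyEntry named ALIAS. The PBE/MAC options keep the file readable
# by older JDK 8 releases, which do not understand newer OpenSSL defaults.
make_keystore() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name "$5" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$6" -out "$4"
}

# make_certs_only_store CERT CHAIN OUT PASS: the equivalent of repeated
# `keytool -import -file x.crt` with no key pair behind the alias: trusted
# certificates only. Tomcat has no private key to serve TLS from such a store.
make_certs_only_store() {
    openssl pkcs12 -export -nokeys -in "$1" -certfile "$2" -passout "pass:$4" -out "$3"
}

# count_private_keys STORE PASS: print how many private keys a PKCS12 file holds.
count_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# keystore_has_key_entry STORE PASS ALIAS: the same check as keytool reports it;
# a usable alias is listed as PrivateKeyEntry, not trustedCertEntry.
keystore_has_key_entry() {
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# make_test_material DIR: constructed stand-ins for the GoDaddy files (a throwaway
# CA signing a throwaway server certificate). Not real certificates.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
        -keyout "$1/ca.key" -out "$1/gd_bundle.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/gd_bundle.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" >/dev/null 2>&1
}

# demo: build both stores from test material and print
# "<private keys in correct store> <private keys in certs-only store>", i.e. "1 0".
demo() {
    d=$(mktemp -d)
    make_test_material "$d"
    key_matches_cert "$d/server.key" "$d/server.crt" || { echo "key/cert mismatch" >&2; return 1; }
    if key_matches_cert "$d/ca.key" "$d/server.crt"; then echo "unexpected match" >&2; return 1; fi
    make_keystore "$d/server.key" "$d/server.crt" "$d/gd_bundle.crt" "$d/tomcat.p12" tomcat changeit
    make_certs_only_store "$d/server.crt" "$d/gd_bundle.crt" "$d/certs-only.p12" changeit
    if command -v keytool >/dev/null 2>&1; then
        if keystore_has_key_entry "$d/tomcat.p12" changeit tomcat; then
            echo "keytool: alias tomcat is a PrivateKeyEntry" >&2
        else
            echo "keytool: alias tomcat is NOT a PrivateKeyEntry" >&2
        fi
    fi
    echo "$(count_private_keys "$d/tomcat.p12" changeit) $(count_private_keys "$d/certs-only.p12" changeit)"
    rm -rf "$d"
}

demo
```

Point the connector at the resulting file with `keystoreFile="conf/tomcat.p12" keystoreType="PKCS12" keystorePass="..." keyAlias="tomcat"` (the alias given to `-name`), or convert it to JKS first with `keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore`; either way `keytool -list` must show the alias as PrivateKeyEntry before Tomcat is restarted. The `-keypbe`/`-certpbe`/`-macalg` options are only there for older JDK 8 releases; on a current JDK they can be dropped.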

Content licensed under CC BY-SA 4.0. © 2020-2024 STACKOOM.COM