I have purchased an ssl certificate from godaddy and am having some trouble configuring it to run with Tomcat. In particular I get the following error message :
java.security.KeyStoreException: Cannot store non-PrivateKeys
Godaddy gives 3 files for the certificate, and I have attempted to add these to the keystore as follows :
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <random hex string>.crt
which I found here : http://www.calamitycoder.com/WebSiteNotes/goDaddySHA2SSL.php
I have configured Tomcat's server.xml as :
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="${user.home}/tomcat.keystore" keystorePass="password"
clientAuth="false" sslProtocol="TLS">
`
The Tomcat version is 8.5.20.
Any help would be greatly appreciated. Not sure if this is the Tomcat version as I have not found much regarding this error after many hours of searching. Thanks !
Update :
I deleted the current keys :
sudo keytool -delete -alias root -keystore tomcat.keystore
sudo keytool -delete -alias intermed -keystore tomcat.keystore
sudo keytool -delete -alias tomcat -keystore tomcat.keystore
and added the keys as recommended in the comments :
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -file <random hex string>.crt
but unfortunately find the same error :
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
I will continue to play around with this, any additional ideas are most welcome. Thank you !
Additional Research:
Godaddy Cert
CentOS 7.3.1611
Only Change - Tomcat 8.5.20 upgraded from 8.5.3
conf/server.xml
Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="tomcat.keystore" keystorePass="secret"
clientAuth="false" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
sslProtocol="TLSv1.2"
Works in Tomcat 8.5.3 But in 8.5.20
org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
Change it to direct using of certificate files. And also add key file to the configuration.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/*.key"
certificateFile="conf/<random hex string>.crt"
certificateChainFile="conf/gd_bundle-g2-g1.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
Since 8.5.20 I had the same error message with my certificates and I had to explicitly set the alias with
<Connector keyAlias="tomcat" .... >
in the connector. Before I added the alias Tomcat tried to use the included CA certificate and failed.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.