
[Tomcat-users] Error: No available certificate or key corresponds to the SSL cipher suites which are enabled.

Jeanna Geier
Sep 9, 2006 at 2:13 pm
Hi All-

I'm running into an odd problem and am hoping that someone out there can help me!

I'm trying to configure and run SSL; I am able to create, startup and run everything when I am using a self-signed certificate. (Yeah!)

However, when I attempt to use a trial certificate from thawte (which is where we want to get to), I am getting an error. Here's what I've done (http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html):

- created a local Certificate: >keytool -genkey -alias tomcat -keyalg RSA

I didn't get a 'chain certificate' with my free trial, so for the next step, I imported the certificate I got from Thawte:

- keytool -import -alias root -keystore C:\Documents and Settings\HP_Administrator\.keystore -trustcacerts -file C:\thawte_ca_cert.cert

Then I imported the new certificate under my tomcat user:

- keytool -import -alias tomcat -keystore C:\Documents and Settings\HP_Administrator\.keystore -trustcacerts -file C:\thawte_ca_cert.cert


According to the directions, that should be it; however, when I go to start Tomcat, I get the following error:

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:368)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:549)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:595)
Sep 8, 2006 1:34:04 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket
Sep 8, 2006 1:34:04 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

When I search/google on this, it says that one cause could be "different passwords has been used for the certificate and the Keystore. In this case, use the Keytool to change the password of the certificate to match the password of the Keystore." - but that's not the case.

Please, any help you can offer would be greatly appreciated. Thanks!
-Jeanna

5 responses

  • Bill Barker at Sep 10, 2006 at 9:55 pm
    I don't know if it's just copy/paste errors, but from what you've written,
    you've imported the ca cert twice, and into a different keystore file than
    you used to generate the key.

    What does > keytool -list say?

    "Jeanna Geier" <jgeier@apt-cafm.com> wrote in message
    news:007001c6d378$7214f470$6700a8c0@geier...
    ---------------------------------------------------------------------
    To start a new topic, e-mail: users@tomcat.apache.org
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Jeanna Geier at Sep 11, 2006 at 1:58 pm
    Hi Bill- Thanks for replying.
    keytool -list says:
    C:\Program Files\Java\jdk1.5.0_06\bin>keytool -list -keystore "C:\Documents and Settings\HP_Administrator\.keystore
    Enter keystore password: changeit

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    root, Sep 11, 2006, trustedCertEntry,
    Certificate fingerprint (MD5):
    A1:53:42:0F:F5:CB:A3:E2:40:D6:06:89:62:64:3E:55
    tomcat, Sep 11, 2006, trustedCertEntry,
    Certificate fingerprint (MD5):
    A1:53:42:0F:F5:CB:A3:E2:40:D6:06:89:62:64:3E:55

    C:\Program Files\Java\jdk1.5.0_06\bin>

    I have the same certificate imported under the 'root' and 'tomcat' alias; is
    that a problem?

    And I'm positive I'm using the same keystore file that I used to generate
    the key.

    Thanks for replying and your help!! This Security issue has been giving me
    problems for over a week now!
    -Jeanna

    ----- Original Message -----
    From: "Bill Barker" <wbarker@wilshire.com>
    To: <users@tomcat.apache.org>
    Sent: Sunday, September 10, 2006 4:54 PM
    Subject: Re: Error: No available certificate or key corresponds to the SSL
    cipher suites which are enabled.

    I don't know if it's just copy/paste errors, but from what you've written,
    you've imported the ca cert twice, and into a different keystore file than
    you used to generate the key.

    What does > keytool -list say?

  • Pulkit Singhal at Sep 13, 2006 at 1:47 am
    Could you please paste the <Connector...> piece out of your server.xml where
    you configure the use of the certificate here? It will help me understand
    what you are trying to do and what's actually happening a little better.
  • Jeanna Geier at Sep 13, 2006 at 9:24 pm
    Thanks for the reply!

    <Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" />

    I didn't specify the "keyStore" parameter in here because I only have one
    keystore at C:\Documents and Settings\HP_Administrator\.keystore... or do I
    explicitly need to do that? I read somewhere that I didn't.

    I also have the following in my
    C:\jakarta-tomcat-5.0.28\webapps\slide\WEB-INF\web.xml file to enable SSL:

    <user-data-constraint>
    <description>Constrain the entire application to force use of
    HTTPS</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

    Thanks,
    -Jeanna


    ----- Original Message -----
    From: "Pulkit Singhal" <pulkitsinghal@gmail.com>
    To: "Tomcat Users List" <users@tomcat.apache.org>
    Sent: Tuesday, September 12, 2006 8:46 PM
    Subject: Re: Error: No available certificate or key corresponds to the SSL
    cipher suites which are enabled.

    Could you please paste the <Connector...> piece out of your server.xml
    where
    you configure the use of the certificate here? It will help me understand
    what you are trying to do and what's actually happening a little better.

  • Pulkit Singhal at Sep 13, 2006 at 9:39 pm
    > I didn't specify the "keyStore" parameter in here
    > because I only have one keystore at
    > C:\Documents and Settings\HP_Administrator\.keystore
    > or do I explicitly need to do that? I read somewhere that I didn't.

    Personally, I cannot even begin to imagine how Tomcat would know where to
    find the keystore on a Windows machine, so one thing I would suggest (until
    you get it all working) is to be as explicit as possible and provide the
    keystore location in the connector and the password for it as well.

    > I have the same certificate imported under the 'root' and 'tomcat' alias;
    > is that a problem?

    I have no idea why you felt or thought that you needed to have the same
    certificate listed twice in your keystore. It's not really a question of
    whether or not it's a problem...it's more a question of me wanting to know the
    motivation for you doing this at all.

    The point here is to configure a "connector" so that when someone uses https,
    you can serve up a certificate that you got signed by some CA that is
    trusted (the CA cert is trusted by the user's browser) by most users'
    browsers and is embedded (the CA's cert is embedded in the user browser) in
    them. Since the user's browser trusts the CA's cert to sign other
    certs...that means they should/will trust the certificate that you happen to be
    serving....Right?

    So as long as you tell the connector what keystore to look in, what the
    password for that keystore is, and what alias to use as a handle to pull the
    certificate (that needs to be served) out of that keystore....you should be
    good to go.

    Feel free to tell me otherwise or let me know of any issues you face.

    Cheers!
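The two checks Bill and Pulkit ask for in this thread (what does `keytool -list` say, and what does the `<Connector>` tell Tomcat to use) can be done mechanically. The script below is an added example, not code from the thread or from the Tomcat project: it parses the `keytool -list` output and the `<Connector>` element exactly as Jeanna posted them (embedded here as constructed sample strings), reports that the keystore holds only `trustedCertEntry` entries and no key pair, that the same certificate sits under two aliases, and that the connector relies on Tomcat's built-in defaults for the keystore path, password and alias. It goes a little beyond the thread in that it also accepts the `PrivateKeyEntry` wording that newer `keytool` versions print, and includes a second constructed listing showing what a usable keystore looks like. `keystoreFile` and `keystorePass` are the attribute names documented in the SSL how-to the thread links to; `keyAlias` is assumed here and should be checked against the configuration reference for the Tomcat version in use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Connector> element posted in the thread, verbatim.
CONNECTOR_XML = """<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" />"""

# Constructed sample: the `keytool -list` output posted in the thread (JDK 1.5
# wording, with the fingerprint value wrapped onto its own line as in the post).
BROKEN_LIST = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Sep 11, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
A1:53:42:0F:F5:CB:A3:E2:40:D6:06:89:62:64:3E:55
tomcat, Sep 11, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
A1:53:42:0F:F5:CB:A3:E2:40:D6:06:89:62:64:3E:55
"""

# Constructed sample of a usable keystore: the CA under 'root' and the server's
# own key pair under 'tomcat' (JDK 6+ prints a key pair as PrivateKeyEntry).
HEALTHY_LIST = """Your keystore contains 2 entries

root, Sep 11, 2006, trustedCertEntry,
Certificate fingerprint (MD5): A1:53:42:0F:F5:CB:A3:E2:40:D6:06:89:62:64:3E:55
tomcat, Sep 11, 2006, PrivateKeyEntry,
Certificate fingerprint (MD5): 0B:7C:11:2D:9E:40:55:A6:C3:81:F2:6D:E4:19:3A:7B
"""

# "alias, date, entryType," lines; the date itself contains a comma.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<type>\w+Entry),?\s*$")
# Fingerprint either on the label line or wrapped onto the next line.
FP_RE = re.compile(r"^(?:Certificate fingerprint \(\w+\):\s*)?"
                   r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$")
KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}  # JDK 1.5 vs JDK 6+ names


def parse_keytool_list(text):
    """Turn `keytool -list` output into [{alias, type, fingerprint}], one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"alias": m["alias"].strip(), "type": m["type"], "fingerprint": None})
            continue
        m = FP_RE.match(line)
        if m and entries:
            entries[-1]["fingerprint"] = m["fp"].upper()
    return entries


def connector_settings(xml_text):
    """Read the keystore-related attributes from a <Connector> element (keyAlias assumed)."""
    el = ET.fromstring(xml_text)
    return {k: el.get(k) for k in ("keystoreFile", "keystorePass", "keyAlias")}


def diagnose(xml_text, keytool_text):
    """Cross-check the connector against the keystore listing; return a list of findings."""
    findings = []
    conn = connector_settings(xml_text)
    for attr in ("keystoreFile", "keystorePass", "keyAlias"):
        if conn[attr] is None:
            findings.append(f"connector: {attr} not set, Tomcat will use its built-in default")
    entries = parse_keytool_list(keytool_text)
    key_entries = {e["alias"]: e for e in entries if e["type"] in KEY_ENTRY_TYPES}
    if not key_entries:
        # This is the state in the thread: two trusted certs, no private key, so the
        # JSSE key manager has nothing to offer for any cipher suite.
        findings.append("keystore: no key entry, only trusted certificates; there is no "
                        "private key to serve, which is what the 'No available certificate "
                        "or key' SSLException reports")
    elif conn["keyAlias"] and conn["keyAlias"] not in key_entries:
        findings.append(f"keystore: keyAlias '{conn['keyAlias']}' is not a key entry")
    seen = {}
    for e in entries:
        fp = e["fingerprint"]
        if fp in seen:
            findings.append(f"keystore: '{e['alias']}' and '{seen[fp]}' hold the same certificate")
        elif fp:
            seen[fp] = e["alias"]
    return findings


if __name__ == "__main__":
    for name, listing in (("posted keystore", BROKEN_LIST), ("healthy keystore", HEALTHY_LIST)):
        print(f"== {name} ==")
        for finding in diagnose(CONNECTOR_XML, listing):
            print(" -", finding)
```

On the posted keystore the script reports five findings: three unset connector attributes, the absence of any key entry, and the duplicate certificate under `root` and `tomcat`. On the healthy listing only the three connector findings remain, which matches Pulkit's advice: once the keystore really contains the key pair that `keytool -genkey` created, naming the file, password and alias explicitly in the connector removes the dependence on `${user.home}/.keystore` and the `changeit` default that the listing above shows being typed at the prompt.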
