Why isn't tomcat serving the correct SSL certificate
Solution 1
We had trouble with protocol="HTTP/1.1", with errors in our logs. Our errors were:
Certificate file specified or invalid file format
Based on some "google research", we used this for protocol instead:
protocol="org.apache.coyote.http11.Http11NioProtocol"
Our Connector is as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/keystore"
           keystorePass="******"
           clientAuth="false"
           sslProtocol="TLS" />
Solution 2
Turns out I had a typo in my Connector. It should be:
<Connector port="443" maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore.keys" keyAlias="webapps2013"
           keystorePass="Redacted"
           clientAuth="false" sslProtocol="TLS" protocol="HTTP/1.1" />
Note: the first "a" in keyAlias is capitalized.
Turns out that if the alias isn't listed it just silently serves the first key it finds in the key store.
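As an added example (not code from the question or from either answer), the check below scans a Tomcat server.xml for the mistake Solution 2 describes: an attribute whose case does not match what Tomcat expects (keyalias instead of keyAlias) is silently ignored, and an SSL connector with no usable keyAlias ends up presenting whichever key Tomcat finds first. The sample server.xml is constructed from the question's connector and the corrected one; the alias order in KEY_ALIASES is an assumed keystore listing, not data from the page, and the attribute set KNOWN_ATTRS is limited to the attributes the page itself uses plus a few common JSSE ones.

```python
"""Lint the SSL <Connector> entries of a Tomcat server.xml for attribute-case
mistakes such as keyalias vs. keyAlias. Added example; not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Connector attributes used on the page plus a few common JSSE ones (assumed set).
# Tomcat matches attribute names case-sensitively, so "keyalias" is not "keyAlias".
KNOWN_ATTRS = {
    "port", "protocol", "maxThreads", "scheme", "secure", "SSLEnabled",
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
    "clientAuth", "sslProtocol", "truststoreFile", "truststorePass",
}
_BY_LOWER = {a.lower(): a for a in KNOWN_ATTRS}


def lint_server_xml(server_xml):
    """Return (port, finding) pairs for every SSLEnabled="true" connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        port = attrs.get("port", "?")
        for name in attrs:
            canonical = _BY_LOWER.get(name.lower())
            if canonical and canonical != name:
                findings.append((port, "attribute %r is ignored; Tomcat expects %r"
                                 % (name, canonical)))
        if "keyAlias" not in attrs:
            findings.append((port, "no keyAlias: the first key in the keystore is served"))
    return findings


def served_alias(connector_attrs, key_aliases):
    """Which keystore entry the connector presents.

    key_aliases lists the keystore's key entries in the order Tomcat encounters
    them (assumption: the order `keytool -list` prints). Per the answer above,
    without a correctly cased keyAlias Tomcat silently serves the first one.
    """
    alias = connector_attrs.get("keyAlias")
    if alias is None:
        return key_aliases[0]
    if alias not in key_aliases:
        return None  # alias names no key entry: no silent fallback modelled here
    return alias


# Constructed sample: the questioner's connector (lowercase "keyalias") next to
# the corrected one from Solution 2, inside a minimal server.xml skeleton.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="keystore.keys" keyalias="webapps2013" keystorePass="Redacted"
               clientAuth="false" sslProtocol="TLS" protocol="HTTP/1.1" />
    <Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="keystore.keys" keyAlias="webapps2013" keystorePass="Redacted"
               clientAuth="false" sslProtocol="TLS" protocol="HTTP/1.1" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

# Constructed keystore contents: the old self-signed key first, the new one second.
KEY_ALIASES = ["tomcat", "webapps2013"]

if __name__ == "__main__":
    for port, msg in lint_server_xml(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, msg))
    for conn in ET.fromstring(SAMPLE_SERVER_XML).iter("Connector"):
        if conn.attrib.get("SSLEnabled") == "true":
            print("port %s serves alias %s"
                  % (conn.attrib["port"], served_alias(conn.attrib, KEY_ALIASES)))
```

Run against the sample, the port 443 connector gets two findings (the ignored keyalias attribute and the missing keyAlias) and the corrected 8443 connector gets none. To confirm what a live server actually presents, compare `keytool -list -keystore keystore.keys` with the certificate returned by `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -subject -dates`.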
Raystorm
Updated on September 18, 2022
Comments
-
Raystorm over 1 year
I configured Tomcat with SSL successfully and was using a self-signed certificate. Recently an issue arose where just having the client "Accept/trust" our certificate wasn't easy. We ended up purchasing a Verisign certificate for that server.
I've added the new certificate to the key store. I've updated Tomcat's server.xml file to use the alias for the new certificate. I've restarted both Tomcat and the server. Every time I connect to the server I get the old certificate.
Environment:
- Windows 2008 R2 - 64bit
- Tomcat 6.0.29 - installed as a service
- Java 1.6.0_23
Connector from server.xml:
<Connector port="443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="keystore.keys" keyalias="webapps2013" keystorePass="Redacted" clientAuth="false" sslProtocol="TLS" protocol="HTTP/1.1" />
I've even tried changing the key store, by moving the old certificate to a different alias and adding my new certificate at what the old alias name was.
I've tried it from multiple browsers, and workstations. (Cleared my cache too.)
So what do I need to do to get tomcat to pickup and serve my new certificate?
UPDATE:
After a suggestion in one of the comments to clear Tomcat's cache, I stopped Tomcat, deleted ${CATALINA_HOME}/work and restarted Tomcat.
It's still serving the old certificate.
UPDATE 2:
I've looked through jakarta_service_date.log, catalina.date.log, manager.date.log, stdout.date.log and stderr.date.log. I don't see any certificate errors, although I am seeing an odd error about session serialization:
Dec 11, 2013 10:46:27 AM org.apache.catalina.session.StandardManager doUnload
SEVERE: IOException while saving persisted sessions: java.io.FileNotFoundException: C:\Tomcat6.0\work\Catalina\localhost\RCSLIBRRunner\SESSIONS.ser (Access is denied)
java.io.FileNotFoundException: C:\Tomcat6.0\work\Catalina\localhost\RCSLIBRRunner\SESSIONS.ser (Access is denied)
followed by a stack trace. Other applications threw the same exception. It hasn't happened in a couple of hours; I think it was a side effect of clearing Tomcat's cache.
Here's another Serialization error:
Dec 11, 2013 10:46:27 AM org.apache.catalina.session.StandardManager stop
SEVERE: Exception unloading sessions to persistent storage java.io.FileNotFoundException: C:\Tomcat6.0\work\Catalina\localhost\RCSLIBRRunner\SESSIONS.ser (Access is denied)
-
krisFR over 10 years
Did you try to clear the Tomcat cache files?
-
Raystorm over 10 years
Which files are those?
-
krisFR over 10 years
Stop the Tomcat service, then delete the folder named "Catalina" in your "work" folder, and restart the Tomcat service.