
I don't have much info to go on here, looking for ideas as I've run out. I did a server certificate update on our tomcat box (FreeBSD 9.2). After reboot, any connections to it fail immediately (page not found in the browser). However, on the server side everything looks fine. Tomcat's listening on 443 on IPv4 and IPv6. No errors in the system logs. No errors in the tomcat (catalina) logs. The app deploys normally as far as I can tell. No firewall in between. No other configuration changes made, just a "simple" certificate replacement.

edit

server.xml:

```xml
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSLv3"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
```
    have you already tried `openssl s_client -connect -showcerts host:port`? – dawud Apr 14 '14 at 18:05
  • I had not. OpenSSL says "connect: Operation timed out" and "connect:errno=60". – Brian Knoblauch Apr 14 '14 at 18:15
  • Have you restarted the `tomcat` process after replacing the certificate? – dawud Apr 14 '14 at 18:17
  • Yes. Server has now been completely rebooted multiple times. I tried the openssl against "localhost" and get a completely different error. It returns a "CONNECTED(00000003)" followed by "1271:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:602:" Perhaps a problem with the new certificate we were issued? – Brian Knoblauch Apr 14 '14 at 18:19
  • Please add the relevant portions of `server.xml` to your question. I'd also try to run `openssl verify` on the certificate, just to rule that out. – dawud Apr 14 '14 at 18:22
  • openssl verify comes up with "error 20 at 0 depth lookup:unable to get local issuer certificate" – Brian Knoblauch Apr 14 '14 at 18:25
  • You might be missing the CA or any intermediate certificates, check that out with the vendor. – dawud Apr 14 '14 at 18:31
  • Vendor supplied root and inter certificates are quite old and were never installed before. I went ahead and removed my cert, then installed root - inter - cert (in that order as specified by documents I saw). Rebooted. No change. :-( – Brian Knoblauch Apr 14 '14 at 19:03
  • re-test with the `s_client` and `verify` commands above – dawud Apr 14 '14 at 19:22
  • I did. Still no change. This is very odd. – Brian Knoblauch Apr 14 '14 at 19:38
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/13886/discussion-between-dawud-and-brian-knoblauch) – dawud Apr 14 '14 at 20:11

1 Answer

We got another certificate reissue done (we had other servers choking on the original reissue too) and I configured the server in question to directly use the PKCS12 keystore instead of loading into the JKS.

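An added example, not part of the question, the comments or the answer: a POSIX sh script with the openssl checks the comment thread works through, in the order a defender would run them after a certificate swap, plus the PKCS12 keystore build the answer settles on. The `openssl` commands are standard; the file names, the `tomcat.example.test` hostname and the keystore password are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answer). Inputs are PEM files:
# the server's private key, the newly issued (leaf) certificate, and the
# vendor's intermediate and root certificates.

# 1. Does the private key belong to the new certificate? The public key
#    derived from the key must equal the one embedded in the certificate.
#    A mismatched pair is one way to get a handshake failure alert while
#    the listener, the logs and the deployment all look healthy.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# 2. Verify the leaf against the chain that was actually issued.
#    "openssl verify leaf.pem" alone reports "error 20 ... unable to get
#    local issuer certificate" whenever the issuer is not in the system
#    trust store; passing the intermediate (-untrusted) and root (-CAfile)
#    tells you whether the certificates themselves are consistent.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 3. Build the PKCS12 keystore the answer ends up pointing Tomcat at
#    (keystoreType="PKCS12"): key, leaf and intermediate in one file, so
#    the server can send the full chain to clients.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5" 2>/dev/null
}

# Number of certificates inside a PKCS12 file (expect leaf + intermediate = 2).
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Usage: ./check_chain.sh server.key leaf.pem inter.pem root.pem store.p12 PASSWORD
if [ "$#" -eq 6 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    chain_verifies "$2" "$3" "$4" || { echo "chain does not verify" >&2; exit 1; }
    build_pkcs12 "$1" "$2" "$3" "$5" "$6" || { echo "pkcs12 export failed" >&2; exit 1; }
    echo "$5 written with $(pkcs12_cert_count "$5" "$6") certificates"
fi
```

Run the first two checks before touching the keystore: a failing `key_matches_cert` or `chain_verifies` means the problem is in the files the vendor issued, not in Tomcat.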