SSL error in catalina.out

dkeidel
Member II

I have spent the last day or so trying to debug an issue I am having between Alfresco and SOLR. I have searched the web and seen much about SSL errors and read many relevant posts. I have tried all the following to resolve an SSLHandshakeException ERROR I am seeing in catalina.out:

1.  replaced policy/unlimited/ .jar files

2.  uncommented crypto.policy=unlimited

3.  added -Dhttps.protocols=TLSv1.1,TLSv1.2 to Java options in setenv.sh

4.  recreated certs and keystores by following instructions in CreateSSLKeystores.txt

5.  tried generating keystores using ./generate_keystores_epic_instance.sh

I am setting this up on an OpenStack VM.

I added -Djavax.net.debug=ssl:handshake:verbose to Java options so that I can get better logging info in catalina.out. I have attached that log to this ticket.

Any help after viewing the logs would be very helpful.  

6 Replies
angelborroy
Alfresco Employee

Re: SSL error in catalina.out

Probably this is a newbie check, but... Have you added your public certificate to "cacerts"?

Hyland Developer Evangelist
dkeidel
Member II

Re: SSL error in catalina.out

Angel Borroy, thank you for your reply. I appreciate the newbie check since I am not too familiar with certs or keystores, so any help in this area is appreciated. I thought it might be best to give you more details on what I did in the way of certs and keystores.

Performed the following in the $HOME directory:

Instructions for Generating Repository SSL Keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I generated my own certificate.

(i) Generate the repository public/private key pair in a keystore:

$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password>

(ii) Generate a certificate request for the repository key

$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <store password>

I then generated the CA Key and certificate and then finished the rest of the steps.

Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(i) Generate the CA private key

$ openssl genrsa -des3 -out ca.key 1024

(ii) Generate the CA self-signed certificate

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

I then picked back up where I left off above.

(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.

$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365

(iv) Import the Alfresco CA key into the repository key store

$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>

(v) Import the CA-signed repository certificate into the repository keystore

$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>

(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.

keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass <password> -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco

(vi) Create a repository truststore containing the Alfresco CA certificate

***** This line kept failing for me. Maybe you have some insight into why it failed? *****
keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
***** This one executed just fine. *****
keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password>


(vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.

cp -f * /store/alf_data/keystore/


(viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.

Are any of the steps above what you mean by "Have you added your public certificate to 'cacerts'?"

Do you mean to add it to ./jre/lib/security/cacerts? If so, can you give more details?

Thank you for the newbie check.

angelborroy
Alfresco Employee

Re: SSL error in catalina.out

Yes, you have to add your "ca.crt" to "jre/lib/security/cacerts".

On the other hand, you have to understand that "ca.key" is the private part of the certificate to be stored in "keystores" and "ca.crt" is the public part of the certificate to be stored in "truststores". This is why your line is failing.

Check also this blog post: https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/ 

Hyland Developer Evangelist
dkeidel
Member II

Re: SSL error in catalina.out

Angel Borroy, thank you for the reply. Could you please provide for me the exact command to execute to add "ca.crt" to "jre/lib/security/cacerts"? I ask since, when I read your blog post that you left in your last comment, I see the following command:

keytool -import -trustcacerts -storetype JKS -providerName SUN -file ca.cer -alias ca.ssl -keystore ssl.truststore

I think in this command the cert is being imported into the truststore ssl.truststore instead of "jre/lib/security/cacerts".  I also do not know what to use of the other options such as -alias, -providerName, etc.

angelborroy
Alfresco Employee

Re: SSL error in catalina.out

You can import the public part of your certificate into the default JVM truststore (jre/lib/security/cacerts) or into a specific Tomcat connector truststore (https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/tomcat/server.xml#L97).

In the sample I provided you, the second alternative is followed.

You can use any alias and the same "storetype" and "providerName" values.

Hyland Developer Evangelist
dkeidel
Member II

Re: SSL error in catalina.out

Angel Borroy, I tried the following command:

sudo /opt/jdk1.8.0_181/bin/keytool -importcert -alias alfreco.ca -file ca.crt -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts

I did not use -storetype JCEKS as I was getting errors: java.io.IOException: Invalid keystore format alfresco

I verified that the public part was imported by running:

$ keytool -v -list -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts | grep alfre

Enter keystore password:  changeit

Alias name: alfreco.ca

So it was added.

I am still getting the same error message:

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

SolrTrackerScheduler_Worker-2, setSoTimeout(60000) called

SolrTrackerScheduler_Worker-2, setSoTimeout(60000) called

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1533728767 bytes = { 20, 9, 35, 168, 110, 145, 179, 254, 79, 224, 90, 9, 190, 251, 255, 83, 113, 48, 114, 129, 178, 177, 28, 212, 138, 245, 92, 204 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Extension extended_master_secret

***

SolrTrackerScheduler_Worker-2, WRITE: TLSv1.2 Handshake, length = 199

SolrTrackerScheduler_Worker-2, READ: TLSv1.2 Alert, length = 2

SolrTrackerScheduler_Worker-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure

SolrTrackerScheduler_Worker-2, called closeSocket()

SolrTrackerScheduler_Worker-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

SolrTrackerScheduler_Worker-2, called close()

SolrTrackerScheduler_Worker-2, called closeInternal(true)

SolrTrackerScheduler_Worker-2, called close()

SolrTrackerScheduler_Worker-2, called closeInternal(true)

SolrTrackerScheduler_Worker-2, called close()

SolrTrackerScheduler_Worker-2, called closeInternal(true)

2018-08-08 23:02:39,009  ERROR [solr.tracker.CoreTracker] [SolrTrackerScheduler_Worker-2] Tracking failed

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)

at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)

at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)

at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)

at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)

at java.io.FilterOutputStream.write(FilterOutputStream.java:97)

at org.apache.commons.httpclient.methods.ByteArrayRequestEntity.writeRequest(ByteArrayRequestEntity.java:90)

at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)

at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)

at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)

at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)

at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)

at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)

at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)

at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:135)

at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:111)

at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:371)

at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1056)

at org.alfresco.solr.tracker.CoreTracker.trackModels(CoreTracker.java:1897)

at org.alfresco.solr.tracker.CoreTracker.trackRepository(CoreTracker.java:1227)

at org.alfresco.solr.tracker.CoreTracker.updateIndex(CoreTracker.java:513)

at org.alfresco.solr.tracker.CoreTrackerJob.execute(CoreTrackerJob.java:45)

at org.quartz.core.JobRunShell.run(JobRunShell.java:216)

at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

http-bio-8443-Acceptor-0, setSoTimeout(240000) called

SolrTrackerScheduler_Worker-1, setSoTimeout(60000) called

SolrTrackerScheduler_Worker-1, setSoTimeout(60000) called

No available cipher suite for TLSv1

No available cipher suite for TLSv1.1

No available cipher suite for TLSv1.2

http-bio-8443-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1

http-bio-8443-exec-4, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

http-bio-8443-exec-4, WRITE: TLSv1.2 Alert, length = 2

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1

http-bio-8443-exec-4, called closeSocket()

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1

http-bio-8443-exec-4, IOException in getSession():  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1

http-bio-8443-exec-4, called close()

http-bio-8443-exec-4, called closeInternal(true)

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1533728767 bytes = { 12, 32, 84, 173, 43, 85, 228, 181, 255, 70, 84, 34, 78, 219, 93, 66, 8, 128, 54, 230, 220, 102, 191, 11, 169, 75, 143, 162 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Extension extended_master_secret

***

I have attached a more complete catalina.out that contains just the messages from the last time I started Tomcat.
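A javax.net.debug trace like the one above records both ends of the connection in one file: the Solr tracker thread that receives the fatal alert, and the Tomcat connector thread (http-bio-8443) that sends it. Sorting the lines per thread separates a trust failure (which JSSE logs as "PKIX path building failed" and a sent certificate_unknown alert, the case a cacerts import fixes) from a connector that rejects before key exchange ("No appropriate protocol", preceded by "No available cipher suite for ..."). The script below is an added example, not code from the thread or from Alfresco; the sample log is a constructed excerpt in the shape of the output quoted above, and sslEnabledProtocols and ciphers are the Tomcat JSSE connector attributes it points the reader at.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the -Djavax.net.debug=ssl:handshake:verbose output in the thread.
SAMPLE_LOG = """\
SolrTrackerScheduler_Worker-2, WRITE: TLSv1.2 Handshake, length = 199
SolrTrackerScheduler_Worker-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure
SolrTrackerScheduler_Worker-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
http-bio-8443-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
http-bio-8443-exec-4, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
"""

THREAD_LINE = re.compile(r"^(?P<thread>[\w.-]+), (?P<msg>.*)$")
RECV_ALERT = re.compile(r"RECV TLSv[\d.]+ ALERT:\s+\w+, (\w+)")
SEND_ALERT = re.compile(r"SEND TLSv[\d.]+ ALERT:\s+\w+, description = (\w+)")
EXCEPTION = re.compile(r"handling exception: (.*)$")
NO_SUITE = re.compile(r"^No available cipher suite for (TLSv[\d.]+)$")

def parse_handshake_log(text):
    """Group alerts and exceptions per JSSE thread; the unprefixed
    'No available cipher suite' lines are kept under '<global>'."""
    threads = defaultdict(lambda: {"recv": [], "send": [], "exceptions": [], "no_suite": []})
    for line in text.splitlines():
        m = NO_SUITE.match(line)
        if m:
            threads["<global>"]["no_suite"].append(m.group(1))
            continue
        m = THREAD_LINE.match(line)
        if not m:
            continue  # ClientHello dumps, cipher lists and stack frames are not needed here
        bucket, msg = threads[m.group("thread")], m.group("msg")
        for key, rx in (("recv", RECV_ALERT), ("send", SEND_ALERT), ("exceptions", EXCEPTION)):
            hit = rx.search(msg)
            if hit:
                bucket[key].append(hit.group(1))
                break
    return dict(threads)

def diagnose(threads):
    """Map each thread's evidence to the kind of fix it points at."""
    findings = []
    for name, b in threads.items():
        excs = " ".join(b["exceptions"])
        if "PKIX path building failed" in excs or "certificate_unknown" in b["send"]:
            findings.append((name, "client_trust", "this side did not trust the peer certificate: import the CA into this side's truststore"))
        elif "No appropriate protocol" in excs:
            findings.append((name, "server_no_protocol_or_cipher", "rejected before key exchange: check the connector's sslEnabledProtocols/ciphers against the JVM's available suites"))
        elif "handshake_failure" in b["recv"]:
            findings.append((name, "peer_rejected", "peer sent handshake_failure: the reason is logged on the other side"))
    return findings
```

Run `diagnose(parse_handshake_log(open("catalina.out").read()))` against the real file; a thread that only shows "peer_rejected" tells you to read the other thread's finding rather than its own.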