spring boot https with valid cert get ERR_SSL_VERSION_OR_CIPHER_MISMATCH, self signed works fine

轻奢々 2021-01-06 07:19

I am running Spring Boot 1.4.0.RELEASE.

I got a valid cert from my IT dept.

I generated a Tomcat keystore.jks file using the IT_cert.cer

keyt         

1 answer
  • 2021-01-06 08:03

    Near dupe: Java SSLHandshakeException: no cipher suites in common

    An HTTPS server needs both PRIVATE KEY AND matching certificate, and depending on how the certificate is issued the server may also need a 'chain' or 'intermediate' cert (and occasionally more than one). You imported only a certificate and that is not enough.

    First look at your file it_issued_cert.cer to see if it is in PEM format: does it contain all readable characters grouped into lines, with at least one block starting with a line
    -----BEGIN sometype_in_caps-----
    then some lines consisting entirely of letters, numbers, plus sign + and slash / and maybe equals = at the end, and finally a line
    -----END same_type-----?

    If PEM and there are at least two blocks where one has type [RSA|DSA|EC|ENCRYPTED] PRIVATE KEY and the other(s) has(have) type [X.509|maybesomethingelse] CERTIFICATE, you can use OpenSSL to convert to PKCS12 and then keytool to convert to JKS. First check if any 'chain' or 'intermediate' cert(s) is required: if the file already contains multiple certs and wasn't prepared by a complete doofus, those multiple certs form the required chain; just proceed. If the file contains only one cert, use openssl x509 -in $file -noout -subject -issuer to make sure the subject is your server and look at the issuer; if the issuer is a CA trusted in your environment (like 'My Company CA') just proceed. Otherwise, ask IT what if any chain cert(s) are needed, get them in PEM format, and add them to the file. Then do:

    openssl pkcs12 -export -in $file -out new.p12 -friendlyname alias_you_want


    (edit) Java since 8u60 (in 2015 -- even before I wrote the original answer) accepts a PKCS12 keystore by default, and earlier versions could do so if configured. For earlier versions that want JKS, then do (spelling corrected, as commented by aszahran):

    keytool -importkeystore -srckeystore new.p12 -srcstoretype pkcs12 -destkeystore new.jks
    # on Java versions that need JKS, it is the default type
    # but can specify -deststoretype jks if you want


    If the file is PEM but there is only one block with type CERTIFICATE, or if the file is not PEM at all, this cert must have been issued in response to a CSR (Certificate Signing Request) from somebody:

    If you gave them the CSR, give details (edit your question) how and where you generated the CSR. That is where the private key was and you will need to either use that key, make a copy of it, or convert (and copy) it, depending on what you did.

    If you did not give them the CSR, ask them where they got it. If they generated the key and CSR themselves, ask them for the key in PEM format. If they got the CSR from someone else, ask that someone else for the key in PEM format. Once you get it, add it to the file, and return to the case above. If they insist on giving you something other than PEM format, give details.

    If no one has the private key for this certificate, the certificate cannot be used. Discard it and start over.
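An added check (not code from the answer above, nor from Spring Boot or Tomcat) that automates the file inspection the answer walks through: it parses the PEM blocks in a candidate file, counts private-key and certificate blocks, and reports which of the cases above applies. The sample blocks are constructed placeholders wrapped in PEM armour, not real keys or certificates.

```python
import base64
import re

# A PEM block as the answer describes it: BEGIN line, base64 lines, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 .]+)-----\r?\n"
                       r"((?:[A-Za-z0-9+/=]+\r?\n)+)-----END ([A-Z0-9 .]+)-----")
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_TYPES = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}


def parse_pem(text):
    """[(type, decoded_bytes)] per well-formed block; [] if the text is not PEM at all.
    Raises ValueError on a BEGIN/END type mismatch or a non-base64 body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        blocks.append((begin, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def classify(text):
    """Map a candidate keystore input onto the cases the answer walks through."""
    blocks = parse_pem(text)
    keys = sum(t in KEY_TYPES for t, _ in blocks)
    certs = sum(t in CERT_TYPES for t, _ in blocks)
    if not blocks:
        case, step = "not-pem", "not PEM (DER?): locate the private key behind the CSR"
    elif keys and certs >= 2:
        case, step = "key+chain", "openssl pkcs12 -export, then keytool -importkeystore if JKS is needed"
    elif keys and certs == 1:
        case, step = "key+leaf", "check -subject/-issuer; add chain certs unless the issuer is an in-house CA"
    elif certs:
        case, step = "cert-only", "unusable until the matching private key is added to the file"
    else:
        case, step = "key-only", "no certificate to serve"
    return {"keys": keys, "certs": certs, "case": case, "next_step": step}


def fake_block(pem_type, payload):
    """CONSTRUCTED data: wraps placeholder bytes in PEM armour (not a real key or cert)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {pem_type}-----\n" + "\n".join(lines) + f"\n-----END {pem_type}-----\n"


SAMPLE_KEY_AND_CHAIN = (fake_block("RSA PRIVATE KEY", b"placeholder, not a key")
                        + fake_block("CERTIFICATE", b"placeholder leaf cert")
                        + fake_block("CERTIFICATE", b"placeholder intermediate cert"))
SAMPLE_CERT_ONLY = fake_block("CERTIFICATE", b"placeholder leaf cert")
SAMPLE_DER = "\x30\x82\x01\x0a\x02\x01\x00"  # binary-looking bytes, no PEM armour
```

Run `classify(open("it_issued_cert.cer").read())` on the real file to see which branch of the answer you are in; a `ValueError` means the file is damaged rather than merely incomplete.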
