
Since my site's SSL cert had expired, I renewed it and added the new cert to the keystore, but after that I am getting a 502 when calling the site URL. Below you can see the nginx config and the Tomcat config for SSL.

The error I am getting in the nginx error log is:

SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://53.10.10.10:8443/favicon.ico", host: "app.somewhere.com", referrer: "https://app.somewhere.com/board/index.jsp"

Server nginx version: nginx/1.12.1

nginx config:

server {
  listen 443;
  server_name     app.somewhere.com;
  root            /usr/share/tomcat8/webapps;
  ssl on;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;  
  ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
  ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
  ssl_dhparam /etc/nginx/certs/dhparam.pem;
  proxy_ssl_server_name on;
  location / {
        proxy_read_timeout 120s;        
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://app.somewhere.com:8443;
  }
}

Tomcat server.xml:

<Connector port="8443"
                maxThreads="100"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                keystorePass="mypass"
                clientAuth="false"
                sslProtocol="TLS"
                proxyPort="443"/>
  • Something is messed up with the configuration in Tomcat so that nginx can no longer do an SSL handshake with Tomcat. If you only changed the key store, then the problem is probably that you've messed up the key store. Only, the question does not provide enough information about this part of the configuration. Commented Feb 1, 2018 at 6:07
  • The result of this command: keytool7 -list -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks" is: Keystore type: JKS; Keystore provider: SUN; Your keystore contains 1 entry: myapp, Feb 1, 2018, trustedCertEntry, certificate fingerprint (SHA1): B1.... To import the certificate into the keystore I ran the command below: keytool7 -import -trustcacerts -alias myapp -file "mycert.crt" -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks". I am sure I did nothing other than that. @steffen-ullrich Commented Feb 1, 2018 at 10:58
  • Got it, @steffen-ullrich. I found the issue: I was adding the certificate to the wrong keystore, as you highlighted (messed up the key store). Commented Feb 1, 2018 at 11:57

1 Answer


Found the issue: the certificate was imported into the wrong keystore. So I created a new keystore from the certificate and private key that I had, using the following commands.

Create a new keystore:

openssl pkcs12 -export -in cert.crt -inkey private-key.key -certfile cert.crt -name "tomcat" -out keystore.p12

Convert the keystore to JKS format:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Then set the keystore.jks path in the Tomcat server.xml.
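As an added example (not part of the original question or answer): a small POSIX sh check that parses `keytool -list` output and reports whether the alias Tomcat's connector will use actually holds a PrivateKeyEntry, which is the condition the comment thread showed was missing (the keystore held only a trustedCertEntry, so Tomcat had no key to complete the handshake and nginx logged the upstream handshake failure). The two sample listings are constructed; `check_keystore_file` and the `KEYSTORE_PASS` variable are assumptions for running the same check against a real keystore.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Only a PrivateKeyEntry lets
# Tomcat complete a TLS handshake; `keytool -import -trustcacerts` produces a
# trustedCertEntry, so nginx then sees "sslv3 alert handshake failure" from upstream.

# Constructed listing mirroring the comment thread: the cert was imported as a trusted cert.
SAMPLE_BAD='Keystore type: JKS
Your keystore contains 1 entry
myapp, Feb 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B1:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Constructed listing after the answer's fix (pkcs12 export, then keytool -importkeystore).
SAMPLE_GOOD='Keystore type: JKS
Your keystore contains 1 entry
tomcat, Feb 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): B1:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# entry_type LISTING ALIAS: print the entry type for ALIAS (the date holds a comma, so take the last field).
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        index($0, alias ", ") == 1 { sub(/,[ \t]*$/, ""); n = split($0, f, ", "); print f[n]; exit }'
}

# has_private_key LISTING ALIAS: succeed only when ALIAS is a PrivateKeyEntry.
has_private_key() {
    [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ]
}

# verdict LISTING ALIAS: one line a deployer can act on before restarting Tomcat.
verdict() {
    t=$(entry_type "$1" "$2")
    case "$t" in
        PrivateKeyEntry)  echo "ok: alias $2 holds a private key and its certificate" ;;
        trustedCertEntry) echo "broken: alias $2 is a trustedCertEntry only; rebuild it from cert + key" ;;
        "")               echo "missing: no entry named $2 in this keystore" ;;
        *)                echo "unexpected: entry type $t for alias $2" ;;
    esac
}

# check_keystore_file FILE ALIAS (assumption: real keytool on PATH, password in KEYSTORE_PASS).
check_keystore_file() {
    listing=$(keytool -list -keystore "$1" -storepass "${KEYSTORE_PASS:?set KEYSTORE_PASS}") || return 2
    verdict "$listing" "$2"
    has_private_key "$listing" "$2"
}

verdict "$SAMPLE_BAD" myapp
verdict "$SAMPLE_GOOD" tomcat
```

Run `check_keystore_file /path/to/keystore.jks tomcat` against the keystore named in the connector's keystoreFile before restarting Tomcat; a non-zero exit means the handshake will fail for the same reason as in the question.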
