Thanks everyone,
We solved the problem by using the "-nodes" option for the hostkey.
openssl pkcs12 -in goc01.pfx -nocerts -nodes -out hostkey.pem
Dave
=========================================================
Dr Dave Kant
CCLRC eScience Department Phone: (+44)|(0) 1235 778178
Rutherford Appleton Laboratory Fax: (+44)|(0) 1235 446626
Chilton, Didcot, Oxon, OX11 0QX, UK Email: [log in to unmask]
==========================================================
-----Original Message-----
From: LHC Computer Grid - Rollout
[mailto:[log in to unmask]]On Behalf Of Mario David
Sent: 06 December 2006 14:33
To: [log in to unmask]
Subject: Re: [LCG-ROLLOUT] Host Certificate renewal on RGMA MON
Hi Dave
On Wed, 2006-12-06 at 14:14 +0000, Kant, D (Dave) wrote:
> Alessandra,
>
> I did this.
>
> openssl pkcs12 -in goc01.pfx -clcerts -nokeys -out hostcert.pem
> openssl pkcs12 -in goc01.pfx -nocerts -out hostkey.pem
> chmod 400 userkey.pem
> chmod 400 usercert.pem
>
it should be
chmod 644 usercert.pem
Mario
> Dave
>
> =========================================================
> Dr Dave Kant
> CCLRC eScience Department Phone: (+44)|(0) 1235 778178
> Rutherford Appleton Laboratory Fax: (+44)|(0) 1235 446626
> Chilton, Didcot, Oxon, OX11 0QX, UK Email: [log in to unmask]
> ==========================================================
>
>
> -----Original Message-----
> From: LHC Computer Grid - Rollout
> [mailto:[log in to unmask]]On Behalf Of Alessandra Forti
> Sent: 06 December 2006 13:12
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Host Certificate renewal on RGMA MON
>
>
> Hi Dave,
>
> did you export the p12 certificate from the browser with a password?
>
> cheers
> alessandra
>
>
> Kant, D (Dave) wrote:
> > Hi,
> >
> > I have renewed the host certificate on the APEL accounting archiver and tried to re-start the tomcat, then the flexy archiver service.
> > The certificate looks fine and has been copied to the various locations. But, we have lots of certificate related errors when starting tomcat services.
> > Any suggestions?
> >
> > Dave
> >
> >
> > [root@goc01 grid-security]# ls -l `locate hostkey`
> > -r-------- 1 root root 1202 Dec 6 10:41 /etc/grid-security/hostkey.pem
> > -r-------- 1 tomcat4 tomcat4 1202 Dec 6 10:46 /etc/tomcat5/hostkey.pem
> > -r-------- 1 rgma rgma 1202 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostkey.pem
> >
> > [root@goc01 grid-security]# ls -l `locate hostcert`
> > -r-------- 1 root root 1989 Dec 6 10:40 /etc/grid-security/hostcert.pem
> > -r-------- 1 tomcat4 tomcat4 1989 Dec 6 10:44 /etc/tomcat5/hostcert.pem
> > -r-------- 1 rgma rgma 1989 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostcert.pem
> >
> > [root@goc01 grid-security]# openssl verify -CApath /etc/grid-security/certificates/ hostcert.pem
> > hostcert.pem: OK
> >
> > [root@goc01 grid-security]# tail -150 /usr/share/tomcat5/logs/catalina.out | less
> >
> > INFO: Installing web application at context path /webdav from URL file:/var/lib/tomcat5/webapps/webdav
> > java.io.IOException: problem creating RSA private key: java.io.IOException: No password finder specified, but a password is required
> > at org.bouncycastle.openssl.PEMReader.readObject(PEMReader.java:113)
> > at org.glite.security.util.PrivateKeyReader.read(PrivateKeyReader.java:78)
> > at org.glite.security.util.KeyStoreGenerator.generate(KeyStoreGenerator.java:59)
> > at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:190)
> > at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
> > at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
> > at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
> > at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
> > at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
> > at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
> > at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
> > at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
> > at org.apache.catalina.core.StandardService.start(StandardService.java:489)
> > at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
> > at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > at java.lang.reflect.Method.invoke(Method.java:324)
> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
> > SEVERE: Server socket factory creation failed: java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: jav
> > a.io.IOException: No password finder specified, but a password is required
> > java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: java.io.IOException: No password finder specified,
> > but a password is required
> > at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:216)
> > at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
> > at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
> > at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
> > at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
> > at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
> > at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
> > at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
> > at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
> > at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
> > at org.apache.catalina.core.StandardService.start(StandardService.java:489)
> > at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
> > at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > at java.lang.reflect.Method.invoke(Method.java:324)
> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
> > 06-Dec-2006 12:50:57 org.apache.coyote.http11.Http11Protocol start
>
|