https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42707#M17757 <HTML><HEAD></HEAD><BODY><P><B>Angel Borroy</B>‌, thank you for your reply.&nbsp; I appreciate the newbie check since I am not too familiar with certs or keystores so any help in this area is appreciated.&nbsp; I thought it might be best to give you more details on what I did in the way of certs and keystores.</P><P></P><P>Performed the following in the $HOME directory</P><P></P><P>Instructions for Generating Repository SSL Keystores<BR />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</P><P></P><P>I generated my own certificate.</P><P></P><P><IMG src="https://connect.hyland.com/legacyfs/online/alfresco/emoticons/info.png" /> Generate the repository public/private key pair in a keystore:</P><P>$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>(ii) Generate a certificate request for the repository key</P><P>$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>I then generated the CA Key and certificate and then finished the rest of the steps.</P><P></P><P>Instructions for Generating a Certificate Authority (CA) Key and Certificate<BR />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</P><P><IMG src="https://connect.hyland.com/legacyfs/online/alfresco/emoticons/info.png" /> Generate the CA private key</P><P>$ openssl genrsa -des3 -out ca.key 1024</P><P></P><P></P><P>(ii) Generate the CA self-signed certificate</P><P>$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt</P><P></P><P>I then picked back up where I left off above.</P><P></P><P>(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.</P><P>$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365</P><P></P><P></P><P>(iv) Import the Alfresco CA key into the repository key store</P><P>$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>(v) Import the CA-signed repository certificate into the repository keystore</P><P>$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P></P><P>(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.</P><P>keytool -importkeystore -srckeystore ssl.keystore -srcstorepass&nbsp;&lt;password&gt; -srcstoretype JCEKS -srcalias ssl.repo -srckeypass&nbsp;&lt;password&gt; -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco</P><P></P><P>(vi) Create a repository truststore containing the Alfresco CA certificate</P><P></P><P></P><P>***** This line kept failing for me.&nbsp; Maybe you have some insight into why it failed?********<BR />keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;<BR />*** This one executed just fine.*****<BR />keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass &lt;store password&gt;</P><P><BR />(vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.</P><P>cp -f * /store/alf_data/keystore/</P><P><BR />(viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.</P><P></P><P></P><P></P><P>Are any of the steps above what you mean by "Have you added your public certificate to "cacerts"??</P><P>Do you mean to add it to ./jre/lib/security/cacerts?&nbsp; If so can you give more details?</P><P></P><P>Thank you for the newbie check.</P></BODY></HTML> Thu, 02 Aug 2018 00:41:24 GMT dkeidel 2018-08-02T00:41:24Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42705#M17755 I have spent the last day or so trying to debug an issue I am having between Alfresco and SOLR.&nbsp; I have searched the web and seen much about SSL errors and read many relevant posts.&nbsp; I have tried all the following to resolve a&nbsp;SSLHandshakeException ERROR I am seeing in catalina.out:1.&nbsp; replaced&nbsp;poli Wed, 01 Aug 2018 06:30:03 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42705#M17755 dkeidel 2018-08-01T06:30:03Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42706#M17756 <HTML><HEAD></HEAD><BODY><P>Probably this is a newbie check, but... Have you added your public certificate to "cacerts"?</P></BODY></HTML> Wed, 01 Aug 2018 07:13:50 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42706#M17756 angelborroy 2018-08-01T07:13:50Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42707#M17757 <HTML><HEAD></HEAD><BODY><P><B>Angel Borroy</B>‌, thank you for your reply.&nbsp; I appreciate the newbie check since I am not too familiar with certs or keystores so any help in this area is appreciated.&nbsp; I thought it might be best to give you more details on what I did in the way of certs and keystores.</P><P></P><P>Performed the following in the $HOME directory</P><P></P><P>Instructions for Generating Repository SSL Keystores<BR />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</P><P></P><P>I generated my own certificate.</P><P></P><P><IMG src="https://connect.hyland.com/legacyfs/online/alfresco/emoticons/info.png" /> Generate the repository public/private key pair in a keystore:</P><P>$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>(ii) Generate a certificate request for the repository key</P><P>$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>I then generated the CA Key and certificate and then finished the rest of the steps.</P><P></P><P>Instructions for Generating a Certificate Authority (CA) Key and Certificate<BR />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</P><P><IMG src="https://connect.hyland.com/legacyfs/online/alfresco/emoticons/info.png" /> Generate the CA private key</P><P>$ openssl genrsa -des3 -out ca.key 1024</P><P></P><P></P><P>(ii) Generate the CA self-signed certificate</P><P>$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt</P><P></P><P>I then picked back up where I left off above.</P><P></P><P>(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.</P><P>$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365</P><P></P><P></P><P>(iv) Import the Alfresco CA key into the repository key store</P><P>$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P>(v) Import the CA-signed repository certificate into the repository keystore</P><P>$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;</P><P></P><P></P><P>(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.</P><P>keytool -importkeystore -srckeystore ssl.keystore -srcstorepass&nbsp;&lt;password&gt; -srcstoretype JCEKS -srcalias ssl.repo -srckeypass&nbsp;&lt;password&gt; -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco</P><P></P><P>(vi) Create a repository truststore containing the Alfresco CA certificate</P><P></P><P></P><P>***** This line kept failing for me.&nbsp; Maybe you have some insight into why it failed?********<BR />keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass &lt;store password&gt;<BR />*** This one executed just fine.*****<BR />keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass &lt;store password&gt;</P><P><BR />(vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.</P><P>cp -f * /store/alf_data/keystore/</P><P><BR />(viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.</P><P></P><P></P><P></P><P>Are any of the steps above what you mean by "Have you added your public certificate to "cacerts"??</P><P>Do you mean to add it to ./jre/lib/security/cacerts?&nbsp; If so can you give more details?</P><P></P><P>Thank you for the newbie check.</P></BODY></HTML> Thu, 02 Aug 2018 00:41:24 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42707#M17757 dkeidel 2018-08-02T00:41:24Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42708#M17758 <HTML><HEAD></HEAD><BODY><P>Yes, you have to add your "ca.crt" to "jre/lib/security/cacerts"</P><P></P><P>On the other hand, you have to understand that "ca.key" is the private part of the certificate to be stored in "keystores" and "ca.crt" is the public part of the certificate to be stored in "truststores". This is why your line is failing.</P><P></P><P>Check also this blog post:&nbsp;<A href="https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/" rel="nofollow noopener noreferrer">https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/</A>&nbsp;</P></BODY></HTML> Thu, 02 Aug 2018 07:14:08 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42708#M17758 angelborroy 2018-08-02T07:14:08Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42709#M17759 <HTML><HEAD></HEAD><BODY><P><B>Angel Borroy</B>‌ thank you for the reply.&nbsp; Could you please provide for me the exact command to execute to add "ca.crt" to "jre/lib/security/cacerts"?&nbsp; I ask since&nbsp;when I read you blog post you left in your last comment I see the following command:</P><P></P><P>keytool –import –trustcacerts -storetype JKS -providerName SUN –file ca.cer –alias ca.ssl –keystore ssl.truststore</P><P></P><P>I think in this command the cert is being imported into the truststore ssl.truststore instead of&nbsp;<SPAN>"jre/lib/security/cacerts".&nbsp; I also do not know what to use of the other options such as -alias, -providerName, etc.</SPAN></P></BODY></HTML> Thu, 02 Aug 2018 21:14:56 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42709#M17759 dkeidel 2018-08-02T21:14:56Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42710#M17760 <HTML><HEAD></HEAD><BODY><P>You can import your public part of the certificate to default JVM truststore (jre/lib/security/cacerts) or to specific Tomcat connector truststore (<A href="https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/tomcat/server.xml#L97" rel="nofollow noopener noreferrer">https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/tomcat/server.xml#L97</A>).&nbsp;</P><P></P><P>In the sample I provided you, second alternative is followed.</P><P></P><P>You can use any alias and the same "storetype"and "providerName" values.</P></BODY></HTML> Fri, 03 Aug 2018 06:58:53 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42710#M17760 angelborroy 2018-08-03T06:58:53Z https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42711#M17761 <HTML><HEAD></HEAD><BODY><P><B>Angel Borroy</B>‌ I tried the following command:</P><P></P><P>sudo /opt/jdk1.8.0_181/bin/keytool -importcert -alias alfreco.ca -file ca.crt -keystore /opt/jdk1.8.0_181/jre/lib/security/cacerts</P><P></P><P>I did not use&nbsp;-storetype JCEKS&nbsp;as I was getting&nbsp;errors:&nbsp; java.io.IOException: Invalid keystore format alfresco</P><P></P><P>I verified that the public part was imported by running:</P><P></P><P class=""><SPAN class="">$ keytool -v -list -keystore &nbsp; &nbsp; /opt/jdk1.8.0_181/jre/lib/security/cacerts | grep alfre</SPAN></P><P class=""><SPAN class="">Enter keystore password:<SPAN class="">&nbsp; </SPAN>changeit</SPAN></P><P class=""><SPAN class="">Alias name: alfreco.ca</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">So it was added.</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">I am still getting the same error message:</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">Allow unsafe renegotiation: false</SPAN></P><P class=""><SPAN class="">Allow legacy hello messages: true</SPAN></P><P class=""><SPAN class="">Is initial handshake: true</SPAN></P><P class=""><SPAN class="">Is secure renegotiation: false</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, setSoTimeout(60000) called</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, setSoTimeout(60000) called</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">%% No cached client session</SPAN></P><P class=""><SPAN class="">*** ClientHello, TLSv1.2</SPAN></P><P class=""><SPAN class="">RandomCookie:<SPAN class="">&nbsp; </SPAN>GMT: 1533728767 bytes = { 20, 9, 35, 168, 110, 145, 179, 254, 79, 224, 90, 9, 190, 251, 255, 83, 113, 48, 114, 129, 178, 177, 28, 212, 138, 245, 92, 204 }</SPAN></P><P class=""><SPAN class="">Session ID:<SPAN class="">&nbsp; </SPAN>{}</SPAN></P><P class=""><SPAN class="">Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]</SPAN></P><P class=""><SPAN class="">Compression Methods:<SPAN class="">&nbsp; </SPAN>{ 0 }</SPAN></P><P class=""><SPAN class="">Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}</SPAN></P><P class=""><SPAN class="">Extension ec_point_formats, formats: [uncompressed]</SPAN></P><P class=""><SPAN class="">Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA</SPAN></P><P class=""><SPAN class="">Extension extended_master_secret</SPAN></P><P class=""><SPAN class="">***</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, WRITE: TLSv1.2 Handshake, length = 199</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, READ: TLSv1.2 Alert, length = 2</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, RECV TLSv1.2 ALERT:<SPAN class="">&nbsp; </SPAN>fatal, handshake_failure</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called closeSocket()</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called close()</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called closeInternal(true)</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called close()</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called closeInternal(true)</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called close()</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-2, called closeInternal(true)</SPAN></P><P class=""><SPAN class="">2018-08-08 23:02:39,009<SPAN class="">&nbsp; </SPAN>ERROR [solr.tracker.CoreTracker] [SolrTrackerScheduler_Worker-2] Tracking failed</SPAN></P><P class=""><SPAN class=""> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at java.io.FilterOutputStream.write(FilterOutputStream.java:97)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.methods.ByteArrayRequestEntity.writeRequest(ByteArrayRequestEntity.java:90)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:135)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:111)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:371)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1056)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.solr.tracker.CoreTracker.trackModels(CoreTracker.java:1897)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.solr.tracker.CoreTracker.trackRepository(CoreTracker.java:1227)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.solr.tracker.CoreTracker.updateIndex(CoreTracker.java:513)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.alfresco.solr.tracker.CoreTrackerJob.execute(CoreTrackerJob.java:45)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.quartz.core.JobRunShell.run(JobRunShell.java:216)</SPAN></P><P class=""><SPAN class=""><SPAN class=""> </SPAN>at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)</SPAN></P><P class=""><SPAN class="">Allow unsafe renegotiation: false</SPAN></P><P class=""><SPAN class="">Allow legacy hello messages: true</SPAN></P><P class=""><SPAN class="">Is initial handshake: true</SPAN></P><P class=""><SPAN class="">Is secure renegotiation: false</SPAN></P><P class=""><SPAN class="">Allow unsafe renegotiation: false</SPAN></P><P class=""><SPAN class="">Allow legacy hello messages: true</SPAN></P><P class=""><SPAN class="">Is initial handshake: true</SPAN></P><P class=""><SPAN class="">Is secure renegotiation: false</SPAN></P><P class=""><SPAN class="">http-bio-8443-Acceptor-0, setSoTimeout(240000) called</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-1, setSoTimeout(60000) called</SPAN></P><P class=""><SPAN class="">SolrTrackerScheduler_Worker-1, setSoTimeout(60000) called</SPAN></P><P class=""><SPAN class="">No available cipher suite for TLSv1</SPAN></P><P class=""><SPAN class="">No available cipher suite for TLSv1.1</SPAN></P><P class=""><SPAN class="">No available cipher suite for TLSv1.2</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, SEND TLSv1.2 ALERT:<SPAN class="">&nbsp; </SPAN>fatal, description = handshake_failure</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, WRITE: TLSv1.2 Alert, length = 2</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, called closeSocket()</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, IOException in getSession():<SPAN class="">&nbsp; </SPAN>javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, called close()</SPAN></P><P class=""><SPAN class="">http-bio-8443-exec-4, called closeInternal(true)</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1</SPAN></P><P class=""><SPAN class="">%% No cached client session</SPAN></P><P class=""><SPAN class="">*** ClientHello, TLSv1.2</SPAN></P><P class=""><SPAN class="">RandomCookie:<SPAN class="">&nbsp; </SPAN>GMT: 1533728767 bytes = { 12, 32, 84, 173, 43, 85, 228, 181, 255, 70, 84, 34, 78, 219, 93, 66, 8, 128, 54, 230, 220, 102, 191, 11, 169, 75, 143, 162 }</SPAN></P><P class=""><SPAN class="">Session ID:<SPAN class="">&nbsp; </SPAN>{}</SPAN></P><P class=""><SPAN class="">Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]</SPAN></P><P class=""><SPAN class="">Compression Methods:<SPAN class="">&nbsp; </SPAN>{ 0 }</SPAN></P><P class=""><SPAN class="">Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}</SPAN></P><P class=""><SPAN class="">Extension ec_point_formats, formats: [uncompressed]</SPAN></P><P class=""><SPAN class="">Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA</SPAN></P><P class=""><SPAN class="">Extension extended_master_secret</SPAN></P><P class=""><SPAN class="">***</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">I have attached a more complete catalina.out that contains just the messages from the last time I started tomcat.</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""></SPAN></P></BODY></HTML> Thu, 09 Aug 2018 06:16:26 GMT https://connect.hyland.com/t5/alfresco-forum/ssl-error-in-catalina-out/m-p/42711#M17761 dkeidel 2018-08-09T06:16:26Z