Subject: Syncrify won't start after applying HTTPS certificate
Creation date: 7/30/10 11:23 AM
Last modified on: 10/1/10 9:25 AM
Common problems with HTTPS certificate
If you decide to purchase an SSL certificate and miss one or more steps during setup, Syncrify won't be able to start the web server using that certificate.
You will see an error similar to the following in the Syncrify log after applying the HTTPS certificate:
2010-07-29 11:27:08,634 ERROR http11.Http11BaseProtocol - Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
There are two possible reasons for this error:
- Incorrect password - Ensure you specified the correct password for your certificate in the server.properties file. Refer to the last step in this document.
- Your keystore was not created correctly - this is a bit more complicated to resolve. The following section talks about the keystore and methods to see if it is correct.
A keystore, as the name implies, contains a bunch of private keys. You always create a store by generating a private key for yourself. Since your private key is not trusted by anyone on the Internet, you need some other entity to build a trust relationship. This entity is called a certificate authority (CA). When you purchase a certificate from a CA, they send you their certificate, which you have to add to your keystore. Therefore, at the very least, your keystore should contain 2 entries:
- Your private key
- A trusted certificate entry from a CA
Use the following command to confirm if these two entries exist in the keystore.
keytool -list -keystore syncrify.keystore
The above command assumes you have JDK 1.6 installed on your machine and keytool is in your PATH.
This command will prompt you for your password. Once the password has been entered, you should see something similar to the following:
C:\Syncrify\htdocs\sslCert>keytool -list -keystore syncrify.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Dec 10, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): A4:C6:02:18:9C:12:32:27:58:89:AE:96:C0:D5:8A:C2
intermed, Dec 10, 2008, trustedCertEntry,
Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
cross, Dec 10, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
In the above example, the keystore contains 3 entries:
- A private key that you created before submitting a CSR to a CA.
- An intermediary certificate, which was required by the CA from which this certificate was purchased
- A certificate from the CA
Ensure your keystore contains at least two entries: first a PrivateKeyEntry and then one trustedCertEntry. You need additional entries, like the second entry in the example above, if your CA depends on them. Most CAs depend on additional entities to create a trust relationship.
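The check described above can be automated. The following is an added example, not part of Syncrify or the original article: it parses the text output of keytool -list and reports which of the two causes applies. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Entry lines look like: "tomcat, Dec 10, 2008, PrivateKeyEntry,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+),.*\b(?P<kind>PrivateKeyEntry|trustedCertEntry)\b", re.M)
PASSWORD_ERROR = "Keystore was tampered with, or password was incorrect"

def parse_listing(text):
    """Return [(alias, entry_type), ...] found in `keytool -list` output."""
    return [(m["alias"].strip(), m["kind"]) for m in ENTRY_RE.finditer(text)]

def diagnose(text):
    """Return a list of problems; an empty list means the minimum entries exist."""
    if PASSWORD_ERROR in text:
        # keytool could not open the store, so its contents are still unknown.
        return ["password rejected: correct the password, then list again"]
    kinds = Counter(kind for _, kind in parse_listing(text))
    problems = []
    if kinds["PrivateKeyEntry"] == 0:
        problems.append("no PrivateKeyEntry: the key pair behind the CSR is missing")
    if kinds["trustedCertEntry"] == 0:
        problems.append("no trustedCertEntry: the CA certificate was not imported")
    return problems

# Constructed sample inputs (aliases follow the article's listing; fingerprints omitted).
GOOD = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

tomcat, Dec 10, 2008, PrivateKeyEntry,
intermed, Dec 10, 2008, trustedCertEntry,
cross, Dec 10, 2008, trustedCertEntry,
"""
CERTS_ONLY = """Your keystore contains 1 entry

intermed, Dec 10, 2008, trustedCertEntry,
"""
WRONG_PASSWORD = "keytool error: java.io.IOException: " + PASSWORD_ERROR

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("certs only", CERTS_ONLY),
                         ("wrong password", WRONG_PASSWORD)]:
        print(name, "->", diagnose(sample) or "ok")
```

To check a real keystore, capture the output of the keytool -list command shown earlier and pass that text to diagnose().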