Solved

https keystore certificate error signed fields invalid.

  • 19 September 2018
  • 16 replies
  • 117 views

I'm setting up a dev server and wanted to import a certificate. I followed the steps, but when I import (keytool -import -alias tomcat -keystore tomcat.keystore -file <name>) I get an error "signed fields invalid". Also, because the IT contracting agency manages the certificates and they applied it to the server, I needed to export the PFX file to use in the keytool script. Any thoughts???

Best answer by jlutherthomas 18 October 2018, 04:18


Hi @brianapeters

If you're importing a pfx you may want to read this and follow these steps: https://knowledge.safe.com/questions/25131/how-can-i-use-an-ssl-wildcard-certificate-from-a-p.html

One thing you'll need to make sure of is that when you create the Tomcat keystore file, it has the exact same password as the certificate that you're importing.


Thank you, this got me a step further. The "keytool -importkeystore -srckeystore c:\temp\my_keystore.pfx -srcstoretype pkcs12" seemed to work with "Import command completed: 1 entries successfully imported, 0 entries failed or cancelled".

I did use the same password when creating the keystore using the FME instructions and exporting the PFX. My FME application service will not start? I don't see log files in the folder mentioned? If I delete the tomcat.keystore and run the import again it will create another, but it still doesn't work? I must be missing something?


Is it in Windows Services where the FME Server Web Application won't start?

What does the catalina log file say? You should be able to find this in the tomcat log folder in your FME Server System Share resources folder.

This is the error I get?

--------------------------------------------------------------------------------------

19-Sep-2018 10:37:45.653 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 108 column 5: The string "--" is not permitted within comments.

--------------------------------------------------------------------------------------

19-Sep-2018 13:20:12.413 WARNING [1] org.apache.catalina.startup.Catalina.load Catalina.start using conf/server.xml: The string "--" is not permitted within comments.
19-Sep-2018 13:20:12.413 SEVERE [1] org.apache.catalina.startup.Catalina.start Cannot start server. Server instance is not configured.

catalina2018-09-19.txt

 

 

Making progress... looks like there was a typo and a missing "-->" after I went line by line reviewing.
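
The failure in this thread (Tomcat's Digester rejecting conf/server.xml with 'The string "--" is not permitted within comments', traced to a missing "-->") can be located with a short scan instead of a line-by-line read. This is an added example, not part of the original posts or of FME Server or Tomcat; the server.xml fragment, the placeholder password and the function names are constructed for illustration.

```python
# Added example: locate malformed XML comments in a Tomcat conf/server.xml.
# XML forbids "--" inside a comment, so a missing "-->" is usually reported
# at the NEXT "<!--", not at the comment that was left open.
# Simplification: "<!--" inside CDATA or attribute values is not special-cased.

# Constructed sample (not the poster's file): the first comment lacks "-->".
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTPS connector, uncommented by hand
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="tomcat.keystore" keystorePass="PLACEHOLDER"/>
    <!-- AJP connector left disabled -->
  </Service>
</Server>
"""
FIXED = SAMPLE.replace("by hand\n", "by hand -->\n", 1)


def _line_col(text, offset):
    """1-based (line, column) of a character offset."""
    line = text.count("\n", 0, offset) + 1
    col = offset - text.rfind("\n", 0, offset)
    return line, col


def find_comment_errors(text):
    """Return (line, column, message) for each comment an XML parser rejects."""
    errors, pos = [], 0
    while (start := text.find("<!--", pos)) != -1:
        opened_at = _line_col(text, start)[0]
        dashes = text.find("--", start + 4)
        if dashes == -1:
            errors.append((*_line_col(text, start),
                           'comment is never closed with "-->"'))
            break
        if text.startswith("-->", dashes):
            pos = dashes + 3            # well-formed comment, keep scanning
            continue
        errors.append((*_line_col(text, dashes),
                       f'"--" inside the comment opened on line {opened_at}'))
        end = text.find("-->", dashes)  # resynchronise at the next terminator
        if end == -1:
            break
        pos = end + 3
    return errors


if __name__ == "__main__":
    for line, col, msg in find_comment_errors(SAMPLE):
        print(f"server.xml:{line}:{col}: {msg}")
    print("fixed copy clean:", find_comment_errors(FIXED) == [])
```

The reported position is where the parser trips; the message names the line of the comment that was left open, which is the one to repair.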

 

 

 

 

 

That's great that you managed to find it. Does the web app server start now?
I'm still having issues... but different. I can connect using https://localhost/ but the issued url https://fme-dev.company.com/ is not working?

 

 

 

What's the hostname of FME Server that you gave when you installed it?

 

What are the service urls set to?

 

Not sure where to look for this?

OK, much more progress... so I found that the alias wasn't assigned to the server. It was requested but.... well, contractors? Now that it was assigned, the web URL works and brings up the FME Server login, but the certificate is showing as unsecured. Do you think this is an issue with the creation of the certificate or how it is imported into the keystore?

Jennifer, do you have time to talk and maybe take a look at this? It just isn't working.

Hi Brian. You can raise a support case here. However if you can log into FME Server ok and it's just the browser reporting that the certificate is unsecured, that'd be best addressed with your security/certificate people to make sure your certificate is good and properly verified through a Certificate Authority, or you can look at how to import/trust the certificate with your browser.

 

 

I guess that is my problem... The browser isn't working and the group creating the certificate does not have any idea why this is happening. I just wanted someone to look at it and see if they can identify what we are missing?


Update for this question:

Through direct support the HTTPS/SSL configuration got to a nearly good place, with the FME Server web ui working, but jobs wouldn't run: 'Error submitting the job'.

In the tomcat localhost log we identified a pkix path building error.

In order to resolve this issue, we configured FME Server using the steps in this article, put together to help any other users who may be importing pfx certificates.
