Tomcat cannot restart with error "ssl_no_cypher_overlap"

Usually, this error can be seen in Tomcat servlet container restart error logs (catalina.out), or in the browser while attempting to make a secure connection to your website.

tom1

This error refers to the fact that a private key has been generated using unknown or obsolete ciphers. This means the following command has been used for keystore generation:

keytool -genkey -keysize 2048 -alias 'keystore alias' -keystore 'your keystore'.jks

By default, Tomcat keytool instance generates the private key using a DSA algorithm that is now obsolete.


The command used for test keystore is:

keytool -genkey -alias tomcat -keystore /root/ssltest/test_test_test.jks

omitted -keyalg RSA and -keysize flags.

tom2

During the certificate issuance, the public key is converted to standard RSA and embedded in the body of the signed and issued certificate. So in this case, since there is no similar algorithm overlapping, an error occurs.

The solution is rather straightforward - simply reissue the certificate with a new keystore. You must specify -keyalg RSA to make sure that the key is generated using that algorithm.

The procedure is as follows:

  1. Generate a new keystore.
    The correct command to create a new keystore is:

    keytool -genkey -keyalg RSA -keysize 2048 -alias 'keystore alias' -keystore 'your new keystore'.jks

  2. Generate a new CSR
    Once a keystore is created, a new CSR should be generated.
  3. Reissue of the certificate
    Once the CSR is obtained, check it here and proceed to the reissue.

Comments

We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

If you need specific help with your account, feel free to contact our Support Team. Thank you.

Need help? We're always here for you.

× Close