After importing a new SSL certificate into the keystore tomcat.keystore, the Foglight Management Server (FMS) is no longer accessible through HTTPS.
In the log files, these error messages appear:
ERROR [forge-startup] org.apache.coyote.http11.Http11Protocol - Failed to start end point associated with ProtocolHandler ["http-bio-0.0.0.0-8443"]
java.io.IOException: Cannot recover key[...]
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
or
ERROR [forge-startup] org.apache.catalina.core.StandardService - Failed to start connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
[...]Caused by: org.apache.catalina.LifecycleException: service.getName(): "Forge"; Protocol handler start failed
[...]
Caused by: java.io.IOException: Cannot recover key
[...]Caused by: java.security.UnrecoverableKeyException: Cannot recover key[...]
This can happen when a 3rd party wildcard certificate was imported with both the private and public keys.
Even if the certificate was imported successfully into the keystore, the certificate key can have a different password than the keystore password.
Another potential root cause could be a second/invalid alias in the keystore.
First make sure that there is no second/duplicate/invalid alias in the keystore. Please use this command to list all keys:
/$FMS_HOME/jre/bin/keytool -list -keystore /$FMS_HOME/config/tomcat.keystore
If there is such an alias, please delete it with the following command:
/$FMS_HOME/jre/bin/keytool -keystore tomcat.keystore -storepass nitrogen -alias YourAliasName -delete
Replace YourAliasName with the name of the problematic alias.
Once these steps are done, please restart the FMS and check if the connection works again. If not, please continue with the next steps.
Update the key password using this command (from [FMS_HOME]/jre/bin directory):
[FMS_HOME]/jre/bin/keytool -keypasswd -alias tomcat -new nitrogen -keystore ../../config/tomcat.keystore
This will prompt for the keystore password (nitrogen) and the key password (whichever was provided by the CA).
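The alias check from the first step can be scripted. The following is an added example, not part of the original article or of Foglight: it parses the output of keytool -list and reports every entry other than the single expected private-key alias. The alias name tomcat (taken from the -keypasswd command above), the function names and the sample listing are assumptions constructed for illustration, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example: audit `keytool -list` output for extra or unexpected aliases.

# Constructed sample listing (fingerprints are placeholders, not real values).
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Mar 3, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed-fingerprint-1>
wildcard_old, Jan 9, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed-fingerprint-2>
EOF
}

# Reads a listing on stdin; $1 is the alias the HTTPS connector should use
# (assumed to be "tomcat"). Prints one line per finding and returns 1 if any.
audit_aliases() {
    awk -v want="${1:-tomcat}" '
        # Entry lines have the form: <alias>, <date>, <entry type>,
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$/ {
            alias = $0; sub(/,.*/, "", alias)
            type = $0; sub(/,[ \t]*$/, "", type); sub(/.*,[ \t]*/, "", type)
            if (tolower(alias) == tolower(want) && type == "PrivateKeyEntry") {
                found = 1
            } else {
                print "EXTRA " alias " " type   # candidate for -delete
                bad = 1
            }
        }
        END {
            if (!found) { print "MISSING " want; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Demo on the constructed listing; on a real server, pipe the output of the
# keytool -list command shown above into audit_aliases instead.
sample_listing | audit_aliases tomcat || true
```

An empty result with exit status 0 means the keystore holds only the expected private-key entry, so the remaining suspect is the key password mismatch handled by the -keypasswd step.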