Avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH

It’s Monday morning, you navigate to your service page and you realize that the SSL certificate expired two days ago…

And this is how my week began! Since it was such a painful task to install the certificate on my virtual Tomcat 7 server last year, I decided to follow the steps given by GoDaddy, hoping that their tutorials had been updated. I followed the steps below, and I will point out where things went wrong (step 2.2).

  1. Stop the Tomcat service (kill -9 skips Tomcat's own shutdown; prefer bin/shutdown.sh and kill the JVM only if it is still running afterwards)
    ps -ef | grep tomcat
    sudo kill -9 PID   (the process number from the ps output)
  2. Go to my home folder
    1. generate a keystore
      keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
    2. First and Last Name: enter your website FQDN; this is where I made a mistake. Since I had a single-domain certificate, I should’ve entered myhealthframe.com but I entered *.myhealthframe.com instead and wasted one workday! The error I received was ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome.
    3. Enter the other required information
    4. Create the CSR (Certificate Signing Request) and send it to GoDaddy.
      keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
  3. Download the certificates from GoDaddy
    1. For root certificate use gdroot-g2.crt. Download it from the repository section in GoDaddy.
      keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdroot-g2.crt
    2. For the intermediate alias use gdig2.crt (it is in the zip file you downloaded); do not import the root file a second time here.
      keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
    3. Finally, for your domain certificate, use the file whose name is the alphanumeric certificate ID. Import it under the same alias as the private key ("tomcat" above); under any other alias keytool stores it as a trusted certificate and Tomcat has no key to serve.
      keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file A123456789.crt
  4. Update the server.xml file (use the absolute path of tomcat.keystore in keystoreFile; the keystore must hold the private-key entry, and keyAlias="tomcat" can name it explicitly if the keystore contains more than one key)
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="200" scheme="https" secure="true" clientAuth="false"
       sslProtocol="TLS" keystoreFile="path/to/keystore"
       keystorePass="the password to your keystore" compression="on" />
  5. Start the tomcat service
    …/tomcat7/bin> sudo ./startup.sh
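As an added example (not part of the original post or of GoDaddy's tutorial), here is the same procedure scripted so that the CN goes in through keytool's -dname option instead of the interactive prompt, with two checks added: the CN is compared with the ordered name before the CSR exists, and the finished keystore listing is verified before Tomcat is restarted. The domain, alias, the organisation fields in -dname, and the certificate file names are assumptions; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: non-interactive keystore build for a
# single-domain certificate plus the checks that catch the step 2.2 mistake early.
# ORDERED_NAME, ALIAS, the -dname organisation fields and file names are assumptions.
set -eu

ORDERED_NAME="myhealthframe.com"   # the exact name on the certificate order
CN="$ORDERED_NAME"                 # what goes into the CSR; step 2.2 put "*.$ORDERED_NAME" here
ALIAS="tomcat"                     # must be the alias the connector uses (keyAlias, default "tomcat")
KEYSTORE="tomcat.keystore"

# Check 1: the CN that goes into the CSR must be exactly the ordered name.
# A wildcard CN on a single-domain order is the mistake described in step 2.2.
check_cn() {
    cn="$1"; ordered="$2"
    case "$cn" in
        \**) echo "CN '$cn' is a wildcard; a single-domain certificate was ordered" >&2; return 1 ;;
    esac
    if [ "$cn" != "$ordered" ]; then
        echo "CN '$cn' does not match the ordered name '$ordered'" >&2
        return 1
    fi
}

# Helper: from `keytool -list -v` text on stdin, print the first line matching
# regex $2 inside the entry whose alias is $1.
entry_field() {
    awk -v a="$1" -v f="$2" '
        /^Alias name: / { inside = ($0 == ("Alias name: " a)); next }
        inside && $0 ~ f { print; exit }'
}

# Check 2: after the imports the alias must be a PrivateKeyEntry with a full chain
# whose leaf subject names the domain. A trustedCertEntry here means the CA reply was
# imported under a different alias than the private key: Tomcat then has no key to
# serve, offers no cipher suite, and Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
check_listing() {
    listing="$1"; alias="$2"; domain="$3"
    entry=$(printf '%s\n' "$listing" | entry_field "$alias" '^Entry type: ' | awk '{print $3}')
    if [ "$entry" != "PrivateKeyEntry" ]; then
        echo "alias '$alias' is '${entry:-missing}', expected PrivateKeyEntry" >&2; return 1
    fi
    len=$(printf '%s\n' "$listing" | entry_field "$alias" '^Certificate chain length: ' | awk '{print $4}')
    if [ "${len:-0}" -lt 2 ]; then
        echo "chain length ${len:-0}: intermediate certificate missing from the chain" >&2; return 1
    fi
    owner=$(printf '%s\n' "$listing" | entry_field "$alias" '^Owner: ')
    case "$owner" in
        *"CN=$domain,"*|*"CN=$domain") ;;
        *) echo "leaf subject '$owner' does not name $domain" >&2; return 1 ;;
    esac
}

# Steps 2.1 to 2.4: key pair and CSR. -dname replaces the interactive prompts, so the
# CN is taken from the variable above. keytool prompts for the keystore password.
make_csr() {
    check_cn "$CN" "$ORDERED_NAME"
    keytool -genkeypair -keysize 2048 -keyalg RSA -alias "$ALIAS" -keystore "$KEYSTORE" \
        -dname "CN=$CN, OU=IT, O=Example Org, L=City, ST=State, C=US"
    keytool -certreq -alias "$ALIAS" -file csr.csr -keystore "$KEYSTORE"
}

# Step 3: root, intermediate (gdig2.crt, not the root file again), then the domain
# certificate under the SAME alias as the private key; then verify the keystore.
install_reply() {
    keytool -import -alias root     -keystore "$KEYSTORE" -trustcacerts -file gdroot-g2.crt
    keytool -import -alias intermed -keystore "$KEYSTORE" -trustcacerts -file gdig2.crt
    keytool -import -alias "$ALIAS" -keystore "$KEYSTORE" -trustcacerts -file A123456789.crt
    check_listing "$(keytool -list -v -keystore "$KEYSTORE")" "$ALIAS" "$ORDERED_NAME"
}

# After step 5: confirm what the connector actually serves, with SNI set.
check_live() {
    openssl s_client -connect "$ORDERED_NAME:8443" -servername "$ORDERED_NAME" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

case "${1:-}" in
    csr)     make_csr ;;
    install) install_reply ;;
    live)    check_live ;;
esac
```

Run it as `keystore.sh csr` before ordering, `keystore.sh install` once the reply arrives, and `keystore.sh live` after startup.sh; keytool asks for the keystore password interactively, so it never appears in the process list. The listing check fails on a wildcard CN, on a missing intermediate, and on the reply having been imported under a fresh alias, all before the connector is restarted.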

I hope you won’t make the same mistake and that this post helps you have a much more enjoyable Monday!