Troubleshoot SSL/HTTPS key generation
If you are getting errors with your new SSL certificate, one of the first things to check is that the intermediary certificates have been loaded correctly. You can do this in Internet Explorer or any other modern web browser; the steps differ slightly between browsers.
Load Internet Explorer and visit the HTTPS URL for your PaperCut NG/MF server, then click the padlock near the URL bar.
Then click View Certificates and navigate to the Certificate Path and verify it is correct.
If the path is invalid, confirm that you have correctly inserted the required intermediary certificates. See Creating and installing a purchased SSL Certificate.
A quick way to validate the chain output by the server is to use openssl. This requires either Linux or Cygwin with openssl’s packages installed:
    openssl s_client -connect [server]:[port] -crlf
After the text has been output, type QUIT.
For example, a self-signed certificate looks like this:
    openssl s_client -connect localhost:9192 -crlf
    CONNECTED(00000003)
    depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = print-server
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = print-server
    verify return:1
    ---
    Certificate chain
     0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server
       i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server
    ---
The following is an example of a certificate that uses a chain. Note the 0, 1, 2 and how the i: (issuer) of each certificate matches the s: (subject) of the next certificate.
    $ openssl s_client -connect www.google.com:443 -crlf
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
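The issuer-to-subject comparison described above can be automated. The following is an added example, not PaperCut code: the function name check_chain, its verdict strings and the sample_broken input are assumptions made for illustration, while the other two samples reuse the chain blocks shown on this page.

```shell
#!/bin/sh
# Added example, not PaperCut code: check that the "Certificate chain" block of
# `openssl s_client` output links every issuer (i:) to the next subject (s:).
check_chain() {    # s_client output on stdin; prints a verdict; exit 0 = linked
    awk '
        BEGIN { n = 0 }
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
        END {
            if (n == 0) { print "NO_CHAIN"; exit 2 }
            for (k = 1; k < n; k++)              # issuer of k-1 must be subject of k
                if (iss[k-1] != subj[k]) { print "BROKEN_AT " k; exit 1 }
            if (subj[0] == iss[0]) { print "SELF_SIGNED"; exit 1 }
            if (n == 1) { print "NO_INTERMEDIATES"; exit 1 }  # heuristic
            print "LINKED " n
        }'
}

sample_self_signed() {    # chain block from the self-signed output above
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server' \
        '   i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server' '---'
}
sample_linked() {         # chain block from the chained output above
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com' \
        '   i:/C=US/O=Google Inc/CN=Google Internet Authority G2' \
        ' 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2' \
        '   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' \
        ' 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' \
        '   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority' '---'
}
sample_broken() {         # constructed: intermediate does not match leaf issuer
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/CN=print-server.example.test' '   i:/CN=Example Intermediate CA' \
        ' 1 s:/CN=Example Other CA' '   i:/CN=Example Root CA' '---'
}

for s in sample_self_signed sample_linked sample_broken; do
    printf '%s: ' "$s"; "$s" | check_chain || true
done
```

To check a live server, pipe the real output in, for example: echo QUIT | openssl s_client -connect [server]:[port] -crlf 2>/dev/null | check_chain. The issuer of the last certificate is not compared against anything, because the root it names is expected to come from the client's own trust store.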
If you receive an error message of ERR_SSL_VERSION_OR_CIPHER_MISMATCH in your web browser, or notice SSLHandshakeException: no cipher suites in common in [app-path]\server\logs\server.log, it is likely that the certificate chain is not complete or the SSL certificate is in the wrong alias in the keystore. See Check that the correct Alias has been used in the keystore to confirm the correct alias is in use.
PaperCut NG/MF is configured to use the alias “jetty”. If your SSL certificate is installed into another alias it will not load correctly. To confirm, run the following command:
    keytool -list -v -keystore my-ssl-keystore-20151217
    Enter keystore password: [password]
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: jetty
    Creation date: 17/12/2015
    Entry type: PrivateKeyEntry
A PrivateKeyEntry needs to be present in the jetty alias. If it has been imported into another alias, you can use keytool.exe to rename it. See Extended keytool.exe usage.