Troubleshoot SSL/HTTPS key generation

Verify certificate path in Windows

If you are getting errors with your new SSL certificate, one of the first things to check is that the intermediary certificates have been loaded correctly. You can do this in Internet Explorer or any other modern web browser, although the steps differ slightly.

Open Internet Explorer and visit the HTTPS URL for your PaperCut NG/MF server, then click the padlock near the URL bar.

Then click View Certificates, navigate to Certificate Path, and verify that it is correct.

If the path is invalid, confirm that you have correctly inserted the required intermediary certificates. See Creating and installing a purchased SSL Certificate.

Verify certificate path via command line with OpenSSL

OpenSSL offers a quick way to validate the chain output by the server. This requires either Linux or Cygwin with the openssl packages installed:

openssl s_client -connect [server]:[port] -crlf
QUIT

After the text has been output, type QUIT.

For example, a self-signed certificate looks like this:

openssl s_client -connect localhost:9192 -crlf
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = print-server
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = print-server
verify return:1
---
Certificate chain
0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server
i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=print-server
---

The following is an example of a certificate that uses a chain. Note the entries numbered 0, 1 and 2, and how the i: (issuer) of each certificate matches the s: (subject) of the next certificate.

$ openssl s_client -connect www.google.com:443 -crlf
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
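
The issuer-to-subject comparison described above can be scripted instead of read by eye. The following shell function is an added example, not part of the original page or of PaperCut's tooling; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# check_chain: read `openssl s_client` output on stdin and confirm that the
# issuer (i:) of each chain entry equals the subject (s:) of the next entry.
# Exit status: 0 linked chain, 1 self-signed/single/broken, 2 no chain seen.
check_chain() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        /^ *[0-9]+ +s:/      { n++; sub(/^ *[0-9]+ +s:/, ""); subj[n] = $0; next }
        /^ *i:/              { sub(/^ *i:/, ""); issr[n] = $0 }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 2 }
            if (n == 1 && subj[1] == issr[1]) { print "self-signed: " subj[1]; exit 1 }
            if (n == 1) { print "no intermediate sent, issuer: " issr[1]; exit 1 }
            for (k = 1; k < n; k++)
                if (issr[k] != subj[k + 1]) {
                    print "broken link after entry " (k - 1) ", issuer: " issr[k]
                    bad = 1
                }
            if (bad) exit 1
            print "linked chain of " n " certificates"
        }'
}

# Constructed sample outputs (not captured from a real server).
sample_self_signed() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:/CN=print-server' '   i:/CN=print-server' '---'
}
sample_linked() {
    printf '%s\n' '---' 'Certificate chain' \
        ' 0 s:/CN=print.example.com' '   i:/CN=Example Intermediate CA' \
        ' 1 s:/CN=Example Intermediate CA' '   i:/CN=Example Root CA' '---'
}
sample_broken() {
    printf '%s\n' '---' 'Certificate chain' \
        ' 0 s:/CN=print.example.com' '   i:/CN=Example Intermediate CA' \
        ' 1 s:/CN=Unrelated CA' '   i:/CN=Example Root CA' '---'
}

# Live use: openssl s_client -connect [server]:[port] </dev/null 2>/dev/null | check_chain
for s in sample_self_signed sample_linked sample_broken; do
    printf '%s: ' "$s"; "$s" | check_chain || true
done
```

This compares names only. The verify error and verify return lines in the same s_client output report whether the chain actually validated.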

ERR_SSL_VERSION_OR_CIPHER_MISMATCH & SSLHandshakeException: no cipher suites in common

If you receive an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in your web browser, or notice SSLHandshakeException: no cipher suites in common in [app-path]\server\logs\server.log, it is likely that the certificate chain is not complete or that the SSL certificate is in the wrong alias in the keystore. See Check that the correct Alias has been used in the keystore to confirm the correct alias is in use.

Check that the correct Alias has been used in the keystore

PaperCut NG/MF is configured to use the alias “jetty”. If your SSL certificate is installed into another alias, it will not load correctly. To confirm, run the following command:

keytool -list -v -keystore my-ssl-keystore-20151217
Enter keystore password: [password]

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: 17/12/2015
Entry type: PrivateKeyEntry

The PrivateKeyEntry needs to be present in the jetty alias. If it has been imported into another alias, you can use keytool.exe to rename it. See Extended keytool.exe usage.