Hi Ray, many thanks for your answer.
Actually, the front is the place where the certificate has been defined.
Let's Encrypt only knows my front, and I created the Java keystore on the
front and then transferred everything to the other machine, CAS.
Is it a bad way to proceed?

Regards

2018-01-08 21:15 GMT+01:00 Ray Bon <[email protected]>:

> Florent,
>
> Have you added the certificate to your Apache FRONT?
>
> Ray
>
> On Sun, 2018-01-07 at 16:35 -0800, Florent Thomas wrote:
>
> Hello everyone,
>
> Happy new year.
>
> I have an issue with proxying that I can't find a solution to.
>
> I'm running the latest 5.2 Gradle overlay and have an Apache reverse
> proxy in front of the CAS instance.
>
> WAN <==> FRONT (HTTPS) <==> CAS (AJP)
>
> The SSL is provided by Let's Encrypt. I made a keystore, added the cert
> to the keystore and then added it to my CAS server.
> (Thanks to
> https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/
> and https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl)
>
> I added the certificate to the global keystore successfully and checked
> that the certs are in both the global keystore and the one used by CAS.
> Both know my domain.
> The /etc/hosts of my CAS instance has the domain associated with its IP.
>
> Here is my conf:
>
> #server.port=8080
> cas.server.name: https://domain.tld
> cas.server.prefix: https://domain.tld/cas
>
> #Service declarations
> cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.config.location=file:/etc/cas/config
>
> # LDAP Authentication Source
> logging.config: file:/etc/cas/config/log4j2.xml
>
> #Proxy part working with AJP reverse proxy :
> #Activate the options for secure connections
> # https://discuss.pivotal.io/hc/en-us/articles/202650798--Archived-How-can-Tomcat-redirect-to-a-secure-connection-when-behind-a-reverse-proxy-web-server-1037406-
> cas.server.ajp.secure=true
> cas.server.ajp.enabled=true
> #cas.server.ajp.proxyPort=443
> cas.server.ajp.protocol=AJP/1.3
> cas.server.ajp.asyncTimeout=5000
> cas.server.ajp.scheme=https
> cas.server.ajp.maxPostSize=20971520
> cas.server.ajp.port=8080
> cas.server.ajp.enableLookups=false
> cas.server.ajp.redirectPort=443
> cas.server.ajp.allowTrace=true
> cas.server.ajp.attributes.attributeName=attributeValue
>
> # SSL
> server.ssl.enabled=true
> #https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
> #https://github.com/apereo/cas-gradle-overlay-template#deployment
> server.ssl.keyStore=file:/etc/cas/cas-auth.jks
> server.ssl.keyStorePassword=11111
> server.ssl.keyPassword=11111
>
> With this conf, I succeed in using the web login directly, but I also
> need to use OAuth, and during the callback I have a
>
> java.security.cert.CertificateException: No name matching
>
> And it's really weird because all the keystores are matching my domain.tld.
>
> Any advice / help would be appreciated.
>
> regards
>
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515442557.1878.26.camel%40uvic.ca.
>
