If CAS is running on another machine, import the certificate there. Make sure the java that is starting tomcat is the same as the java that is using the keytool.
Ray

On Mon, 2018-01-08 at 22:06 +0100, Florent Thomas wrote:

Hi Ray, great thanks for your answer. Actually, the front is the place where the certificate has been defined. Let's Encrypt only knows my front, and I created the Java keystore on the front and then transferred everything to the other machine, CAS. Is it a bad way to proceed?

regards

2018-01-08 21:15 GMT+01:00 Ray Bon <[email protected]>:

Florent,

Have you added the certificate to your apache FRONT?

Ray

On Sun, 2018-01-07 at 16:35 -0800, Florent Thomas wrote:

Hello everyone, Happy new year.

I have an issue with proxying that I haven't managed to find a solution to. I'm running the latest 5.2 Gradle overlay and have an Apache reverse proxy in front of the CAS instance.

WAN <==> FRONT (HTTPS) <==> CAS (AJP)

The SSL is provided by Let's Encrypt. I made a keystore, added the cert into the keystore and then added it into my CAS server. (Thanks to https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/ and https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl) I added the certificate into the global keystore with success and checked that the cert is in both the global keystore and the one used by CAS. Both know my domain. The /etc/hosts of my CAS instance has the domain associated to its IP.
Here is my conf:

  #server.port=8080
  cas.server.name: https://domain.tld
  cas.server.prefix: https://domain.tld/cas
  #Service declarations
  cas.serviceRegistry.initFromJson=true
  cas.serviceRegistry.config.location=file:/etc/cas/config
  # LDAP Authentication Source
  logging.config: file:/etc/cas/config/log4j2.xml
  #Proxy part working with AJP reverse proxy :
  #Activate the options for secure connections
  # https://discuss.pivotal.io/hc/en-us/articles/202650798--Archived-How-can-Tomcat-redirect-to-a-secure-connection-when-behind-a-reverse-proxy-web-server-1037406-
  cas.server.ajp.secure=true
  cas.server.ajp.enabled=true
  #cas.server.ajp.proxyPort=443
  cas.server.ajp.protocol=AJP/1.3
  cas.server.ajp.asyncTimeout=5000
  cas.server.ajp.scheme=https
  cas.server.ajp.maxPostSize=20971520
  cas.server.ajp.port=8080
  cas.server.ajp.enableLookups=false
  cas.server.ajp.redirectPort=443
  cas.server.ajp.allowTrace=true
  cas.server.ajp.attributes.attributeName=attributeValue
  # SSL
  server.ssl.enabled=true
  #https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
  #https://github.com/apereo/cas-gradle-overlay-template#deployment
  server.ssl.keyStore=file:/etc/cas/cas-auth.jks
  server.ssl.keyStorePassword=11111
  server.ssl.keyPassword=11111

With this conf, I succeed in using the web login directly, but I also need to use OAuth, and during the callback I get a java.security.cert.CertificateException: No name matching. And it's really weird because all the keystores are matching my domain.tld.

Any advice / help would be appreciated.

regards

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515442557.1878.26.camel%40uvic.ca.
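Ray's advice and the "No name matching" error both come down to the hostname check Java applies to the certificate it is handed during the OAuth callback. As an added example, not from the thread, here is a POSIX shell function that applies that same rule to the subjectAltName entries as printed by keytool -list -v (or by openssl x509), so you can confirm offline which names the keystore certificate actually covers; the SAN sample below is constructed.

```shell
#!/bin/sh
# Constructed sample (not from the thread): the subjectAltName block as printed by
# `keytool -list -v` for a certificate covering domain.tld and its subdomains.
SAMPLE_SAN_TEXT='#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: domain.tld
  DNSName: *.domain.tld
]'

# san_covers_host HOST SAN_TEXT
# Succeeds (exit 0) when HOST is covered by a DNSName entry in SAN_TEXT, using the
# rule Java's hostname verifier applies: a case-insensitive exact match, or a
# wildcard that replaces only the left-most label (*.domain.tld covers
# www.domain.tld but neither domain.tld nor a.b.domain.tld). Accepts the
# keytool layout ("DNSName: x") and the openssl layout ("DNS:x, DNS:y").
san_covers_host() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | tr ',' '\n' |
    sed -n 's/.*DNS\(Name\)\{0,1\}: *\([^ ,]*\).*/\2/p' | tr 'A-Z' 'a-z' | {
    while read -r name; do
      case "$name" in
        \*.*)
          suffix=${name#\*}            # "*.domain.tld" -> ".domain.tld"
          rest=${host%"$suffix"}       # label left of the suffix, or unchanged
          [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ] && exit 0
          ;;
        *)
          [ "$name" = "$host" ] && exit 0
          ;;
      esac
    done
    exit 1                             # no entry matched: this is the
  }                                    # "No name matching <host> found" case
}

# Against the real keystore from the thread (run with the keytool of the JDK that
# starts Tomcat; the store password is a placeholder):
#   san_covers_host domain.tld \
#     "$(keytool -list -v -keystore /etc/cas/cas-auth.jks -storepass CHANGEME)" \
#     && echo "keystore cert covers domain.tld" || echo "no matching name"
```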
