Hi Ray,

I redid many tests and still have the issue. To be sure, I made an Ansible 
script to generate my certs etc.
I'm really struggling with how to debug this.

In summary, here is what I've done:
* copy all the certs from the front, which is the owner of domain.tld in 
the DNS registry, into the CAS VM
* In the CAS, set domain.tld in my /etc/hosts file associated with both 
127.0.0.1 and the IP
* Generate a keystore with the SAN:dns option
* Convert the keystore into PKCS12
* Use parts 2 and 3 from 
https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/
to import the domain.tld Let's Encrypt cert into the CAS keystore
* Checked that the alias domain.tld is correctly in the keystore => Ok
* Export the cert from the keystore following the 
https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl 
instructions
* Checked that the alias domain.tld is present in the cacerts => Ok
* Running CAS => Ok
* Login into CAS => Ok
* Trying to log in using the OAuth2 protocol => the redirection causes 

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No name matching 


Please be advised that with the latest JDK8, some keytool options have to be 
run with -J-Duser.language=en to force the language.

Any advice or guidance will be appreciated.

regards
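As an added example (my code, not something posted in this thread or shipped with CAS): a Python check that mirrors the hostname-matching rule behind Java's "No name matching" error, applied to a constructed `keytool -list -v` listing of the key entry in cas-auth.jks. The keytool text, alias and DNS names are constructed placeholders; it assumes the name CAS connects to for the OAuth callback is compared against the certificate's SAN DNSName entries, with the CN consulted only when the certificate carries no SAN.

```python
"""Hostname check behind Java's 'CertificateException: No name matching <host>'."""
import re

# Constructed sample of `keytool -list -v` output for the key entry; the alias
# and names are placeholders, not taken from the thread.
KEYTOOL_OUTPUT = """\
Alias name: domain.tld
Entry type: PrivateKeyEntry
Owner: CN=domain.tld
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: domain.tld
  DNSName: www.domain.tld
]
"""

def parse_keytool(text):
    """Return (owner CN, [SAN DNSName entries]) from keytool -list -v text."""
    cn = re.search(r"^Owner:.*?\bCN=([^,\n]+)", text, re.M)
    dns = re.findall(r"^\s*DNSName:\s*(\S+)", text, re.M)
    return (cn.group(1).strip() if cn else None), dns

def name_matches(pattern, hostname):
    """Simplified RFC 6125 rule: '*' only as the whole left-most label, same label count."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any("*" in x for x in p[1:]) or p[0] not in ("*", h[0]):
        return False
    return p[1:] == h[1:]

def cert_matches_host(hostname, cn, dns_names):
    """Java uses SAN DNSName entries; the CN is consulted only when there is no SAN."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hostname):
        return False  # an IP literal matches only iPAddress SAN entries, not parsed here
    candidates = dns_names if dns_names else ([cn] if cn else [])
    return any(name_matches(n, hostname) for n in candidates)

def check_keystore_for(hostname, keytool_text=KEYTOOL_OUTPUT):
    """True when the listed certificate would satisfy a connection to hostname."""
    cn, dns = parse_keytool(keytool_text)
    return cert_matches_host(hostname, cn, dns)
```

Paste the real `keytool -list -v -keystore /etc/cas/cas-auth.jks -alias domain.tld` output into check_keystore_for with the exact host in cas.server.name; a False result for that host is what surfaces as the exception above, and connecting by IP (as with the 127.0.0.1 hosts entry) can never match a DNSName entry.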

On Monday, 8 January 2018 23:04:21 UTC+1, rbon wrote:
>
> If CAS is running on another machine, import the certificate there.
> Make sure the java that is starting tomcat is the same as the java that is 
> using the keytool.
>
> Ray
>
> On Mon, 2018-01-08 at 22:06 +0100, Florent Thomas wrote:
>
> Hi Ray, many thanks for your answer. 
> Actually, the front is the place where the certificate has been defined.
> Let's Encrypt only knows my front, and I created the Java keystore on the 
> front and then transferred everything to the other machine, CAS.
> Is it a bad way to proceed?
>
> regards
>
> 2018-01-08 21:15 GMT+01:00 Ray Bon <[email protected]>:
>
> Florent,
>
> Have you added the certificate to your apache FRONT?
>
> Ray
>
> On Sun, 2018-01-07 at 16:35 -0800, Florent Thomas wrote:
>
> Hello everyone,
>
> Happy new year.
>
> I have an issue with proxying that I can't find a solution to.
>
> I'm running the latest 5.2 Gradle overlay and have an Apache reverse 
> proxy in front of the CAS instance.
>
> WAN <==> FRONT (HTTPS) <==> CAS (AJP)
>
> The SSL is provided by Let's Encrypt. I made a keystore, added the cert 
> into the keystore and then added it into my CAS server.
> (Thanks to 
> https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/
> and 
> https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl)
>
> I added the certificate into the global keystore with success and checked 
> that the cert is in both the global keystore and the one used by CAS. 
> Both know my domain.
> The /etc/hosts of my CAS instance has the domain associated with its IP.
>
> Here is my conf : 
>
> #server.port=8080
> cas.server.name: https://domain.tld
> cas.server.prefix: https://domain.tld/cas
> # Service Declarations
> cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.config.location=file:/etc/cas/config
> # LDAP Authentication Source
> logging.config: file:/etc/cas/config/log4j2.xml
> # Proxy part working with AJP reverse proxy:
> # Activate the options for secure connections
> # https://discuss.pivotal.io/hc/en-us/articles/202650798--Archived-How-can-Tomcat-redirect-to-a-secure-connection-when-behind-a-reverse-proxy-web-server-1037406-
> cas.server.ajp.secure=true
> cas.server.ajp.enabled=true
> #cas.server.ajp.proxyPort=443
> cas.server.ajp.protocol=AJP/1.3
> cas.server.ajp.asyncTimeout=5000
> cas.server.ajp.scheme=https
> cas.server.ajp.maxPostSize=20971520
> cas.server.ajp.port=8080
> cas.server.ajp.enableLookups=false
> cas.server.ajp.redirectPort=443
> cas.server.ajp.allowTrace=true
> cas.server.ajp.attributes.attributeName=attributeValue
> # SSL
> server.ssl.enabled=true
> #https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
> #https://github.com/apereo/cas-gradle-overlay-template#deployment
> server.ssl.keyStore=file:/etc/cas/cas-auth.jks
> server.ssl.keyStorePassword=11111
> server.ssl.keyPassword=11111
>
> With this conf, I succeed in using the web login directly, but I also need 
> to use OAuth, and during the callback I have a
>
> java.security.cert.CertificateException: No name matching
>
> And it's really weird because all the keystores are matching my domain.tld.
>
> Any advice / help would be appreciated.
>
> regards
>
>
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515442557.1878.26.camel%40uvic.ca
>
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4e75e5b8-7cd6-49d7-8a57-3bed4a571fee%40apereo.org.
