Hi Ray,

Finally, the option was to not set the /etc/hosts!

On Sunday, 14 January 2018 at 22:12:56 UTC+1, Florent Thomas wrote:
>
> Hi Ray,
>
> I remade many tests and still have the issue. To be sure I made an ansible
> script to generate my certs etc...
> I'm really struggling with the way to debug this.
>
> In summary, here is what I've done:
> * copy all the certs from the front that is the owner of the domain.tld in
>   the DNS registry into the CAS VM
> * In the CAS, set the domain.tld in my /etc/hosts file associated to both
>   127.0.0.1 and the IP
> * Generate a keystore with the SAN:dns option
> * Convert the keystore into PKCS12
> * Use parts 2 and 3 from
>   https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/
>   to import the domain.tld Let's Encrypt cert into the CAS keystore
> * Checked that the alias domain.tld is correctly in the keystore => Ok
> * Export the cert from the keystore following the
>   https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
>   instructions
> * Checking that the alias domain.tld is present in the cacerts => Ok
> * Running CAS => Ok
> * Login into CAS => Ok
> * Trying to log in using the OAuth2 protocol => redirection causes
>
>   javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
>   No name matching
>
> Please be advised that with the latest JDK8, some keytool options have to be
> run with -J-Duser.language=en to force the language.
>
> Any advice or guidance will be appreciated.
>
> regards
>
> On Monday, 8 January 2018 at 23:04:21 UTC+1, rbon wrote:
>>
>> If CAS is running on another machine, import the certificate there.
>> Make sure the java that is starting tomcat is the same as the java that
>> is using the keytool.
>>
>> Ray
>>
>> On Mon, 2018-01-08 at 22:06 +0100, Florent Thomas wrote:
>>
>> Hi Ray, great thanks for your answer.
>> Actually, the front is the place where the certificate has been defined.
>> Let's Encrypt only knows my front and I created the java keystore on the
>> front and then transferred everything to the other machine, CAS.
>> Is it a bad way to proceed?
>>
>> regards
>>
>> 2018-01-08 21:15 GMT+01:00 Ray Bon <[email protected]>:
>>
>> Florent,
>>
>> Have you added the certificate to your apache FRONT?
>>
>> Ray
>>
>> On Sun, 2018-01-07 at 16:35 -0800, Florent Thomas wrote:
>>
>> Hello everyone,
>>
>> Happy new year.
>>
>> I have an issue with proxying that I don't succeed in finding a solution to.
>>
>> I'm running the latest 5.2 gradle overlay and have an apache reverse
>> proxy in front of the CAS instance.
>>
>> WAN <==> FRONT (HTTPS) <==> CAS (AJP)
>>
>> The SSL is provided by Let's Encrypt. I made a keystore and added the cert
>> into the keystore and then added it into my cas server.
>> (Thanks to
>> https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/
>> and
>> https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl)
>>
>> I added the certificate into the global keystore with success and checked
>> that the cert is in both the global keystore and the one used by cas.
>> Both know my domain.
>> The /etc/hosts of my CAS instance has the domain associated to its IP.
>>
>> Here is my conf:
>>
>> #server.port=8080
>> cas.server.name: https://domain.tld
>> cas.server.prefix: https://domain.tld/cas
>> #Service declarations
>> cas.serviceRegistry.initFromJson=true
>> cas.serviceRegistry.config.location=file:/etc/cas/config
>> # LDAP Authentication Source
>> logging.config: file:/etc/cas/config/log4j2.xml
>> #Proxy part working with AJP reverse proxy:
>> #Activate the options for secure connections
>> # https://discuss.pivotal.io/hc/en-us/articles/202650798--Archived-How-can-Tomcat-redirect-to-a-secure-connection-when-behind-a-reverse-proxy-web-server-1037406-
>> cas.server.ajp.secure=true
>> cas.server.ajp.enabled=true
>> #cas.server.ajp.proxyPort=443
>> cas.server.ajp.protocol=AJP/1.3
>> cas.server.ajp.asyncTimeout=5000
>> cas.server.ajp.scheme=https
>> cas.server.ajp.maxPostSize=20971520
>> cas.server.ajp.port=8080
>> cas.server.ajp.enableLookups=false
>> cas.server.ajp.redirectPort=443
>> cas.server.ajp.allowTrace=true
>> cas.server.ajp.attributes.attributeName=attributeValue
>> # SSL
>> server.ssl.enabled=true
>> #https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
>> #https://github.com/apereo/cas-gradle-overlay-template#deployment
>> server.ssl.keyStore=file:/etc/cas/cas-auth.jks
>> server.ssl.keyStorePassword=11111
>> server.ssl.keyPassword=11111
>>
>> With this conf, I succeed in using the web login directly, but I also need to
>> use OAuth and during the callback I have a
>>
>> java.security.cert.CertificateException: No name matching
>>
>> And it's really weird because all the keystores are matching my domain.tld.
>>
>> Any advice / help would be appreciated.
>>
>> regards
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515442557.1878.26.camel%40uvic.ca
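Added example, not from the thread and not CAS or JDK code: a Python reproduction of the name-matching rule behind the "No name matching" exception, modelled on Java's HostnameChecker / RFC 6125 behaviour. The certificate dicts are constructed samples and every function name is this example's own.

```python
"""Hostname verification in the style of Java's HostnameChecker (RFC 6125 rules),
applied to a cert in the dict shape ssl.SSLSocket.getpeercert() returns.
All names here are this example's own."""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry; a wildcard is only the whole leftmost
    label, never spans a dot, and '*.tld' is rejected outright."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_name(cert: dict, hostname: str) -> tuple:
    """Return (accepted, reason). Only subjectAltName counts once any SAN exists;
    CN is a fallback for SAN-less certs; an IP-literal host needs an iPAddress
    SAN. The resolved address is never consulted, so an /etc/hosts entry cannot
    fix a mismatch, it only changes which server (and certificate) answers."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, f"iPAddress SAN matches {hostname}"
        return False, f"No name matching {hostname} found (no iPAddress SAN)"
    for name in dns_names:
        if _dns_match(name, hostname):
            return True, f"dNSName SAN '{name}' matches {hostname}"
    if not sans:
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        if cns and _dns_match(cns[0], hostname):
            return True, f"CN '{cns[0]}' matches {hostname} (no SAN present)"
    return False, f"No name matching {hostname} found"


# Constructed sample certs (not real) in getpeercert() shape: the Let's Encrypt
# cert the FRONT serves, and a self-signed cert CAS itself might present when
# domain.tld is pointed at 127.0.0.1 in /etc/hosts.
FRONT_CERT = {"subject": ((("commonName", "domain.tld"),),),
              "subjectAltName": (("DNS", "domain.tld"), ("DNS", "*.domain.tld"))}
LOCAL_CERT = {"subject": ((("commonName", "localhost"),),),
              "subjectAltName": (("DNS", "localhost"),)}
```

Running check_peer_name(LOCAL_CERT, "domain.tld") yields the same "No name matching domain.tld found" outcome as the callback in the thread, while the FRONT_CERT is accepted.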
