Yeah, that's why I'm trying to get the chain included, so it will pass the 
scanner.  It works fine in any browser I test in, but we get a weekly scan 
report and it keeps coming up as chain invalid.  Just trying to get it to 
clear the scan.  I'm about half a minute away from putting it behind a 
reverse proxy.

On Thursday, November 3, 2022 at 3:22:53 PM UTC-4 richard.frovarp wrote:

> Browsers will insert the intermediate certificates if they know them. So 
> you can't trust the browser. Scanners look for the chain with no prior 
> knowledge, and thus are more reliable in determining if you have everything 
> set up correctly.
>
> On 11/3/22 12:47, Ray Bon wrote:
>
> Michael,
>
> I have not run the embedded tomcat so I do not know where the logs are or 
> if they are the same in the console on startup.
> When you are on the cas site, you can click the lock icon beside the url. 
> You can then get access to the certificate(s) and view them. (Steps vary a 
> bit between browsers.) You should see your host cert, the intermediates, 
> and the root CA.
> If those certs are as you expect, perhaps the scanning tool can provide 
> more details on what it thinks is amiss.
>
> Ray
>
> On Thu, 2022-11-03 at 10:18 -0700, Michael Santangelo wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>
> Ray, 
>
> So bear with me here, because I've only been doing this for about 6 
> months, and it's felt very piecemeal (as in I am pretty sure there's a 
> better way to do it but I'm not familiar enough with it to figure it out 
> yet).
>
> Yes, I think we're running the embedded Tomcat as I start our cas with a 
> "sudo ./gradlew clean copyCasConfiguration build run" --- I then watch the 
> screen for output and I don't see any errors regarding any of the stores.
>
> The tomcat.jks certificate is consistently sent by the webserver as 
> evidenced by loading the site and getting proper SSL.  It's just when I run 
> a qualys ssl scan on our instance it says that we're missing the 
> certificate chain, which I thought I specified to include by adding the 
> lines "server.ssl.truststore=file:/path/to/ssl/chain.jks
> server.ssl.truststorepassword=thepassword2" to the cas.properties. 
>
> I've tried changing it to server.ssl.trust-store and 
> server.ssl.trust-store-password but I don't get errors with that either... 
> Which leads me to believe I'm missing the errors as they happen or 
> something else entirely is wrong.
>
> I don't see any errors during page access either.
>
> On Thursday, November 3, 2022 at 12:59:58 PM UTC-4 Ray Bon wrote:
>
> Michael,
>
> I assume you are running embedded tomcat and the process running tomcat 
> has read access to the .jks.
> What certificate is being sent when you browse to cas/login?
> Are there any log errors on tomcat startup or page access?
>
> Ray
>
> On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:
>
> Hello all, 
>
> I'm struggling with getting CAS to send the certificate chain properly and 
> wondering if maybe I'm using the wrong lines in the config.
>
> Before this project I had:
> server.ssl.key-store=file:/path/to/ssl/tomcat.jks
> server.ssl.key-store-password=thepassword
>
> After some googling, I added
> server.ssl.truststore=file:/path/to/ssl/chain.jks
> server.ssl.truststorepassword=thepassword2
>
> However, when I run SSL scans against the site, it still reports that the 
> chain isn't being sent.
>
> Is it different keys? Or should I just bake the chain into the tomcat 
> file?  Are there any aliases I should use specifically?
>
> Thanks.
> -M

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4af0a116-b3a2-459e-b7c4-5becfbe07484n%40apereo.org.
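The thread's point is that a browser will fetch missing intermediates on its own, so only a scanner-style check shows what the server really sends. The following is an added example, not code from the thread or from the CAS project: it checks the chain the way a scanner does (with `openssl s_client`, no browser help) and checks how many certificates the keystore entry actually holds. Host names, file paths and the sample outputs are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a TLS chain the way a scanner
# does (no browser-fetched intermediates) and checks what a keystore holds.
# Host names and file paths are assumptions; the samples below are constructed.

# Count certificates in `openssl s_client -showcerts` output read from stdin.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Read the chain length keytool reports for a PrivateKeyEntry from stdin.
# 1 means only the leaf is in the store, so Tomcat has nothing else to send.
keystore_chain_length() {
    sed -n 's/^Certificate chain length: *//p' | head -n 1
}

# Classify what the server sent: 0 = full chain, 1 = leaf only, 2 = nothing.
chain_status() {
    n=$(count_chain_certs)
    if [ "$n" -ge 2 ]; then echo "ok: $n certs (leaf + $((n - 1)) intermediate(s))"; return 0
    elif [ "$n" -eq 1 ]; then echo "chain incomplete: leaf only"; return 1
    else echo "no certificate presented"; return 2; fi
}

# Live use (assumed host and path; not part of the offline test):
#   openssl s_client -connect cas.example.edu:8443 -servername cas.example.edu \
#       -showcerts </dev/null 2>/dev/null | chain_status
#   keytool -list -v -keystore /path/to/ssl/tomcat.jks | keystore_chain_length
# If the store holds only the leaf, rebuild it with the chain included and point
# server.ssl.key-store at the new file. server.ssl.trust-store only sets which
# client certificates the server trusts; the chain sent comes from the key store.
#   openssl pkcs12 -export -in host.crt -inkey host.key -certfile chain.pem \
#       -name tomcat -out tomcat.p12
#   server.ssl.key-store=file:/path/to/ssl/tomcat.p12
#   server.ssl.key-store-type=PKCS12

# Constructed s_client output: leaf only, which is what the scanner flags.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = cas.example.edu
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC(constructed, not a real certificate)
-----END CERTIFICATE-----'

# Constructed `keytool -list -v` output for a store that holds the leaf only.
SAMPLE_KEYTOOL='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1'
```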