Ray,

So bear with me here, because I've only been doing this for about 6 months, 
and it's felt very piecemeal (as in I am pretty sure there's a better way 
to do it but I'm not familiar enough with it to figure it out yet).

Yes, I think we're running the embedded Tomcat as I start our cas with a 
"sudo ./gradlew clean copyCasConfiguration build run" --- I then watch the 
screen for output and I don't see any errors regarding any of the stores.

The tomcat.jks certificate is consistently sent by the webserver as 
evidenced by loading the site and getting proper SSL.  It's just when I run 
a qualys ssl scan on our instance it says that we're missing the 
certificate chain, which I thought I specified to include by adding the 
lines "server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2" to the cas.properties.

I've tried changing it to server.ssl.trust-store and 
server.ssl.trust-store-password but I don't get errors with that either... 
Which leads me to believe I'm missing the errors as they happen or 
something else entirely is wrong.

I don't see any errors during page access either.

On Thursday, November 3, 2022 at 12:59:58 PM UTC-4 Ray Bon wrote:

> Michael,
>
> I assume you are running embedded tomcat and the process running tomcat 
> has read access to the .jks.
> What certificate is being sent when you browse to cas/login?
> Are there any log errors on tomcat startup or page access?
>
> Ray
>
> On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:
>
> Hello all, 
>
> I'm struggling with getting CAS to send the certificate chain properly and 
> wondering if maybe I'm using the wrong lines in the config.
>
> Before this project I had:
> server.ssl.key-store=file:/path/to/ssl/tomcat.jks
> server.ssl.key-store-password=thepassword
>
> After some googling, I added
> server.ssl.truststore=file:/path/to/ssl/chain.jks
> server.ssl.truststorepassword=thepassword2
>
> However, when I run SSL scans against the site, it still reports that the 
> chain isn't being sent.
>
> Is it different keys? Or should I just bake the chain into the tomcat 
> file?  Are there any aliases I should use specifically?
>
> Thanks.
> -M
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/73419473-4555-41cc-8e60-dc1587c38b01n%40apereo.org.
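As an added example (not from this thread or the CAS project), the script below builds a throwaway root/intermediate/leaf chain with openssl and packs the leaf into two PKCS12 key stores, one with the leaf alone and one with the intermediate bundled behind the same key entry, then counts what each store would hand to embedded Tomcat. The point it demonstrates is that Spring Boot's embedded Tomcat sends only the chain stored in server.ssl.key-store (with server.ssl.key-store-type=PKCS12 for this format), while server.ssl.trust-store only governs which client certificates are trusted, so a scanner reporting a missing chain means the intermediate is not behind the key entry. All names, the password and the file paths are constructed; it assumes openssl on PATH, and for a JKS store the equivalent check is the "Certificate chain length" line of keytool -list -v.

```shell
#!/usr/bin/env bash
# Constructed example: throwaway CA -> intermediate -> leaf chain, then two
# PKCS12 key stores for embedded Tomcat (server.ssl.key-store, with
# server.ssl.key-store-type=PKCS12). Only certificates stored behind the key
# entry are sent to clients; the contents of server.ssl.trust-store never are.
set -eu
WORK=$(mktemp -d)
PASS=thepassword          # constructed placeholder, not a real password

# Generate root, intermediate and leaf under $WORK (2-day validity).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.edu" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# build_keystore OUT.p12 [CHAIN.pem]: leaf key + cert, optionally with the
# intermediate(s) bundled behind the same key entry (alias "tomcat").
build_keystore() {
  chain="${2:-}"
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -name tomcat -passout "pass:$PASS" -out "$1" \
      -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -certfile "$chain"
  else
    openssl pkcs12 -export -name tomcat -passout "pass:$PASS" -out "$1" \
      -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem"
  fi
}

# How many certificates the key store would hand to Tomcat, i.e. what a
# scanner sees on the wire. 1 = leaf only (the "chain missing" finding).
keystore_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_chain
build_keystore "$WORK/leaf-only.p12"
build_keystore "$WORK/with-chain.p12" "$WORK/inter.pem"
echo "leaf-only:  $(keystore_cert_count "$WORK/leaf-only.p12") cert(s)"  # 1
echo "with-chain: $(keystore_cert_count "$WORK/with-chain.p12") cert(s)" # 2
```

Against a running server the same count comes from `openssl s_client -connect host:8443 -showcerts </dev/null | grep -c 'BEGIN CERTIFICATE'`, which is the view an SSL scanner has.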
