Ray,

So bear with me here, because I've only been doing this for about 6 months, and it's felt very piecemeal (as in I am pretty sure there's a better way to do it but I'm not familiar enough with it to figure it out yet).
Yes, I think we're running the embedded Tomcat, as I start our CAS with "sudo ./gradlew clean copyCasConfiguration build run". I then watch the screen for output and I don't see any errors regarding any of the stores. The tomcat.jks certificate is consistently sent by the web server, as evidenced by loading the site and getting proper SSL. It's just that when I run a Qualys SSL scan on our instance it says that we're missing the certificate chain, which I thought I had specified to include by adding the lines

server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2

to cas.properties. I've tried changing it to server.ssl.trust-store and server.ssl.trust-store-password but I don't get errors with that either... which leads me to believe I'm missing the errors as they happen, or something else entirely is wrong. I don't see any errors during page access either.

On Thursday, November 3, 2022 at 12:59:58 PM UTC-4 Ray Bon wrote:
> Michael,
>
> I assume you are running embedded tomcat and the process running tomcat has read access to the .jks.
> What certificate is being sent when you browse to cas/login?
> Are there any log errors on tomcat startup or page access?
>
> Ray
>
> On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:
> > Hello all,
> >
> > I'm struggling with getting CAS to send the certificate chain properly and wondering if maybe I'm using the wrong lines in the config.
> >
> > Before this project I had:
> > server.ssl.key-store=file:/path/to/ssl/tomcat.jks
> > server.ssl.key-store-password=thepassword
> >
> > After some googling, I added
> > server.ssl.truststore=file:/path/to/ssl/chain.jks
> > server.ssl.truststorepassword=thepassword2
> >
> > However, when I run SSL scans against the site, it still reports that the chain isn't being sent.
> >
> > Is it different keys? Or should I just bake the chain into the tomcat file? Are there any aliases I should use specifically?
> >
> > Thanks.
> > -M
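As an added example that is not part of this thread (shell, using only the openssl CLI, with a throwaway CA and leaf certificate generated on the fly): it compares a key store that holds only the server certificate against one that also holds the issuing chain, which is the material Tomcat presents to clients; the server.ssl.trust-store setting governs which client certificates the server trusts and adds nothing to the chain it sends. The PKCS12 format, the alias `tomcat` and the password `changeit` are assumptions; a JKS built with keytool behaves the same way.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA + leaf with openssl,
# then compare a key store that carries only the leaf against one that also
# carries the issuing chain, as the store behind server.ssl.key-store must.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA and a leaf certificate signed by it (demo only).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.test" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Leaf-only store: what the server sends when the chain was never imported.
build_leaf_only_store() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
      -name tomcat -passout pass:changeit -out "$WORK/leaf-only.p12"
}

# Chained store: the leaf plus its issuer under the same alias, which is what
# Tomcat presents to clients.  Spring Boot reads it via server.ssl.key-store
# with server.ssl.key-store-type=PKCS12 (assumed here instead of JKS).
build_chained_store() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
      -certfile "$WORK/ca.pem" -name tomcat -passout pass:changeit \
      -out "$WORK/chained.p12"
}

# The check to run before an external scanner does: how many certificates
# does the key store actually hold alongside the server key?
count_store_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_demo_pki
build_leaf_only_store
build_chained_store
echo "leaf-only store carries $(count_store_certs "$WORK/leaf-only.p12") certificate(s)"
echo "chained store carries   $(count_store_certs "$WORK/chained.p12") certificate(s)"
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists exactly the certificates the server sent.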
