Re: ofbiz and SSL & apache
I took a bit time, but what finally helped me to fix it was a combination of this procedure https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup and this 2nd one: https://ilhicas.com/2018/04/08/How-to-use-letsencrypt-jks.html Apache Proxy in from of Tomcat: Has somebody here sucesfully implemented an apache proxy for tomcat that redirects traffic to ofbiz as well to the other webser services (all php based)? Thanks for your help. Wolfgang On Tue, 2019-02-19 at 12:52 +0100, Michael Brohl wrote: > You will need to store a certificate for the domain you want to use. > > Maybe you should create your own keystore containing only your > certificate and point to this file instead of the original. > > Regards, > > Michael > > > Am 19.02.19 um 12:22 schrieb Wolfgang Paul Rauchholz: > > I am trying to get SSL working w/o apache for the time being. > > > > I followed your procedure and could sucesfully import. Thanks. > > Great! > > > > I went the into the following file: > > /usr/local/ofbiz/framework/catalina/ofbiz-component.xml and changed > > the > > following two lines: > > > > > value="framework/base/config/ofbiz.jks"/> > > > > > > Which seems not to be the right, because firefox still complaints > > When I call https:www.wo-lar.com:8443/myportal/control/main. I get > > a > > "Your connection is not secure". www.wo-lar.com:8443 uses an > > invalid > > security certificate. > > > > > > When I run :8443:/myportal/control/main I get the > > same > > error message. But I can look at hte certificate and that tells me > > that > > it still points to the wrong certificate: > > Common name: ofbiz-vm.apache.org > > > > Any thoughts? > > > > Wolfgang > > > > > > > > > > On Tue, 2019-02-19 at 11:53 +0100, Michael Brohl wrote: > > > Hi Wolfgang, > > > > > > if you already have a ceritificate, you should skip steps 2 > > > andhttps://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup > > > 3! > > > > > > If I understand the steps correctly, with the certreq command you > > > now > > > have a certificate request with alias "ssl" in your keystore. > > > Later > > > you > > > try to import a certificate which is not based on your > > > certificate > > > request under the same alias "ssl". > > > > > > Just import your certificate with another alias and you should be > > > fine. > > > > > > Remember: if you use an Apache Webserver before your OFBiz > > > instance, > > > you > > > do not need to import the certificate in the keystore! > > > > > > Regards, > > > > > > Michael Brohl > > > ecomify GmbH > > > www.ecomify.de > > > > > > > > > Am 19.02.19 um 11:26 schrieb Wolfgang Paul Rauchholz: > > > > How does this procedure work in case of an existing letsencrypt > > > > certificate? > > > > > > > > Because I have an existing certificate, can I skip steps 3? > > > > I continued directly with step 4, uploading and conveting > > > > cert.pem > > > > to > > > > cert.der. > > > > > > > > But importe step 5 throws out an error: keytool error: > > > > java.lang.Exception: Public keys in reply and keystore don't > > > > match: > > > > > > > > > > > > 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore > > > > [keystore > > > > name]" > > > > 2. Run: "keytool -certreq -alias ssl -keyalg RSA -file > > > > certreq.csr > > > > -keystore [keystore name]" > > > > 3. Submit the CSR to a signing authority (Thawte, Verisign, > > > > etc) > > > > 4. Download your certificate from the signing authority. Please > > > > remember to download the Certificate in PKCS#7 format. If you > > > > get a > > > > certificate in pem format don't convert to PKCS#7/P7B Format > > > > but > > > > der > > > > format > > > > 5. Import the Certificate into the keystore by running: > > > > "keytool -import -alias ssl -trustcacerts -file > > > > mysignedcert.cer > > > > -keystore [keystore name]" > > > > > > > > > > > > Thanks, Wolfgang > > > > > > > > On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: > > > > > You will have to import your certificate to the Java keystore > > > > > and > > > > > configure Tomcat to use it [1,2]. > > > > > > > > > > The standard way would be to run OFBiz behind an Apache > > > > > webserver > > > > > with > > > > > the virtual hosts configured to use the certificate. > > > > > > > > > > Regards, > > > > > > > > > > Michael Brohl > > > > > ecomify GmbH > > > > > www.ecomify.de > > > > > > > > > > [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html > > > > > > > > > > [2] > > > > > > > > > https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup > > > > > Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: > > > > > > Would you please point me
Re: ofbiz and SSL & apache
That is what I thought I did: 0) shut down ogbiz1) keytool -import -alias -trustcacerts -file cert.der -keystore .jks2) keytool -import -alias ofbiz -trustcacerts -file cert.der -keystore .jks3) cp name.jks to /usr/local/ofbiz/framework/base/config/4) edit file /usr/local/ofbiz/framework/catalina/ofbiz-component.xml row 147: row 150: 5) start ofbiz What am I doing wrong? Thanks for hwlping. Wolfgang On Tue, 2019-02-19 at 12:52 +0100, Michael Brohl wrote: > You will need to store a certificate for the domain you want to use. > > Maybe you should create your own keystore containing only your > certificate and point to this file instead of the original. > > Regards, > > Michael > > > Am 19.02.19 um 12:22 schrieb Wolfgang Paul Rauchholz: > > I am trying to get SSL working w/o apache for the time being. > > I followed your procedure and could sucesfully import. Thanks. > > Great! > > I went the into the following > > file:/usr/local/ofbiz/framework/catalina/ofbiz-component.xml and > > changed thefollowing two lines: > > > name="keystoreFile"value="framework/base/config/ofbiz.jks"/> > > > > Which seems not to be the right, because firefox still > > complaintsWhen I call https: > > www.wo-lar.com:8443/myportal/control/main. I get a"Your connection > > is not secure". www.wo-lar.com:8443 uses an invalidsecurity > > certificate. > > > > When I run :8443:/myportal/control/main I get the > > sameerror message. But I can look at hte certificate and that tells > > me thatit still points to the wrong certificate:Common name: ofbiz- > > vm.apache.org > > Any thoughts? > > Wolfgang > > > > > > > > On Tue, 2019-02-19 at 11:53 +0100, Michael Brohl wrote: > > > Hi Wolfgang, > > > if you already have a ceritificate, you should skip steps 2 and > > > 3! > > > If I understand the steps correctly, with the certreq command > > > younowhave a certificate request with alias "ssl" in your > > > keystore. Lateryoutry to import a certificate which is not based > > > on your certificaterequest under the same alias "ssl". > > > Just import your certificate with another alias and you should > > > befine. > > > Remember: if you use an Apache Webserver before your OFBiz > > > instance,youdo not need to import the certificate in the > > > keystore! > > > Regards, > > > Michael Brohlecomify GmbHwww.ecomify.de > > > > > > Am 19.02.19 um 11:26 schrieb Wolfgang Paul Rauchholz: > > > > How does this procedure work in case of an existing > > > > letsencryptcertificate? > > > > Because I have an existing certificate, can I skip steps 3?I > > > > continued directly with step 4, uploading and conveting > > > > cert.pemtocert.der. > > > > But importe step 5 throws out an error: keytool > > > > error:java.lang.Exception: Public keys in reply and keystore > > > > don't match: > > > > > > > > 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore > > > > [keystorename]"2. Run: "keytool -certreq -alias ssl -keyalg RSA > > > > -file certreq.csr-keystore [keystore name]"3. Submit the CSR to > > > > a signing authority (Thawte, Verisign, etc)4. Download your > > > > certificate from the signing authority. Pleaseremember to > > > > download the Certificate in PKCS#7 format. If you get > > > > acertificate in pem format don't convert to PKCS#7/P7B Format > > > > butderformat5. Import the Certificate into the keystore by > > > > running:"keytool -import -alias ssl -trustcacerts -file > > > > mysignedcert.cer-keystore [keystore name]" > > > > > > > > Thanks, Wolfgang > > > > On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: > > > > > You will have to import your certificate to the Java keystore > > > > > and > > > > > configure Tomcat to use it [1,2]. > > > > > > > > > > The standard way would be to run OFBiz behind an Apache > > > > > webserver > > > > > with > > > > > the virtual hosts configured to use the certificate. > > > > > > > > > > Regards, > > > > > > > > > > Michael Brohl > > > > > ecomify GmbH > > > > > www.ecomify.de > > > > > > > > > > [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html > > > > > > > > > > [2] > > > > > > > > > https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup > > > > > Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: > > > > > > Would you please point me to a procedure how to setup ofbiz > > > > > > to > > > > > > use > > > > > > my letsencrypt certificates? > > > > > > I don't seem to be able to find one. > > > > > > > > > > > > Is it possible to ruj Ofbiz under Apache webser? > > > > > > > > > > > > > > > > > > Thank you, Wolfgang > > > > > > > > > > > > > > > > > >
Re: ofbiz and SSL & apache
You will need to store a certificate for the domain you want to use. Maybe you should create your own keystore containing only your certificate and point to this file instead of the original. Regards, Michael Am 19.02.19 um 12:22 schrieb Wolfgang Paul Rauchholz: I am trying to get SSL working w/o apache for the time being. I followed your procedure and could sucesfully import. Thanks. Great! I went the into the following file: /usr/local/ofbiz/framework/catalina/ofbiz-component.xml and changed the following two lines: Which seems not to be the right, because firefox still complaints When I call https:www.wo-lar.com:8443/myportal/control/main. I get a "Your connection is not secure". www.wo-lar.com:8443 uses an invalid security certificate. When I run :8443:/myportal/control/main I get the same error message. But I can look at hte certificate and that tells me that it still points to the wrong certificate: Common name: ofbiz-vm.apache.org Any thoughts? Wolfgang On Tue, 2019-02-19 at 11:53 +0100, Michael Brohl wrote: Hi Wolfgang, if you already have a ceritificate, you should skip steps 2 and 3! If I understand the steps correctly, with the certreq command you now have a certificate request with alias "ssl" in your keystore. Later you try to import a certificate which is not based on your certificate request under the same alias "ssl". Just import your certificate with another alias and you should be fine. Remember: if you use an Apache Webserver before your OFBiz instance, you do not need to import the certificate in the keystore! Regards, Michael Brohl ecomify GmbH www.ecomify.de Am 19.02.19 um 11:26 schrieb Wolfgang Paul Rauchholz: How does this procedure work in case of an existing letsencrypt certificate? Because I have an existing certificate, can I skip steps 3? I continued directly with step 4, uploading and conveting cert.pem to cert.der. But importe step 5 throws out an error: keytool error: java.lang.Exception: Public keys in reply and keystore don't match: 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore [keystore name]" 2. Run: "keytool -certreq -alias ssl -keyalg RSA -file certreq.csr -keystore [keystore name]" 3. Submit the CSR to a signing authority (Thawte, Verisign, etc) 4. Download your certificate from the signing authority. Please remember to download the Certificate in PKCS#7 format. If you get a certificate in pem format don't convert to PKCS#7/P7B Format but der format 5. Import the Certificate into the keystore by running: "keytool -import -alias ssl -trustcacerts -file mysignedcert.cer -keystore [keystore name]" Thanks, Wolfgang On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: You will have to import your certificate to the Java keystore and configure Tomcat to use it [1,2]. The standard way would be to run OFBiz behind an Apache webserver with the virtual hosts configured to use the certificate. Regards, Michael Brohl ecomify GmbH www.ecomify.de [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html [2] https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: Would you please point me to a procedure how to setup ofbiz to use my letsencrypt certificates? I don't seem to be able to find one. Is it possible to ruj Ofbiz under Apache webser? Thank you, Wolfgang smime.p7s Description: S/MIME Cryptographic Signature
Re: ofbiz and SSL & apache
I am trying to get SSL working w/o apache for the time being. I followed your procedure and could sucesfully import. Thanks. Great! I went the into the following file: /usr/local/ofbiz/framework/catalina/ofbiz-component.xml and changed the following two lines: Which seems not to be the right, because firefox still complaints When I call https:www.wo-lar.com:8443/myportal/control/main. I get a "Your connection is not secure". www.wo-lar.com:8443 uses an invalid security certificate. When I run :8443:/myportal/control/main I get the same error message. But I can look at hte certificate and that tells me that it still points to the wrong certificate: Common name: ofbiz-vm.apache.org Any thoughts? Wolfgang On Tue, 2019-02-19 at 11:53 +0100, Michael Brohl wrote: > Hi Wolfgang, > > if you already have a ceritificate, you should skip steps 2 and 3! > > If I understand the steps correctly, with the certreq command you > now > have a certificate request with alias "ssl" in your keystore. Later > you > try to import a certificate which is not based on your certificate > request under the same alias "ssl". > > Just import your certificate with another alias and you should be > fine. > > Remember: if you use an Apache Webserver before your OFBiz instance, > you > do not need to import the certificate in the keystore! > > Regards, > > Michael Brohl > ecomify GmbH > www.ecomify.de > > > Am 19.02.19 um 11:26 schrieb Wolfgang Paul Rauchholz: > > How does this procedure work in case of an existing letsencrypt > > certificate? > > > > Because I have an existing certificate, can I skip steps 3? > > I continued directly with step 4, uploading and conveting cert.pem > > to > > cert.der. > > > > But importe step 5 throws out an error: keytool error: > > java.lang.Exception: Public keys in reply and keystore don't match: > > > > > > 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore [keystore > > name]" > > 2. Run: "keytool -certreq -alias ssl -keyalg RSA -file certreq.csr > > -keystore [keystore name]" > > 3. Submit the CSR to a signing authority (Thawte, Verisign, etc) > > 4. Download your certificate from the signing authority. Please > > remember to download the Certificate in PKCS#7 format. If you get a > > certificate in pem format don't convert to PKCS#7/P7B Format but > > der > > format > > 5. Import the Certificate into the keystore by running: > > "keytool -import -alias ssl -trustcacerts -file mysignedcert.cer > > -keystore [keystore name]" > > > > > > Thanks, Wolfgang > > > > On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: > > > You will have to import your certificate to the Java keystore and > > > configure Tomcat to use it [1,2]. > > > > > > The standard way would be to run OFBiz behind an Apache webserver > > > with > > > the virtual hosts configured to use the certificate. > > > > > > Regards, > > > > > > Michael Brohl > > > ecomify GmbH > > > www.ecomify.de > > > > > > [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html > > > > > > [2] > > > > > > > https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup > > > > > > Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: > > > > Would you please point me to a procedure how to setup ofbiz to > > > > use > > > > my letsencrypt certificates? > > > > I don't seem to be able to find one. > > > > > > > > Is it possible to ruj Ofbiz under Apache webser? > > > > > > > > > > > > Thank you, Wolfgang > > > > > > > > > > > > > >
Re: ofbiz and SSL & apache
Hi Wolfgang, if you already have a ceritificate, you should skip steps 2 and 3! If I understand the steps correctly, with the certreq command you now have a certificate request with alias "ssl" in your keystore. Later you try to import a certificate which is not based on your certificate request under the same alias "ssl". Just import your certificate with another alias and you should be fine. Remember: if you use an Apache Webserver before your OFBiz instance, you do not need to import the certificate in the keystore! Regards, Michael Brohl ecomify GmbH www.ecomify.de Am 19.02.19 um 11:26 schrieb Wolfgang Paul Rauchholz: How does this procedure work in case of an existing letsencrypt certificate? Because I have an existing certificate, can I skip steps 3? I continued directly with step 4, uploading and conveting cert.pem to cert.der. But importe step 5 throws out an error: keytool error: java.lang.Exception: Public keys in reply and keystore don't match: 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore [keystore name]" 2. Run: "keytool -certreq -alias ssl -keyalg RSA -file certreq.csr -keystore [keystore name]" 3. Submit the CSR to a signing authority (Thawte, Verisign, etc) 4. Download your certificate from the signing authority. Please remember to download the Certificate in PKCS#7 format. If you get a certificate in pem format don't convert to PKCS#7/P7B Format but der format 5. Import the Certificate into the keystore by running: "keytool -import -alias ssl -trustcacerts -file mysignedcert.cer -keystore [keystore name]" Thanks, Wolfgang On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: You will have to import your certificate to the Java keystore and configure Tomcat to use it [1,2]. The standard way would be to run OFBiz behind an Apache webserver with the virtual hosts configured to use the certificate. Regards, Michael Brohl ecomify GmbH www.ecomify.de [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html [2] https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: Would you please point me to a procedure how to setup ofbiz to use my letsencrypt certificates? I don't seem to be able to find one. Is it possible to ruj Ofbiz under Apache webser? Thank you, Wolfgang smime.p7s Description: S/MIME Cryptographic Signature
Re: ofbiz and SSL & apache
How does this procedure work in case of an existing letsencrypt certificate? Because I have an existing certificate, can I skip steps 3? I continued directly with step 4, uploading and conveting cert.pem to cert.der. But importe step 5 throws out an error: keytool error: java.lang.Exception: Public keys in reply and keystore don't match: 1. Run: "keytool -genkey -keyalg RSA -alias ssl -keystore [keystore name]" 2. Run: "keytool -certreq -alias ssl -keyalg RSA -file certreq.csr -keystore [keystore name]" 3. Submit the CSR to a signing authority (Thawte, Verisign, etc) 4. Download your certificate from the signing authority. Please remember to download the Certificate in PKCS#7 format. If you get a certificate in pem format don't convert to PKCS#7/P7B Format but der format 5. Import the Certificate into the keystore by running: "keytool -import -alias ssl -trustcacerts -file mysignedcert.cer -keystore [keystore name]" Thanks, Wolfgang On Mon, 2019-02-18 at 11:35 +0100, Michael Brohl wrote: > You will have to import your certificate to the Java keystore and > configure Tomcat to use it [1,2]. > > The standard way would be to run OFBiz behind an Apache webserver > with > the virtual hosts configured to use the certificate. > > Regards, > > Michael Brohl > ecomify GmbH > www.ecomify.de > > [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html > > [2] > https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup > > > Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: > > Would you please point me to a procedure how to setup ofbiz to use > > my letsencrypt certificates? > > I don't seem to be able to find one. > > > > Is it possible to ruj Ofbiz under Apache webser? > > > > > > Thank you, Wolfgang > > > > > > > >
Re: ofbiz and SSL & apache
You will have to import your certificate to the Java keystore and configure Tomcat to use it [1,2]. The standard way would be to run OFBiz behind an Apache webserver with the virtual hosts configured to use the certificate. Regards, Michael Brohl ecomify GmbH www.ecomify.de [1] https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html [2] https://cwiki.apache.org/confluence/display/OFBiz/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup Am 18.02.19 um 10:53 schrieb wp.rauchh...@gmail.com: Would you please point me to a procedure how to setup ofbiz to use my letsencrypt certificates? I don't seem to be able to find one. Is it possible to ruj Ofbiz under Apache webser? Thank you, Wolfgang smime.p7s Description: S/MIME Cryptographic Signature
ofbiz and SSL & apache
Would you please point me to a procedure how to setup ofbiz to use my letsencrypt certificates? I don't seem to be able to find one. Is it possible to ruj Ofbiz under Apache webser? Thank you, Wolfgang
