Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-27 Thread Ori Raz
Hi Christopher,
We are still not able to apply our self-signed certificates...

Is there any document/guide (even scratch notes you might have :) ) with a
walkthrough of the whole procedure (e.g. A-Z, from creating the
certificates to applying them)? We decided to start the procedure from
scratch...

I can see only some hints in forums but no organized document or
procedure...

Thanks,
Barc


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org





Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-23 Thread Ori Raz
Thank you Christopher.
Appreciate all your help. Please let me know if any additional info is
required for the issue.
Regarding the SSL connection, if I connect with and without the -tls1 flag
to the original certificate, it works fine in both cases.
After doing the steps I mentioned initially, both are not working.

Thanks,
Barc

On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Ori,

 On 5/22/15 10:03 AM, Ori Raz wrote:
  Thank you Christopher for your reply.
 
  I always make a backup before changes :) luckily :)
 
  I reverted back and tried without deleting the entries and getting
  this:
 
  primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
  -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
  -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
  Enter keystore password:
  keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
  -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
  -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
  Enter keystore password:
  keytool error: java.lang.Exception: Certificate not imported, alias tomcat already exists
  primeusr@sagi-vzadik-01 [~]#
 
 
  Regarding the import you wrote -
  $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
 
  Isn't that this one or am I missing something:
  keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
  -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat

 I'll have a look at that later when I have more time.

  as mentioned, catalina-date.log is empty... I cannot see any
  other relevant logs (if you can point me to other logs - please do :) )
 
 
  If I try to connect to SSL locally, then with the original
  certificate it works, but with the new one - here is the output:
  primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
  CONNECTED(0003)
  4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
  primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
  CONNECTED(0003)
  5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

 Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
 ssl3 is dead and the handshake won't even work anymore.

 - -chris





Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Thank you Christopher for your reply.

I always make a backup before changes :) luckily :)

I reverted back and tried without deleting the entries and getting this:

primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias tomcat already exists
primeusr@sagi-vzadik-01 [~]#


Regarding the import you wrote -
 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

Isn't that this one or am I missing something:
keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat


as mentioned, catalina-date.log is empty... I cannot see any other
relevant logs (if you can point me to other logs - please do :) )


If I try to connect to SSL locally, then with the original certificate it
works, but with the new one - here is the output:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
CONNECTED(0003)
4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:


Thanks,
Barc

On Fri, May 22, 2015 at 3:17 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Ori,

 On 5/22/15 8:18 AM, Ori Raz wrote:
  We got an application based on tomcat 7.0.23 and all working fine.
 
  We are trying to apply our self-signed certificate and encountering
  some problems.
 
  I hope that the procedure I did is correct :)
 
  This is the procedure we followed:
 
  1. copy the certificate file under this location:
  /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
 
   2. remove existing entries: keytool -delete -alias tomcat
  -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
  keytool -delete -alias tomcat -keystore
  /opt/primecentral/XMP_Platform/jre/lib/security/cacerts

 It's not necessary to remove the existing certs. If you load the
 CA-signed certificate into your keystore (making sure to use the
 original alias, if any), it should update the certificate.

 Also, you need to import the CA's root and intermediate certificates
 first, like this:

  $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
  $ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
  $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

 (That last one is your signed certificate, returned from the CA).

 If, as you did your delete, you managed to delete your server's key,
 then your keystore is worthless. I hope you had a backup, because
 without the server key, the certificate is worthless and you have to
 re-start the entire process.

  After the restart of tomcat, I get the message that server started
  and catalina is empty (normal as there is no error...) hence all
  looks good.
 
  I can also see that tomcat process is up and port is listening:
  tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 18724/java
 
  But, when trying to open a browser to the server, I get "This
  page cannot be displayed".
 
  I cannot locate any errors/exceptions on the server side.
 
  Can anyone please assist? We are in a dead end :)

 If there is a problem loading the certificate, Tomcat should emit an
 error message. Please check all log files, not just catalina.out
 (although it should have the error in there).

 Can you connect to the server using openssl?

 $ openssl s_client -connect 10.56.57.65:8443

 - -chris

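The two keytool errors in the message above have different causes. "Public keys in reply and keystore don't match" means keytool compared the public key inside the .cer file with the key pair stored under the alias (here `tomcat`) and found a different key; that is what happens, for instance, when the key entry was deleted and regenerated after the CSR had been sent to the CA, so the certificate that comes back belongs to a key the keystore no longer holds. "alias tomcat already exists" is the JRE's cacerts file refusing a second trusted-cert entry under the same name. The script below is an added example, not code from the thread, from keytool or from Tomcat: it reproduces the first comparison with openssl on a constructed throwaway PKI (the `ca`, `server-a` and `server-b` file names are invented for the demo), so the check can be run on a certificate and its private key before a production keystore is touched.

```shell
#!/bin/sh
# Added example: reproduce with openssl the comparison keytool performs before
# it accepts a "reply" certificate into an existing key entry. A mismatch here
# is the condition keytool reports as "Public keys in reply and keystore don't
# match". File names below are constructed for the demo.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo carried in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public half of an unencrypted PEM private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Exit status 0 when the certificate was issued for this private key, 1 otherwise.
pubkey_matches() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Constructed test PKI in a temporary directory: a throwaway root CA, server
# key A with a CA-signed certificate, and a second server key B that no
# certificate was ever issued for (the state after a key entry is deleted and
# regenerated). Prints the directory path.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example" \
        -keyout "$dir/server-a.key" -out "$dir/server-a.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server-a.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server-a.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server-b.key" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Stand-alone demo (run as: sh this.sh demo): the first check passes, the
# second reports the mismatch that keytool would refuse.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_pki)
    pubkey_matches "$d/server-a.crt" "$d/server-a.key" \
        && echo "server-a.crt matches server-a.key: safe to import as the reply"
    pubkey_matches "$d/server-a.crt" "$d/server-b.key" \
        || echo "server-a.crt does NOT match server-b.key: keytool would refuse this reply"
    rm -rf "$d"
fi
```

To run the check against a real JKS keystore, first convert it so openssl can read the private key: `keytool -importkeystore -srckeystore prime.keystore -destkeystore prime.p12 -deststoretype PKCS12`, then `openssl pkcs12 -in prime.p12 -nocerts -nodes -out server.key`, and pass that key with the .cer file to `pubkey_matches`. If the check fails, no import order will help: the certificate must be reissued for the key actually in the keystore (or the key restored from backup, as Christopher notes). If it passes, import in the order given in the reply above (root CA, intermediate, then the signed certificate under the same alias as the key entry) into the keystore the Connector's keystoreFile points at; the JRE's cacerts only governs what this Java process trusts as a client, which is why the second error is harmless for serving.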
After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Hello experts,

We have an application based on Tomcat 7.0.23 and all is working fine.

We are trying to apply our self-signed certificate and encountering some
problems.

I hope that the procedure I did is correct :)

This is the procedure we followed:

1. copy the certificate file under this location:
   /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer

2. remove existing entries:
   keytool -delete -alias tomcat -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
   keytool -delete -alias tomcat -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts

3. insert new entries:
   keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat
   keytool -import -alias tomcat -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts -trustcacerts -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer

Once done, restarted Tomcat.



After the restart of tomcat, I get the message that server started and
catalina is empty (normal as there is no error...) hence all looks good.

I can also see that tomcat process is up and port is listening:
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 18724/java

But, when trying to open a browser to the server, I get "This page
cannot be displayed".

I cannot locate any errors/exceptions on the server side.

Can anyone please assist? We are in a dead end :)

Thanks a lot,

Barc


Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Hello David,
Thanks for replying.

https://10.56.57.65:8443/
This is the same URL that we used before applying our certificate.

Thanks,
Barc

On Fri, May 22, 2015 at 2:41 PM, David kerber dcker...@verizon.net wrote:

 On 5/22/2015 8:18 AM, Ori Raz wrote:

 Hello experts,

 We got an application based on tomcat 7.0.23 and all working fine.

 We are trying to apply our self-signed certificate and encountering some
 problems.

 I hope that the procedure I did is correct :)

 This is the procedure we followed:

   1. copy the certificate file under this location:
 /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer

 2. remove existing entries:
 keytool -delete -alias tomcat -keystore
 /opt/primecentral/install/utils/sslgen/prime.keystore
 keytool -delete -alias tomcat -keystore
 /opt/primecentral/XMP_Platform/jre/lib/security/cacerts

 3. insert new entries:
  keytool -importcert -file
 /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
 -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
 tomcat
 keytool -import -alias tomcat -keystore
 /opt/primecentral/XMP_Platform/jre/lib/security/cacerts -trustcacerts
 -file
 /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer

   once done - restarted the tomcat.



 After the restart of tomcat, I get the message that server started and
 catalina is empty (normal as there is no error...) hence all looks good.

 I can also see that tomcat process is up and port is listening:
 tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 18724/java

   But, when trying to open browser to the server, then I get This page
 cannot be displayed.


 What is the full url you're entering in your browser?




 I cannot locate any errors/exception in the server side.

 Can anyone please assist? we are in a dead end :)

   Thanks a lot,

 Barc







Tomcat 5.5.23 and Multiple Content-Length Headers

2007-04-17 Thread Ori Fine
Hi,

In Tomcat 5.5.23 and above the following security issue was
addressed (CVE-2005-2090):

Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now returns 400 for requests with multiple
content-length headers.


It turns out that we have mobile clients that, due to a technical issue,
send requests with multiple content-length headers. Is there a way that
we can turn off this feature in Tomcat in order for us to be able to
upgrade our Tomcat and still support old clients?


Thanks,

Ori Fine


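The changelog paragraph quoted in the post describes a request-smuggling defence: when hops disagree about which Content-Length header bounds the body, one hop's "next request" can be another hop's body, which is the mechanism behind the cache poisoning and cross-user data exposure it lists. The block below is an added example, not Tomcat's code: a minimal request-head parser applying the same rule (any repeated Content-Length is a 400), plus the one normalisation a front end could safely perform for the legacy clients the post describes, namely collapsing duplicates only when every copy carries the same value, so genuinely conflicting requests still reach the parser and are rejected. The sample requests are constructed, not captured traffic.

```python
"""Added example (not Tomcat's code): apply the CVE-2005-2090 rule quoted
in the post to raw HTTP request heads."""


class BadRequest(Exception):
    """The request must be answered with 400 Bad Request."""


def parse_request_head(raw: bytes) -> dict:
    """Parse the request line and headers (everything before the blank line).

    Header names are lower-cased and each maps to the *list* of values seen,
    so a repeated header stays visible instead of being collapsed by a plain
    dict assignment, which would hide exactly the ambiguity the rule targets.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))

    values = headers.get("content-length", [])
    if len(values) > 1:
        # Several Content-Length headers: different hops may honour different
        # ones, so the body boundary is ambiguous. Reject even if they agree.
        raise BadRequest("multiple Content-Length headers")
    content_length = None
    if values:
        if not values[0].isdigit():
            # Also rejects a comma-joined list such as "5, 5" in one header.
            raise BadRequest("invalid Content-Length value")
        content_length = int(values[0])
    return {"method": method, "target": target, "version": version,
            "headers": headers, "content_length": content_length}


def status_for(raw: bytes) -> int:
    """HTTP status a server applying the rule would answer for this head."""
    try:
        parse_request_head(raw)
    except BadRequest:
        return 400
    return 200


def collapse_identical_content_length(raw: bytes) -> bytes:
    """Front-end normalisation for the legacy clients described in the post.

    Keeps a single copy only when every Content-Length header carries the
    same value; if the copies disagree, the request is returned unchanged so
    the parser still rejects it with 400.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw
    lines = head.split(b"\r\n")
    is_cl = [b":" in ln and ln.split(b":", 1)[0].strip().lower() == b"content-length"
             for ln in lines]
    values = {ln.split(b":", 1)[1].strip() for ln, cl in zip(lines, is_cl) if cl}
    if sum(is_cl) < 2 or len(values) != 1:
        return raw
    kept, out = False, []
    for ln, cl in zip(lines, is_cl):
        if cl:
            if kept:
                continue
            kept = True
        out.append(ln)
    return b"\r\n".join(out) + sep + body


# Constructed sample requests (not captured traffic).
GOOD = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_SAME = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
CONFLICTING = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 40\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("duplicate-same", DUPLICATE_SAME),
                      ("conflicting", CONFLICTING)]:
        print(f"{name:15} raw -> {status_for(req)}   after collapse -> "
              f"{status_for(collapse_identical_content_length(req))}")
```

Running the block shows the three outcomes side by side: a normal request passes, the legacy clients' duplicated-but-identical header is rejected by the rule as written and accepted once the front end has collapsed it, and a request whose copies disagree is rejected in both cases. The changelog text quoted in the post describes no switch for the check, so the collapse step, placed in front of Tomcat rather than inside it, is the kind of accommodation that keeps the upgrade while leaving the ambiguous case rejected.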

NoClassDefFoundError: javax/servlet/http/HttpServlet

2006-01-09 Thread Ori
I am using an Eclipse plugin for my development environment. Instead of
copying dependent classes and jars to WEB-INF after every change, the plugin
includes an optional DevLoader class that extends
org.apache.catalina.loader.WebappLoader, overrides start(), and adds the
appropriate repositories to the classpath via addRepository().


This worked fine for Tomcat 5.0.28. When I upgraded to 5.5.12, the exact
same configuration produces an exception on application startup:
...Caused by: java.lang.NoClassDefFoundError:
javax/servlet/http/HttpServlet. Without the plugin, everything works as
expected.


Any ideas on what could have changed? My application uses Commons Logging 
(required by Struts), Log4J, and Xerces so those jars are being added in the 
manner described above. Maybe there is a conflict there?


Thanks,

Ori


-
Full exception text:

java.lang.reflect.InvocationTargetException
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
   at java.lang.ClassLoader.defineClass1(Native Method)
   at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
   at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
   at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
   at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
   at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
   at java.security.AccessController.doPrivileged(Native Method)
   at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
   at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:870)
   at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1305)
   at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1187)

