Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-28 Thread Christopher Schultz

Ori,

On 5/27/15 3:29 AM, Ori Raz wrote:
> Hi Christopher, We are still not capable to apply our self
> certifications...
> 
> Is there any document/guide (even a scratch notes you might have :)
> ) for a walkthrough for the whole procedure (e.g A-Z from creating
> the certifications and applying them)? We decided to start the
> procedure from scratch...
> 
> I can see only some hints in forums but no organized document or 
> procedure...

What about this one?
http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html#Quick_Start

-chris

> On Sat, May 23, 2015 at 10:22 AM, Ori Raz wrote:
> 
>> Thank you Christopher. Appreciate all your help. Please let me
>> know if any additional info is required for the issue. Regarding
>> the ssl connection, if I use with and without the -tls1 flag with
>> the original certificate then in both cases it works fine. After
>> doing the steps I mentioned initially, both are not working.
>> 
>> Thanks, Barc
>> 
>> On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz < 
>> ch...@christopherschultz.net> wrote:
>> 
>>> Ori,
>>>
>>> On 5/22/15 10:03 AM, Ori Raz wrote:
>>>> Thank you Christopher for your reply.
>>>>
>>>> I always make a backup before changes :) luckily :)
>>>>
>>>> I reverted back and tried without deleting the entries and
>>>> getting this:
>>>>
>>>> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts
>>>> -alias tomcat -file
>>>> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>>>> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
>>>> Enter keystore password:
>>>> keytool error: java.lang.Exception: Public keys in reply and
>>>> keystore don't match
>>>> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts
>>>> -alias tomcat -file
>>>> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>>>> -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>>>> Enter keystore password:
>>>> keytool error: java.lang.Exception: Certificate not imported,
>>>> alias  already exists
>>>> primeusr@sagi-vzadik-01 [~]#
>>>>
>>>> Regarding the import you wrote - $ keytool -import -alias
>>>> ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>>>>
>>>> Isn't that this one or am I missing something: keytool
>>>> -importcert -file
>>>> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>>>> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
>>>> tomcat
>>>
>>> I'll have a look at that later when I have more time.
>>>
>>>> as mentioned, catalina-.log is empty... I cannot see
>>>> any other relevant logs (if you can point me to other log
>>>> -please do :) )
>>>>
>>>> If I try to connect to ssl locally, then with the original
>>>> certificate it works, but with the new one - here is the
>>>> output:
>>>> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
>>>> CONNECTED(0003)
>>>> 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>>>> handshake failure:s23_clnt.c:583:
>>>> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
>>>> CONNECTED(0003)
>>>> 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>>>> handshake failure:s23_clnt.c:583:
>>>
>>> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2),
>>> since ssl3 is dead and the handshake won't even work anymore.
>>>
>>> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-27 Thread Ori Raz
Hi Christopher,
We are still not capable to apply our self certifications...

Is there any document/guide (even a scratch notes you might have :) ) for a
walkthrough for the whole procedure (e.g A-Z from creating the
certifications and applying them)? We decided to start the procedure from
scratch...

I can see only some hints in forums but no organized document or
procedure...

Thanks,
Barc

On Sat, May 23, 2015 at 10:22 AM, Ori Raz  wrote:

> Thank you Christopher.
> Appreciate all your help. Please let me know if any additional info is
> required for the issue.
> Regarding the ssl connection, if I use with and without the -tls1 flag
> with the original certificate then in both cases it works fine.
> After doing the steps I mentioned initially, both are not working.
>
> Thanks,
> Barc
>
> On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Ori,
>>
>> On 5/22/15 10:03 AM, Ori Raz wrote:
>> > Thank you Christopher for your reply.
>> >
>> > I always make a backup before changes :) luckily :)
>> >
>> > I reverted back and tried without deleting the entries and getting
>> > this:
>> >
>> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
>> > tomcat -file
>> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
>> > Enter keystore password:
>> > keytool error: java.lang.Exception: Public keys in reply and keystore
>> > don't match
>> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
>> > tomcat -file
>> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>> > -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>> > Enter keystore password:
>> > keytool error: java.lang.Exception: Certificate not imported,
>> > alias  already exists
>> > primeusr@sagi-vzadik-01 [~]#
>> >
>> >
>> > Regarding the import you wrote - $ keytool -import -alias
>> > ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>> >
>> > Isn't that this one or am I missing something: keytool -importcert
>> > -file
>> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
>> > tomcat
>>
>> I'll have a look at that later when I have more time.
>>
>> > as mentioned, catalina-.log is empty... I cannot see any
>> > other relevant logs (if you can point me to other log -please do :)
>> > )
>> >
>> >
>> > If I try to connect to ssl locally, then with the original
>> > certificate it works, but with the new one - here is the output:
>> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
>> > CONNECTED(0003)
>> > 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>> > handshake failure:s23_clnt.c:583:
>> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
>> > CONNECTED(0003)
>> > 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>> > handshake failure:s23_clnt.c:583:
>>
>> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
>> ssl3 is dead and the handshake won't even work anymore.
>>
>> -chris


Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-23 Thread Ori Raz
Thank you Christopher.
Appreciate all your help. Please let me know if any additional info is
required for the issue.
Regarding the ssl connection, if I use with and without the -tls1 flag with
the original certificate then in both cases it works fine.
After doing the steps I mentioned initially, both are not working.

Thanks,
Barc

On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ori,
>
> On 5/22/15 10:03 AM, Ori Raz wrote:
> > Thank you Christopher for your reply.
> >
> > I always make a backup before changes :) luckily :)
> >
> > I reverted back and tried without deleting the entries and getting
> > this:
> >
> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
> > tomcat -file
> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> > Enter keystore password:
> > keytool error: java.lang.Exception: Public keys in reply and keystore
> > don't match
> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
> > tomcat -file
> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> > -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
> > Enter keystore password:
> > keytool error: java.lang.Exception: Certificate not imported,
> > alias  already exists
> > primeusr@sagi-vzadik-01 [~]#
> >
> >
> > Regarding the import you wrote - $ keytool -import -alias
> > ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
> >
> > Isn't that this one or am I missing something: keytool -importcert
> > -file
> > /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
> > tomcat
>
> I'll have a look at that later when I have more time.
>
> > as mentioned, catalina-.log is empty... I cannot see any
> > other relevant logs (if you can point me to other log -please do :)
> > )
> >
> >
> > If I try to connect to ssl locally, then with the original
> > certificate it works, but with the new one - here is the output:
> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
> > CONNECTED(0003)
> > 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > handshake failure:s23_clnt.c:583:
> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
> > CONNECTED(0003)
> > 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > handshake failure:s23_clnt.c:583:
>
> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
> ssl3 is dead and the handshake won't even work anymore.
>
> -chris


Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Christopher Schultz

Ori,

On 5/22/15 10:03 AM, Ori Raz wrote:
> Thank you Christopher for your reply.
> 
> I always make a backup before changes :) luckily :)
> 
> I reverted back and tried without deleting the entries and getting
> this:
> 
> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
> tomcat -file
> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> Enter keystore password:
> keytool error: java.lang.Exception: Public keys in reply and keystore
> don't match
> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias
> tomcat -file
> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
> Enter keystore password:
> keytool error: java.lang.Exception: Certificate not imported,
> alias  already exists
> primeusr@sagi-vzadik-01 [~]#
>
>
> Regarding the import you wrote - $ keytool -import -alias
> ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>
> Isn't that this one or am I missing something: keytool -importcert
> -file
> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
> tomcat

I'll have a look at that later when I have more time.

> as mentioned, catalina-.log is empty... I cannot see any
> other relevant logs (if you can point me to other log -please do :)
> )
>
>
> If I try to connect to ssl locally, then with the original
> certificate it works, but with the new one - here is the output:
> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
> CONNECTED(0003)
> 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:583:
> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
> CONNECTED(0003)
> 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:583:

Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
ssl3 is dead and the handshake won't even work anymore.

-chris



Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Thank you Christopher for your reply.

I always make a backup before changes :) luckily :)

I reverted back and tried without deleting the entries and getting this:

primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't
match
primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias
 already exists
primeusr@sagi-vzadik-01 [~]#


Regarding the import you wrote -
 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt
-keystore ${HOSTNAME}.jks

Isn't that this one or am I missing something:
keytool -importcert -file
/opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
tomcat


as mentioned, catalina-.log is empty... I cannot see any other
relevant logs (if you can point me to other log -please do :) )


If I try to connect to ssl locally, then with the original certificate it
works, but with the new one - here is the output:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
CONNECTED(0003)
4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:


Thanks,
Barc

On Fri, May 22, 2015 at 3:17 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ori,
>
> On 5/22/15 8:18 AM, Ori Raz wrote:
> > We got an application based on tomcat 7.0.23 and all working fine.
> >
> > We are trying to apply our self-signed certificate and encountering
> > some problems.
> >
> > I hope that the procedure I did is correct :)
> >
> > This is the procedure we followed:
> >
> > 1. copy the certificate file under this location:
> > /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
> >
> >  2. remove existing entries: keytool -delete -alias tomcat
> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> > keytool -delete -alias tomcat -keystore
> > /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>
> It's not necessary to remove the existing certs. If you load the
> CA-signed certificate into your keystore (making sure to use the
> original alias, if any), it should update the certificate.
>
> Also, you need to first import the CA's root and intermediate
> certificates, first, like this:
>
>  $ keytool -import -alias [Authority.CA] -trustcacerts -file
> [authority's CA cert] -keystore ${HOSTNAME}.jks
>  $ keytool -import -alias [Authority.intermediate] -trustcacerts -file
> [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>  $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
> ${HOSTNAME}.jks
>
> (That last one is your signed certificate, returned from the CA).
>
> If, as you did your "delete", you managed to delete your server's key,
> then your keystore is worthless. I hope you had a backup, because
> without the server key, the certificate is worthless and you have to
> re-start the entire process.
>
> > After the restart of tomcat, I get the message that server started
> > and catalina is empty (normal as there is no error...) hence all
> > looks good.
> >
> > I can also see that tomcat process is up and port is listening:
> > tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  18724/java
> >
> > But, when trying to open browser to the server, then I get "This
> > page cannot be displayed".
> >
> > I cannot locate any errors/exception in the server side.
> >
> > Can anyone please assist? we are in a dead end :)
>
> If there is a problem loading the certificate, Tomcat should emit an
> error message. Please check all log files, not just catalina.out
> (although it should have the error in there).
>
> Can you connect to the server using openssl?
>
> $ openssl s_client -connect 10.56.57.65:8443
>
> -chris

Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Christopher Schultz

Ori,

On 5/22/15 8:18 AM, Ori Raz wrote:
> We got an application based on tomcat 7.0.23 and all working fine.
> 
> We are trying to apply our self-signed certificate and encountering
> some problems.
> 
> I hope that the procedure I did is correct :)
> 
> This is the procedure we followed:
> 
> 1. copy the certificate file under this location: 
> /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
>
>  2. remove existing entries: keytool -delete -alias tomcat
> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore 
> keytool -delete -alias tomcat -keystore 
> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts

It's not necessary to remove the existing certs. If you load the
CA-signed certificate into your keystore (making sure to use the
original alias, if any), it should update the certificate.

Also, you need to first import the CA's root and intermediate
certificates, first, like this:

 $ keytool -import -alias [Authority.CA] -trustcacerts -file
[authority's CA cert] -keystore ${HOSTNAME}.jks
 $ keytool -import -alias [Authority.intermediate] -trustcacerts -file
[authority's intermediate cert] -keystore ${HOSTNAME}.jks
 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
${HOSTNAME}.jks

(That last one is your signed certificate, returned from the CA).

If, as you did your "delete", you managed to delete your server's key,
then your keystore is worthless. I hope you had a backup, because
without the server key, the certificate is worthless and you have to
re-start the entire process.

> After the restart of tomcat, I get the message that server started
> and catalina is empty (normal as there is no error...) hence all
> looks good.
> 
> I can also see that tomcat process is up and port is listening:
> tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  18724/java
> 
> But, when trying to open browser to the server, then I get "This
> page cannot be displayed".
> 
> I cannot locate any errors/exception in the server side.
> 
> Can anyone please assist? we are in a dead end :)

If there is a problem loading the certificate, Tomcat should emit an
error message. Please check all log files, not just catalina.out
(although it should have the error in there).

Can you connect to the server using openssl?

$ openssl s_client -connect 10.56.57.65:8443

-chris
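
A check for the case Christopher warns about in the message above, where `keytool -delete` removes the server key and a later import leaves only a certificate under the alias. This is an added example, not part of the original thread: the sample `keytool -list` output and its fingerprints are constructed, and `entry_type` and `diagnose` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: decide from `keytool -list` output whether an alias still
# holds the server's private key or only a certificate.
#
# Real use, with the keystore path from the thread:
#   keytool -list -keystore /opt/primecentral/install/utils/sslgen/prime.keystore \
#     | diagnose tomcat

# Constructed sample: alias "tomcat" is a key pair (private key + certificate).
# The fingerprint is a placeholder, not a real value.
sample_with_key() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, May 20, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
EOF
}

# Constructed sample: the same keystore after `keytool -delete -alias tomcat`
# followed by `keytool -importcert -alias tomcat -file <cert>`. With no key
# entry left to attach to, the certificate is stored as a trusted cert only.
sample_after_delete_and_import() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, May 22, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
EOF
}

# Print the entry type of alias $1 from `keytool -list` output on stdin,
# or "absent". The alias must be the whole first field, so "tom" does not
# match an entry named "tomcat".
entry_type() {
  awk -v alias="$1" '
    index($0, alias ", ") == 1 && match($0, /PrivateKeyEntry|trustedCertEntry|SecretKeyEntry/) {
      print substr($0, RSTART, RLENGTH); found = 1; exit
    }
    END { if (!found) print "absent" }'
}

# Explain what the entry type means for a TLS connector; non-zero exit
# when the alias cannot serve as the server identity.
diagnose() {
  local alias="$1" kind
  kind="$(entry_type "$alias")"
  case "$kind" in
    PrivateKeyEntry)
      echo "ok: '$alias' holds a private key; a signed certificate imports over it only if its public key matches" ;;
    trustedCertEntry)
      echo "broken: '$alias' is a certificate without a private key; restore the keystore backup"
      return 1 ;;
    absent)
      echo "broken: no entry named '$alias' in this keystore"
      return 1 ;;
    *)
      echo "unexpected: '$alias' is a $kind"
      return 1 ;;
  esac
}

# Demo on the constructed samples.
sample_with_key | diagnose tomcat
sample_after_delete_and_import | diagnose tomcat || true
```
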



Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Hello David,
Thanks for replying.

https://10.56.57.65:8443/
This is the same url that we used before applying our certification.

Thanks,
Barc

On Fri, May 22, 2015 at 2:41 PM, David kerber  wrote:

> On 5/22/2015 8:18 AM, Ori Raz wrote:
>
>> Hello experts,
>>
>> We got an application based on tomcat 7.0.23 and all working fine.
>>
>> We are trying to apply our self-signed certificate and encountering some
>> problems.
>>
>> I hope that the procedure I did is correct :)
>>
>> This is the procedure we followed:
>>
>>   1. copy the certificate file under this location:
>> /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
>>
>> 2. remove existing entries:
>> keytool -delete -alias tomcat -keystore
>> /opt/primecentral/install/utils/sslgen/prime.keystore
>> keytool -delete -alias tomcat -keystore
>> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>>
>> 3. insert new entries:
>>  keytool -importcert -file
>> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
>> tomcat
>> keytool -import -alias tomcat -keystore
>> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts -trustcacerts
>> -file
>> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>>
>>   once done - restarted the tomcat.
>>
>>
>>
>> After the restart of tomcat, I get the message that server started and
>> catalina is empty (normal as there is no error...) hence all looks good.
>>
>> I can also see that tomcat process is up and port is listening:
>> tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  18724/java
>>
>>   But, when trying to open browser to the server, then I get "This page
>> cannot be displayed".
>>
>
> What is the full url you're entering in your browser?
>
>
>
>
>> I cannot locate any errors/exception in the server side.
>>
>> Can anyone please assist? we are in a dead end :)
>>
>>   Thanks a lot,
>>
>> Barc
>>
>>
>


Re: After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread David kerber

On 5/22/2015 8:18 AM, Ori Raz wrote:

> Hello experts,
>
> We got an application based on tomcat 7.0.23 and all working fine.
>
> We are trying to apply our self-signed certificate and encountering some
> problems.
>
> I hope that the procedure I did is correct :)
>
> This is the procedure we followed:
>
> 1. copy the certificate file under this location:
> /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
>
> 2. remove existing entries:
> keytool -delete -alias tomcat -keystore
> /opt/primecentral/install/utils/sslgen/prime.keystore
> keytool -delete -alias tomcat -keystore
> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>
> 3. insert new entries:
> keytool -importcert -file
> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
> tomcat
> keytool -import -alias tomcat -keystore
> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts -trustcacerts -file
> /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
>
> once done - restarted the tomcat.
>
> After the restart of tomcat, I get the message that server started and
> catalina is empty (normal as there is no error...) hence all looks good.
>
> I can also see that tomcat process is up and port is listening:
> tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  18724/java
>
> But, when trying to open browser to the server, then I get "This page
> cannot be displayed".

What is the full url you're entering in your browser?

> I cannot locate any errors/exception in the server side.
>
> Can anyone please assist? we are in a dead end :)
>
> Thanks a lot,
>
> Barc







After applying self-signed certificate, server is up but cannot connect with browser

2015-05-22 Thread Ori Raz
Hello experts,

We got an application based on tomcat 7.0.23 and all working fine.

We are trying to apply our self-signed certificate and encountering some
problems.

I hope that the procedure I did is correct :)

This is the procedure we followed:

 1. copy the certificate file under this location:
/opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer

2. remove existing entries:
   keytool -delete -alias tomcat -keystore
/opt/primecentral/install/utils/sslgen/prime.keystore
   keytool -delete -alias tomcat -keystore
/opt/primecentral/XMP_Platform/jre/lib/security/cacerts

3. insert new entries:
keytool -importcert -file
/opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
tomcat
keytool -import -alias tomcat -keystore
/opt/primecentral/XMP_Platform/jre/lib/security/cacerts -trustcacerts -file
/opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer

 once done - restarted the tomcat.



After the restart of tomcat, I get the message that server started and
catalina is empty (normal as there is no error...) hence all looks good.

I can also see that tomcat process is up and port is listening:
tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  18724/java

 But, when trying to open browser to the server, then I get "This page
cannot be displayed".

I cannot locate any errors/exception in the server side.

Can anyone please assist? we are in a dead end :)

 Thanks a lot,

Barc