Re: Facing issue while configuring SSL
Román,

On 15.7.2016 5:01, Román Valoria wrote:

> The SSL Certificate was created using the wrong FQDN, which meant that the hostname to IP address resolution done by the browser was failing. The telnet command was done using the wrong FQDN, while openssl using localhost. On top of that, since the FQDN to IP was not working, Devendra had created a host alias in the local host file, which further complicated troubleshooting.

Great. Thanks for detailed feedback.

-Ognjen
Re: Facing issue while configuring SSL
Dear all:

The issue was solved, it was compounded by several factors, once full path to the certificates was used.

The SSL Certificate was created using the wrong FQDN, which meant that the hostname to IP address resolution done by the browser was failing. The telnet command was done using the wrong FQDN, while openssl using localhost. On top of that, since the FQDN to IP was not working, Devendra had created a host alias in the local host file, which further complicated troubleshooting.

After removing all aliasing from the local host file, and doing an nslookup from another machine in the network using the short host name, I managed to obtain the FQDN and the IP address. Then when connecting from another machine with either, we had the certificate warning (as the SSL certificate CN does not match the real FQDN).

This was also further complicated by the server.xml APR parameter SSLVerifyClient, which was set as optional and thus I was getting a pop-up window to choose a certificate upon connection from a browser.

So after we changed the SSLVerifyClient to none and once we re-issue the SSL certificate with the correct FQDN, we should be fine. The certificate is still being generated, but I am sure this will definitively fix the issue.

Thanks for your support.

Bottom line, the error message was correct all the way along, we were simply configuring the SSL certificates parameters on the server.xml with a relative path and we should have used an absolute path.

On Thu, Jul 14, 2016 at 8:22 PM, Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:

> Devendra,
>
> On 14.7.2016 10:38, Devendra Sengar wrote:
>
>> But the tomcat server is started without any error but won't able to open the home page of tomcat giving the error like:
>> This site can’t be reached
>> The webpage at *https://:8443/* might be temporarily down or it may have moved permanently to a new web address.
>>
>> If i telnet the server then its not able to connect but if i use openssl s_client -connect it shows the certificate information.
>> Any suggestion?
>
> Symptoms you are describing are very strange. It is unlikely that telnetting to HTTPS port (which basically just opens TCP connection) won't work, while connecting with openssl (which opens TCP connection AND starts HTTPS handshake) does work.
>
> Could you test one more time, and send us exact commands you used, and exact output you got. Also, send us Tomcat log messages so we could verify HTTPS APR connector port.
>
> -Ognjen
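
The two server.xml causes named in the message above (certificate paths given relative to the working directory, and SSLVerifyClient left at "optional") can be checked before Tomcat is started. The following is an added example, not code from the thread or from the Tomcat project; the sample server.xml is constructed from the Connector attributes quoted in the thread, and the function names are hypothetical.

```python
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the APR Connector quoted in the thread.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/localhost-cert.pem"
               SSLCertificateKeyFile="conf/localhost-key.pem"
               SSLCertificateChainFile="${catalina.base}/conf/ca.crt"
               SSLVerifyClient="optional" SSLProtocol="TLSv1_2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# APR connector attributes that name files on disk.
PATH_ATTRS = (
    "SSLCertificateFile",
    "SSLCertificateKeyFile",
    "SSLCertificateChainFile",
)
# Property prefixes suggested in the thread as a portable alternative
# to a hard-coded absolute path.
ANCHORS = ("${catalina.base}", "${catalina.home}")


def is_anchored(path):
    """True if the path does not depend on the process working directory."""
    if path.startswith(ANCHORS):
        return True
    # Accept both Windows (c:/tomcat/...) and POSIX (/opt/...) absolute forms.
    return ntpath.isabs(path) or posixpath.isabs(path)


def lint_connectors(server_xml):
    """Return (port, attribute, message) findings for SSL-enabled connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        for attr in PATH_ATTRS:
            value = conn.get(attr)
            if value is not None and not is_anchored(value):
                findings.append((port, attr, "relative path: " + value))
        # Anything other than "none" makes the server ask for a client
        # certificate, which is what produced the browser pop-up in the thread.
        verify = conn.get("SSLVerifyClient", "none")
        if verify.lower() != "none":
            findings.append(
                (port, "SSLVerifyClient", "client certificate requested: " + verify)
            )
    return findings


if __name__ == "__main__":
    for port, attr, message in lint_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s: %s" % (port, attr, message))
```

A setting other than "none" for SSLVerifyClient is reported rather than rejected, since client-certificate authentication may be intended on some connectors.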
Re: Facing issue while configuring SSL
Devendra,

On 14.7.2016 10:38, Devendra Sengar wrote:

> But the tomcat server is started without any error but won't able to open the home page of tomcat giving the error like:
> This site can’t be reached
> The webpage at *https://:8443/* might be temporarily down or it may have moved permanently to a new web address.
>
> If i telnet the server then its not able to connect but if i use openssl s_client -connect it shows the certificate information.
> Any suggestion?

Symptoms you are describing are very strange. It is unlikely that telnetting to HTTPS port (which basically just opens TCP connection) won't work, while connecting with openssl (which opens TCP connection AND starts HTTPS handshake) does work.

Could you test one more time, and send us exact commands you used, and exact output you got. Also, send us Tomcat log messages so we could verify HTTPS APR connector port.

-Ognjen
Re: Facing issue while configuring SSL
2016-07-14 4:38 GMT-04:00 Devendra Sengar:

> If i am giving the full path of the certificate like c:/tomcat/conf/ then its taking the file, as the error i was getting "SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]" that's no more.
>
> But the tomcat server is started without any error but won't able to open the home page of tomcat giving the error like:
> This site can’t be reached
> The webpage at *https://:8443/* might be temporarily down or it may have moved permanently to a new web address.
>
> If i telnet the server then its not able to connect but if i use openssl s_client -connect it shows the certificate information.
> Any suggestion?

Yes, specify the path as ${catalina.base}/conf/ since your file seems to be in the conf directory of your Tomcat instance. I'm not sure about the C: in the pathname. However, ${catalina.base}/conf/ is portable and enables you to move your instance into another directory without having to modify all the configuration files.

- Daniel Savard
Re: Facing issue while configuring SSL
If i am giving the full path of the certificate like c:/tomcat/conf/ then its taking the file, as the error i was getting "SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]" that's no more.

But the tomcat server is started without any error but won't able to open the home page of tomcat giving the error like:
This site can’t be reached
The webpage at *https://:8443/* might be temporarily down or it may have moved permanently to a new web address.

If i telnet the server then its not able to connect but if i use openssl s_client -connect it shows the certificate information.
Any suggestion?

Thanks,
Devendra

On Wed, Jul 13, 2016 at 1:54 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 13.07.2016 07:02, Devendra Sengar wrote:
>
>> File is there and permission is also fine and having proper openssl.cnf.
>>
>> Any other view?
>
> Really "shooting in the dark" here, since I am neither a Windows nor an SSL specialist :
> The error message mentions "no such process". Assuming (and that may be a naive assumption) that the error message reflects the reality, could it not be that the handling of these SSL keys/certificates under Windows, requires some background Windows "cryptographic service" to be active, and that it is not ?
> (or some DLL to be found somewhere, where it isn't)
>
>> Thanks,
>> Devendra
>>
>> On Tue, Jul 12, 2016 at 9:10 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
>>
>>> On 12.07.2016 16:33, Harrie Robins wrote:
>>>
>>>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process
>>>>
>>>> If I'm correct you are either missing correct rights to this file or it is not in the given location.
>>>> A second possibility is missing password for key file.
>>>
>>> Alternatively, searching Google for error:02001003, there are a number of hits there which point to the same kind of message, most of which seem to be for Windows and OpenSSL, and most of which mention the need for a proper "openssl.cnf" in the proper location.
>>> This may or may not be relevant to your problem.
>>>
>>>> SSLPassword="pass"
>>>>
>>>> Regards,
>>>>
>>>> Harrie
>>>>
>>>> -Original Message-
>>>> From: Devendra Sengar [mailto:dssen...@gmail.com]
>>>> Sent: dinsdag 12 juli 2016 10:50
>>>> To: users@tomcat.apache.org
>>>> Subject: Facing issue while configuring SSL
>>>>
>>>> Hi,
>>>>
>>>> This is regarding the configuration of Tomcat SSL using the APR library on Java 6.
>>>>
>>>> While starting the server I am getting the below error:
>>>>
>>>> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
>>>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)
>>>>
>>>> I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.
>>>>
>>>> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).
>>>>
>>>> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).
>>>>
>>>> We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.
>>>>
>>>> The versions of the libraries I am using are the latest available online, again see the binaries attached.
>>>>
>>>> The parameters used in the server.xml file are:
>>>>
>>>> For Tomcat 7.0.6:
>>>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>> port="443" maxThreads="200"
>>>> scheme="https" secure="true" SSLEnabled="true"
>>>> SSLCertificateFile="conf/localhost-cert.pem"
>>>> SSLCertificateKeyFi
Re: Facing issue while configuring SSL
On 13.07.2016 07:02, Devendra Sengar wrote:

> File is there and permission is also fine and having proper openssl.cnf.
>
> Any other view?

Really "shooting in the dark" here, since I am neither a Windows nor an SSL specialist :
The error message mentions "no such process". Assuming (and that may be a naive assumption) that the error message reflects the reality, could it not be that the handling of these SSL keys/certificates under Windows, requires some background Windows "cryptographic service" to be active, and that it is not ?
(or some DLL to be found somewhere, where it isn't)

> Thanks,
> Devendra
>
> On Tue, Jul 12, 2016 at 9:10 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
>
>> On 12.07.2016 16:33, Harrie Robins wrote:
>>
>>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process
>>>
>>> If I'm correct you are either missing correct rights to this file or it is not in the given location.
>>> A second possibility is missing password for key file.
>>
>> Alternatively, searching Google for error:02001003, there are a number of hits there which point to the same kind of message, most of which seem to be for Windows and OpenSSL, and most of which mention the need for a proper "openssl.cnf" in the proper location.
>> This may or may not be relevant to your problem.
>>
>>> SSLPassword="pass"
>>>
>>> Regards,
>>>
>>> Harrie
>>>
>>> -Original Message-
>>> From: Devendra Sengar [mailto:dssen...@gmail.com]
>>> Sent: dinsdag 12 juli 2016 10:50
>>> To: users@tomcat.apache.org
>>> Subject: Facing issue while configuring SSL
>>>
>>> Hi,
>>>
>>> This is regarding the configuration of Tomcat SSL using the APR library on Java 6.
>>>
>>> While starting the server I am getting the below error:
>>>
>>> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
>>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)
>>>
>>> I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.
>>>
>>> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).
>>>
>>> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).
>>>
>>> We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.
>>>
>>> The versions of the libraries I am using are the latest available online, again see the binaries attached.
>>>
>>> The parameters used in the server.xml file are:
>>>
>>> For Tomcat 7.0.6:
>>>
>>> For Tomcat 7.0.70
>>>
>>> The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll and libapr-1.dll.
>>>
>>> tcnative-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
>>> openssl.exe: https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
>>> libapr-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing
>>>
>>> The same certificates files mentioned in the server.xml file were used and work in a brand new Apache web server.
>>>
>>> Please let us know your opinion of what can cause those errors?
>>>
>>> Can it be because of a APR dll not compiled properly?
>>>
>>> Any other idea?
>>>
>>> Thanks,
>>> Devendra
Re: Facing issue while configuring SSL
File is there and permission is also fine and having proper openssl.cnf.

Any other view?

Thanks,
Devendra

On Tue, Jul 12, 2016 at 9:10 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 12.07.2016 16:33, Harrie Robins wrote:
>
>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process
>>
>> If I'm correct you are either missing correct rights to this file or it is not in the given location.
>> A second possibility is missing password for key file.
>
> Alternatively, searching Google for error:02001003, there are a number of hits there which point to the same kind of message, most of which seem to be for Windows and OpenSSL, and most of which mention the need for a proper "openssl.cnf" in the proper location.
> This may or may not be relevant to your problem.
>
>> SSLPassword="pass"
>>
>> Regards,
>>
>> Harrie
>>
>> -Original Message-----
>> From: Devendra Sengar [mailto:dssen...@gmail.com]
>> Sent: dinsdag 12 juli 2016 10:50
>> To: users@tomcat.apache.org
>> Subject: Facing issue while configuring SSL
>>
>> Hi,
>>
>> This is regarding the configuration of Tomcat SSL using the APR library on Java 6.
>>
>> While starting the server I am getting the below error:
>>
>> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
>> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)
>>
>> I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.
>>
>> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).
>>
>> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).
>>
>> We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.
>>
>> The versions of the libraries I am using are the latest available online, again see the binaries attached.
>>
>> The parameters used in the server.xml file are:
>>
>> For Tomcat 7.0.6:
>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     port="443" maxThreads="200"
>>     scheme="https" secure="true" SSLEnabled="true"
>>     SSLCertificateFile="conf/localhost-cert.pem"
>>     SSLCertificateKeyFile="conf/localhost-key.pem"
>>     SSLCertificateChainFile="conf/ca.crt"
>>     SSLVerifyClient="optional" SSLProtocol="TLSv1"
>>     SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"/>
>>
>> For Tomcat 7.0.70
>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     port="443" maxThreads="200"
>>     scheme="https" secure="true" SSLEnabled="true"
>>     SSLCertificateFile="conf/localhost-cert.pem"
>>     SSLCertificateKeyFile="conf/localhost-key.pem"
>>     SSLCertificateChainFile="conf/ca.crt"
>>     SSLVerifyClient="optional" SSLProtocol="TLSv1_2"
>>     SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"/>
>>
>> The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll and libapr-1.dll.
>>
>> tcnative-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
>> openssl.exe: https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
>> libapr-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing
>>
>> The same certificates files mentioned in the server.xml file were used and work in a brand new Apache web server.
>>
>> Please let us know your opinion of what can cause those errors?
>>
>> Can it be because of a APR dll not compiled properly?
>>
>> Any other idea?
>>
>> Thanks,
>> Devendra
Re: Facing issue while configuring SSL
On 12.07.2016 16:33, Harrie Robins wrote:

> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process
>
> If I'm correct you are either missing correct rights to this file or it is not in the given location.
> A second possibility is missing password for key file.

Alternatively, searching Google for error:02001003, there are a number of hits there which point to the same kind of message, most of which seem to be for Windows and OpenSSL, and most of which mention the need for a proper "openssl.cnf" in the proper location.
This may or may not be relevant to your problem.

> SSLPassword="pass"
>
> Regards,
>
> Harrie
>
> -Original Message-
> From: Devendra Sengar [mailto:dssen...@gmail.com]
> Sent: dinsdag 12 juli 2016 10:50
> To: users@tomcat.apache.org
> Subject: Facing issue while configuring SSL
>
> Hi,
>
> This is regarding the configuration of Tomcat SSL using the APR library on Java 6.
>
> While starting the server I am getting the below error:
>
> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)
>
> I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.
>
> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).
>
> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).
>
> We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.
>
> The versions of the libraries I am using are the latest available online, again see the binaries attached.
>
> The parameters used in the server.xml file are:
>
> For Tomcat 7.0.6:
>
> For Tomcat 7.0.70
>
> The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll and libapr-1.dll.
>
> tcnative-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
> openssl.exe: https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
> libapr-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing
>
> The same certificates files mentioned in the server.xml file were used and work in a brand new Apache web server.
>
> Please let us know your opinion of what can cause those errors?
>
> Can it be because of a APR dll not compiled properly?
>
> Any other idea?
>
> Thanks,
> Devendra
RE: Facing issue while configuring SSL
java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process

If I'm correct you are either missing correct rights to this file or it is not in the given location.
A second possibility is missing password for key file.

SSLPassword="pass"

Regards,

Harrie

-Original Message-
From: Devendra Sengar [mailto:dssen...@gmail.com]
Sent: dinsdag 12 juli 2016 10:50
To: users@tomcat.apache.org
Subject: Facing issue while configuring SSL

> Hi,
>
> This is regarding the configuration of Tomcat SSL using the APR library on Java 6.
>
> While starting the server I am getting the below error:
>
> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
> java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)
>
> I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.
>
> I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).
>
> I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).
>
> We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.
>
> The versions of the libraries I am using are the latest available online, again see the binaries attached.
>
> The parameters used in the server.xml file are:
>
> For Tomcat 7.0.6:
>
> For Tomcat 7.0.70
>
> The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll and libapr-1.dll.
>
> tcnative-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
> openssl.exe: https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
> libapr-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing
>
> The same certificates files mentioned in the server.xml file were used and work in a brand new Apache web server.
>
> Please let us know your opinion of what can cause those errors?
>
> Can it be because of a APR dll not compiled properly?
>
> Any other idea?
>
> Thanks,
> Devendra
Facing issue while configuring SSL
Hi,

This is regarding the configuration of Tomcat SSL using the APR library on Java 6.

While starting the server I am getting the below error:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-443"]
java.lang.Exception: Unable to load certificate key conf/localhost-key.pem (error:02001003:system library:fopen:No such process)

I am trying to implement SSL using independent libraries for OpenSSL, Tomcat Native and Apache Portable Runtime.

I have downloaded precompiled versions of OpenSSL and Tomcat Native (see them attached). I have tried compiling the Apache Portable Runtime using Visual Studio (find it also attached).

I am running those libraries on either Tomcat 7.0.6 or 7.0.70 64-bit for Windows (using the 64-bit distro, not the installer one).

We are restricted by our application to use Oracle Java 6 Updated 115 64-bit.

The versions of the libraries I am using are the latest available online, again see the binaries attached.

The parameters used in the server.xml file are:

For Tomcat 7.0.6:

For Tomcat 7.0.70

The library files are in the tomcat bin folder as openssl.exe, tcnative-1.dll and libapr-1.dll.

tcnative-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWQ1ZCckhodHBvQk0/view?usp=sharing
openssl.exe: https://drive.google.com/file/d/0ByilOlQCXOkWQk9KUUJSb3ZqeW8/view?usp=sharing
libapr-1.dll: https://drive.google.com/file/d/0ByilOlQCXOkWV09NTi0tNWxhZnM/view?usp=sharing

The same certificates files mentioned in the server.xml file were used and work in a brand new Apache web server.

Please let us know your opinion of what can cause those errors?

Can it be because of a APR dll not compiled properly?

Any other idea?

Thanks,
Devendra