Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son
On Mon, Jul 18, 2016 at 10:47 AM, André Warnier (tomcat) 
wrote:

> On 18.07.2016 16:33, Sean Son wrote:
>
>> On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
>> ognjen.d.blagoje...@gmail.com> wrote:
>>
>>> Sean,
>>>
>>> On 13.7.2016 21:56, Sean Son wrote:
>>>
>>>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>>>> files that I would need to specify the DNS name?  Like in Apache we
>>>> would specify the DNS name in a Virtualhost.


>>> Take a look at context xml, attribute "name" in Host element [1], and
>>> attribute "defaultHost" in Engine element [2].
>>>
>>> -Ognjen
>>>
>>> ps. Please, write your answers below the quotes, that is standard on
>>> Tomcat mailing lists.
>>>
>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
>>> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>> Unfortunately I was not able to make any sense of those two links. In
>> which file, would the Host element or Engine element appear in? I do not see
>> anything of the sort in context.xml ?
>>
>> Why is tomcat so confusing?
>>
>>
> Maybe less confusing if you start here :
> http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
> and then work you way down to the 2 links above.
>
>
>
>
>
Thank you Andre! I will do that.


Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread tomcat

On 18.07.2016 16:33, Sean Son wrote:
> On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
> ognjen.d.blagoje...@gmail.com> wrote:
>
>> Sean,
>>
>> On 13.7.2016 21:56, Sean Son wrote:
>>
>>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>>> files that I would need to specify the DNS name?  Like in Apache we
>>> would specify the DNS name in a Virtualhost.
>>
>> Take a look at context xml, attribute "name" in Host element [1], and
>> attribute "defaultHost" in Engine element [2].
>>
>> -Ognjen
>>
>> ps. Please, write your answers below the quotes, that is standard on
>> Tomcat mailing lists.
>>
>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
>> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
> Unfortunately I was not able to make any sense of those two links. In which
> file, would the Host element or Engine element appear in? I do not see
> anything of the sort in context.xml ?
>
> Why is tomcat so confusing?

Maybe less confusing if you start here :
http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
and then work your way down to the 2 links above.





Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
>
>
Unfortunately I was not able to make any sense of those two links. In which
file, would the Host element or Engine element appear in? I do not see
anything of the sort in context.xml ?

Why is tomcat so confusing?


Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Sean Son
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
>
>
Thanks for the links, and sorry, bad habit of mine, lol. Today I will set up
a DNS record for the server and test out the SSL. I will let you all know
what I see.

Thanks!


Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Ognjen Blagojevic

Sean,

On 13.7.2016 21:56, Sean Son wrote:
> Thank you for your answer guys. Is there anywhere in the Tomcat config
> files that I would need to specify the DNS name?  Like in Apache we
> would specify the DNS name in a Virtualhost.

Take a look at context xml, attribute "name" in Host element [1], and
attribute "defaultHost" in Engine element [2].


-Ognjen

ps. Please, write your answers below the quotes, that is standard on 
Tomcat mailing lists.


[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html




Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Daniel Savard
2016-07-13 15:56 GMT-04:00 Sean Son :

> Thank you for your answer guys. Is there anywhere in the Tomcat config
> files that I would need to specify the DNS name?  Like in Apache we would
> specify the DNS name in a Virtualhost.
>
>
No.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Sean Son
Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we would
specify the DNS name in a Virtualhost.

On Wed, Jul 13, 2016 at 7:56 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 12.7.2016 14:49, Sean Son wrote:
>
>> Hello thank you for your response. I am currently only accessing the
>> server using IP address only. We do not have a DNS record set up for the
>> server as of yet. It will be something like webapp.example.com
>>
>
> Once there is a DNS record in place, and you access your server using
> FQDN, your error will be gone.
>
> If you are the only one who accesses the server, and you find that warning
> particularly annoying, you may enter FQDN and IP address in hosts file, and
> access server using FQDN, before your DNS admins do their job.
>
> -Ognjen
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Ognjen Blagojevic

Sean,

On 12.7.2016 14:49, Sean Son wrote:
> Hello thank you for your response. I am currently only accessing the
> server using IP address only. We do not have a DNS record set up for the
> server as of yet. It will be something like webapp.example.com

Once there is a DNS record in place, and you access your server using
FQDN, your error will be gone.

If you are the only one who accesses the server, and you find that warning
particularly annoying, you may enter FQDN and IP address in hosts file,
and access server using FQDN, before your DNS admins do their job.


-Ognjen





Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Daniel Savard
2016-07-12 14:34 GMT-04:00 Sean Son :

> Are there any logs on the tomcat server that I should check in order to fix
> this SSL issue? or is this strictly a certificate related issue?
>

In my opinion, it is a DNS issue. Your certificate specifies the
SubjectAlternativeName field with two DNS entries. If none of these can be
resolved for your server, the certificate is considered invalid.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son
On Tue, Jul 12, 2016 at 8:49 AM, Sean Son 
wrote:

>
>
> On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
> ognjen.d.blagoje...@gmail.com> wrote:
>
>> On 11.7.2016 16:29, Sean Son wrote:
>>
>>> Here is the certificate path:
>>>
>>> - Go Daddy Root Certificate Authority - G2
>>>- Go Daddy Secure Certificate Authority - G2
>>>   - *.example.com 
>>>
>>>
>> That looks Ok.
>>
>> Did you, perhaps, try to access server on subdomain of example.com?
>> Wildcard certificate "*.example.com" is valid for "www.example.com", but
>> not for "www.department.example.com".
>>
>> -Ognjen
>>
>>
>>
> Hello thank you for your response. I am currently only accessing the
> server using IP address only. We do not have a DNS record set up for the
> server as of yet. It will be something like webapp.example.com
>
>
> Thanks
>
>
>

Are there any logs on the tomcat server that I should check in order to fix
this SSL issue? or is this strictly a certificate related issue?


Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son
On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 11.7.2016 16:29, Sean Son wrote:
>
>> Here is the certificate path:
>>
>> - Go Daddy Root Certificate Authority - G2
>>- Go Daddy Secure Certificate Authority - G2
>>   - *.example.com 
>>
>>
> That looks Ok.
>
> Did you, perhaps, try to access server on subdomain of example.com?
> Wildcard certificate "*.example.com" is valid for "www.example.com", but
> not for "www.department.example.com".
>
> -Ognjen
>
>
>
Hello thank you for your response. I am currently only accessing the server
using IP address only. We do not have a DNS record set up for the server as
of yet. It will be something like webapp.example.com


Thanks


Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Ognjen Blagojevic

On 11.7.2016 16:29, Sean Son wrote:
> Here is the certificate path:
>
> - Go Daddy Root Certificate Authority - G2
>   - Go Daddy Secure Certificate Authority - G2
>     - *.example.com

That looks Ok.

Did you, perhaps, try to access server on subdomain of example.com?
Wildcard certificate "*.example.com" is valid for "www.example.com", but
not for "www.department.example.com".


-Ognjen



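The two name-matching rules this thread turns on, Ognjen's wildcard point above and Daniel's remark elsewhere in the thread that a certificate whose SubjectAlternativeName holds only DNS names cannot validate for an IP-address URL, as an added Python example that is not code from the thread. The SAN list is constructed, and `hostname_matches_cert` and `explain` are my own names.

```python
"""Hostname-to-certificate matching the way a browser does it.

Added example, not from the thread. It applies the two rules discussed above:
a wildcard "*.example.com" covers exactly one label ("www.example.com", not
"www.department.example.com"), and a dNSName SAN never matches an IP-address
URL, which is why https://<ip>/ fails on a certificate that only lists DNS
names (Chrome reports this as net::ERR_CERT_COMMON_NAME_INVALID).
"""
import ipaddress
from typing import Iterable


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN (possibly a wildcard) covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and nothing else may be
    # a wildcard; it stands for exactly one label, so label counts must agree.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) != len(h_labels):
        return False
    # Refuse over-broad patterns such as "*" or "*.com".
    if len(p_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, san_dns_names: Iterable[str],
                          san_ip_addresses: Iterable[str] = ()) -> bool:
    """True if the host from the URL matches some SubjectAlternativeName entry.

    An IP literal is compared only against iPAddress SANs; a DNS name only
    against dNSName SANs. The certificate in the thread has only DNS names,
    so reaching it by IP can never validate, whatever the DNS name is.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san_ip_addresses)
    return any(_dns_name_matches(p, hostname) for p in san_dns_names)


def explain(hostname: str, san_dns_names: Iterable[str],
            san_ip_addresses: Iterable[str] = ()) -> str:
    """One-line verdict in the spirit of the browser's certificate error."""
    san_dns_names = list(san_dns_names)
    san_ip_addresses = list(san_ip_addresses)
    if hostname_matches_cert(hostname, san_dns_names, san_ip_addresses):
        return "OK: %s is covered by the certificate" % hostname
    return "ERR_CERT_COMMON_NAME_INVALID: %s is not in SAN %s" % (
        hostname, san_dns_names + san_ip_addresses)


# Constructed SAN list standing in for the GoDaddy wildcard certificate in
# the thread, which Daniel describes as carrying two DNS entries.
WILDCARD_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "webapp.example.com", "example.com",
                 "www.department.example.com", "203.0.113.10"]:
        print(explain(host, WILDCARD_SANS))
```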



Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Sean Son
Here is the certificate path:

- Go Daddy Root Certificate Authority - G2
   - Go Daddy Secure Certificate Authority - G2
  - *.example.com


Thanks

On Fri, Jul 8, 2016 at 6:23 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 7.7.2016 23:17, Daniel Savard wrote:
>
>>> Certificate Error
>>> There are issues with the site's certificate chain
>>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Looks like adding the keyAlias to the connector did not fix anything
>>> unfortunately.
>
>

>> Did you examine the received certificate in the browser? Usually this helps
>> to identify why it failed. In this case, the chain of certification seems
>> to be the problem.
>>
>
> +1
>
> What is your certification path / certificate hierarchy?
>
> In Firefox: click on padlock icon, click on arrow, More information, View
> Certificate, Details, Certificate Hierarchy
>
> In Chrome: click on padlock icon, Details, View Certificate, Certification
> path.
>
>
> -Ognjen
>
>
>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-08 Thread Ognjen Blagojevic

On 7.7.2016 23:17, Daniel Savard wrote:
>> Certificate Error
>> There are issues with the site's certificate chain
>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Looks like adding the keyAlias to the connector did not fix anything
>> unfortunately.
>
> Did you examine the received certificate in the browser? Usually this helps
> to identify why it failed. In this case, the chain of certification seems
> to be the problem.

+1

What is your certification path / certificate hierarchy?

In Firefox: click on padlock icon, click on arrow, More information,
View Certificate, Details, Certificate Hierarchy

In Chrome: click on padlock icon, Details, View Certificate,
Certification path.


-Ognjen






Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard
2016-07-07 14:53 GMT-04:00 Sean Son :

>
>
> On Thu, Jul 7, 2016 at 12:24 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Copying Daniel and Ognjen on this
>>
>> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
>> linuxmailinglistsem...@gmail.com> wrote:
>>
>>> Hello
>>>
>>> I tried adding the keyAlias to the connector and when I restarted
>>> Tomcat, and I browsed to the server page, I got this error:
>>>
>>> Certificate Error
>>> There are issues with the site's certificate chain
>>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Looks like adding the keyAlias to the connector did not fix anything
>>> unfortunately.
>>>
>>
>
Did you examine the received certificate in the browser? Usually this helps
to identify why it failed. In this case, the chain of certification seems
to be the problem.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
On Thu, Jul 7, 2016 at 12:24 PM, Sean Son 
wrote:

> Copying Daniel and Ognjen on this
>
> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Hello
>>
>> I tried adding the keyAlias to the connector and when I restarted
>> Tomcat, and I browsed to the server page, I got this error:
>>
>> Certificate Error
>> There are issues with the site's certificate chain
>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Looks like adding the keyAlias to the connector did not fix anything
>> unfortunately.
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
>> wrote:
>>
>>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>>
>>> > So I should modify my  connector to look like this?
>>> >
>>> > >> > protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >maxThreads="150" keystoreFile="conf/tomcat.jks"
>>> > keystorePass="password"
>>> keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>>> > SSLEnabled="true" scheme="https" secure="true"
>>> >clientAuth="false" sslProtocol="TLS" />
>>> >
>>> >
>>> Yes.
>>>
>>> -
>>> Daniel Savard
>>>
>>
>>
>
Sorry I noticed that this is the connector configuration in my server.xml
file:



I updated it with the keyAlias information.  This connector was provided to
me by someone.  Unfortunately I am still getting the same error message.


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
Copying Daniel and Ognjen on this

On Thu, Jul 7, 2016 at 12:02 PM, Sean Son 
wrote:

> Hello
>
> I tried adding the keyAlias to the connector and when I restarted Tomcat,
> and I browsed to the server page, I got this error:
>
> Certificate Error
> There are issues with the site's certificate chain
> (net::ERR_CERT_COMMON_NAME_INVALID).
>
> Looks like adding the keyAlias to the connector did not fix anything
> unfortunately.
>
>
>
>
>
>
>
> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
> wrote:
>
>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>
>> > So I should modify my  connector to look like this?
>> >
>> > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >maxThreads="150" keystoreFile="conf/tomcat.jks"
>> > keystorePass="password"
>> keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>> > SSLEnabled="true" scheme="https" secure="true"
>> >clientAuth="false" sslProtocol="TLS" />
>> >
>> >
>> Yes.
>>
>> -
>> Daniel Savard
>>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
Hello

I tried adding the keyAlias to the connector and when I restarted Tomcat,
and I browsed to the server page, I got this error:

Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Looks like adding the keyAlias to the connector did not fix anything
unfortunately.







On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
wrote:

> 2016-07-07 10:52 GMT-04:00 Sean Son :
>
> > So I should modify my  connector to look like this?
> >
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> >maxThreads="150" keystoreFile="conf/tomcat.jks"
> > keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
> > SSLEnabled="true" scheme="https" secure="true"
> >clientAuth="false" sslProtocol="TLS" />
> >
> >
> Yes.
>
> -
> Daniel Savard
>


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard
2016-07-07 10:52 GMT-04:00 Sean Son :

> So I should modify my  connector to look like this?
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="150" keystoreFile="conf/tomcat.jks"
> keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
> SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS" />
>
>
Yes.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
So I should modify my  connector to look like this?



On Wed, Jul 6, 2016 at 6:50 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 5.7.2016 17:14, Sean Son wrote:
>
>> Hello Daniel and all
>>
>> Here is the output.. the full output
>>
>> http://pastebin.com/AQckw6ig
>>
>
> Keytool output indicates that there are two entries in keystore:
>
> 1. Entry with alias "root", created Jun 16, 2016, which is intermediate
> certificate for Go Daddy:
>
> Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
> Issuer: CN=Go Daddy Root Certificate Authority - G2 ...
>
> This is "trustedCertEntry", which means that it does not contain a private
> key, and therefore may not be used for encryption necessary for TLS / HTTPS
> communication.
>
>
> 2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created Jun
> 16, 2016. This is certificate for domain example.com, signed by Go Daddy:
>
> Owner: CN=*.example.com, OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...
>
> This is PrivateKeyEntry which means that it contains private and public
> key pair, and since owner is different from issuer it means it also
> contains associated certificate. This entry may be used to encrypt data for
> TLS / HTTPS communication.
>
>
> Therefore, you must point Tomcat to use second entry from your keystore.
> Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your
> connector configuration.
>
> -Ognjen
>
>
>
>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-06 Thread Ognjen Blagojevic

Sean,

On 5.7.2016 17:14, Sean Son wrote:
> Hello Daniel and all
>
> Here is the output.. the full output
>
> http://pastebin.com/AQckw6ig

Keytool output indicates that there are two entries in keystore:

1. Entry with alias "root", created Jun 16, 2016, which is intermediate
certificate for Go Daddy:

Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
Issuer: CN=Go Daddy Root Certificate Authority - G2 ...

This is "trustedCertEntry", which means that it does not contain a
private key, and therefore may not be used for encryption necessary for
TLS / HTTPS communication.

2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created
Jun 16, 2016. This is certificate for domain example.com, signed by Go
Daddy:

Owner: CN=*.example.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...

This is PrivateKeyEntry which means that it contains private and public
key pair, and since owner is different from issuer it means it also
contains associated certificate. This entry may be used to encrypt data
for TLS / HTTPS communication.

Therefore, you must point Tomcat to use second entry from your keystore.
Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your
connector configuration.


-Ognjen






Re: Need help setting up SSL on Tomcat 8

2016-07-05 Thread Sean Son
On Fri, Jul 1, 2016 at 6:14 PM, Daniel Savard 
wrote:

> 2016-07-01 16:08 GMT-04:00 Christopher Schultz <
> ch...@christopherschultz.net
> >:
>
> >
> > >
> > > Thank you for the reply.  How would I go about specifying the alias
> > > of the certificate?
> >
> > You may have to re-import it, but I've had bad experiences with Java
> > keystores so ALWAYS keep a backup in case you host something.
> >
> > The first item in your keystore certainly looks like a certificate to
> > me. It's the *second* item that is a private key.
> >
> > What if you add these attributes to your connector:
> >
> > keyAlias="root"
> >
> > ?
> >
> > If that doesn't work, try using a tool like Portecle to try to adjust
> > some things (like the "aliases"). It's much better and safer than
> > using keytool IMO. Remember ALWAYS KEEP A BACKUP!
> >
> >
> Chris,
>
> in a keystore, the entry with the certificate created using the private key
> from that keystore is a single entry identified as PrivateKey. If you have
> a single certificate created from a private key in that keystore you will
> have only one entry, not two and it will be labeled as private key.
>
> In fact, it can be checked using the -v option to print details about each
> entry. This should be enough to identify without ambiguity which entry is
> what. This is what I recommend to do in order to understand what really is
> in the keystore. I doubt the alias root with the first entry in the
> keystore is actually the certificate needed here.
>
> Sean,
>
> print the details and you will have the alias and Common Name clearly
> identified on the output in a verbose format. Use the -v option to the
> keytool command for this. No need to post everything here if you are
> unsure.
>
> -
> Daniel Savard
>



Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig


Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Daniel Savard
2016-07-01 16:08 GMT-04:00 Christopher Schultz :

>
> >
> > Thank you for the reply.  How would I go about specifying the alias
> > of the certificate?
>
> You may have to re-import it, but I've had bad experiences with Java
> keystores so ALWAYS keep a backup in case you host something.
>
> The first item in your keystore certainly looks like a certificate to
> me. It's the *second* item that is a private key.
>
> What if you add these attributes to your connector:
>
> keyAlias="root"
>
> ?
>
> If that doesn't work, try using a tool like Portecle to try to adjust
> some things (like the "aliases"). It's much better and safer than
> using keytool IMO. Remember ALWAYS KEEP A BACKUP!
>
>
Chris,

in a keystore, the entry with the certificate created using the private key
from that keystore is a single entry identified as PrivateKey. If you have
a single certificate created from a private key in that keystore you will
have only one entry, not two and it will be labeled as private key.

In fact, it can be checked using the -v option to print details about each
entry. This should be enough to identify without ambiguity which entry is
what. This is what I recommend to do in order to understand what really is
in the keystore. I doubt the alias root with the first entry in the
keystore is actually the certificate needed here.

Sean,

print the details and you will have the alias and Common Name clearly
identified on the output in a verbose format. Use the -v option to the
keytool command for this. No need to post everything here if you are unsure.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Christopher Schultz

Sean,

On 7/1/16 11:11 AM, Sean Son wrote:
> On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard
>  wrote:
> 
>> 2016-06-29 9:08 GMT-04:00 Sean Son
>> :
>> 
>>> Hello Daniel
>>> 
>>> Thank you for the information. Here is the output of the
>>> keytool command:
>>> 
>>> Keystore type: JKS Keystore provider: SUN
>>> 
>>> Your keystore contains 2 entries
>>> 
>>> root, Jun 16, 2016, trustedCertEntry, Certificate fingerprint
>>> (SHA1): 
>>> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 
>>> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016,
>>> PrivateKeyEntry, Certificate fingerprint (SHA1): 
>>> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>>> 
>>> 
>>> Is it possible that the error that I am seeing, is related to
>>> the fact that I am using a wildcard certificate?
>>> 
>> 
>> So, the first entry in the keystore isn't your certificate. As I
>> told you before, if you do not specify explicitly the alias of
>> the certificate to send, the first entry in the keystore is sent.
>> In this case, root.
>> 
>> The attribute to tell the connector which certificate to send, is
>> keyAlias, however it seems your certificate has no alias in the
>> keystore.
>> 
>> - Daniel Savard
>> 
> 
> 
> Thank you for the reply.  How would I go about specifying the alias
> of the certificate?

You may have to re-import it, but I've had bad experiences with Java
keystores so ALWAYS keep a backup in case you host something.

The first item in your keystore certainly looks like a certificate to
me. It's the *second* item that is a private key.

What if you add these attributes to your connector:

keyAlias="root"

?

If that doesn't work, try using a tool like Portecle to try to adjust
some things (like the "aliases"). It's much better and safer than
using keytool IMO. Remember ALWAYS KEEP A BACKUP!

-chris




Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Sean Son
On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard 
wrote:

> 2016-06-29 9:08 GMT-04:00 Sean Son :
>
> > Hello Daniel
> >
> > Thank you for the information. Here is the output of the keytool command:
> >
> > Keystore type: JKS
> > Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > root, Jun 16, 2016, trustedCertEntry,
> > Certificate fingerprint (SHA1):
> > 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> > {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> > Certificate fingerprint (SHA1):
> > 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
> >
> >
> > Is it possible that the error that I am seeing, is related to the fact
> > that I am using a wildcard certificate?
> >
>
> So, the first entry in the keystore isn't your certificate. As I told you
> before, if you do not specify explicitly the alias of the certificate to
> send, the first entry in the keystore is sent. In this case, root.
>
> The attribute to tell the connector which certificate to send, is keyAlias,
> however it seems your certificate has no alias in the keystore.
>
> -
> Daniel Savard
>


Thank you for the reply.  How would I go about specifying the alias of the
certificate?


Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Daniel Savard
2016-06-29 9:08 GMT-04:00 Sean Son :

> Hello Daniel
>
> Thank you for the information. Here is the output of the keytool command:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Jun 16, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>
>
> Is it possible that the error that I am seeing, is related to the fact
> that I am using a wildcard certificate?
>

So, the first entry in the keystore isn't your certificate. As I told you
before, if you do not specify explicitly the alias of the certificate to
send, the first entry in the keystore is sent. In this case, root.

The attribute to tell the connector which certificate to send, is keyAlias,
however it seems your certificate has no alias in the keystore.

-
Daniel Savard
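Daniel's advice here to identify the entry before choosing keyAlias, and Ognjen's breakdown elsewhere in the thread of the two keystore entries (a trustedCertEntry holding the intermediate CA certificate and a PrivateKeyEntry holding the server key), as an added Python example that is not code from the thread. It parses the `keytool -list` output Sean posted and Philip's one-entry listing (both copied from the thread as sample input); `parse_keytool_list`, `recommend_key_alias` and `diagnose` are my own names.

```python
"""Classify `keytool -list` entries and pick the alias a Tomcat connector needs.

Added example, not from the thread. Only a PrivateKeyEntry carries the private
key a TLS server needs; a trustedCertEntry such as "root" is just a CA
certificate, so it must not be the entry the connector is pointed at.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One header line per keystore entry, e.g.
#   root, Jun 16, 2016, trustedCertEntry,
#   tomcat, 11-Apr-2016, PrivateKeyEntry,
_ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), (?P<created>.+?), "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)
# A SHA-1 fingerprint, whether it follows "Certificate fingerprint (SHA1):"
# on the same line or was wrapped onto the next line by the mail client.
_FP_RE = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")


@dataclass
class KeystoreEntry:
    alias: str
    created: str
    kind: str
    fingerprint: Optional[str] = None

    @property
    def usable_for_tls(self) -> bool:
        """Only an entry that carries a private key can terminate TLS."""
        return self.kind == "PrivateKeyEntry"


def parse_keytool_list(text: str) -> List[KeystoreEntry]:
    """Parse the output of `keytool -list -keystore <file>` into entries."""
    entries: List[KeystoreEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeystoreEntry(m["alias"], m["created"], m["kind"]))
            continue
        fp = _FP_RE.search(line)
        if fp and entries and entries[-1].fingerprint is None:
            entries[-1].fingerprint = fp.group(0)
    return entries


def recommend_key_alias(entries: List[KeystoreEntry]) -> Optional[str]:
    """Return the alias to put in keyAlias="...", or None if no key is present."""
    keys = [e for e in entries if e.usable_for_tls]
    return keys[0].alias if keys else None


def diagnose(text: str) -> str:
    """Human-readable verdict: what to configure, and why the listing misleads."""
    entries = parse_keytool_list(text)
    if not entries:
        return "no keystore entries found in input"
    alias = recommend_key_alias(entries)
    if alias is None:
        return ("keystore holds only %s; import the private key and its "
                "certificate before configuring the connector"
                % ", ".join("%s (%s)" % (e.alias, e.kind) for e in entries))
    first = entries[0]
    if first.alias != alias:
        # The first entry is not a key entry, so name the key explicitly
        # rather than relying on what the connector picks without keyAlias.
        return ('first entry "%s" is a %s, not a server key; set '
                'keyAlias="%s" on the Connector' % (first.alias, first.kind, alias))
    return 'single key entry "%s"; keyAlias="%s" makes the choice explicit' % (
        alias, alias)


# Sample input copied from the thread (fingerprints as Sean posted them).
SEAN_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
"""

# Philip's quick-start keystore from the thread (fingerprint elided as posted).
PHILIP_LISTING = """\
Your keystore contains 1 entry

tomcat, 11-Apr-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
"""

if __name__ == "__main__":
    print(diagnose(SEAN_LISTING))
    print(diagnose(PHILIP_LISTING))
```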


Re: Need help setting up SSL on Tomcat 8

2016-06-30 Thread Philip Hachey



On 16-06-29 09:08 AM, Sean Son wrote:
> Hello Daniel
>
> Thank you for the information. Here is the output of the keytool command:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Jun 16, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>
> Is it possible that the error that I am seeing, is related to the fact that
> I am using a wildcard certificate?
>
> Thanks

I'm not familiar with this configuration.  My keystore -list generates this:
***
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, 11-Apr-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
***

That's what you should have too if you're simply following the quick
start rules here
[https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html].  Point your
browser to "https://localhost:8443/"

I also get a browser warning when using this keystore, but it's
net::ERR_CERT_AUTHORITY_INVALID which I would expect because I haven't
registered with a root authority (i.e. it's a self-signed certificate).
I would start with that.  If you then need to use an authority-signed
certificate, I personally don't have any immediate knowledge when it
comes to Tomcat, but I imagine it should be only slightly more complex.







Re: Need help setting up SSL on Tomcat 8

2016-06-29 Thread Sean Son
Hello Daniel

Thank you for the information. Here is the output of the keytool command:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA


Is it possible that the error that I am seeing, is related to the fact that
I am using a wildcard certificate?


Thanks



On Tue, Jun 28, 2016 at 5:09 PM, Daniel Savard 
wrote:

> 2016-06-28 16:24 GMT-04:00 Sean Son :
> 
>
> >
> > as for the output to the keytool command:
> >
> > Isn't the output to that command, confidential information?
> >
> >
> No, there isn't anything confidential from the output of a simple -list. It
> doesn't display the private key or anything like that. It will  just show
> the list of certificates in your keystore.
>
> The first entry in the keystore will be the one sent back by the Tomcat
> server since you didn't specify any alias. So, I assume this is the
> intended behavior.
>
> Since you do not specify any trust store, the default trust store shipped
> with your version of Java will be used. If the clients trying to connect
> do not have certificates signed by one of these, it will fail. It may
> not be a problem in your case since you do not provide any details on the
> clients' certificates.
>
> Regards,
> -
> Daniel Savard
>


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Daniel Savard
2016-06-28 16:24 GMT-04:00 Sean Son :


>
> as for the output to the keytool command:
>
> Isn't the output of that command confidential information?
>
>
No, there isn't anything confidential in the output of a simple -list. It
doesn't display the private key or anything like that. It will just show
the list of certificates in your keystore.

The first entry in the keystore will be the one sent back by the Tomcat
server since you didn't specify any alias. So, I assume this is the
intended behavior.

Since you do not specify any trust store, the default trust store shipped
with your version of Java will be used. If the clients trying to connect
do not have certificates signed by one of these, it will fail. It may
not be a problem in your case since you do not provide any details on the
clients' certificates.

Regards,
-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Here is the complete configuration

 








as for the output to the keytool command:

Isn't the output of that command confidential information?

Thanks

On Tue, Jun 28, 2016 at 4:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sean,
>
> On 6/28/16 2:31 PM, Sean Son wrote:
> > Hey Philip
> >
> > So I was able to get the page to connect with SSL but I noticed
> > that when I clicked on the little icon that looks like a lock next
> > to https:// in the address bar, I saw this certificate error:
> > Certificate Error There are issues with the site's certificate
> > chain (net::ERR_CERT_COMMON_NAME_INVALID).
>
> This usually means that the URL you are using contains a hostname that
> doesn't match the TLS certificate's "common name".
>
> > Does that mean that SSL has been implemented incorrectly?
> >
> > Also I am trying to get an incoming connection through port 80 to
> > tomcat, to automatically redirect to port 8443 (or 443, whichever
> > you think is easiest to implement)  without having to use a reverse
> > proxy in front of it.  In my server.xml I have the following:
> >
> >  > connectionTimeout="2" redirectPort="8443" />


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Christopher Schultz
Sean,

On 6/28/16 2:31 PM, Sean Son wrote:
> Hey Philip
> 
> So I was able to get the page to connect with SSL but I noticed
> that when I clicked on the little icon that looks like a lock next
> to https:// in the address bar, I saw this certificate error: 
> Certificate Error There are issues with the site's certificate
> chain (net::ERR_CERT_COMMON_NAME_INVALID).

This usually means that the URL you are using contains a hostname that
doesn't match the TLS certificate's "common name".

> Does that mean that SSL has been implemented incorrectly?
> 
> Also I am trying to get an incoming connection through port 80 to
> tomcat, to automatically redirect to port 8443 (or 443, whichever
> you think is easiest to implement)  without having to use a reverse
> proxy in front of it.  In my server.xml I have the following:
> 
>  connectionTimeout="2" redirectPort="8443" />  
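
The hostname mismatch Chris describes, as an added example that is not part of the thread: a Python check of whether a certificate's names cover the hostname in the URL, using RFC 6125 wildcard rules, so it also shows when a wildcard certificate like the one asked about later does and does not match. The function names, the `check_live` helper and the sample cert dict are mine; `cafile` assumes the server certificate was exported with `keytool -exportcert -rfc`.

```python
import socket
import ssl


def label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a leading '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*":
        # *.example.com covers www.example.com but not example.com or
        # a.b.example.com; a pattern as short as *.com is never accepted
        return len(p) >= 3 and len(h) == len(p) and h[1:] == p[1:]
    return p == h


def cert_names(peercert: dict) -> list:
    """Names the cert asserts: SAN dNSName entries, else the subject CN.
    Current browsers ignore the CN, so a cert with no SAN fails their
    check even when the CN matches the URL."""
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """True if the URL hostname is covered by some name in the certificate."""
    return any(label_match(n, hostname) for n in cert_names(peercert))


def check_live(host: str, port: int = 8443, cafile: str = None) -> tuple:
    """Fetch the cert Tomcat really serves and run the same check on it.
    cafile: the server cert exported with 'keytool -exportcert -rfc', so a
    self-signed cert verifies and getpeercert() returns the parsed form."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by hostname_matches
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_matches(cert, host), cert_names(cert)


# Constructed sample (not a real cert): a wildcard cert, as in the thread,
# in the dict shape that ssl.SSLSocket.getpeercert() returns
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
```

Browsing to https://localhost:8443/ or to the server's IP with WILDCARD_CERT gives exactly the mismatch in the thread, because neither `localhost` nor an IP literal is covered by `*.example.com`.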

Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Hey Philip

So I was able to get the page to connect with SSL but I noticed that when I
clicked on the little icon that looks like a lock next to https:// in the
address bar, I saw this certificate error:
Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Does that mean that SSL has been implemented incorrectly?

Also I am trying to get an incoming connection through port 80 to tomcat,
to automatically redirect to port 8443 (or 443, whichever you think is
easiest to implement)  without having to use a reverse proxy in front of
it.  In my server.xml I have the following:





Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Thank you for your reply Philip

yes I have and it still failed.. I can try again and let you know what
errors I am running into.

Thanks!



On Tue, Jun 28, 2016 at 2:15 PM, Philip Hachey  wrote:

> Have you tried following the steps found here?:
> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
>


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Philip Hachey
Have you tried following the steps found here?: 
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html





Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Hello all

I am stuck trying to set up SSL on Tomcat 8. I have tried all sorts of
advice and still I cannot get it to work.

I attempted to use the method described on this website:

https://sysengineers.wordpress.com/2011/03/16/tomcat-automatic-redirect-https/

but I started to see the following errors in my catalina.2016-06.26.log
file:

WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLCertificateFile' to
'/home/user/apache-tomcat-8.0.35/ssl/certificate.crt' did not find a
matching property.
28-Jun-2016 10:44:20.495 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLCertificateKeyFile' to
'/home/user/apache-tomcat-8.0.35/ssl/certificate.key' did not find a
matching property.

So what I did was install openssl-devel and apr-devel and now those errors
have disappeared, but when I try to browse to the web application or the IP
of the server, I get the following error in the browser:

took too long to respond.

Try:

   - Reloading the page
   - Checking the connection
   - Checking the proxy and the firewall

I have no idea what I am doing wrong. I set up my Connector in server.xml
exactly the same way as the example in that website that I linked. Any
suggestions will greatly be appreciated!

Thanks!

Sean