RE: [OT] Request: Encryption requirements for TLS and SSL for Tomcat

2021-06-09 Thread John.E.Gregg 
Emen-Eddine,


> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, June 09, 2021 9:08 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] Request: Encryption requirements for TLS and SSL for
> Tomcat
> 
> Emen-Eddine,
> 
> On 6/8/21 08:10, Emen-Eddine AISSAOUI wrote:
> > Hello,
> >
> > I am contacting you regarding the cipher suite recommandations for TLS
> > and SSL for Tomcat.
> >
> > This is an urgent request for a customer feedback.
> 
> Since this is a customer who is presumably paying YOU for YOUR services, this
> is probably an urgent request for YOU. If your customer(s) want to pay US to
> help them, it may become urgent for US.
> 
> > Could you please tell us which cipher suites are used and necessary
> > and if there is any particular prequesites regarding TLS and SSL
> > encryption for the proper functioning of Tomcat ?
> 
> Tomcat will use a combination of your configuration and system (JVM)
> support to determine which cipher suites will be used. Assuming at least one
> cipher suite is in that set, Tomcat will "work". None are actually necessary.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

If you're looking for actual cipher suite recommendations, I'm not going to 
make any but I will show you some useful resources.

This is a list of the supported Java 11 cipher suites "sorted by order of 
preference."  Hopefully good security is one of their preferences!

https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2

This is another useful site with information on whether a cipher suite is 
recommended or not.

https://ciphersuite.info/cs/

You can cross reference the lists from those two sites.

John


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Request: Encryption requirements for TLS and SSL for Tomcat

2021-06-09 Thread Christopher Schultz 

Emen-Eddine,

On 6/8/21 08:10, Emen-Eddine AISSAOUI wrote:

Hello,

I am contacting you regarding the cipher suite recommandations for 
TLS and SSL for Tomcat.


This is an urgent request for a customer feedback.


Since this is a customer who is presumably paying YOU for YOUR services,
this is probably an urgent request for YOU. If your customer(s) want to
pay US to help them, it may become urgent for US.

Could you please tell us which cipher suites are used and necessary 
and if there is any particular prequesites regarding TLS and SSL 
encryption for the proper functioning of Tomcat ?


Tomcat will use a combination of your configuration and system (JVM) 
support to determine which cipher suites will be used. Assuming at least 
one cipher suite is in that set, Tomcat will "work". None are actually 
necessary.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Request: Encryption requirements for TLS and SSL for Tomcat

2021-06-08 Thread Olaf Kock 

On 08.06.21 14:10, Emen-Eddine AISSAOUI wrote:
> Hello,
>
> I am contacting you regarding the cipher suite recommandations for TLS and 
> SSL for Tomcat.
>
> Could you please tell us which cipher suites are used and necessary and if 
> there is any particular prequesites regarding TLS and SSL encryption for the 
> proper functioning of Tomcat ?
>
> This is an urgent request for a customer feedback.

Are you asking for the Java prerequisites? Bitsize for keys requirement?
What do you call "proper functioning" of Tomcat? Because it functions
quite properly with any (supported) TLS settings.

In general, the recommendations for ciphers are independent of the app
server, it's rather a common industry standard (changing over time), but
heavily depends on the devices you need to support.

Can't go without this rant with regards to your urgency: If you have
customers paying /you/ for that information, how much of that money are
you willing to share for a quicker answer, /tailored/ to your
(customer's) /exact/ needs? 

Olaf

Request: Encryption requirements for TLS and SSL for Tomcat

2021-06-08 Thread Emen-Eddine AISSAOUI 
Hello,

I am contacting you regarding the cipher suite recommandations for TLS and SSL 
for Tomcat.

Could you please tell us which cipher suites are used and necessary and if 
there is any particular prequesites regarding TLS and SSL encryption for the 
proper functioning of Tomcat ?

This is an urgent request for a customer feedback.

Thank you in advance.

Kind Regards,
Emen-Eddine

Re: [OT] Install Comodo SSL in Tomcat

2020-01-29 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 1/29/20 2:26 PM, logo wrote:
> Chris,
> 
>> Am 29.01.2020 um 16:59 schrieb Christopher Schultz
>> :
>> 
> Peter,
> 
> On 1/28/20 6:02 PM, logo wrote:
>  honorCipherOrder="true" protocols="TLSv1.2+TLSv1.3" 
> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POL
Y13
>
> 
05:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA
> -AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA2
56
>
> 
:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SH
> A256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-S
HA
>
> 
:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:D
> HE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-
AE
>
> 
S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
> :AES128-SHA:AES256-SHA:!DSS">
> 
> 
>  certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p 12"
> certificateKeystorePassword="changeit" 
> certificateKeyAlias="tomcat" type="RSA" />
> 
 
> P12 is created with
 
> openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key
> -certfile chain.pem -out tomcat.p12 -name tomcat -CAfile
> ca.crt -caname root -passout pass:changeit
 
 
> Seems to be valid and working ;-) .
> 
> Hmm. What version of Java? Perhaps Java has gotten better about 
> detecting the type of keystore? Also, Tomcat respects the value of 
> -Djavax.net.ssl.keyStoreType so if (a) you are explicitly setting
> it to PKCS12 or (b) your Java version is doing that, then you don't
> need to specify it, as it's the default.
> 
>> openjdk 11.0.6+10-post-Debian-1 and no JAVA_OPTS for certs…

It must just be the new default. :)

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4yELkACgkQHPApP6U8
pFgBfBAAvtW/NMZo/AVXYUFsA5GocrYfZDqwgE2B95M+9tFbBKTetuYBqzrOTKSx
AKiIU+0MGmqx0DUEPCgLh3prakJJtimhW+7JzM8i1nPEyhv242w8Y4+tsp9kwE5H
TQYsYhci3ydxQGP2QnwxbZdlxkgn4ngnEA1d6TuCp77E4Bi8rlglG7sB1IQhM3O9
yMY/60HBuIa3XTrdEdo2g5AKzQJ7AwjjWKpn3g0LtZBX0F3l/1S6jJIhCeLKHaWv
YbeIzJRUmGFE0XA6fTQXpN7XqWM617wlETdoSkWaGqUdAy2oHs6lO3mctqlQL4h6
TotSju1OKch7nbCntCludoNHVqawzSDSQSClkox3BnJ6jVIivVxUQ/8Ccs4opecv
XFChhCxBnnwd/rBwo1oNtP6K3/ekBtcHOIJhxtZ72BIhFbAT7PZeBstz4vN5isUQ
zzJo4prGhqd4CbgAKGvB5LtvpD3gltTgrtoKEz7k0XwMQ3AlqM2SjxE749HBeNlB
ZEeAIsrKTMzu+1UYXDOo2YOf7im8+5jCSuQJaL0DmgiLrIEEqi3hVPz3W07ZWAOh
766uqw0n7/HzTJ61bOO+gif3UGWS0b+fvLtNW+wHA6B0eMxgV9jWJudXtoOiRL8j
am6Ewv4dG6eJUlJcC2ZzHeLZMygoYbjY5rIBqb0o3O5CuiNNA3Q=
=Cz2L
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-29 Thread logo 
Chris,

> Am 29.01.2020 um 16:59 schrieb Christopher Schultz 
> :
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Peter,
> 
> On 1/28/20 6:02 PM, logo wrote:
>>> >> protocols="TLSv1.2+TLSv1.3" 
>>> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13
> 05:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA
> - -AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
> :DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SH
> A256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA
> :ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:D
> HE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AE
> S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
> :AES128-SHA:AES256-SHA:!DSS">
>>> 
>>> 
> >> certificateKeystorePassword="changeit" 
>>> certificateKeyAlias="tomcat" type="RSA" /> 
>> 
>>> P12 is created with
>> 
>>> openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -certfile
>>> chain.pem -out tomcat.p12 -name tomcat -CAfile ca.crt -caname
>>> root -passout pass:changeit
>> 
>> 
>>> Seems to be valid and working ;-) .
> 
> Hmm. What version of Java? Perhaps Java has gotten better about
> detecting the type of keystore? Also, Tomcat respects the value of
> - -Djavax.net.ssl.keyStoreType so if (a) you are explicitly setting it
> to PKCS12 or (b) your Java version is doing that, then you don't need
> to specify it, as it's the default.

openjdk 11.0.6+10-post-Debian-1 and no JAVA_OPTS for certs…

> 
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4xq8sACgkQHPApP6U8
> pFiQoBAAh85sDX5Q0aSMLyU5wQCsP2CPrA0iiaLwiU/rZ4Xr38mn8xW1lKAodjX8
> enLvHnRsfvQk+spXtNCsN4W0lh1ZCt2Y9bkO44AtlsCMHTaCgx3XgzuXUSxmkg1+
> ZsNv0jEWqslI0MwEZIzs8tlPbEg3EydjSF8kXf5fcygxA50FfR1o1ysY0cJNO2Z2
> 1pJDdueZPy0TzBquVAX9b+d9ElZk8QeavSJ4H8lFkj9Mjdj4XeqevuT/VayJKe34
> hBrdCJfXgLh+xq251eMxjSSIxXC5B3tK0SE5IeyZyBxd5KBq4HmN8q/rJcWmvfMd
> U+HUlvG0GugoodPnz2XklbJlW1J78uuhT81/sWp2PIiig7So/QSOJgpCuInJAdoh
> wCaO1aZfYABxJSCbbZGEtT22ybilgA9rnocsuGjI5Wrxo3dBxzMQ9Y0QB56/bkEN
> ZT2NnynXfEwVMlXqgnSqxga1hCW82wCfw8meZtye5Pc7QyvJDoEUqveakvNvjEIy
> 3OminOdu6KuIEjcLy2OJLs2voBqDuZToOwg3xSYEq07pPapd9xqnKcRGihv4j6aQ
> y5JZq+4oc0i4e286KB1OhDGposRcfWJfFWNSwk7ijKVlA6aAF/OfM9EAAlm3fWU7
> AkkpJslBQrxghCUhhPSrdUfNOCEQpHzOaCEUlyLRk1pY/52FGwQ=
> =ANtK
> -END PGP SIGNATURE-
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-29 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 1/28/20 6:02 PM, logo wrote:
>> > protocols="TLSv1.2+TLSv1.3" 
>> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13
05:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA
- -AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SH
A256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA
:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:D
HE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AE
S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
:AES128-SHA:AES256-SHA:!DSS">
>>
>> 
> certificateKeystorePassword="changeit" 
>> certificateKeyAlias="tomcat" type="RSA" /> 
> 
>> P12 is created with
> 
>> openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -certfile
>> chain.pem -out tomcat.p12 -name tomcat -CAfile ca.crt -caname
>> root -passout pass:changeit
> 
> 
>> Seems to be valid and working ;-) .

Hmm. What version of Java? Perhaps Java has gotten better about
detecting the type of keystore? Also, Tomcat respects the value of
- -Djavax.net.ssl.keyStoreType so if (a) you are explicitly setting it
to PKCS12 or (b) your Java version is doing that, then you don't need
to specify it, as it's the default.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4xq8sACgkQHPApP6U8
pFiQoBAAh85sDX5Q0aSMLyU5wQCsP2CPrA0iiaLwiU/rZ4Xr38mn8xW1lKAodjX8
enLvHnRsfvQk+spXtNCsN4W0lh1ZCt2Y9bkO44AtlsCMHTaCgx3XgzuXUSxmkg1+
ZsNv0jEWqslI0MwEZIzs8tlPbEg3EydjSF8kXf5fcygxA50FfR1o1ysY0cJNO2Z2
1pJDdueZPy0TzBquVAX9b+d9ElZk8QeavSJ4H8lFkj9Mjdj4XeqevuT/VayJKe34
hBrdCJfXgLh+xq251eMxjSSIxXC5B3tK0SE5IeyZyBxd5KBq4HmN8q/rJcWmvfMd
U+HUlvG0GugoodPnz2XklbJlW1J78uuhT81/sWp2PIiig7So/QSOJgpCuInJAdoh
wCaO1aZfYABxJSCbbZGEtT22ybilgA9rnocsuGjI5Wrxo3dBxzMQ9Y0QB56/bkEN
ZT2NnynXfEwVMlXqgnSqxga1hCW82wCfw8meZtye5Pc7QyvJDoEUqveakvNvjEIy
3OminOdu6KuIEjcLy2OJLs2voBqDuZToOwg3xSYEq07pPapd9xqnKcRGihv4j6aQ
y5JZq+4oc0i4e286KB1OhDGposRcfWJfFWNSwk7ijKVlA6aAF/OfM9EAAlm3fWU7
AkkpJslBQrxghCUhhPSrdUfNOCEQpHzOaCEUlyLRk1pY/52FGwQ=
=ANtK
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread logo 
Chris,



> Am 28.01.2020 um 19:35 schrieb Christopher Schultz 
> :
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Peter,
> 
> On 1/28/20 12:24 PM, Peter Kreuser wrote:
>>> Am 28.01.2020 um 18:02 schrieb Christopher Schultz 
>>> :
>>> 
>>> You have to say certificateKeystoreType="PKCS12" (for 
>>> , or keystoreType="PKCS12" for ) as well
>>> in your config.
>> 
>> You don‘t need that in the new SSLHostConfig, right? I don‘t have 
>> that attribute and it works... ???
> 
> I'd need to see your configuration, and know what type of keystore you
> are using.
> 

 
   


P12 is created with

openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -certfile chain.pem 
-out tomcat.p12 -name tomcat -CAfile ca.crt -caname root -passout pass:changeit 


Seems to be valid and working ;-) .


Peter

> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wfw4ACgkQHPApP6U8
> pFhm5A//e0VNCvCklGGFfNNxNdamDuzbaZZ3e/aCQeW85dat+rsHZDZKrPgb5MYz
> 7nwjgxooe0TcvkaXzaB/pJGD21ImntWtiTl42MyvPXmZl0PXyXjRGA2/XcQj/Yji
> vTWyVKl1TiH5s0fiIZrQZ0M6lTfQ7T2eVnTzX5MjQwin9zDzRDPl77Dbatn57d4H
> heMY4GgS7XfHrH/EN5jJvU+vXOKI/bS61ujM28+A1dJnEECduIZbsTQTSDah903t
> X/09b8jqUTPJNAQLIfk5/KQS2arhP2Nsoplsy+8a/KOJisRLRWZpoSga4N/CBc3D
> CoslAJM1w+za6BV+xKuZSP795ZiuqF34jnb36LTOkiaXcCrKrm4B35ImvCtSOgYX
> FvC4NJq+t4f3AVnvNkqaN6ygJifveI4g86C46r8A40YUFSydbQoKiwrDUGvbN+jq
> 568014A/p7n0k4N48KPyVZmH8x8NwlBE3n0V4/KW1kXikGUDcyFOoXp+g+nMhRpV
> l/I9US8rrBnJbkIlZLOibxI5LzRQ0mqMmspHaqzkl7zGWnP3EwvI1KysgpkotJ+i
> shAaY5z1IWg6i5w1iZK/JzOkpixBBZR4ckMAanZXV5UQaW06Swkc81C4vfpJoNAO
> qZINTga45uXg2/Wt5xkNjkv9+P5KVnPiVb3YhtGH4b1wRaI9qaQ=
> =E1yB
> -END PGP SIGNATURE-
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 1/28/20 12:24 PM, Peter Kreuser wrote:
>> Am 28.01.2020 um 18:02 schrieb Christopher Schultz 
>> :
>> 
>> You have to say certificateKeystoreType="PKCS12" (for 
>> , or keystoreType="PKCS12" for ) as well
>> in your config.
> 
> You don‘t need that in the new SSLHostConfig, right? I don‘t have 
> that attribute and it works... ???

I'd need to see your configuration, and know what type of keystore you
are using.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wfw4ACgkQHPApP6U8
pFhm5A//e0VNCvCklGGFfNNxNdamDuzbaZZ3e/aCQeW85dat+rsHZDZKrPgb5MYz
7nwjgxooe0TcvkaXzaB/pJGD21ImntWtiTl42MyvPXmZl0PXyXjRGA2/XcQj/Yji
vTWyVKl1TiH5s0fiIZrQZ0M6lTfQ7T2eVnTzX5MjQwin9zDzRDPl77Dbatn57d4H
heMY4GgS7XfHrH/EN5jJvU+vXOKI/bS61ujM28+A1dJnEECduIZbsTQTSDah903t
X/09b8jqUTPJNAQLIfk5/KQS2arhP2Nsoplsy+8a/KOJisRLRWZpoSga4N/CBc3D
CoslAJM1w+za6BV+xKuZSP795ZiuqF34jnb36LTOkiaXcCrKrm4B35ImvCtSOgYX
FvC4NJq+t4f3AVnvNkqaN6ygJifveI4g86C46r8A40YUFSydbQoKiwrDUGvbN+jq
568014A/p7n0k4N48KPyVZmH8x8NwlBE3n0V4/KW1kXikGUDcyFOoXp+g+nMhRpV
l/I9US8rrBnJbkIlZLOibxI5LzRQ0mqMmspHaqzkl7zGWnP3EwvI1KysgpkotJ+i
shAaY5z1IWg6i5w1iZK/JzOkpixBBZR4ckMAanZXV5UQaW06Swkc81C4vfpJoNAO
qZINTga45uXg2/Wt5xkNjkv9+P5KVnPiVb3YhtGH4b1wRaI9qaQ=
=E1yB
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread Peter Kreuser 
Chris,

> Am 28.01.2020 um 18:02 schrieb Christopher Schultz 
> :
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Peter,
> 
>> On 1/28/20 11:30 AM, Peter Kreuser wrote:
>> Peter Kreuser
>>> Am 28.01.2020 um 16:34 schrieb Christopher Schultz
>>> :
>>> 
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>> 
>>> Peter,
>>> 
>>> On 1/27/20 3:35 PM, logo wrote:
 Could you try openssl pkcs12 -export -in my.crt -inkey my.key
 -name tomcat -certfile my.ca-bundle -out my.jks  <<—  the
 output of pkcs12 is already a jks!!!  and -name tomcat is the
 alias
>>> 
>>> openssl cannot generate JKS files (fortunately!). If there is a
>>> format worse than PKCS12, it's JKS. pkcs12 creates PKCS12 files.
>> Oh I remember that... Dang. Never mind JKS,
>> 
>>> Java can read PKCS12 files and they are even deprecating JKS and
>>> JCEKS in favor of PKCS12, so you don't even have to use keytool
>>> anymore.
>> 
>> That was my point. With the openssl oneliner, tomcat/java would be
>> able to read the created p12 file. So name it appropriately my.p12
>> and Léonard should be fine, right?
> 
> You have to say certificateKeystoreType="PKCS12" (for ,
> or keystoreType="PKCS12" for ) as well in your config.

You don‘t need that in the new SSLHostConfig, right? I don‘t have that 
attribute and it works... ???

Peter

> - -chris
> 
>>> -BEGIN PGP SIGNATURE- Comment: Using GnuPG with
>>> Thunderbird - https://www.enigmail.net/
>>> 
>>> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wVGYACgkQHPApP6U8 
>>> pFhaXw//dJcRnA6Q8HUWWgubTA6jlPu85e4LoOxk4qExgCD9P5z3YnqS1Y6YqsmP 
>>> yrTykv/A2vA84ZgAetDU1IASQ08MYXsl4poSFMMOdLRPKEd1MlBzWo+yfR0+e79M 
>>> fWaZ6TbSioXTktWyLZspAaAM5ElFsvgRpktY6pY1+R042BoIj/NwQOsN7OiWWPE+ 
>>> sJVFRODD9cZ45MvuRdCli07hDqBmFrpOCdYYz2FIp2ANdce2N4W8GF64AgnQ5K6T 
>>> 6ofA5HeLjWLmJgrrPuO09lNF2DROufBICz6sDP81UdrfLYEYQO2csFQx+8VSArFy 
>>> Ph3iEp17HR/hkf3ztRe+5frXQxba9vKHyzVrT3nDjMCvVTUUN41kOd41PkAmyqAx 
>>> Jy6hAwRRiXP5a47g7RXfNF5wDzY7taKVwVblRLa8qrzi3ub3VYmpdIH29g0b3W8F 
>>> YbTMTQLUyzDog4yPyTcGwDqkBw8B9Z9dOg+ak005mrjsGBBx/FDpSvgQo0kOvmrG 
>>> YvrUvShrnBpPM3BC27Y46WnqwrJMGbrk2FeHtlvrlND+QFZ50IiTf/VPBGisN8+h 
>>> pjUcC1UfvTWgH6YpBtdjSJkAjJZAQWchGG1WflR4St1aIyML95yDkZQcbrLHzgN/ 
>>> hgzocAzSWakkYppdwzgfuIdwpOsjzh1ld5fuoo0ibwhpBQdmMew= =NdCj 
>>> -END PGP SIGNATURE-
>>> 
>>> -
>>> 
>>> 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 
>> -
>> 
>> 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4waQgACgkQHPApP6U8
> pFg1BhAAl9GJyuglklWROZOWmor0dOQoFtPsPqDi/4FvGiU9QbbodNJv2FEfa+To
> XU3VpD9AfUasuRcNcvvWaYCg+wsbeglYvp94RtO++mQsT7uMqJ1efynWJ+YH/Hbd
> aTgD9GFIzQjBWpo/5OU9ws2kxGlKKRM+z8haQ0MklRY6R84IZKN7IW7B0Xm4uuWn
> +qfBapA0j8SJQ6RQiA5paujFTmx3WYW1rVMSZR7lXcxwLs1lrvaRWvWN4gUMhqA+
> QHf9LZATcA4FDj5vkWetMN4pbC266rTdKMl4Uss0WeED6u2CmX/tCfWA3hqc1tL5
> 2WyZTnnuT8n5SIXRFaqlqMP29PHXE9vTjvZ/ydsUNB72vOh6C3ucFShs98mu5rNW
> WtC0k1Z7pBwh9pIkeFUY1d/p2AkWxHG4lfTN9fiE60nXn317xGhKQzYx46DSbibq
> qum/RVt98uzM2pft9a76n+xhA+YBb0Poq+4XpIWb6wIVrJ6GV8AAwX1s3vDXMjvR
> IC8MsR1nI3YD69slKH6q1zzQsAuh6+qGbNG3DnQYP+WsTwuD0LlGcjkGwPyUMceo
> A7BioOSzdVtiwMjtsYAGux/9auc3403vPb3GPXOXBvjP23x7eGW4PZhTlT7k2DRg
> P5WpfVUPyZ0tJU41xA+eEQ/iBMg0Qn8sOAYy+FQf8obhrUgybpw=
> =Z1+f
> -END PGP SIGNATURE-
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 1/28/20 11:30 AM, Peter Kreuser wrote:
> Peter Kreuser
>> Am 28.01.2020 um 16:34 schrieb Christopher Schultz
>> :
>> 
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Peter,
>> 
>> On 1/27/20 3:35 PM, logo wrote:
>>> Could you try openssl pkcs12 -export -in my.crt -inkey my.key
>>> -name tomcat -certfile my.ca-bundle -out my.jks  <<—  the
>>> output of pkcs12 is already a jks!!!  and -name tomcat is the
>>> alias
>> 
>> openssl cannot generate JKS files (fortunately!). If there is a
>> format worse than PKCS12, it's JKS. pkcs12 creates PKCS12 files.
> Oh I remember that... Dang. Never mind JKS,
> 
>> Java can read PKCS12 files and they are even deprecating JKS and
>> JCEKS in favor of PKCS12, so you don't even have to use keytool
>> anymore.
> 
> That was my point. With the openssl oneliner, tomcat/java would be
> able to read the created p12 file. So name it appropriately my.p12
> and Léonard should be fine, right?

You have to say certificateKeystoreType="PKCS12" (for ,
or keystoreType="PKCS12" for ) as well in your config.

- -chris

>> -BEGIN PGP SIGNATURE- Comment: Using GnuPG with
>> Thunderbird - https://www.enigmail.net/
>> 
>> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wVGYACgkQHPApP6U8 
>> pFhaXw//dJcRnA6Q8HUWWgubTA6jlPu85e4LoOxk4qExgCD9P5z3YnqS1Y6YqsmP 
>> yrTykv/A2vA84ZgAetDU1IASQ08MYXsl4poSFMMOdLRPKEd1MlBzWo+yfR0+e79M 
>> fWaZ6TbSioXTktWyLZspAaAM5ElFsvgRpktY6pY1+R042BoIj/NwQOsN7OiWWPE+ 
>> sJVFRODD9cZ45MvuRdCli07hDqBmFrpOCdYYz2FIp2ANdce2N4W8GF64AgnQ5K6T 
>> 6ofA5HeLjWLmJgrrPuO09lNF2DROufBICz6sDP81UdrfLYEYQO2csFQx+8VSArFy 
>> Ph3iEp17HR/hkf3ztRe+5frXQxba9vKHyzVrT3nDjMCvVTUUN41kOd41PkAmyqAx 
>> Jy6hAwRRiXP5a47g7RXfNF5wDzY7taKVwVblRLa8qrzi3ub3VYmpdIH29g0b3W8F 
>> YbTMTQLUyzDog4yPyTcGwDqkBw8B9Z9dOg+ak005mrjsGBBx/FDpSvgQo0kOvmrG 
>> YvrUvShrnBpPM3BC27Y46WnqwrJMGbrk2FeHtlvrlND+QFZ50IiTf/VPBGisN8+h 
>> pjUcC1UfvTWgH6YpBtdjSJkAjJZAQWchGG1WflR4St1aIyML95yDkZQcbrLHzgN/ 
>> hgzocAzSWakkYppdwzgfuIdwpOsjzh1ld5fuoo0ibwhpBQdmMew= =NdCj 
>> -END PGP SIGNATURE-
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4waQgACgkQHPApP6U8
pFg1BhAAl9GJyuglklWROZOWmor0dOQoFtPsPqDi/4FvGiU9QbbodNJv2FEfa+To
XU3VpD9AfUasuRcNcvvWaYCg+wsbeglYvp94RtO++mQsT7uMqJ1efynWJ+YH/Hbd
aTgD9GFIzQjBWpo/5OU9ws2kxGlKKRM+z8haQ0MklRY6R84IZKN7IW7B0Xm4uuWn
+qfBapA0j8SJQ6RQiA5paujFTmx3WYW1rVMSZR7lXcxwLs1lrvaRWvWN4gUMhqA+
QHf9LZATcA4FDj5vkWetMN4pbC266rTdKMl4Uss0WeED6u2CmX/tCfWA3hqc1tL5
2WyZTnnuT8n5SIXRFaqlqMP29PHXE9vTjvZ/ydsUNB72vOh6C3ucFShs98mu5rNW
WtC0k1Z7pBwh9pIkeFUY1d/p2AkWxHG4lfTN9fiE60nXn317xGhKQzYx46DSbibq
qum/RVt98uzM2pft9a76n+xhA+YBb0Poq+4XpIWb6wIVrJ6GV8AAwX1s3vDXMjvR
IC8MsR1nI3YD69slKH6q1zzQsAuh6+qGbNG3DnQYP+WsTwuD0LlGcjkGwPyUMceo
A7BioOSzdVtiwMjtsYAGux/9auc3403vPb3GPXOXBvjP23x7eGW4PZhTlT7k2DRg
P5WpfVUPyZ0tJU41xA+eEQ/iBMg0Qn8sOAYy+FQf8obhrUgybpw=
=Z1+f
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread Peter Kreuser 
Chris,



Peter Kreuser
> Am 28.01.2020 um 16:34 schrieb Christopher Schultz 
> :
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Peter,
> 
> On 1/27/20 3:35 PM, logo wrote:
>> Could you try
>> openssl pkcs12 -export -in my.crt -inkey my.key -name tomcat
>> -certfile my.ca-bundle -out my.jks  <<—  the output of pkcs12 is
>> already a jks!!!  and -name tomcat is the alias
> 
> openssl cannot generate JKS files (fortunately!). If there is a format
> worse than PKCS12, it's JKS. pkcs12 creates PKCS12 files.
Oh I remember that... Dang. Never mind JKS,

> Java can read PKCS12 files and they are even deprecating JKS and JCEKS
> in favor of PKCS12, so you don't even have to use keytool anymore.

That was my point. With the openssl oneliner, tomcat/java would be able to read 
the created p12 file.
So name it appropriately my.p12 and Léonard should be fine, right?

Peter

> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wVGYACgkQHPApP6U8
> pFhaXw//dJcRnA6Q8HUWWgubTA6jlPu85e4LoOxk4qExgCD9P5z3YnqS1Y6YqsmP
> yrTykv/A2vA84ZgAetDU1IASQ08MYXsl4poSFMMOdLRPKEd1MlBzWo+yfR0+e79M
> fWaZ6TbSioXTktWyLZspAaAM5ElFsvgRpktY6pY1+R042BoIj/NwQOsN7OiWWPE+
> sJVFRODD9cZ45MvuRdCli07hDqBmFrpOCdYYz2FIp2ANdce2N4W8GF64AgnQ5K6T
> 6ofA5HeLjWLmJgrrPuO09lNF2DROufBICz6sDP81UdrfLYEYQO2csFQx+8VSArFy
> Ph3iEp17HR/hkf3ztRe+5frXQxba9vKHyzVrT3nDjMCvVTUUN41kOd41PkAmyqAx
> Jy6hAwRRiXP5a47g7RXfNF5wDzY7taKVwVblRLa8qrzi3ub3VYmpdIH29g0b3W8F
> YbTMTQLUyzDog4yPyTcGwDqkBw8B9Z9dOg+ak005mrjsGBBx/FDpSvgQo0kOvmrG
> YvrUvShrnBpPM3BC27Y46WnqwrJMGbrk2FeHtlvrlND+QFZ50IiTf/VPBGisN8+h
> pjUcC1UfvTWgH6YpBtdjSJkAjJZAQWchGG1WflR4St1aIyML95yDkZQcbrLHzgN/
> hgzocAzSWakkYppdwzgfuIdwpOsjzh1ld5fuoo0ibwhpBQdmMew=
> =NdCj
> -END PGP SIGNATURE-
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Install Comodo SSL in Tomcat

2020-01-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 1/27/20 3:35 PM, logo wrote:
> Could you try
> 
> openssl pkcs12 -export -in my.crt -inkey my.key -name tomcat
> -certfile my.ca-bundle -out my.jks  <<—  the output of pkcs12 is
> already a jks!!!  and -name tomcat is the alias

openssl cannot generate JKS files (fortunately!). If there is a format
worse than PKCS12, it's JKS. pkcs12 creates PKCS12 files.

Java can read PKCS12 files and they are even deprecating JKS and JCEKS
in favor of PKCS12, so you don't even have to use keytool anymore.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wVGYACgkQHPApP6U8
pFhaXw//dJcRnA6Q8HUWWgubTA6jlPu85e4LoOxk4qExgCD9P5z3YnqS1Y6YqsmP
yrTykv/A2vA84ZgAetDU1IASQ08MYXsl4poSFMMOdLRPKEd1MlBzWo+yfR0+e79M
fWaZ6TbSioXTktWyLZspAaAM5ElFsvgRpktY6pY1+R042BoIj/NwQOsN7OiWWPE+
sJVFRODD9cZ45MvuRdCli07hDqBmFrpOCdYYz2FIp2ANdce2N4W8GF64AgnQ5K6T
6ofA5HeLjWLmJgrrPuO09lNF2DROufBICz6sDP81UdrfLYEYQO2csFQx+8VSArFy
Ph3iEp17HR/hkf3ztRe+5frXQxba9vKHyzVrT3nDjMCvVTUUN41kOd41PkAmyqAx
Jy6hAwRRiXP5a47g7RXfNF5wDzY7taKVwVblRLa8qrzi3ub3VYmpdIH29g0b3W8F
YbTMTQLUyzDog4yPyTcGwDqkBw8B9Z9dOg+ak005mrjsGBBx/FDpSvgQo0kOvmrG
YvrUvShrnBpPM3BC27Y46WnqwrJMGbrk2FeHtlvrlND+QFZ50IiTf/VPBGisN8+h
pjUcC1UfvTWgH6YpBtdjSJkAjJZAQWchGG1WflR4St1aIyML95yDkZQcbrLHzgN/
hgzocAzSWakkYppdwzgfuIdwpOsjzh1ld5fuoo0ibwhpBQdmMew=
=NdCj
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Install comodo SSL to Tomcat

2020-01-28 Thread Léonard WAMBERGUE 
Hello everyone,

So yesterday, it was possible to access to my website by 8443 port and i get an 
A by ssl test website. But now, i’m facing a new trouble with my tomcat and the 
website isn’t accessible by none of 8443 or 8080. I don’t remember changing 
Something sensible but i had to reinstall apache for phpMyAdmin. 
I have thisi'm facing a new trouble error in my Catalina.out :
27-Jan-2020 21:30:03.107 INFO [http-nio-194.5.159.189-8080-exec-7] 
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request 
header
 Note: further occurrences of HTTP request parsing errors will be logged at 
DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method 
name. HTTP method names must be tokens
at 
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:415)
at 
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
27-Jan-2020 21:30:03.112 INFO [http-nio-194.5.159.189-8080-exec-8] 
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request 
header
 Note: further occurrences of HTTP request parsing errors will be logged at 
DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method 
name. HTTP method names must be tokens
at 
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:415)
at 
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
8-Jan-2020 08:41:33.041 INFO [http-nio-194.5.159.189-8080-exec-1] 
org.apache.coyote.http11.Http11Processor.service Error parsing HT$
 Note: further occurrences of HTTP request parsing errors will be logged at 
DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method 
name. HTTP method names must be tokens
at 
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:415)
at 
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
at 
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at 
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)

Thank in advance for helping me and sorry for had sent my email to logo.

Provenance : Courrier pour Windows 10

Re: Install Comodo SSL in Tomcat

2020-01-27 Thread Felix Schumacher 


Am 27.01.20 um 21:24 schrieb logo:
> Leonard,
>
> Please respond to the list!!! Easiest as respond to all...
>
>
>> Am 27.01.2020 um 17:48 schrieb Léonard WAMBERGUE
:
>>
>> Ok so i put 8443 in my connector but not yet the alias. Now i have in
my browser the error : ERR_CONNECTION_TIMED_OUT.
>>  
>> I have this error in Catalina out with context.xml :
>>  
>> 27-Jan-2020 16:40:12.646 SEVERE [main]
org.apache.catalina.startup.ContextConfig.processContextConfig Parse
error in context.xml for [/host-manager]
>> org.xml.sax.SAXParseException; systemId:
file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber:
19; columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:306)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3085)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
>>  
>> And this :
>>  
>
>
>
>> 27-Jan-2020 16:40:12.639 WARNING [main]
org.apache.catalina.startup.SetContextPropertiesRule.begin
[SetContextPropertiesRule]{Context} Setting property
'antiResourceLocking' to 'false' did not find a matching property.
>> 27-Jan-2020 16:40:12.641 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError Parse fatal error at
line [19] column [7]
>> org.xml.sax.SAXParseException; systemId:
file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber:
19; columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
>>  
>> But i have not find the same error it’s seem like port 8443 solve the
error in my last email. I hadn’t edit the context.xml so i don’t
understand this problem. It can be wrong installation of tomcat ?
>>  
>

> Ok, I’m at loss here. Maybe your web app did not get that far to load
before you changed the port??? Could you please put the (redacted)
content here?

Yes, context.xml will be parsed after server.xml.

Have a look at the context.xml file mentioned in the error trace and
look at line 19 column 7. There will probably be an umlaut with a wrong
enconding. The parser expects utf-8 (mentionend in the first line of the
xml file?) but I suspect it finds iso-8859-1 (or something similar). On
linux you could use the 'file' command to get information about the
encoding.

Regards

 Felix


>
> Peter
>
>
>> Thank for helping me !
>>  
>> Provenance : Courrier
<https://go.microsoft.com/fwlink/?LinkId=550986> pour Windows 10
>>  
>> De : logo <mailto:l...@kreuser.name>
>> Envoyé le :lundi 27 janvier 2020 17:32
>> À : Tomcat Users List <mailto:users@tomcat.apache.org>
>> Cc : Léonard WAMBERGUE <mailto:leonard.wambergue...@gmail.com>
>> Objet :Re: RE : Install Comodo SSL in Tomcat
>>  
>> Leonard,
>>  
>>  
>> Am 2020-01-27 16:53, schrieb Léonard WAMBERGUE:
>>> Ok so i have find this error (severe) in my Catalina.out about
>>> connector :
>>>
>>> 27-Jan-2020 10:52:23.625 INFO [main]
>>> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
>>> ["http-nio-194.5.159.189-8080"]
>>> 27-Jan-2020 10:52:23.760 INFO [main]
>>> org.apache.coyote.AbstractProtocol.init Initializing Prot

Fwd: Install Comodo SSL in Tomcat

2020-01-27 Thread logo 
Fwd to the list

> Anfang der weitergeleiteten Nachricht:
> 
> Von: Léonard WAMBERGUE 
> Betreff: RE : Re: Install Comodo SSL in Tomcat
> Datum: 27. Januar 2020 um 21:40:58 MEZ
> An: logo 
> 
> Peter,
>  
> Thank for your help, since my email i was able to find a solution now my 
> website can be reach by 8443. The next step is to make disappear the port in 
> url if you have any ideas but actually it’s work !
> However, i noticed that i have this in my Catalina.out :
> 27-Jan-2020 18:36:54.764 SEVERE [main] 
> org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory 
> for deployment: [/opt/tomcat/conf/Catalina/localhost]
>  
> 27-Jan-2020 19:21:35.463 WARNING [main] 
> org.apache.catalina.startup.SetAllPropertiesRule.begin 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'maxSpareThreads' to '75' did not find a matching property.
>  
> The main problem is solve !
>  
> Regards,
>  
>  
>  
> Provenance : Courrier <https://go.microsoft.com/fwlink/?LinkId=550986> pour 
> Windows 10
>  
> De : logo <mailto:l...@kreuser.name>
> Envoyé le :lundi 27 janvier 2020 21:35
> À : Tomcat Users List <mailto:users@tomcat.apache.org>
> Cc : Léonard WAMBERGUE <mailto:leonard.wambergue...@gmail.com>
> Objet :Re: Install Comodo SSL in Tomcat
>  
> Leonard,
> 
> 
> Am 27.01.2020 um 18:50 schrieb Léonard WAMBERGUE 
> mailto:leonard.wambergue...@gmail.com>>:
>  
> Peter,
>  
> I hadn’t seen that i hadn’t answered to all.
>  
> Comodo didn’t send me a key file, *they* = Hostinger, and i can download a 
> zip from their website with my certificates and my server key but i don’t 
> have the CSR.
>  
>  
> Still not helpful if your hoster has the private key - that’s not what 
> private means  If you have access to openssl you could create the CSR 
> yourself and the reissue the cert. Or think about moving to Let’s Encrypt and 
> save the money. But that’s a future step. Let’s get you to https first!!!
>  
>  
> 
> 
> The JKS file was made with :
> openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca 
> <http://my.ca/>-bundle -out my.pf
> keytool -importkeystore -srckeystore my.pfx -srcstoretype pkcs12 
> -destkeystore my.jks -deststoretype jks
> So i can’t add any alias with those 2 lines. And without alias i can’t change 
> it with -changealias
>  
>  
> Could you try
>  
> openssl pkcs12 -export -in my.crt -inkey my.key -name tomcat -certfile my.ca 
> <http://my.ca/>-bundle -out my.jks  <<—  the output of pkcs12 is already a 
> jks!!!  and -name tomcat is the alias
>  
> keytool -list -v  -keystore my.jks
>  
>  
> A onliner!
> 
> Hope this helps
>  
> Peter
> 
> 
> The connector actually look like :
> «  minSpareThreads="25" maxSpareThreads="75" 
> enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" SSLEnabled="true"  clientAuth="false" 
> sslProtocol="all"
> keystoreFile="/opt/tomcat/certs/my.jks" SSLPassword="mypass"
>  keystorePass="mypass"/> »
> Thank for helping me
>  
>  
> Provenance : Courrier <https://go.microsoft.com/fwlink/?LinkId=550986> pour 
> Windows 10
>  
> De : logo <mailto:l...@kreuser.name>
> Envoyé le :lundi 27 janvier 2020 17:32
> À : Tomcat Users List <mailto:users@tomcat.apache.org>
> Cc : Léonard WAMBERGUE <mailto:leonard.wambergue...@gmail.com>
> Objet :Re: RE : Install Comodo SSL in Tomcat
>  
> Leonard,
>  
>  
> Am 2020-01-27 16:53, schrieb Léonard WAMBERGUE:
> > Ok so i have find this error (severe) in my Catalina.out about
> > connector :
> > 
> > 27-Jan-2020 10:52:23.625 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["http-nio-194.5.159.189-8080"]
> > 27-Jan-2020 10:52:23.760 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["https-openssl-nio-443"]
> > 27-Jan-2020 10:52:23.764 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> > to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
> > at
> > org.apache.catalina.uti

Re: Install Comodo SSL in Tomcat

2020-01-27 Thread logo 
Leonard,

> Am 27.01.2020 um 18:50 schrieb Léonard WAMBERGUE 
> :
> 
> Peter,
>  
> I hadn’t seen that i hadn’t answered to all.
>  
> Comodo didn’t send me a key file, *they* = Hostinger, and i can download a 
> zip from their website with my certificates and my server key but i don’t 
> have the CSR.
>  

Still not helpful if your hoster has the private key - that’s not what private 
means  If you have access to openssl you could create the CSR yourself and 
the reissue the cert. Or think about moving to Let’s Encrypt and save the 
money. But that’s a future step. Let’s get you to https first!!!



> The JKS file was made with :
> openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca 
> <http://my.ca/>-bundle -out my.pf
> keytool -importkeystore -srckeystore my.pfx -srcstoretype pkcs12 
> -destkeystore my.jks -deststoretype jks
> So i can’t add any alias with those 2 lines. And without alias i can’t change 
> it with -changealias
>  

Could you try

openssl pkcs12 -export -in my.crt -inkey my.key -name tomcat -certfile 
my.ca-bundle -out my.jks  <<—  the output of pkcs12 is already a jks!!!  and 
-name tomcat is the alias

keytool -list -v  -keystore my.jks


A onliner!

Hope this helps

Peter

> The connector actually look like :
> «  minSpareThreads="25" maxSpareThreads="75" 
> enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" SSLEnabled="true"  clientAuth="false" 
> sslProtocol="all"
> keystoreFile="/opt/tomcat/certs/my.jks" SSLPassword="mypass"
>  keystorePass="mypass"/> »
> Thank for helping me
>  
>  
> Provenance : Courrier <https://go.microsoft.com/fwlink/?LinkId=550986> pour 
> Windows 10
>  
> De : logo <mailto:l...@kreuser.name>
> Envoyé le :lundi 27 janvier 2020 17:32
> À : Tomcat Users List <mailto:users@tomcat.apache.org>
> Cc : Léonard WAMBERGUE <mailto:leonard.wambergue...@gmail.com>
> Objet :Re: RE : Install Comodo SSL in Tomcat
>  
> Leonard,
>  
>  
> Am 2020-01-27 16:53, schrieb Léonard WAMBERGUE:
> > Ok so i have find this error (severe) in my Catalina.out about
> > connector :
> >
> > 27-Jan-2020 10:52:23.625 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["http-nio-194.5.159.189-8080"]
> > 27-Jan-2020 10:52:23.760 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["https-openssl-nio-443"]
> > 27-Jan-2020 10:52:23.764 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> > to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
> > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at
> > org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at
> > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at
> > org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> > at
> > org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> > at
> > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > at
> > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> > java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at
> > java.base/java.lang.reflect.Method.invoke(Method.java:566)
> > at
> > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> > at
> > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> > Caused by: java.net.SocketException: Permission denied
> > at java.base/sun.nio.ch.Net.bind0(Native Method)
> > at java.base/sun.nio.ch.Net.bi

Re: Install Comodo SSL in Tomcat

2020-01-27 Thread logo 
Leonard,

Please respond to the list!!! Easiest as respond to all...


> Am 27.01.2020 um 17:48 schrieb Léonard WAMBERGUE 
> :
> 
> Ok so i put 8443 in my connector but not yet the alias. Now i have in my 
> browser the error : ERR_CONNECTION_TIMED_OUT. 
>  
> I have this error in Catalina out with context.xml :
>  
> 27-Jan-2020 16:40:12.646 SEVERE [main] 
> org.apache.catalina.startup.ContextConfig.processContextConfig Parse error in 
> context.xml for [/host-manager]
> org.xml.sax.SAXParseException; systemId: 
> file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber: 19; 
> columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
> at 
> java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
> at 
> java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
> at 
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
> at 
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:306)
> at 
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3085)
> at 
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
> at 
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
> at 
> java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
> at 
> java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
> at 
> java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
>  
> And this :
>  



> 27-Jan-2020 16:40:12.639 WARNING [main] 
> org.apache.catalina.startup.SetContextPropertiesRule.begin 
> [SetContextPropertiesRule]{Context} Setting property 'antiResourceLocking' to 
> 'false' did not find a matching property.
> 27-Jan-2020 16:40:12.641 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError Parse fatal error at line 
> [19] column [7]
> org.xml.sax.SAXParseException; systemId: 
> file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber: 19; 
> columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
> at 
> java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
> at 
> java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
>  
> But i have not find the same error it’s seem like port 8443 solve the error 
> in my last email. I hadn’t edit the context.xml so i don’t understand this 
> problem. It can be wrong installation of tomcat ?
>  

Ok, I’m at loss here. Maybe your web app did not get that far to load before 
you changed the port??? Could you please put the (redacted) content here?

Peter


> Thank for helping me !
>  
> Provenance : Courrier <https://go.microsoft.com/fwlink/?LinkId=550986> pour 
> Windows 10
>  
> De : logo <mailto:l...@kreuser.name>
> Envoyé le :lundi 27 janvier 2020 17:32
> À : Tomcat Users List <mailto:users@tomcat.apache.org>
> Cc : Léonard WAMBERGUE <mailto:leonard.wambergue...@gmail.com>
> Objet :Re: RE : Install Comodo SSL in Tomcat
>  
> Leonard,
>  
>  
> Am 2020-01-27 16:53, schrieb Léonard WAMBERGUE:
> > Ok so i have find this error (severe) in my Catalina.out about
> > connector :
> >
> > 27-Jan-2020 10:52:23.625 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["http-nio-194.5.159.189-8080"]
> > 27-Jan-2020 10:52:23.760 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["https-openssl-nio-443"]
> > 27-Jan-2020 10:52:23.764 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> > to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
> > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at
> &g

Re: RE : Install Comodo SSL in Tomcat

2020-01-27 Thread logo 

Leonard,


Am 2020-01-27 16:53, schrieb Léonard WAMBERGUE:
Ok so i have find this error (severe) in my Catalina.out about 
connector :


27-Jan-2020 10:52:23.625 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["http-nio-194.5.159.189-8080"]
27-Jan-2020 10:52:23.760 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["https-openssl-nio-443"]
27-Jan-2020 10:52:23.764 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at 
org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at 
org.apache.catalina.startup.Catalina.load(Catalina.java:607)

at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at 
java.base/java.lang.reflect.Method.invoke(Method.java:566)

at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
at



that looks like you're trying to start a privileged port without being 
root.


try to start on port 8443, and see if you can connect.

After that you may need a natting to map port 443 to 8443. (you should 
not start tomcat as root or privileged windows user)


Peter.


java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
at
java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
at
org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:229)
at
org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:212)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more

I will add an alias to my keystore and i had seen others errors in
context.xml but i never edit this file.
Provenance : Courrier pour Windows 10

De : Christopher Schultz
Envoyé le :lundi 27 janvier 2020 14:24
À : users@tomcat.apache.org
Objet :Re: Install Comodo SSL in Tomcat

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Léonard,

On 1/27/20 4:57 AM, Léonard WAMBERGUE wrote:

I’m resending this email because i wasn’t well subscribed to users.
I have a VPS server which turn with Ubuntu and i had install
apache/maven and tomcat.> My server version is Apache
Tomcat/9.0.30.

So i deploy my webapp with a ROOT.war file in tomcat. The website
is running on port 8080 and 80 with a redirection. Now i am trying
to install a Comodo SSL to my website and configure my 443 port in
order to use Something like https://mydomain.com.

After purchasing my comodo certificate i received a zip which
containing a key file, a bundle and .crt like mydomain.crt.

Are you sure Comodo send you a .key file? That would be very unusual.

When you applied for the certificate, did you send them a Certificate
Signing Request (CSR)? Or did *they* generate the server-key for you?
You should never let anyone else generate your server key for you.


I had already configure mydomain.jks with a keystore and configure
my connector with this code :

What is in the JKS file? Did you add anything from the ZIP file into
the JKS file?





That looks okay to me, except that you don't have a certificate
"alias" listed, so Tomcat will choose the first certificate it finds
in the store, which may not be the o

RE : Install Comodo SSL in Tomcat

2020-01-27 Thread Léonard WAMBERGUE 
Ok so i have find this error (severe) in my Catalina.out about connector :

27-Jan-2020 10:52:23.625 INFO [main] org.apache.coyote.AbstractProtocol.init 
Initializing ProtocolHandler ["http-nio-194.5.159.189-8080"]
27-Jan-2020 10:52:23.760 INFO [main] org.apache.coyote.AbstractProtocol.init 
Initializing ProtocolHandler ["https-openssl-nio-443"]
27-Jan-2020 10:52:23.764 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at 
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
at 
java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
at 
java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
at 
org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:229)
at 
org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:212)
at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at 
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more

I will add an alias to my keystore and i had seen others errors in context.xml 
but i never edit this file.
Provenance : Courrier pour Windows 10

De : Christopher Schultz
Envoyé le :lundi 27 janvier 2020 14:24
À : users@tomcat.apache.org
Objet :Re: Install Comodo SSL in Tomcat

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Léonard,

On 1/27/20 4:57 AM, Léonard WAMBERGUE wrote:
> I’m resending this email because i wasn’t well subscribed to users.
> I have a VPS server which turn with Ubuntu and i had install 
> apache/maven and tomcat.> My server version is Apache
> Tomcat/9.0.30.
> 
> So i deploy my webapp with a ROOT.war file in tomcat. The website
> is running on port 8080 and 80 with a redirection. Now i am trying
> to install a Comodo SSL to my website and configure my 443 port in
> order to use Something like https://mydomain.com.
> 
> After purchasing my comodo certificate i received a zip which 
> containing a key file, a bundle and .crt like mydomain.crt.
Are you sure Comodo send you a .key file? That would be very unusual.

When you applied for the certificate, did you send them a Certificate
Signing Request (CSR)? Or did *they* generate the server-key for you?
You should never let anyone else generate your server key for you.

> I had already configure mydomain.jks with a keystore and configure
> my connector with this code :
What is in the JKS file? Did you add anything from the ZIP file into
the JKS file?

>  minSpareThreads="25" maxSpareThreads="75" enableLookups="false" 
> disableUploadTimeout="true" acceptCount="100" scheme="https" 
> secure="true" SSLEnabled="true"  clientAuth="false"
> sslProtocol="TLS" keystoreFile="/opt/tomcat/certs/my.jks" 
> keystorePass="myPass"/>

That looks okay

Re: Install Comodo SSL in Tomcat

2020-01-27 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Léonard,

On 1/27/20 4:57 AM, Léonard WAMBERGUE wrote:
> I’m resending this email because i wasn’t well subscribed to users.
> I have a VPS server which turn with Ubuntu and i had install 
> apache/maven and tomcat.> My server version is Apache
> Tomcat/9.0.30.
> 
> So i deploy my webapp with a ROOT.war file in tomcat. The website
> is running on port 8080 and 80 with a redirection. Now i am trying
> to install a Comodo SSL to my website and configure my 443 port in
> order to use Something like https://mydomain.com.
> 
> After purchasing my comodo certificate i received a zip which 
> containing a key file, a bundle and .crt like mydomain.crt.
Are you sure Comodo send you a .key file? That would be very unusual.

When you applied for the certificate, did you send them a Certificate
Signing Request (CSR)? Or did *they* generate the server-key for you?
You should never let anyone else generate your server key for you.

> I had already configure mydomain.jks with a keystore and configure
> my connector with this code :
What is in the JKS file? Did you add anything from the ZIP file into
the JKS file?

>  minSpareThreads="25" maxSpareThreads="75" enableLookups="false" 
> disableUploadTimeout="true" acceptCount="100" scheme="https" 
> secure="true" SSLEnabled="true"  clientAuth="false"
> sslProtocol="TLS" keystoreFile="/opt/tomcat/certs/my.jks" 
> keystorePass="myPass"/>

That looks okay to me, except that you don't have a certificate
"alias" listed, so Tomcat will choose the first certificate it finds
in the store, which may not be the one you want to use.

The contents of the JKS file are pretty important for us to see. You
can dump the file like this:

$ keytool -list -keystore /opt/tomcat/certs/my.jks -storetype JKS

> But when i’m trying to connect to https://mydomain.com i have 
> err_connection_refused and this website don’t allow connexion.
What do the logs say on startup? If the  cannot start, it
won't bind to the socket and you'll get "connection refused" on the
client side.

> I had already search many hours how to configure my ssl and i’m a 
> beginner. I had already try to configure ufw but actually it
> doesn’t work.

You came to the right place. We'll get you going.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4u5JgACgkQHPApP6U8
pFjFvw//ReeWQaEbxaGq0Ae8lzedvNHTxwjE17/rD8nCD/Yr71lsUIoJt3Ej8NAz
DsA8Idr00XRKFFmO1FkFiZ1Vw5XCxLr6fSSv5I6R66Ttj7asjGDrI6M6hfnzth4g
cL1CMk2kL0Hn/fK0N+MrBpoQHDHElDgAbtiJyivzJP9cDkLxp99KDTguBesG887Q
hyt8JmMomsXw5OyXe/sxzkyMQToiTwLw7VBRYKtklIpEXOnBo0rDOihWTPc/Ucht
tl1QI4pDqwhITOIFUgGTfwrXhxfVXARgFbHc76ZNwDNuqn/OwxKn9mxAUTq1kYaU
Ve51835QBoRz1Y3yoJ7C+MPR5FfnWnyqS+6Slx0+zu961nj889V4bali5hx0aABq
Df7QOBNPsSA2qhX8y07BAoKLro4nf3oi6a9dSKZ7njw366nntvRBYXN8fUjioJ9i
W5kWALj3wBM2gFHFQnw+srU31WiKRjezSWPKc8c51VHVTFLe2W/EHTE+XAO2179Z
mo4SIa0dPVNoV7Yvxq03YAP+WvdjcFRErB4nSYm2HRLQv5t15MEmDW0fFQaCnQL/
uww5ENscU6RKXGtGrzooN6u9CfFt3x1SrqL+oGfVEj7plKTZKwNY+4BU4+u3XqSO
oWRtTgPJUHvx0CZXJREQAJukDQLXvbQ16WfpUa2vIwZYt7blkNA=
=EBS2
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Install Comodo SSL in Tomcat

2020-01-27 Thread Léonard WAMBERGUE 
Dear Sir or Madam,

I’m resending this email because i wasn’t well subscribed to users.
I have a VPS server which turn with Ubuntu and i had install apache/maven and 
tomcat.
My server version is Apache Tomcat/9.0.30.
So i deploy my webapp with a ROOT.war file in tomcat. The website is running on 
port 8080 and 80 with a redirection. Now i am trying to install a Comodo SSL to 
my website and configure my 443 port in order to use Something like 
https://mydomain.com.

After purchasing my comodo certificate i received a zip which containing a key 
file, a bundle and .crt like mydomain.crt.
I had already configure mydomain.jks with a keystore and configure my connector 
with this code :

But when i’m trying to connect to https://mydomain.com i have 
err_connection_refused and this website don’t allow connexion. 
I had already search many hours how to configure my ssl and i’m a beginner. I 
had already try to configure ufw but actually it doesn’t work.

Thank in advance for helping me.
Regards,
Léonard W


Provenance : Courrier pour Windows 10

Re: Using existing pki certificates to enable SSL on tomcat 9

2018-12-17 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sam,

On 12/16/18 22:00, Sam G wrote:
> Hi, I've installed Apache Tomcat 9 on windows 2016 64bit server.
> Our SA has requested a PKI certificate for the windows server feom
> our CA and got one. I need help with steps involved in using that
> existing certificate to enable SSL on Tomcat.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Importing_the_Cer
tificate

- -chris

-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwXyfkACgkQHPApP6U8
pFgY3w//fyqkDFf4aVhy0dAPXqmwXZJSiY6qIpmN5+QoSLEFqPR64Xda/QRt25TQ
JahlmGsCiYTzbfCVgXnIZ5vkAvd7Ei4A0X722RJRR9t52CGNeH61FNfykzKINPDW
GJ10ATXxhfHbjgHNQpp0ZjInLpTBI9ezZH0lW1p+eBUqdEiscIu2YQ+CtHLjum8i
Pvbkk+31iSVsg0zP13of4jIlLCxhwNe8bVCLUsTxcI7c1fgqJPonnz5w/9V7PUX+
jTx/h4EY104i9RqCoOGB6xjHCQSxKdOc4P6jiYDnhx9/6kiGvLEpVFTSIHI3NE1V
kUXB00e18UmXTzIPPKHJHUPjauWBVwLpPzHIMSB5lewarMi+z4bdyurYIENAjB40
k7tcQSaBlL+rFqz3S2STOy5CUH2OveSaA4+MhlygGfQxnQmBnOBM3zrgCgyIWmyk
TGn3XeEGCl3VYMKd2igmQAOSZ/CIDboLED3z5kECTIQ98IQUz1+aeUjB01p9DkI+
gOy4As2VsTFvYNNYYr6P+pTSGeHOXDTj7bSxbfU28/eKhnD5HY8xbTQzAc+nAgrC
u1uhpom0J7mbz8KvfnHt+LgktjAMK6t4n9NQmT+mSrGmbKP25tlrKHWcRtU+s2Hl
qZe5GI/GgYqLQgJyO9ogItbsbtJJLH4NmB6JVzohr/9D61w5aqA=
=1ny6
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Using existing pki certificates to enable SSL on tomcat 9

2018-12-16 Thread Sam G 
Hi,
  I've installed Apache Tomcat 9 on windows 2016 64bit server. Our SA
has requested a PKI certificate for the windows server feom our CA and got
one.
I need help with steps involved in using that existing certificate to
enable SSL on Tomcat.

Thank you
Sam

Re: Issue while configuring keystore/SSL for Tomcat 8.5.33

2018-10-18 Thread manjesh 
can you share the full debug log ?  what is the client for this SSL service
? browser or some other standalone programs
what version of JDK is being used?

On Thu, Oct 18, 2018 at 2:20 PM Sashidharan Ramamurthy <
sashidharan.ramamur...@ericsson.com> wrote:

> Any updates users of tomcat on this issue!!!
>
> -Original Message-
> From: Sashidharan Ramamurthy 
> Sent: Wednesday, October 17, 2018 4:22 PM
> To: users@tomcat.apache.org
> Subject: FW: Issue while configuring keystore/SSL for Tomcat 8.5.33
>
> Hi Tomcat user group,
>
> We have installed and deployed Tomcat Version: 8.5.33 in our machine.
>
> Software: AIX
>
> We configured SSL at 8443 port using below command for creating keystore.
>
> $JAVA_HOME/bin/keytool -genkey -alias iscpkey -keystore
> $outputfile -keyalg RSA -dname "CN=${site}, OU=Network Solutions, O=ISCP,
> L=Piscataway, C=US" -storepass "changeit" -keypass "changeit" -validity
> 1
>
> Though 8443 port no has started, we are unable to connect from SSL client.
> We are getting SSLException in our client.
>
> We enabled java.net.debug with SSL logs.
>
> Client Hello and Server Hello is done but fails soon afterwards in SSL
> with internal_error.
>
> *** ServerHelloDone
> https-jsse-nio-8443-exec-4, WRITE: TLSv1 Handshake, length = 1736
> https-jsse-nio-8443-exec-5, READ: TLSv1 Alert, length = 2
> https-jsse-nio-8443-exec-5, RECV TLSv1 ALERT:  fatal, internal_error
> https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing
> javax.net.ssl.SSLException: Received fatal alert: internal_error
> https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing
> javax.net.ssl.SSLException: Received fatal alert: internal_error
> https-jsse-nio-8443-exec-5, called closeOutbound()
> https-jsse-nio-8443-exec-5, closeOutboundInternal()
> https-jsse-nio-8443-exec-5, SEND TLSv1 ALERT:  warning, description =
> close_notify https-jsse-nio-8443-exec-5, WRITE: TLSv1 Alert, length = 2
>
> We are unable to proceed further.
>
> Can you let me know what could be the reason?
>
> Also, if this is not the correct tomcat group, can you point me to correct
> group?
>
> Thanks and Regards,
> Sashi
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

RE: Issue while configuring keystore/SSL for Tomcat 8.5.33

2018-10-18 Thread Sashidharan Ramamurthy 
Any updates users of tomcat on this issue!!!

-Original Message-
From: Sashidharan Ramamurthy  
Sent: Wednesday, October 17, 2018 4:22 PM
To: users@tomcat.apache.org
Subject: FW: Issue while configuring keystore/SSL for Tomcat 8.5.33

Hi Tomcat user group,

We have installed and deployed Tomcat Version: 8.5.33 in our machine.

Software: AIX

We configured SSL at 8443 port using below command for creating keystore.

$JAVA_HOME/bin/keytool -genkey -alias iscpkey -keystore $outputfile 
-keyalg RSA -dname "CN=${site}, OU=Network Solutions, O=ISCP, L=Piscataway, 
C=US" -storepass "changeit" -keypass "changeit" -validity 1

Though 8443 port no has started, we are unable to connect from SSL client. We 
are getting SSLException in our client.

We enabled java.net.debug with SSL logs.

Client Hello and Server Hello is done but fails soon afterwards in SSL with 
internal_error.

*** ServerHelloDone
https-jsse-nio-8443-exec-4, WRITE: TLSv1 Handshake, length = 1736 
https-jsse-nio-8443-exec-5, READ: TLSv1 Alert, length = 2 
https-jsse-nio-8443-exec-5, RECV TLSv1 ALERT:  fatal, internal_error 
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error 
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error 
https-jsse-nio-8443-exec-5, called closeOutbound() https-jsse-nio-8443-exec-5, 
closeOutboundInternal() https-jsse-nio-8443-exec-5, SEND TLSv1 ALERT:  warning, 
description = close_notify https-jsse-nio-8443-exec-5, WRITE: TLSv1 Alert, 
length = 2

We are unable to proceed further.

Can you let me know what could be the reason?

Also, if this is not the correct tomcat group, can you point me to correct 
group?

Thanks and Regards,
Sashi

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

FW: Issue while configuring keystore/SSL for Tomcat 8.5.33

2018-10-17 Thread Sashidharan Ramamurthy 
Hi Tomcat user group,

We have installed and deployed Tomcat Version: 8.5.33 in our machine.

Software: AIX

We configured SSL at 8443 port using below command for creating keystore.

$JAVA_HOME/bin/keytool -genkey -alias iscpkey -keystore $outputfile 
-keyalg RSA -dname "CN=${site}, OU=Network Solutions, O=ISCP, L=Piscataway, 
C=US" -storepass "changeit" -keypass "changeit" -validity 1

Though 8443 port no has started, we are unable to connect from SSL client. We 
are getting SSLException in our client.

We enabled java.net.debug with SSL logs.

Client Hello and Server Hello is done but fails soon afterwards in SSL with 
internal_error.

*** ServerHelloDone
https-jsse-nio-8443-exec-4, WRITE: TLSv1 Handshake, length = 1736
https-jsse-nio-8443-exec-5, READ: TLSv1 Alert, length = 2
https-jsse-nio-8443-exec-5, RECV TLSv1 ALERT:  fatal, internal_error
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLException: Received fatal alert: internal_error
https-jsse-nio-8443-exec-5, called closeOutbound()
https-jsse-nio-8443-exec-5, closeOutboundInternal()
https-jsse-nio-8443-exec-5, SEND TLSv1 ALERT:  warning, description = 
close_notify
https-jsse-nio-8443-exec-5, WRITE: TLSv1 Alert, length = 2

We are unable to proceed further.

Can you let me know what could be the reason?

Also, if this is not the correct tomcat group, can you point me to correct 
group?

Thanks and Regards,
Sashi

AW: [bulk] Re: SSL on Tomcat

2018-10-02 Thread Mario Schmitz 
Hey,

arbeitet ihr gerade irgendwo?

Hier hier gerade alle Anwendungen von außen  nicht erreichbar gewesen. Über 
intern ging ...

LG
Mario

-Ursprüngliche Nachricht-
Von: Loai Abdallatif [mailto:loai.abdalla...@gmail.com] 
Gesendet: Dienstag, 2. Oktober 2018 09:07
An: Tomcat Users List 
Betreff: [bulk] Re: SSL on Tomcat

Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández 
wrote:

> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> El lun., 1 oct. 2018 a las 20:39, Christopher Schultz (<
> ch...@christopherschultz.net>) escribió:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the 
> > > root Certificate Authority public key and import it in your client 
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's 
> > cert directly.
> >
> > > If you did not change it the client (java) the default keystore is 
> > > located in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file 
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so 
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED 
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a 
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time 
> > you change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for 
> > that service (client) and use it EXPLICITLY.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> > pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> > w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> > fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> > lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> > TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> > YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> > xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> > SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> > MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> > C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> > KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> > =okQm
> > -END PGP SIGNATURE-
> >
> > 
> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Re: SSL on Tomcat

2018-10-02 Thread Loai Abdallatif 
Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández 
wrote:

> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> El lun., 1 oct. 2018 a las 20:39, Christopher Schultz (<
> ch...@christopherschultz.net>) escribió:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the
> > > root Certificate Authority public key and import it in your client
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's
> > cert directly.
> >
> > > If you did not change it the client (java) the default keystore is
> > > located in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time you
> > change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for
> > that service (client) and use it EXPLICITLY.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> > pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> > w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> > fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> > lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> > TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> > YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> > xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> > SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> > MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> > C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> > KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> > =okQm
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Re: SSL on Tomcat

2018-10-02 Thread Luis Rodríguez Fernández 
Hello Christopher,

It makes sense, thank you very much for your advice!

Cheers,

Luis

El lun., 1 oct. 2018 a las 20:39, Christopher Schultz (<
ch...@christopherschultz.net>) escribió:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Luis,
>
> On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > Agree with Christopher, you have to fix your client. Just get the
> > root Certificate Authority public key and import it in your client
> > truststore.
>
> I'd recommend trusting the finest-grained cert you can get away with.
> That might not always be the root CA cert. It might be the server's
> cert directly.
>
> > If you did not change it the client (java) the default keystore is
> > located in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
> >
> > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > -storepass trust_store_password_here -alias Root -import -file
> > the_downloaded_ca.crt
> >
> > The default password for cacerts is changeit
>
> FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> for two reasons:
>
> 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> AFTERWARD. Perhaps you don't want some other service to trust your
> 192.168.1.120 certificate when it's only supposed to be used with a
> single client service.
>
> 2. You will have to remember to update the trust store every time you
> change your Java installation. That means upgrades, downgrades, etc.
>
> The best way to do this IMO is to create a trust store specific for
> that service (client) and use it EXPLICITLY.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> =okQm
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: SSL on Tomcat

2018-10-01 Thread Loai Abdallatif 
thanks very much , I did it and it works

On Mon, Oct 1, 2018 at 6:07 PM Luis Rodríguez Fernández 
wrote:

> Hello Loai,
>
> Agree with Christopher, you have to fix your client. Just get the root
> Certificate Authority public key and import it in your client truststore.
> If you did not change it the client (java) the default keystore is located
> in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
>
>  keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass
> trust_store_password_here -alias Root -import -file the_downloaded_ca.crt
>
> The default password for cacerts is changeit
>
> Hopeit helps,
>
> Luis
>
>
>
>
> El sáb., 29 sept. 2018 a las 12:05, Loai Abdallatif (<
> loai.abdalla...@gmail.com>) escribió:
>
> > Thanks Chris, but how to do it, should I copy the ssl certificate from
> > Webserver 192.168.1.120 to my tomcat container (worker0) in 192.168.1.111
> > in server.xml .
> > any idea please
> >
> > On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > Loai,
> > >
> > > On 9/27/18 10:50, Loai Abdallatif wrote:
> > > > Hello,
> > > >
> > > > I have Set Apache Load Balancer ( ModJK) with Server IP
> > > > 192.168.1.120 (Webserver01.epsilon.test)  which forward the traffic
> > > > to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
> > > >
> > > > each tomcat server has three workers ( 0,1,2)
> > > >
> > > > I deployed *Central Authentication Service* (CAS)  on Worker0  and
> > > > its is working with warning related to ssl Certificate, I have
> > > > another Application on this worker0 called ServiceCatalog
> > > > unfortunatly it didnt work and gave error as below
> > > >
> > > >
> > > > ERROR org.jasig.cas.client.util.CommonUtils -
> > > > sun.security.validator.ValidatorException: PKIX path building
> > > > failed
> > > >  : sun.security.provider.certpath.SunCertPathBuilderException:
> > > > unable to find valid certification path to requested
> > > >  target javax.net.ssl.SSLHandshakeException:
> > > > sun.security.validator.ValidatorException: PKIX path building
> > > > failed: sun.sec
> > > >  urity.provider.certpath.SunCertPathBuilderException: unable to
> > > > find valid certification path to requested target
> > >
> > > As Guido says, your client (org.jasig.cas.client) does not trust the
> > > server it's trying to connect to.
> > >
> > > Is the server in this case the one you set up above? It's not clear
> > > exactly what you are trying to do.
> > >
> > > There is nothing you can change with Tomcat to fix this error... you
> > > must configure your client to trust the server.
> > >
> > > - -chris
> > > -BEGIN PGP SIGNATURE-
> > > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> > >
> > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> > > pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> > > 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> > > 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> > > LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> > > /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> > > 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> > > j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> > > 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> > > BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> > > /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> > > 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> > > =Bjfw
> > > -END PGP SIGNATURE-
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> >
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Re: SSL on Tomcat

2018-10-01 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Luis,

On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> Agree with Christopher, you have to fix your client. Just get the
> root Certificate Authority public key and import it in your client
> truststore.

I'd recommend trusting the finest-grained cert you can get away with.
That might not always be the root CA cert. It might be the server's
cert directly.

> If you did not change it the client (java) the default keystore is
> located in  $JAVA_HOME/jre/lib/security/cacerts. Something like:
> 
> keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> -storepass trust_store_password_here -alias Root -import -file
> the_downloaded_ca.crt
> 
> The default password for cacerts is changeit

FWIW, I wouldn't recommend changing the JVM's trust store. I say so
for two reasons:

1. You will be trusting that certificate for ALL JVMS LAUNCHED
AFTERWARD. Perhaps you don't want some other service to trust your
192.168.1.120 certificate when it's only supposed to be used with a
single client service.

2. You will have to remember to update the trust store every time you
change your Java installation. That means upgrades, downgrades, etc.

The best way to do this IMO is to create a trust store specific for
that service (client) and use it EXPLICITLY.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
=okQm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SSL on Tomcat

2018-10-01 Thread Luis Rodríguez Fernández 
Hello Loai,

Agree with Christopher, you have to fix your client. Just get the root
Certificate Authority public key and import it in your client truststore.
If you did not change it the client (java) the default keystore is located
in  $JAVA_HOME/jre/lib/security/cacerts. Something like:

 keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass
trust_store_password_here -alias Root -import -file the_downloaded_ca.crt

The default password for cacerts is changeit

Hopeit helps,

Luis




El sáb., 29 sept. 2018 a las 12:05, Loai Abdallatif (<
loai.abdalla...@gmail.com>) escribió:

> Thanks Chris, but how to do it, should I copy the ssl certificate from
> Webserver 192.168.1.120 to my tomcat container (worker0) in 192.168.1.111
> in server.xml .
> any idea please
>
> On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Loai,
> >
> > On 9/27/18 10:50, Loai Abdallatif wrote:
> > > Hello,
> > >
> > > I have Set Apache Load Balancer ( ModJK) with Server IP
> > > 192.168.1.120 (Webserver01.epsilon.test)  which forward the traffic
> > > to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
> > >
> > > each tomcat server has three workers ( 0,1,2)
> > >
> > > I deployed *Central Authentication Service* (CAS)  on Worker0  and
> > > its is working with warning related to ssl Certificate, I have
> > > another Application on this worker0 called ServiceCatalog
> > > unfortunatly it didnt work and gave error as below
> > >
> > >
> > > ERROR org.jasig.cas.client.util.CommonUtils -
> > > sun.security.validator.ValidatorException: PKIX path building
> > > failed
> > >  : sun.security.provider.certpath.SunCertPathBuilderException:
> > > unable to find valid certification path to requested
> > >  target javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path building
> > > failed: sun.sec
> > >  urity.provider.certpath.SunCertPathBuilderException: unable to
> > > find valid certification path to requested target
> >
> > As Guido says, your client (org.jasig.cas.client) does not trust the
> > server it's trying to connect to.
> >
> > Is the server in this case the one you set up above? It's not clear
> > exactly what you are trying to do.
> >
> > There is nothing you can change with Tomcat to fix this error... you
> > must configure your client to trust the server.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> > pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> > 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> > 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> > LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> > /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> > 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> > j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> > 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> > BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> > /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> > 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> > =Bjfw
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: SSL on Tomcat

2018-09-29 Thread Loai Abdallatif 
Thanks Chris, but how to do it, should I copy the ssl certificate from
Webserver 192.168.1.120 to my tomcat container (worker0) in 192.168.1.111
in server.xml .
any idea please

On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Loai,
>
> On 9/27/18 10:50, Loai Abdallatif wrote:
> > Hello,
> >
> > I have Set Apache Load Balancer ( ModJK) with Server IP
> > 192.168.1.120 (Webserver01.epsilon.test)  which forward the traffic
> > to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
> >
> > each tomcat server has three workers ( 0,1,2)
> >
> > I deployed *Central Authentication Service* (CAS)  on Worker0  and
> > its is working with warning related to ssl Certificate, I have
> > another Application on this worker0 called ServiceCatalog
> > unfortunatly it didnt work and gave error as below
> >
> >
> > ERROR org.jasig.cas.client.util.CommonUtils -
> > sun.security.validator.ValidatorException: PKIX path building
> > failed
> >  : sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested
> >  target javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building
> > failed: sun.sec
> >  urity.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
>
> As Guido says, your client (org.jasig.cas.client) does not trust the
> server it's trying to connect to.
>
> Is the server in this case the one you set up above? It's not clear
> exactly what you are trying to do.
>
> There is nothing you can change with Tomcat to fix this error... you
> must configure your client to trust the server.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> =Bjfw
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: SSL on Tomcat

2018-09-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Loai,

On 9/27/18 10:50, Loai Abdallatif wrote:
> Hello,
> 
> I have Set Apache Load Balancer ( ModJK) with Server IP
> 192.168.1.120 (Webserver01.epsilon.test)  which forward the traffic
> to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
> 
> each tomcat server has three workers ( 0,1,2)
> 
> I deployed *Central Authentication Service* (CAS)  on Worker0  and
> its is working with warning related to ssl Certificate, I have
> another Application on this worker0 called ServiceCatalog
> unfortunatly it didnt work and gave error as below
> 
> 
> ERROR org.jasig.cas.client.util.CommonUtils - 
> sun.security.validator.ValidatorException: PKIX path building 
> failed
>  : sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested
>  target javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.sec
>  urity.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

As Guido says, your client (org.jasig.cas.client) does not trust the
server it's trying to connect to.

Is the server in this case the one you set up above? It's not clear
exactly what you are trying to do.

There is nothing you can change with Tomcat to fix this error... you
must configure your client to trust the server.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
/v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
/Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
=Bjfw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SSL on Tomcat

2018-09-28 Thread Loai Abdallatif 
Thank you Guido

appreciate your assistance , and if possible send me any tutorial related
to my case ( apache server different than Tomcat , CAS app need SSL )

On Fri, Sep 28, 2018 at 11:40 AM Jäkel, Guido  wrote:

> Dear Loai,
>
> Your client can't very (don't trust) the certificate (chain) of the
> target. Either target's certificate is not an "official" one (e.g. self
> signed) or your clients JVM certificate trust chain is not up to date.
>
> I you like I may send you a small java commandline tool to check the
> verification chain and/or add exceptions to the local trust store in case
> of self-signed certificates.
>
> Guido
>
>
> >-Original Message-
> >From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
> >Sent: Thursday, September 27, 2018 4:52 PM
> >To: Tomcat Users List 
> >Subject: Re: SSL on Tomcat
> >
> >hello, shall I add the certificate to server.xml on tomcat server or just
> on Webserver
> >
> >
> >On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif <
> loai.abdalla...@gmail.com <mailto:loai.abdalla...@gmail.com> > wrote:
> >
> >
> >   Hello,
> >
> >   I have Set Apache Load Balancer ( ModJK) with Server IP
> 192.168.1.120 (Webserver01.epsilon.test)  which forward the
> >traffic to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
> >
> >
> >   each tomcat server has three workers ( 0,1,2)
> >
> >   I deployed Central Authentication Service (CAS)  on Worker0  and
> its  is working with warning related to ssl
> >Certificate, I have another Application on this worker0 called
> ServiceCatalog unfortunatly it didnt work and gave error as below
> >
> >
> >
> >
> >
> >
> >
> >
> >   ERROR org.jasig.cas.client.util.CommonUtils -
> sun.security.validator.ValidatorException: PKIX path building failed
> >: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested
> >target
> >   javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.sec
> >urity.provider.certpath.SunCertPathBuilderException: unable to find valid
> certification path to requested target
> >   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >   at
> sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> >   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
> >   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
> >   at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
> >   at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> >   at
> sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> >   at
> sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
> >   at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
> >   at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
> >   at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
> >   at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
> >   at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
> >   at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnectio
> >n.java:185)
> >   at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
> >   at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
> >   at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
> >   at
> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
> >   at
> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(A
> >bstractCasProtocolUrlBasedTicketValidator.java:41)
> >   at
> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidato
> >r.java:193)
> >   at
> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthentica
> >tionProvider.java:157)
> >   at
> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticatio
> >nProvider.java:142)
> >
> >
> >
>
>

RE: SSL on Tomcat

2018-09-28 Thread Jäkel , Guido 
Dear Loai,

Your client can't very (don't trust) the certificate (chain) of the target. 
Either target's certificate is not an "official" one (e.g. self signed) or your 
clients JVM certificate trust chain is not up to date.

I you like I may send you a small java commandline tool to check the 
verification chain and/or add exceptions to the local trust store in case of 
self-signed certificates.

Guido


>-Original Message-
>From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
>Sent: Thursday, September 27, 2018 4:52 PM
>To: Tomcat Users List 
>Subject: Re: SSL on Tomcat
>
>hello, shall I add the certificate to server.xml on tomcat server or just on 
>Webserver
>
>
>On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif <mailto:loai.abdalla...@gmail.com> > wrote:
>
>
>   Hello,
>
>   I have Set Apache Load Balancer ( ModJK) with Server IP 192.168.1.120 
> (Webserver01.epsilon.test)  which forward the
>traffic to tomcat server .(192.168.1.111 (appserver01.epsilon.test)
>
>
>   each tomcat server has three workers ( 0,1,2)
>
>   I deployed Central Authentication Service (CAS)  on Worker0  and its  
> is working with warning related to ssl
>Certificate, I have another Application on this worker0 called ServiceCatalog 
>unfortunatly it didnt work and gave error as below
>
>
>
>
>
>
>
>
>   ERROR org.jasig.cas.client.util.CommonUtils - 
> sun.security.validator.ValidatorException: PKIX path building failed
>: sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>valid certification path to requested
>target
>   javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: sun.sec
>urity.provider.certpath.SunCertPathBuilderException: unable to find valid 
>certification path to requested target
>   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>   at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>   at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>   at 
> sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>   at 
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>   at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>   at 
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>   at 
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>   at 
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>   at 
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnectio
>n.java:185)
>   at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
>   at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>   at 
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
>   at 
> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
>   at 
> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(A
>bstractCasProtocolUrlBasedTicketValidator.java:41)
>   at 
> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidato
>r.java:193)
>   at 
> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthentica
>tionProvider.java:157)
>   at 
> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticatio
>nProvider.java:142)
>
>
>

Re: SSL on Tomcat

2018-09-27 Thread Loai Abdallatif 
hello, shall I add the certificate to server.xml on tomcat server or just
on Webserver

On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif 
wrote:

> Hello,
>
> I have Set Apache Load Balancer ( ModJK) with Server IP 192.168.1.120
> (Webserver01.epsilon.test)  which forward the traffic to tomcat server
> .(192.168.1.111 (appserver01.epsilon.test)
>
> each tomcat server has three workers ( 0,1,2)
>
> I deployed *Central Authentication Service* (CAS)  on Worker0  and its
> is working with warning related to ssl Certificate, I have another
> Application on this worker0 called ServiceCatalog unfortunatly it didnt
> work and gave error as below
>
>
>
>
>
>
> ERROR org.jasig.cas.client.util.CommonUtils - 
> sun.security.validator.ValidatorException:
> PKIX path building failed
>
>: 
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested
>
>target
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException:
> PKIX path building failed: sun.sec
>
> 
> urity.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
> at sun.security.ssl.ClientHandshaker.serverCertificate(
> ClientHandshaker.java:1614)
> at sun.security.ssl.ClientHandshaker.processMessage(
> ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
> at sun.security.ssl.SSLSocketImpl.readRecord(
> SSLSocketImpl.java:1072)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
> SSLSocketImpl.java:1385)
> at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1413)
> at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1397)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(
> HttpsClient.java:559)
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
> tion.connect(AbstractDelegateHttpsURLConnectio
>
> n.java:185)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1564)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1492)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.
> getInputStream(HttpsURLConnectionImpl.java:263)
> at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(
> CommonUtils.java:429)
> at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTic
> ketValidator.retrieveResponseFromServer(A
>
> bstractCasProtocolUrlBasedTicketValidator.java:41)
> at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidato
> r.validate(AbstractUrlBasedTicketValidato
>
>  r.java:193)
> at org.springframework.security.cas.authentication.
> CasAuthenticationProvider.authenticateNow(CasAuthentica
>
>
> tionProvider.java:157)
> at org.springframework.security.cas.authentication.
> CasAuthenticationProvider.authenticate(CasAuthenticatio
>
>
> nProvider.java:142)
>
>

SSL on Tomcat

2018-09-27 Thread Loai Abdallatif 
Hello,

I have Set Apache Load Balancer ( ModJK) with Server IP 192.168.1.120
(Webserver01.epsilon.test)  which forward the traffic to tomcat server
.(192.168.1.111 (appserver01.epsilon.test)

each tomcat server has three workers ( 0,1,2)

I deployed *Central Authentication Service* (CAS)  on Worker0  and its  is
working with warning related to ssl Certificate, I have another Application
on this worker0 called ServiceCatalog unfortunatly it didnt work and gave
error as below






ERROR org.jasig.cas.client.util.CommonUtils -
sun.security.validator.ValidatorException: PKIX path building
failed
: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to
requested
target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.sec
urity.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnectio
n.java:185)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
at
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(A
bstractCasProtocolUrlBasedTicketValidator.java:41)
at
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidato
r.java:193)
at
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthentica
tionProvider.java:157)
at
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticatio
nProvider.java:142)

re: Comments on my first 'SSL for Tomcat' write-up

2017-12-05 Thread Don Flinn 
Chis Schultz and Mark Thomas,

I started a new thread as the old one was getting too long and getting off
subject.
Chris Schultz wrote -

Re: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-23 Thread Richard Tearle 
On 23 November 2017 at 17:20, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Richard,
>
> On 11/23/17 8:28 AM, Richard Tearle wrote:
>> Yes I read through that thread, but we don't really like Java key
>> stores, and I don't think the work around would work for us.
>
> Java keystores are ... awful.
>
>> Instead, I did what perhaps I should have done a while ago (on
>> version 8.0.x), and built Tomcat Native libraries, deployed, and
>> changed the certificate references in the connector to use our .PEM
>> files (which the PKCS12 files are built from), and fingers crossed,
>> its looking OK at the moment.
>
> So are you using the APR connector, then?
>
> You do have some other options:
>
> 1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of
> keystores.
>
> 2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for
> everything, simply because they are so easy to work with.
>
> 3. JSSE+OpenSSL with PEM-encoded DER files.
>
> Option #3 will get you the performance of OpenSSL's crypto but without
> using the APR connector (which isn't quite as efficient as the
> pure-Java NIO connector). Java's crypto seems to be hobbled for some
> reason... some kind of mistake in the native-optimization that ends up
> falling-back to pure-Java crypto which ... simply isn't fast enough
> for real-world workloads).
>
> I think the APR connector is likely to disappear with the next major
> release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination
> is becoming more mature and offers better performance and scalability.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloXA2AACgkQHPApP6U8
> pFilzA/9E5R4NjcoB1yE6oQ2sXb7TURJg/WDJls00Y7RjwSN1UmkiiAdwktcuH0T
> hL6+2M71yrJ+rnCLbyQGEmPdJdFSAv4rTy+eoHJqDTf9jakUYvLC+XvIdWgz/p6i
> tWhIRZAS/sr4JmwFgrIY4I4iKcmJ/pGjrQHLu59H0gEYFdOCoA+WpsNgmIiFLUr6
> IWochlde/ahxP6vNOZJLYxBb8kQ8JUBWXHN+2jGiD5GU7jav3DmwlFKeaoelbclk
> DUUbzc+no83pSIcwzsNsIcPjxdh9fSIzP3nAdNDlIJtGF3SDwwu6HyP0cEb+r+rg
> l9LjDwUrcIFB7pAas38bUpf8DjSysRLk5Jh013BhxUJIcB5hZflrUqeq6Nb+JonC
> EepZoUNSWFiblB36ofNmyJUXaRshBqVfD/x1teJXpoLVJ/HUY8A84T3DlLIzHMAS
> lMfJ4CaCYyDqeA5KL9PZMyEpiPivn4aqeMeVEkrz/DHamLvWhJ649mfRb9BNOBE0
> 3uJvLHOYanORuVWAyQc6nmpSFuda3lgUCZVN9/jhRNW6AszBjLi/9xb7vP/EE41I
> jXZYnJgra1tdL2wq85cqR3NRIf2HrZrvaVsQOikn+MqHR19Pwm5T3xrlIN9hT4EP
> t9LeqizK0vK0cz0/tDBVmqXjASyP5ArJ0dz6uJqijJtGjUWe+gM=
> =bf9o
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Hi

I think Option #1 was what I was trying to achieve originally. I'll take a look
at option #3 tomorrow.

Thanks for the heads up

Richard.

-- 
This email is sent on behalf of Northgate Public Services (UK) Limited and 
its associated companies including Rave Technologies (India) Pvt Limited 
(together "Northgate Public Services") and is strictly confidential and 
intended solely for the addressee(s). 
If you are not the intended recipient of this email you must: (i) not 
disclose, copy or distribute its contents to any other person nor use its 
contents in any way or you may be acting unlawfully;  (ii) contact 
Northgate Public Services immediately on +44(0)1442 768445 quoting the name 
of the sender and the addressee then delete it from your system.
Northgate Public Services has taken reasonable precautions to ensure that 
no viruses are contained in this email, but does not accept any 
responsibility once this email has been transmitted.  You should scan 
attachments (if any) for viruses.

Northgate Public Services (UK) Limited, registered in England and Wales 
under number 00968498 with a registered address of Peoplebuilding 2, 
Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 
4NW.  Rave Technologies (India) Pvt Limited, registered in India under 
number 117068 with a registered address of 2nd Floor, Ballard House, Adi 
Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 41.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-23 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Richard,

On 11/23/17 8:28 AM, Richard Tearle wrote:
> Yes I read through that thread, but we don't really like Java key 
> stores, and I don't think the work around would work for us.

Java keystores are ... awful.

> Instead, I did what perhaps I should have done a while ago (on
> version 8.0.x), and built Tomcat Native libraries, deployed, and
> changed the certificate references in the connector to use our .PEM
> files (which the PKCS12 files are built from), and fingers crossed,
> its looking OK at the moment.

So are you using the APR connector, then?

You do have some other options:

1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of
keystores.

2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for
everything, simply because they are so easy to work with.

3. JSSE+OpenSSL with PEM-encoded DER files.

Option #3 will get you the performance of OpenSSL's crypto but without
using the APR connector (which isn't quite as efficient as the
pure-Java NIO connector). Java's crypto seems to be hobbled for some
reason... some kind of mistake in the native-optimization that ends up
falling-back to pure-Java crypto which ... simply isn't fast enough
for real-world workloads).

I think the APR connector is likely to disappear with the next major
release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination
is becoming more mature and offers better performance and scalability.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloXA2AACgkQHPApP6U8
pFilzA/9E5R4NjcoB1yE6oQ2sXb7TURJg/WDJls00Y7RjwSN1UmkiiAdwktcuH0T
hL6+2M71yrJ+rnCLbyQGEmPdJdFSAv4rTy+eoHJqDTf9jakUYvLC+XvIdWgz/p6i
tWhIRZAS/sr4JmwFgrIY4I4iKcmJ/pGjrQHLu59H0gEYFdOCoA+WpsNgmIiFLUr6
IWochlde/ahxP6vNOZJLYxBb8kQ8JUBWXHN+2jGiD5GU7jav3DmwlFKeaoelbclk
DUUbzc+no83pSIcwzsNsIcPjxdh9fSIzP3nAdNDlIJtGF3SDwwu6HyP0cEb+r+rg
l9LjDwUrcIFB7pAas38bUpf8DjSysRLk5Jh013BhxUJIcB5hZflrUqeq6Nb+JonC
EepZoUNSWFiblB36ofNmyJUXaRshBqVfD/x1teJXpoLVJ/HUY8A84T3DlLIzHMAS
lMfJ4CaCYyDqeA5KL9PZMyEpiPivn4aqeMeVEkrz/DHamLvWhJ649mfRb9BNOBE0
3uJvLHOYanORuVWAyQc6nmpSFuda3lgUCZVN9/jhRNW6AszBjLi/9xb7vP/EE41I
jXZYnJgra1tdL2wq85cqR3NRIf2HrZrvaVsQOikn+MqHR19Pwm5T3xrlIN9hT4EP
t9LeqizK0vK0cz0/tDBVmqXjASyP5ArJ0dz6uJqijJtGjUWe+gM=
=bf9o
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-23 Thread Richard Tearle 
On 23 November 2017 at 05:33, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Richard,
>
> On 11/22/17 8:40 AM, Richard Tearle wrote:
>> Hello
>>
>> Apache Tomcat 8.5.23 Centos 7.4 (3.10.0-514.16.1.el7.x86_64) Java
>> 1.8.0_152 (with jce) Running in Docker Container
>>
>> I'm upgrading our applications from Apache Tomcat 8.0.47 to
>> 8.5.23, but when trying to get TLS/SSL working on a connector I get
>> the following error:
>>
>> 22-Nov-2017 11:52:46.098 SEVERE [main]
>> org.apache.coyote.AbstractProtocol.init Failed to initialize end
>> point associated with ProtocolHandler ["https-jsse-nio2-18443"]
>> java.lang.IllegalArgumentException:
>> java.security.InvalidAlgorithmParameterException: the trustAnchors
>> parameter must be non-empty at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr
> actJsseEndpoint.java:115)
>>
>>
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJs
> seEndpoint.java:86)
>> at
>> org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
>>
>>
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:9
> 82)
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo
> int.java:245)
>>
>>
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
>> at
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Pro
> tocol.java:66)
>>
>>
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:9
> 97)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>
>>
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.ja
> va:549)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>
>>
> at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java
> :875)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>
>>
> at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:644) at
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
> ava:62)
>>
>>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
> Impl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498) at
>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>> Caused by: java.security.InvalidAlgorithmParameterException: the
>> trustAnchors parameter must be non-empty at
>> java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:
> 200)
>>
>>
> at java.security.cert.PKIXParameters.(PKIXParameters.java:157)
>> at
>> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.
> java:130)
>>
>>
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:
> 368)
>> at
>> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.jav
> a:292)
>>
>>
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstrac
> tJsseEndpoint.java:113)
>> ... 20 more
>>
>> I've changed the connector configuration to use
>> SSLHostConfig/Certificate, but our certificate generation process
>> (self signed certificates) has remained the same. I did a quick
>> internet search, and saw that other people had similar, but not
>> exact issues, and going back to 8.5.4 "solved" the issue. So I did
>> this as a quick test, so at least I could see that our
>> configuration changes where correct, and yes the application ran ok
>> with Tomcat 8.5.4. The connector configuration is:
>>
>> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> server="Apache" maxPostSize="10"> > certificateVerification="none" sslProtocol="TLSv1.2"
>> protocols="TLSv1.2"
>> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
>> truststoreType="PKCS12" truststorePassword="${truststore.pass}"
>> honorCipherOrder="true"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_EC

Re: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Richard,

On 11/22/17 8:40 AM, Richard Tearle wrote:
> Hello
> 
> Apache Tomcat 8.5.23 Centos 7.4 (3.10.0-514.16.1.el7.x86_64) Java
> 1.8.0_152 (with jce) Running in Docker Container
> 
> I'm upgrading our applications from Apache Tomcat 8.0.47 to
> 8.5.23, but when trying to get TLS/SSL working on a connector I get
> the following error:
> 
> 22-Nov-2017 11:52:46.098 SEVERE [main] 
> org.apache.coyote.AbstractProtocol.init Failed to initialize end
> point associated with ProtocolHandler ["https-jsse-nio2-18443"] 
> java.lang.IllegalArgumentException: 
> java.security.InvalidAlgorithmParameterException: the trustAnchors 
> parameter must be non-empty at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr
actJsseEndpoint.java:115)
>
> 
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJs
seEndpoint.java:86)
> at
> org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
>
> 
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:9
82)
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo
int.java:245)
>
> 
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Pro
tocol.java:66)
>
> 
at org.apache.catalina.connector.Connector.initInternal(Connector.java:9
97)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>
> 
at
org.apache.catalina.core.StandardService.initInternal(StandardService.ja
va:549)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>
> 
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java
:875)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>
> 
at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:644) at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
ava:62)
>
> 
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498) at
> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) 
> Caused by: java.security.InvalidAlgorithmParameterException: the 
> trustAnchors parameter must be non-empty at
> java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:
200)
>
> 
at java.security.cert.PKIXParameters.(PKIXParameters.java:157)
> at
> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.
java:130)
>
> 
at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:
368)
> at
> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.jav
a:292)
>
> 
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstrac
tJsseEndpoint.java:113)
> ... 20 more
> 
> I've changed the connector configuration to use 
> SSLHostConfig/Certificate, but our certificate generation process 
> (self signed certificates) has remained the same. I did a quick 
> internet search, and saw that other people had similar, but not
> exact issues, and going back to 8.5.4 "solved" the issue. So I did
> this as a quick test, so at least I could see that our
> configuration changes where correct, and yes the application ran ok
> with Tomcat 8.5.4. The connector configuration is:
> 
>  protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> server="Apache" maxPostSize="10">  certificateVerification="none" sslProtocol="TLSv1.2"
> protocols="TLSv1.2" 
> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12" 
> truststoreType="PKCS12" truststorePassword="${truststore.pass}"
> honorCipherOrder="true" 
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AE
S_256_GCM_SHA384,
>
>  
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_S
HA384,
>
>  
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM
_SHA256,
>
>  
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_S
HA256,
>
>  
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC
_SHA384,
>
>  
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SH
A,
>
>  
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_25

Re: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-22 Thread Richard Tearle 
Peter

On 22 November 2017 at 15:08, Peter Kreuser <l...@kreuser.name> wrote:
>
>
>
>
> Richard,
>
>
>
>
>
>> Gesendet: Mittwoch, 22. November 2017 um 14:40 Uhr
>> Von: "Richard Tearle" 
>> <richard.tea...@northgateps.com[mailto:richard.tea...@northgateps.com]>
>> An: users@tomcat.apache.org[mailto:users@tomcat.apache.org]
>> Betreff: Trouble with TLS/SSL and Tomcat 8.5.23
>> Hello
>>
>> Apache Tomcat 8.5.23
>> Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
>> Java 1.8.0_152 (with jce)
>> Running in Docker Container
>>
>> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
>> but when trying to get TLS/SSL working on a connector I get the
>> following error:
>>
>> 22-Nov-2017 11:52:46.098 SEVERE [main]
>> org.apache.coyote.AbstractProtocol.init Failed to initialize end point
>> associated with ProtocolHandler ["https-jsse-nio2-18443"]
>> java.lang.IllegalArgumentException:
>> java.security.InvalidAlgorithmParameterException: the trustAnchors
>> parameter must be non-empty
>> at 
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>> at 
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
>> at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
>> at 
>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
>> at 
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
>> at 
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at 
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at 
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>> Caused by: java.security.InvalidAlgorithmParameterException: the
>> trustAnchors parameter must be non-empty
>> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>> at java.security.cert.PKIXParameters.(PKIXParameters.java:157)
>> at 
>> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130)
>> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
>> at 
>> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
>> at 
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>> ... 20 more
>>
>> I've changed the connector configuration to use
>> SSLHostConfig/Certificate, but our certificate generation process
>> (self signed certificates) has remained the same. I did a quick
>> internet search, and saw that other people had similar, but not exact
>> issues, and going back to 8.5.4 "solved" the issue. So I did this as a
>> quick test, so at least I could see that our configuration changes
>> where correct, and yes the application ran ok with Tomcat 8.5.4. The
>> connector configuration is:
>>
>> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>> maxThreads="150" SSLEnabled="true" scheme="https"
>> secure="true" server="Apache" maxPostSize="10">
>> > sslProtocol="TLSv1.2" protocols="TLSv1.2"
>> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
>> truststoreType="PKCS12"
>> truststorePassword="${truststore.pass}" honorCipherOrder="true"
>
> The error message says that either the file simply is not there or the cert

Aw: Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-22 Thread Peter Kreuser 




Richard,





> Gesendet: Mittwoch, 22. November 2017 um 14:40 Uhr
> Von: "Richard Tearle" 
> <richard.tea...@northgateps.com[mailto:richard.tea...@northgateps.com]>
> An: users@tomcat.apache.org[mailto:users@tomcat.apache.org]
> Betreff: Trouble with TLS/SSL and Tomcat 8.5.23
> Hello
> 
> Apache Tomcat 8.5.23
> Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
> Java 1.8.0_152 (with jce)
> Running in Docker Container
> 
> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
> but when trying to get TLS/SSL working on a connector I get the
> following error:
> 
> 22-Nov-2017 11:52:46.098 SEVERE [main]
> org.apache.coyote.AbstractProtocol.init Failed to initialize end point
> associated with ProtocolHandler ["https-jsse-nio2-18443"]
> java.lang.IllegalArgumentException:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
> at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
> at 
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty
> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at java.security.cert.PKIXParameters.(PKIXParameters.java:157)
> at 
> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
> at 
> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
> ... 20 more
> 
> I've changed the connector configuration to use
> SSLHostConfig/Certificate, but our certificate generation process
> (self signed certificates) has remained the same. I did a quick
> internet search, and saw that other people had similar, but not exact
> issues, and going back to 8.5.4 "solved" the issue. So I did this as a
> quick test, so at least I could see that our configuration changes
> where correct, and yes the application ran ok with Tomcat 8.5.4. The
> connector configuration is:
> 
>  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true" server="Apache" maxPostSize="10">
>  sslProtocol="TLSv1.2" protocols="TLSv1.2"
> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
> truststoreType="PKCS12"
> truststorePassword="${truststore.pass}" honorCipherOrder="true"

The error message says that either the file simply is not there or the cert 
that you expect is not in the keystore, maybe even empty...

Peter

> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> 
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> 
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> 
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Trouble with TLS/SSL and Tomcat 8.5.23

2017-11-22 Thread Richard Tearle 
Hello

Apache Tomcat 8.5.23
Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
Java 1.8.0_152 (with jce)
Running in Docker Container

I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
but when trying to get TLS/SSL working on a connector I get the
following error:

22-Nov-2017 11:52:46.098 SEVERE [main]
org.apache.coyote.AbstractProtocol.init Failed to initialize end point
associated with ProtocolHandler ["https-jsse-nio2-18443"]
 java.lang.IllegalArgumentException:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
at 
java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.(PKIXParameters.java:157)
at 
java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130)
at 
org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
at 
org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
... 20 more

I've changed the connector configuration to use
SSLHostConfig/Certificate, but our certificate generation process
(self signed certificates) has remained the same. I did a quick
internet search, and saw that other people had similar, but not exact
issues, and going back to 8.5.4 "solved" the issue. So I did this as a
quick test, so at least I could see that our configuration changes
where correct, and yes the application ran ok with Tomcat 8.5.4. The
connector configuration is:


   
  

 


Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant
logging, seems to indicate that the certificate is being loaded, but
not the trust store, with the only truststore loaded coming from:
/opt/jre1.8.0_152/lib/security/cacerts

Best Regards


Richard

-- 
This email is sent on behalf of Northgate Public Services (UK) Limited and 
its associated companies including Rave Technologies (India) Pvt Limited 
(together "Northgate Public Services") and is strictly confidential and 
intended solely for the addressee(s). 
If you are not the intended recipient of this email you must: (i) not 
disclose, copy or distribute its contents to any other person nor use its 
contents in any way or you may be acting unlawfully;  (ii) contact 
Northgate Public Services immediately on +44(0)1442 768445 quoting the name 
of the sender and the addressee then delete it from your system.
Northgate Public Services has taken reasonable precautions to ensure that 
no viruses are contained in this email, but does not accept any 
responsibility once this email has been transmitted.  You should scan 
attachments (if any) for viruses.

Northgate Public Services (UK) Limited, registered in England and Wales 
under number 00968498 with a registered address of Peoplebuilding 2, 
Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 
4NW.  Rave Technologies (India) Pvt Limited, registered in India under 
number 117068 with a registered

Re: Trouble using SSL with Tomcat 9

2017-09-27 Thread Don Flinn 
Thanks Chuck,

As is obvious, I'm not an experienced admin, but a developer.  I picked
another unused port, 447, and tried again.  I'm not running Tomcat as
root.  I want to get the self signed cert working before purchasing an SSL
certificate.

This WORKED.  Thanks for all the help.  Note that I just picked an unused
port at random, not knowing any better.  I'm sure that there is a more
sophisticated way to pick a port to use.  I'm guessing that if I have
Tomcat grab that port it will keep it while it is running.  But for now I'm
over-joyed,

Don

On Wed, Sep 27, 2017 at 1:24 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Don Flinn [mailto:fl...@alum.mit.edu]
> > Subject: Re: Trouble using SSL with Tomcat 9
>
> > I installed a new download of tomcat 9, established one application with
> > php/java bridge (need php and java access). Set the SSL port to an unused
> > port, 443, and ran my app who's only out put is an H1 message.  This time
> I
> > get the expected error from Chrome with the red warning about bad
> > certificate.  However, the redirect went to https://localhost/Financial/
> > index.php - i.e. NO port number and of course drilling down couldn't find
> > my app which is at port 443, I believe.
>
> Port 443 is the standard HTTPS port, so it won't show up in the https: URL
> since it's the default.
>
> Unless you're running Tomcat as root (a very, very bad idea), you'll need
> to
> use iptables or equivalent to let Tomcat listen on port 443.
> https://wiki.apache.org/tomcat/HowTo#How_to_run_
> Tomcat_without_root_privileg
> es.3F
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>

RE: Trouble using SSL with Tomcat 9

2017-09-27 Thread Caldarale, Charles R 
> From: Don Flinn [mailto:fl...@alum.mit.edu] 
> Subject: Re: Trouble using SSL with Tomcat 9

> I installed a new download of tomcat 9, established one application with
> php/java bridge (need php and java access). Set the SSL port to an unused
> port, 443, and ran my app who's only out put is an H1 message.  This time
I
> get the expected error from Chrome with the red warning about bad
> certificate.  However, the redirect went to https://localhost/Financial/
> index.php - i.e. NO port number and of course drilling down couldn't find
> my app which is at port 443, I believe.

Port 443 is the standard HTTPS port, so it won't show up in the https: URL
since it's the default.

Unless you're running Tomcat as root (a very, very bad idea), you'll need to
use iptables or equivalent to let Tomcat listen on port 443.
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileg
es.3F

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.



smime.p7s
Description: S/MIME cryptographic signature

Re: Trouble using SSL with Tomcat 9

2017-09-27 Thread Don Flinn 
t; to connect.
>> There is no red lined out protocol in any of the
>> browsers.  All the Tomcat
>> logs show no errors or warnings.  I can access
>> applications that are not
>> protected and tomcat itself.
>>
>>
>> I would suggest that you first re-read what you wrote above,
>> line by line,
>> and reflect quietly on what each line is telling you.
>>
>> 1) you say "localhost". That means that you are using a
>> browser as client,
>> on the same machine as the one which is running the server.
>> 2) you also say that one of the browsers is IE.
>> 3) (1) and (2) together imply that the host in a Windows
>> server (and the
>> client also of course).
>> 4) you are not saying which version of Tomcat you are using,
>> neither which
>> version of Java, neither which version of Windows.  That
>> makes helping you
>> more complicated and time-consuming, and delays any help,
>> because now we
>> have to ask you, and you have to respond.
>> 5) "refused to connect" : before any kind of SSL dialog can
>> even take
>> place, the browser must be able to establish a TCP connection
>> to the
>> host:port in question.
>> "refused to connect" seens to indicate that this is not the
>> case.
>> 6) the logs do not show anything : that would seem to
>> corroborate (5) :
>> tomcat does not even see this connection. iow, there is no
>> connection.
>>
>> There are several possible reasons for this.
>> a) Tomcat never opens the port 8443 for listening on it.
>> That can be checked, with tomcat running, with the "netstat"
>> utility
>> program, included in Windows. With the proper arguments
>> (which I will leave
>> to you as an exercise)(but "netstat -h" will help), netstat
>> will show you
>> on which ports tomcat is listening locally.  If this does not
>> include a
>> ":8443" port, then it is not listening on that port, and
>> certainly the logs
>> of tomcat will tell you why.
>> b) tomcat does listen on port 8443, but something else is
>> blocking access
>> to that port.
>> Then you probably have to check your local firewall settings
>> (or whatever
>> else in whatever version of Windows may be blocking
>> connections to a port).
>>
>> Another quick way to check if tomcat (or anything) is
>> listening on port
>>     8443 (and/or something is blocking it) would be, in a command
>> window, to
>> run the following command :
>> telnet localhost 8443
>> (also with tomcat running)
>> If it also tells you "no connection", then (a) or (b) above
>> would be
>> confirmed.
>> If it connects, then you may get another message, due to the
>> fact that it
>> expects an SSL connection. (If it did not expect an SSL
>> connection, you'd
>> just get a blank page until you type something else).
>> Obviously, access to tomcat's port 8080 is fine, so you can
>> compare the
>> responses above with what happens when you substitute 8080
>> for 8443.
>>
>> Once the above is really cleared up, then it may be worth
>> looking at the
>> rest of the information which you sent below.
>>
>>If I set 
>>
>> CONFIDENTIAL to NONE everything
>> works with
>> localhost:8080.
>>
>> My SSL files in tomcat -
>>
>> *server.xml -*
>>
>> Connector
>> protocol="org.apache.coyote.ht
>> <http://org.apache.coyote.ht>tp11.Http11NioProtocol"
>> scheme="https"
>> sslImplementationName="org.apa
>> che.tomcat.util.net.jsse.JSSEI
>> mplementation"
>> SSLEnabled="true" acceptCount="100" clientAuth="false"
>> disableUploadTimeout="true" enableLookups="false"
>> maxThreads="25"
>>

Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread Don Flinn 
   If it isn't open, the tomcat logs should tell you why.
>>
>>
>>
>>
>>
>> Don
>>
>>
>>
>> On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <
>> a...@ice-sa.com
>> <mailto:a...@ice-sa.com>>
>> wrote:
>>
>> On 24.09.2017 02 <tel:24.09.2017%2002>:36, Don Flinn wrote:
>>
>> I'm trying to use a self signed certificate generated in
>> keytool.  When I
>> run the application Chrome, Firefox and internet Explorer
>> using
>> localhost:8080/ all the browsers do a redirect to
>> localhost:8443
>> and
>> then return This site can’t be reachedL*ocalhost* refused
>> to connect.
>> There is no red lined out protocol in any of the
>> browsers.  All the Tomcat
>> logs show no errors or warnings.  I can access
>> applications that are not
>> protected and tomcat itself.
>>
>>
>> I would suggest that you first re-read what you wrote above,
>> line by line,
>> and reflect quietly on what each line is telling you.
>>
>> 1) you say "localhost". That means that you are using a
>> browser as client,
>> on the same machine as the one which is running the server.
>> 2) you also say that one of the browsers is IE.
>> 3) (1) and (2) together imply that the host in a Windows
>> server (and the
>> client also of course).
>> 4) you are not saying which version of Tomcat you are using,
>> neither which
>> version of Java, neither which version of Windows.  That
>> makes helping you
>> more complicated and time-consuming, and delays any help,
>> because now we
>> have to ask you, and you have to respond.
>> 5) "refused to connect" : before any kind of SSL dialog can
>> even take
>> place, the browser must be able to establish a TCP connection
>> to the
>> host:port in question.
>> "refused to connect" seens to indicate that this is not the
>> case.
>> 6) the logs do not show anything : that would seem to
>> corroborate (5) :
>> tomcat does not even see this connection. iow, there is no
>> connection.
>>
>> There are several possible reasons for this.
>> a) Tomcat never opens the port 8443 for listening on it.
>> That can be checked, with tomcat running, with the "netstat"
>> utility
>> program, included in Windows. With the proper arguments
>> (which I will leave
>> to you as an exercise)(but "netstat -h" will help), netstat
>> will show you
>> on which ports tomcat is listening locally.  If this does not
>> include a
>> ":8443" port, then it is not listening on that port, and
>> certainly the logs
>> of tomcat will tell you why.
>> b) tomcat does listen on port 8443, but something else is
>> blocking access
>> to that port.
>> Then you probably have to check your local firewall settings
>> (or whatever
>> else in whatever version of Windows may be blocking
>> connections to a port).
>>
>> Another quick way to check if tomcat (or anything) is
>> listening on port
>> 8443 (and/or something is blocking it) would be, in a command
>> window, to
>> run the following command :
>> telnet localhost 8443
>> (also with tomcat running)
>> If it also tells you "no connection", then (a) or (b) above
>> would be
>> confirmed.
>> If it connects, then you may get another message, due to the
>> fact that it
>> expects an SSL connection. (If it did not expect an SSL
>> connection, you'd
>> just get a blank page until you type something else).
>> Obviously, access to tomcat's port 8080 is fine, so you can
>> compare the
>> responses above with what happens when you substitute 8080
>> for 8443.
>>
>> Once the above is really cleared up, then it may be worth
>> looking at the
>> rest of the information which you sent below.
>>
>>

Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread tomcat 
e proper arguments (which I 
will leave
to you as an exercise)(but "netstat -h" will help), netstat will 
show you
on which ports tomcat is listening locally.  If this does not 
include a
":8443" port, then it is not listening on that port, and certainly 
the logs
of tomcat will tell you why.
b) tomcat does listen on port 8443, but something else is blocking 
access
to that port.
Then you probably have to check your local firewall settings (or 
whatever
else in whatever version of Windows may be blocking connections to 
a port).

Another quick way to check if tomcat (or anything) is listening on 
port
8443 (and/or something is blocking it) would be, in a command 
window, to
run the following command :
telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be
confirmed.
If it connects, then you may get another message, due to the fact 
that it
expects an SSL connection. (If it did not expect an SSL connection, 
you'd
just get a blank page until you type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare 
the
responses above with what happens when you substitute 8080 for 8443.

Once the above is really cleared up, then it may be worth looking 
at the
rest of the information which you sent below.

   If I set 

CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

Connector
protocol="org.apache.coyote.ht
<http://org.apache.coyote.ht>tp11.Http11NioProtocol" 
scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEI
mplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" 
maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" 
keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*


   
   Financials
   /*
   
   
   
CONFIDENTIAL
   


*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> 
"%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, 
ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, 
ST=Unknown,
C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 
12:57:19 EDT
2018
Certificate fingerprints:
MD5:  
11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
SHA1: 63:EF:21:21:3C:22:82:46:21:84:
9C:81:C6:B0:C1:EC:0F:1C:87:31
SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:
0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  
F.H.T*T.$."...n..
0010: BE 6F 4A 49.oJI
]
]

What am I doing wrong?  I want to get a self-signed keystore 
working
before
I purchase a commercial certificate.

Don




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
<mailto:users-unsubscr.

Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread Don Flinn 
ever version of Windows may be blocking connections to a
>>> port).
>>>
>>> Another quick way to check if tomcat (or anything) is listening on port
>>> 8443 (and/or something is blocking it) would be, in a command window, to
>>> run the following command :
>>> telnet localhost 8443
>>> (also with tomcat running)
>>> If it also tells you "no connection", then (a) or (b) above would be
>>> confirmed.
>>> If it connects, then you may get another message, due to the fact that it
>>> expects an SSL connection. (If it did not expect an SSL connection, you'd
>>> just get a blank page until you type something else).
>>> Obviously, access to tomcat's port 8080 is fine, so you can compare the
>>> responses above with what happens when you substitute 8080 for 8443.
>>>
>>> Once the above is really cleared up, then it may be worth looking at the
>>> rest of the information which you sent below.
>>>
>>>   If I set 
>>>
>>> CONFIDENTIAL to NONE everything works with
>>>> localhost:8080.
>>>>
>>>> My SSL files in tomcat -
>>>>
>>>> *server.xml -*
>>>>
>>>> Connector
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>>>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEI
>>>> mplementation"
>>>> SSLEnabled="true" acceptCount="100" clientAuth="false"
>>>> disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>>>> port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>>>> secure="true" sslProtocol="TLS" clientAuth="false" />
>>>>
>>>> *web.xml -*
>>>>
>>>> 
>>>>   
>>>>   Financials
>>>>   /*
>>>>   
>>>>   
>>>>   CONFIDENTIAL
>>>>   
>>>> 
>>>>
>>>> *the output from my keystore  list -*
>>>>
>>>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
>>>> -list  -v -keystore c:/temp/mkeystore2.jks
>>>> Enter keystore password:
>>>>
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>>
>>>> Your keystore contains 1 entry
>>>>
>>>> Alias name: tomcat
>>>> Creation date: Sep 23, 2017
>>>> Entry type: PrivateKeyEntry
>>>> Certificate chain length: 1
>>>> Certificate[1]:
>>>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
>>>> C=Unknown
>>>> Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
>>>> C=Unknown
>>>> Serial number: 6b5fe428
>>>> Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT
>>>> 2018
>>>> Certificate fingerprints:
>>>>MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>>>SHA1: 63:EF:21:21:3C:22:82:46:21:84:
>>>> 9C:81:C6:B0:C1:EC:0F:1C:87:31
>>>>SHA256:
>>>> 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:
>>>> 0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>>>>Signature algorithm name: SHA256withRSA
>>>>Version: 3
>>>>
>>>> Extensions:
>>>>
>>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>>> SubjectKeyIdentifier [
>>>> KeyIdentifier [
>>>> : 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14
>>>> F.H.T*T.$."...n..
>>>> 0010: BE 6F 4A 49.oJI
>>>> ]
>>>> ]
>>>>
>>>> What am I doing wrong?  I want to get a self-signed keystore working
>>>> before
>>>> I purchase a commercial certificate.
>>>>
>>>> Don
>>>>
>>>>
>>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> F

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread tomcat 

On 24.09.2017 16:08, Don Flinn wrote:

Andre,

I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbee in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.


Maybe wait just a second more, before you go digging in the firewall.
You say that you found out that "the port is not open".
That is not the same thing as
- the port /is/ open
- but it cannot be connected to
If netstat shows the port open and listening, but you cannot connect to it with telnet, it 
is probably a firewall issue.

But if the port is not open, then it is a tomcat issue.
Provided that you configured tomcat properly, the port should be open, firewall or no 
firewall. (A firewall can only block access by a client, to a server port that is open. It 
cannot prevent a server process to open that port for listening.)

If it isn't open, the tomcat logs should tell you why.






Don



On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:


On 24.09.2017 02:36, Don Flinn wrote:


I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/ all the browsers do a redirect to localhost:8443
and
then return This site can’t be reachedL*ocalhost* refused to connect.
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself.



I would suggest that you first re-read what you wrote above, line by line,
and reflect quietly on what each line is telling you.

1) you say "localhost". That means that you are using a browser as client,
on the same machine as the one which is running the server.
2) you also say that one of the browsers is IE.
3) (1) and (2) together imply that the host in a Windows server (and the
client also of course).
4) you are not saying which version of Tomcat you are using, neither which
version of Java, neither which version of Windows.  That makes helping you
more complicated and time-consuming, and delays any help, because now we
have to ask you, and you have to respond.
5) "refused to connect" : before any kind of SSL dialog can even take
place, the browser must be able to establish a TCP connection to the
host:port in question.
"refused to connect" seens to indicate that this is not the case.
6) the logs do not show anything : that would seem to corroborate (5) :
tomcat does not even see this connection. iow, there is no connection.

There are several possible reasons for this.
a) Tomcat never opens the port 8443 for listening on it.
That can be checked, with tomcat running, with the "netstat" utility
program, included in Windows. With the proper arguments (which I will leave
to you as an exercise)(but "netstat -h" will help), netstat will show you
on which ports tomcat is listening locally.  If this does not include a
":8443" port, then it is not listening on that port, and certainly the logs
of tomcat will tell you why.
b) tomcat does listen on port 8443, but something else is blocking access
to that port.
Then you probably have to check your local firewall settings (or whatever
else in whatever version of Windows may be blocking connections to a port).

Another quick way to check if tomcat (or anything) is listening on port
8443 (and/or something is blocking it) would be, in a command window, to
run the following command :
telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be
confirmed.
If it connects, then you may get another message, due to the fact that it
expects an SSL connection. (If it did not expect an SSL connection, you'd
just get a blank page until you type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare the
responses above with what happens when you substitute 8080 for 8443.

Once the above is really cleared up, then it may be worth looking at the
rest of the information which you sent below.

  If I set 


CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEI
mplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="2

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread Don Flinn 
Andre,

I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbee in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.

Don



On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 24.09.2017 02:36, Don Flinn wrote:
>
>> I'm trying to use a self signed certificate generated in keytool.  When I
>> run the application Chrome, Firefox and internet Explorer using
>> localhost:8080/ all the browsers do a redirect to localhost:8443
>> and
>> then return This site can’t be reachedL*ocalhost* refused to connect.
>> There is no red lined out protocol in any of the browsers.  All the Tomcat
>> logs show no errors or warnings.  I can access applications that are not
>> protected and tomcat itself.
>>
>
> I would suggest that you first re-read what you wrote above, line by line,
> and reflect quietly on what each line is telling you.
>
> 1) you say "localhost". That means that you are using a browser as client,
> on the same machine as the one which is running the server.
> 2) you also say that one of the browsers is IE.
> 3) (1) and (2) together imply that the host in a Windows server (and the
> client also of course).
> 4) you are not saying which version of Tomcat you are using, neither which
> version of Java, neither which version of Windows.  That makes helping you
> more complicated and time-consuming, and delays any help, because now we
> have to ask you, and you have to respond.
> 5) "refused to connect" : before any kind of SSL dialog can even take
> place, the browser must be able to establish a TCP connection to the
> host:port in question.
> "refused to connect" seens to indicate that this is not the case.
> 6) the logs do not show anything : that would seem to corroborate (5) :
> tomcat does not even see this connection. iow, there is no connection.
>
> There are several possible reasons for this.
> a) Tomcat never opens the port 8443 for listening on it.
> That can be checked, with tomcat running, with the "netstat" utility
> program, included in Windows. With the proper arguments (which I will leave
> to you as an exercise)(but "netstat -h" will help), netstat will show you
> on which ports tomcat is listening locally.  If this does not include a
> ":8443" port, then it is not listening on that port, and certainly the logs
> of tomcat will tell you why.
> b) tomcat does listen on port 8443, but something else is blocking access
> to that port.
> Then you probably have to check your local firewall settings (or whatever
> else in whatever version of Windows may be blocking connections to a port).
>
> Another quick way to check if tomcat (or anything) is listening on port
> 8443 (and/or something is blocking it) would be, in a command window, to
> run the following command :
> telnet localhost 8443
> (also with tomcat running)
> If it also tells you "no connection", then (a) or (b) above would be
> confirmed.
> If it connects, then you may get another message, due to the fact that it
> expects an SSL connection. (If it did not expect an SSL connection, you'd
> just get a blank page until you type something else).
> Obviously, access to tomcat's port 8080 is fine, so you can compare the
> responses above with what happens when you substitute 8080 for 8443.
>
> Once the above is really cleared up, then it may be worth looking at the
> rest of the information which you sent below.
>
>  If I set 
>
>> CONFIDENTIAL to NONE everything works with
>> localhost:8080.
>>
>> My SSL files in tomcat -
>>
>> *server.xml -*
>>
>> Connector
>> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEI
>> mplementation"
>> SSLEnabled="true" acceptCount="100" clientAuth="false"
>> disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>> port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>> secure="true" sslProtocol="TLS" clientAuth="false" />
>>
>> *web.xml -*
>>
>> 
>>  
>>  Financials
>>

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread tomcat 

On 24.09.2017 02:36, Don Flinn wrote:

I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/ all the browsers do a redirect to localhost:8443 and
then return This site can’t be reachedL*ocalhost* refused to connect.
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself.


I would suggest that you first re-read what you wrote above, line by line, and reflect 
quietly on what each line is telling you.


1) you say "localhost". That means that you are using a browser as client, on the same 
machine as the one which is running the server.

2) you also say that one of the browsers is IE.
3) (1) and (2) together imply that the host in a Windows server (and the client also of 
course).
4) you are not saying which version of Tomcat you are using, neither which version of 
Java, neither which version of Windows.  That makes helping you more complicated and 
time-consuming, and delays any help, because now we have to ask you, and you have to respond.
5) "refused to connect" : before any kind of SSL dialog can even take place, the browser 
must be able to establish a TCP connection to the host:port in question.

"refused to connect" seens to indicate that this is not the case.
6) the logs do not show anything : that would seem to corroborate (5) : tomcat does not 
even see this connection. iow, there is no connection.


There are several possible reasons for this.
a) Tomcat never opens the port 8443 for listening on it.
That can be checked, with tomcat running, with the "netstat" utility program, included in 
Windows. With the proper arguments (which I will leave to you as an exercise)(but "netstat 
-h" will help), netstat will show you on which ports tomcat is listening locally.  If this 
does not include a ":8443" port, then it is not listening on that port, and certainly the 
logs of tomcat will tell you why.

b) tomcat does listen on port 8443, but something else is blocking access to 
that port.
Then you probably have to check your local firewall settings (or whatever else in whatever 
version of Windows may be blocking connections to a port).


Another quick way to check if tomcat (or anything) is listening on port 8443 (and/or 
something is blocking it) would be, in a command window, to run the following command :

telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be confirmed.
If it connects, then you may get another message, due to the fact that it expects an SSL 
connection. (If it did not expect an SSL connection, you'd just get a blank page until you 
type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare the responses above 
with what happens when you substitute 8080 for 8443.


Once the above is really cleared up, then it may be worth looking at the rest of the 
information which you sent below.


 If I set 

CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*


 
 Financials
 /*
 
 
 CONFIDENTIAL
 


*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
Certificate fingerprints:
  MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
  SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
  SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
  Signature algorithm name: SHA256withRSA
  Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [

Trouble using SSL with Tomcat 9

2017-09-23 Thread Don Flinn 
I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/ all the browsers do a redirect to localhost:8443 and
then return This site can’t be reachedL*ocalhost* refused to connect.
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself. If I set 
CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*



Financials
/*


CONFIDENTIAL



*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
Certificate fingerprints:
 MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
 SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
 SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
 Signature algorithm name: SHA256withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n.
0010: BE 6F 4A 49.oJI
]
]

What am I doing wrong?  I want to get a self-signed keystore working before
I purchase a commercial certificate.

Don

Re: New to SSL - debugging tomcat

2016-12-22 Thread Peter Wallis 
Thanks Chris,
 that seems to connect but sends no data back? The error is
 3074385544:error:1409E0E5:SSL ... :ssl handshake failure:s3_pkt.c:637
Returns:

CONNECTED(0003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1482460650
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
 I was trying to do something I thought was very standard.

 So, is this "an evolving standard" issue?  Is it something I have done
with keytool when producing a csr?  It is obviously not just openssl that
takes issue with TLS handshakes.  Is it just java in general? Or should I
be getting back to my certificate provider with a specific request? Change
provider?

P

On 22 December 2016 at 18:41, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Peter,
>
> On 12/22/16 12:52 PM, Peter Wallis wrote:
> > Ahh! changed the server.xml entries to 8443 tried: openssl s_client
> > -connect 192.168.1.149:8443 and got: CONNECTED(0003)
> > 3074541192:error:140790E5SSL routhines:SSL23_WRITE:ssl handshake
> > failure:s23_lib.c:177: --- no peer certificate available --- No
> > client certificate CA names sent --- SSL handshake has read 0 bytes
> > and written 295 bytes --- New, (NONE), Cipher is (ONE) Secure
> > Renegotiation IS NOT supported Compression: NONE Expansion: NONE
> > ---
> >
> > That might mean something (note I retyped it from a ssh connection
> > after a stiff drink so there may be typos)
>
>
> Perfect. The problem is that openssl s_clinent defaults to an SSLv2
> "hello" handshake and not a TLS handshake, which is more appropriate
> in this day and age.
>
> Try this:
>
> $ openssl s_client -tls1 -connect 192.168.1.149:8443
>
> - -chris
>
> > On 22 December 2016 at 16:27, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Peter,
> >
> > On 12/22/16 11:03 AM, Peter Wallis wrote:
>  Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
>  /etc/defaults/tomcat8
> >
> > Okay. Are you sure you've got that configured properly? Try
> > changing port 443 to 8443 in server.xml and bouncing Tomcat. Let's
> > try to solve one problem at a time.
> >
>  re openssl s_client -connect on a different machine; it times
>  out
> 
>  Did have a thought -- one that might not be obvious to you
>  experts -- I am serving that page via No-IP dynamic dns.
>  Their support people are "cagey" about whether this works or
>  not (they don't answer the question and suggest I buy an
>  upgraded service)  I believe people who know what they are
>  doing just run their own dns using unbound?  If that makes no
>  sense, please ignore; I don't know what I'm talking about but
>  it seems we are looking for something I've done that is
>  weird.
> >
> > Let's try this: what's the actual IP address of your pi?
> > 192.168.0.10 or somesuch?
> >
> > Change your port from 443 -> 8443 and then try this:
> >
> > $ openssl s_client -connect 192.168.0.10:8443
> >
> > If that connects and shows the cert, then your TLS configuration
> > is correct. It will complain about the hostname (IP address) not
> > matching the cert's CN, but that's okay).
> >
> > Since you have lots of moving parts, let's find out what's working
> > first and then fix whatever problems remain.
> >
> > -chris
> >
>  On 22 December 2016 at 15:38, Christopher Schultz <
>  ch...@christopherschultz.net> wrote:
> 
>  Peter,
> 
>  On 12/22/16 2:43 AM, Peter Wallis wrote:
> >>> Hi Christopher, so it seems I have done something
> >>> exceptional :-) Thanks for taking a look...
> >>>
> >>>  >>> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>> secure="true" keystoreFile="/home/peter/.keystore"
> >>> alias="tomcat" keystorePass="changeit"
> >>> clientAuth="false" sslProtocol="TLS" />
> 
>  This looks fine except for one thing: you are using port 443
>  on a *NIX system which requires you to either run as root
>  (bad) or make other arrangements. Have you made such
>  arrangements?
> 
> >>> Keystore type: JKS Keystore provider: SUN
> >>>
> >>> Your keystore contains 2 entries
> >>>
> >>> Alias name: gandi Creation date: 21-Dec-2016 Entry
> >>> type: trustedCertEntry
> 
>  Okay, that's your CA.
> 
> >>> Alias name: tomcat Creation date: 21-Dec-2016 Entry
> >>> type: trustedCertEntry
> 
>  Okay, that's presumably your server's cert.
> 
> >>> Owner:

Re: New to SSL - debugging tomcat

2016-12-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 12/22/16 12:52 PM, Peter Wallis wrote:
> Ahh! changed the server.xml entries to 8443 tried: openssl s_client
> -connect 192.168.1.149:8443 and got: CONNECTED(0003) 
> 3074541192:error:140790E5SSL routhines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:177: --- no peer certificate available --- No
> client certificate CA names sent --- SSL handshake has read 0 bytes
> and written 295 bytes --- New, (NONE), Cipher is (ONE) Secure
> Renegotiation IS NOT supported Compression: NONE Expansion: NONE 
> ---
> 
> That might mean something (note I retyped it from a ssh connection
> after a stiff drink so there may be typos)


Perfect. The problem is that openssl s_clinent defaults to an SSLv2
"hello" handshake and not a TLS handshake, which is more appropriate
in this day and age.

Try this:

$ openssl s_client -tls1 -connect 192.168.1.149:8443

- -chris

> On 22 December 2016 at 16:27, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/22/16 11:03 AM, Peter Wallis wrote:
 Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in 
 /etc/defaults/tomcat8
> 
> Okay. Are you sure you've got that configured properly? Try
> changing port 443 to 8443 in server.xml and bouncing Tomcat. Let's
> try to solve one problem at a time.
> 
 re openssl s_client -connect on a different machine; it times
 out
 
 Did have a thought -- one that might not be obvious to you
 experts -- I am serving that page via No-IP dynamic dns.
 Their support people are "cagey" about whether this works or
 not (they don't answer the question and suggest I buy an
 upgraded service)  I believe people who know what they are
 doing just run their own dns using unbound?  If that makes no
 sense, please ignore; I don't know what I'm talking about but
 it seems we are looking for something I've done that is
 weird.
> 
> Let's try this: what's the actual IP address of your pi?
> 192.168.0.10 or somesuch?
> 
> Change your port from 443 -> 8443 and then try this:
> 
> $ openssl s_client -connect 192.168.0.10:8443
> 
> If that connects and shows the cert, then your TLS configuration
> is correct. It will complain about the hostname (IP address) not
> matching the cert's CN, but that's okay).
> 
> Since you have lots of moving parts, let's find out what's working 
> first and then fix whatever problems remain.
> 
> -chris
> 
 On 22 December 2016 at 15:38, Christopher Schultz < 
 ch...@christopherschultz.net> wrote:
 
 Peter,
 
 On 12/22/16 2:43 AM, Peter Wallis wrote:
>>> Hi Christopher, so it seems I have done something
>>> exceptional :-) Thanks for taking a look...
>>> 
>>> >> protocol="org.apache.coyote.http11.Http11NioProtocol" 
>>> maxThreads="150" SSLEnabled="true" scheme="https" 
>>> secure="true" keystoreFile="/home/peter/.keystore" 
>>> alias="tomcat" keystorePass="changeit"
>>> clientAuth="false" sslProtocol="TLS" />
 
 This looks fine except for one thing: you are using port 443
 on a *NIX system which requires you to either run as root
 (bad) or make other arrangements. Have you made such
 arrangements?
 
>>> Keystore type: JKS Keystore provider: SUN
>>> 
>>> Your keystore contains 2 entries
>>> 
>>> Alias name: gandi Creation date: 21-Dec-2016 Entry
>>> type: trustedCertEntry
 
 Okay, that's your CA.
 
>>> Alias name: tomcat Creation date: 21-Dec-2016 Entry
>>> type: trustedCertEntry
 
 Okay, that's presumably your server's cert.
 
>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, 
>>> OU=Domain Control Validated
 
 If that's your site name (alexa.proseco.co.uk) this looks
 good.
 
 What happens if you do this from the outside (e.g. not on the
 pi itself) :
 
 $ openssl s_client -connect alexa.proseco.co.uk:443
 
 -chris
> 
> --
- ---
>
>
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail:
> users-h...@tomcat.apache.org
> 
> 
 
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYXB5uAAoJEBzwKT+lPKRY+ZYP/1faZ00ji63QXmcx4aKC/6IM
F++ivxg+QaDivCcPmQn4oYKYXyy/Yhq0eEvj7EyyQ0OVEEqJv5f/WwpW1uOEmz5E
Lx8KI+ZNwQiDRy2VqSUkhUV09sodDVanX2BCpY0VGfy8fbtRHJfZbcTf3xUH+j/D
ofeG7NbuWIrD8NRLvL4wPRv2jDhkLMPQ5tw6JcghLFkMS6/CzOELS4UpaMlI1Iel
nYBFlFpL8e+c0r6OU+jiwBMnn1sOuqe96mxN8gj9O7QJ0wlXZocoTOf/AptPWI08

Re: New to SSL - debugging tomcat

2016-12-22 Thread Peter Wallis 
Ahh!
changed the server.xml entries to 8443
tried:
  openssl s_client -connect 192.168.1.149:8443
and got:
  CONNECTED(0003)
3074541192:error:140790E5SSL routhines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (ONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

That might mean something (note I retyped it from a ssh connection after a
stiff drink so there may be typos)

P

On 22 December 2016 at 16:27, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Peter,
>
> On 12/22/16 11:03 AM, Peter Wallis wrote:
> > Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> > /etc/defaults/tomcat8
>
> Okay. Are you sure you've got that configured properly? Try changing
> port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
> one problem at a time.
>
> > re openssl s_client -connect on a different machine; it times out
> >
> > Did have a thought -- one that might not be obvious to you experts
> > -- I am serving that page via No-IP dynamic dns.  Their support
> > people are "cagey" about whether this works or not (they don't
> > answer the question and suggest I buy an upgraded service)  I
> > believe people who know what they are doing just run their own dns
> > using unbound?  If that makes no sense, please ignore; I don't know
> > what I'm talking about but it seems we are looking for something
> > I've done that is weird.
>
> Let's try this: what's the actual IP address of your pi? 192.168.0.10
> or somesuch?
>
> Change your port from 443 -> 8443 and then try this:
>
> $ openssl s_client -connect 192.168.0.10:8443
>
> If that connects and shows the cert, then your TLS configuration is
> correct. It will complain about the hostname (IP address) not matching
> the cert's CN, but that's okay).
>
> Since you have lots of moving parts, let's find out what's working
> first and then fix whatever problems remain.
>
> - -chris
>
> > On 22 December 2016 at 15:38, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Peter,
> >
> > On 12/22/16 2:43 AM, Peter Wallis wrote:
>  Hi Christopher, so it seems I have done something exceptional
>  :-) Thanks for taking a look...
> 
>    protocol="org.apache.coyote.http11.Http11NioProtocol"
>  maxThreads="150" SSLEnabled="true" scheme="https"
>  secure="true" keystoreFile="/home/peter/.keystore"
>  alias="tomcat" keystorePass="changeit" clientAuth="false"
>  sslProtocol="TLS" />
> >
> > This looks fine except for one thing: you are using port 443 on a
> > *NIX system which requires you to either run as root (bad) or make
> > other arrangements. Have you made such arrangements?
> >
>  Keystore type: JKS Keystore provider: SUN
> 
>  Your keystore contains 2 entries
> 
>  Alias name: gandi Creation date: 21-Dec-2016 Entry type:
>  trustedCertEntry
> >
> > Okay, that's your CA.
> >
>  Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
>  trustedCertEntry
> >
> > Okay, that's presumably your server's cert.
> >
>  Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
>  OU=Domain Control Validated
> >
> > If that's your site name (alexa.proseco.co.uk) this looks good.
> >
> > What happens if you do this from the outside (e.g. not on the pi
> > itself) :
> >
> > $ openssl s_client -connect alexa.proseco.co.uk:443
> >
> > -chris
> >>
> >> -
> >>
> >>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJYW/7iAAoJEBzwKT+lPKRYrG8P/RvLPGw1Xs9nckpTnrDWO8DA
> 1Df5CIEign1cbPTiO1MsMqUG0ZttsntWBCDO9dXUZ4COgjjQlj0svMQkhMqYFAeS
> GplutOm2ogcSlmh0asmmQlhcca3KYf4JCxe6I2MAO7jvgzaqP5YQBkP8yXK+RRtP
> hkhvqRfBJxChNtZ9L40HoFqUputXe+8aGTSoIUXVmi66xzj3sdn7SHJ3ktVE2ewp
> 1q9paiMZeR21l+NsgAdqm+aZO02DMvhgDXHCcmD/CHdcNETO0VplZk2x97QKJcSn
> dXny45c+uuGQxMIEcfokMWDVl0WqYQjBUaWdh7TvX45Ovbp5QZVlVDh2dinWEFVV
> 2wsGrODf22BFccvEvrZhVdT4G1efkpiHn2F4z0TO0DCjnYnvmMLJ7RRAjxKlDU9c
> xdi124ByqoBgF42iS5BN1tlM9pzfefsHlqf0kR/zNxcqtEwLejm3/B/2CKTm2Lvw
> EM0CBzYrz5WOybcYdlpCwHM9KEZBnO3Vh3NX0sdWc7OMFmmaofySuQEpnpQWP71z
> AMGCRdvPDNV1r4WP0gu8R4piOMWf2I234mi89g4Z2ebJ8Ymi+jk7dKTrl6BO/l+Y
> NkKPjURv7pk1pXm2qGkB7sQDaTTKQLvBu86c9QCzrXP1zN727JTTrVFUfu0BIHfG
> /kMLCZzFz938B9ZwBlER
> =GA0t
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: New to SSL - debugging tomcat

2016-12-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 12/22/16 11:03 AM, Peter Wallis wrote:
> Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in
> /etc/defaults/tomcat8

Okay. Are you sure you've got that configured properly? Try changing
port 443 to 8443 in server.xml and bouncing Tomcat. Let's try to solve
one problem at a time.

> re openssl s_client -connect on a different machine; it times out
> 
> Did have a thought -- one that might not be obvious to you experts
> -- I am serving that page via No-IP dynamic dns.  Their support
> people are "cagey" about whether this works or not (they don't
> answer the question and suggest I buy an upgraded service)  I
> believe people who know what they are doing just run their own dns
> using unbound?  If that makes no sense, please ignore; I don't know
> what I'm talking about but it seems we are looking for something
> I've done that is weird.

Let's try this: what's the actual IP address of your pi? 192.168.0.10
or somesuch?

Change your port from 443 -> 8443 and then try this:

$ openssl s_client -connect 192.168.0.10:8443

If that connects and shows the cert, then your TLS configuration is
correct. It will complain about the hostname (IP address) not matching
the cert's CN, but that's okay).

Since you have lots of moving parts, let's find out what's working
first and then fix whatever problems remain.

- -chris

> On 22 December 2016 at 15:38, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/22/16 2:43 AM, Peter Wallis wrote:
 Hi Christopher, so it seems I have done something exceptional
 :-) Thanks for taking a look...
 
 >>> protocol="org.apache.coyote.http11.Http11NioProtocol" 
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" keystoreFile="/home/peter/.keystore"
 alias="tomcat" keystorePass="changeit" clientAuth="false"
 sslProtocol="TLS" />
> 
> This looks fine except for one thing: you are using port 443 on a
> *NIX system which requires you to either run as root (bad) or make
> other arrangements. Have you made such arrangements?
> 
 Keystore type: JKS Keystore provider: SUN
 
 Your keystore contains 2 entries
 
 Alias name: gandi Creation date: 21-Dec-2016 Entry type: 
 trustedCertEntry
> 
> Okay, that's your CA.
> 
 Alias name: tomcat Creation date: 21-Dec-2016 Entry type: 
 trustedCertEntry
> 
> Okay, that's presumably your server's cert.
> 
 Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL,
 OU=Domain Control Validated
> 
> If that's your site name (alexa.proseco.co.uk) this looks good.
> 
> What happens if you do this from the outside (e.g. not on the pi
> itself) :
> 
> $ openssl s_client -connect alexa.proseco.co.uk:443
> 
> -chris
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYW/7iAAoJEBzwKT+lPKRYrG8P/RvLPGw1Xs9nckpTnrDWO8DA
1Df5CIEign1cbPTiO1MsMqUG0ZttsntWBCDO9dXUZ4COgjjQlj0svMQkhMqYFAeS
GplutOm2ogcSlmh0asmmQlhcca3KYf4JCxe6I2MAO7jvgzaqP5YQBkP8yXK+RRtP
hkhvqRfBJxChNtZ9L40HoFqUputXe+8aGTSoIUXVmi66xzj3sdn7SHJ3ktVE2ewp
1q9paiMZeR21l+NsgAdqm+aZO02DMvhgDXHCcmD/CHdcNETO0VplZk2x97QKJcSn
dXny45c+uuGQxMIEcfokMWDVl0WqYQjBUaWdh7TvX45Ovbp5QZVlVDh2dinWEFVV
2wsGrODf22BFccvEvrZhVdT4G1efkpiHn2F4z0TO0DCjnYnvmMLJ7RRAjxKlDU9c
xdi124ByqoBgF42iS5BN1tlM9pzfefsHlqf0kR/zNxcqtEwLejm3/B/2CKTm2Lvw
EM0CBzYrz5WOybcYdlpCwHM9KEZBnO3Vh3NX0sdWc7OMFmmaofySuQEpnpQWP71z
AMGCRdvPDNV1r4WP0gu8R4piOMWf2I234mi89g4Z2ebJ8Ymi+jk7dKTrl6BO/l+Y
NkKPjURv7pk1pXm2qGkB7sQDaTTKQLvBu86c9QCzrXP1zN727JTTrVFUfu0BIHfG
/kMLCZzFz938B9ZwBlER
=GA0t
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: New to SSL - debugging tomcat

2016-12-22 Thread Peter Wallis 
Hi Christopher,
 re 443 on *nix; yes, set AUTHBIND='yes' in /etc/defaults/tomcat8
 re openssl s_client -connect on a different machine; it times out

Did have a thought -- one that might not be obvious to you experts -- I am
serving that page via No-IP dynamic dns.  Their support people are "cagey"
about whether this works or not (they don't answer the question and suggest
I buy an upgraded service)  I believe people who know what they are doing
just run their own dns using unbound?  If that makes no sense, please
ignore; I don't know what I'm talking about but it seems we are looking for
something I've done that is weird.

P

On 22 December 2016 at 15:38, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Peter,
>
> On 12/22/16 2:43 AM, Peter Wallis wrote:
> > Hi Christopher, so it seems I have done something exceptional :-)
> > Thanks for taking a look...
> >
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keystoreFile="/home/peter/.keystore" alias="tomcat"
> > keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
>
> This looks fine except for one thing: you are using port 443 on a *NIX
> system which requires you to either run as root (bad) or make other
> arrangements. Have you made such arrangements?
>
> > Keystore type: JKS Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > Alias name: gandi Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's your CA.
>
> > Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's presumably your server's cert.
>
> > Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain
> > Control Validated
>
> If that's your site name (alexa.proseco.co.uk) this looks good.
>
> What happens if you do this from the outside (e.g. not on the pi itself)
> :
>
> $ openssl s_client -connect alexa.proseco.co.uk:443
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJYW/NwAAoJEBzwKT+lPKRYbf0P/3LawCFJivA7997fbYvFCw5h
> A9p1aWXNYMzRiaGcltoYk+fZVtTQ0Ve5mBtSDV8nN+mulEt2mPD6nxbvhjw1H24z
> pononiduIpv30QduqlXQeczUtdptjNMzsDP+zg1HdnEF45xSmQl/egn3/QCBqMIH
> hYNmxgxJpipDlruv5sNhM/0BRF2jvmG3mqByX/ayguCP7eC16nXMzYriVMauUj+L
> QVZHlitdeLu8ZcHMxKz0B60gho64Hivlf/HlEiEINtyq5jYgN16dLNRzuMlZ34cd
> UAdOtT28eA4hIfK4KQZrpO/iSNn4gaKV7wBH8FswvgqJdLBT/ucKuzWOmfMY0cBx
> vLtBK6y1XFasfkGOkWoS8I2ViomygUgWDTIsFSmikaMgqJg2joxatLx50rT6oXyo
> KM4y074J8CSwxP+/UiwugRGCfiDfRHDZErEWXTpQmcsHrrSwJWlqCk6l/gUscB/X
> XM3XLKFK+8JUXnsYHYe9lylrrfHKUm8SgNVkQsBF7b7RHtKh1kWJjD2/xMFb3C0P
> FuZnNdFc22MEaDnisp5ofqDAYNTDvJLkVn+2ererNmeWdrRq8Cf7/X4QrLeTlMh/
> 7GcRGq0C9/2ZRc+1pyFhjfef6MwZ1wceqiquBZYokdyoPHdQ82VAyPg1ffVRfskl
> 1TsRsxA+hHeIkgCE161B
> =yhHl
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: New to SSL - debugging tomcat

2016-12-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 12/22/16 2:43 AM, Peter Wallis wrote:
> Hi Christopher, so it seems I have done something exceptional :-)
> Thanks for taking a look...
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
> keystoreFile="/home/peter/.keystore" alias="tomcat" 
> keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

This looks fine except for one thing: you are using port 443 on a *NIX
system which requires you to either run as root (bad) or make other
arrangements. Have you made such arrangements?

> Keystore type: JKS Keystore provider: SUN
> 
> Your keystore contains 2 entries
> 
> Alias name: gandi Creation date: 21-Dec-2016 Entry type:
> trustedCertEntry

Okay, that's your CA.

> Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
> trustedCertEntry

Okay, that's presumably your server's cert.

> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain
> Control Validated

If that's your site name (alexa.proseco.co.uk) this looks good.

What happens if you do this from the outside (e.g. not on the pi itself)
:

$ openssl s_client -connect alexa.proseco.co.uk:443

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYW/NwAAoJEBzwKT+lPKRYbf0P/3LawCFJivA7997fbYvFCw5h
A9p1aWXNYMzRiaGcltoYk+fZVtTQ0Ve5mBtSDV8nN+mulEt2mPD6nxbvhjw1H24z
pononiduIpv30QduqlXQeczUtdptjNMzsDP+zg1HdnEF45xSmQl/egn3/QCBqMIH
hYNmxgxJpipDlruv5sNhM/0BRF2jvmG3mqByX/ayguCP7eC16nXMzYriVMauUj+L
QVZHlitdeLu8ZcHMxKz0B60gho64Hivlf/HlEiEINtyq5jYgN16dLNRzuMlZ34cd
UAdOtT28eA4hIfK4KQZrpO/iSNn4gaKV7wBH8FswvgqJdLBT/ucKuzWOmfMY0cBx
vLtBK6y1XFasfkGOkWoS8I2ViomygUgWDTIsFSmikaMgqJg2joxatLx50rT6oXyo
KM4y074J8CSwxP+/UiwugRGCfiDfRHDZErEWXTpQmcsHrrSwJWlqCk6l/gUscB/X
XM3XLKFK+8JUXnsYHYe9lylrrfHKUm8SgNVkQsBF7b7RHtKh1kWJjD2/xMFb3C0P
FuZnNdFc22MEaDnisp5ofqDAYNTDvJLkVn+2ererNmeWdrRq8Cf7/X4QrLeTlMh/
7GcRGq0C9/2ZRc+1pyFhjfef6MwZ1wceqiquBZYokdyoPHdQ82VAyPg1ffVRfskl
1TsRsxA+hHeIkgCE161B
=yhHl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: New to SSL - debugging tomcat

2016-12-21 Thread Peter Wallis 
ote:
> > Hi all, I have tomcat 8.0.39 running on a raspberry pi (easy) and
> > thought I'd try setting it up to provide "skills" for the Amazon
> > Echo Alexa service.  This requires a url which "presents" either a
> > signed certificate, or a self-signed certificate.
> >
> > Using fiirefox to check, I believe I got it presenting a
> > self-signed certificate but, as I have bought a domain name with a
> > free certificate, I thought I get that running before moving on to
> > delivering skills.
>
> Sounds good.
>
> > A month later (this is not my day job) I'm still stuck.  sslchecker
> > is the most informative and says no certificates were found.  It
> > does say "Server Type: Apache-Coyote 1.1"
>
> Okay, so you can make a connection: that's good :)
>
> > No messages on catalina.out; occasionally a message on
> > xxx_access_log saying "HEAD / HTTP/1.1" 200 -"  openssl verify just
> > hangs; and Firefox says secure connection failed.
>
> Okay, so we have a place to start. First of all, "openssl verify"
> isn't what you want to use to connect. Instead, you want "openssl
> s_client".
>
> Can you post your  configuration?
>
> > The problem might be an issue with the CA; it might be my keystore;
> > it might be my tomcat settings.  I don't think it is the latter
> > because the self signed certificate seemed to work.  I don't think
> > it is the CA or keystore because I can a) verify the certificate
> > chain with openssl and the keystore tells me I have the
> > certificates I think I have.
>
> What matters is what the server (Tomcat) is presenting to the client,
> not what's actually in the keystore (though usually they are very
> closely related).
>
> > I have googled for getting tomcat to give some debug information
> > but what I've found so far has no effect.  Can someone point me to
> > the official how-to debug ssl issues on tomcat?
>
> There isn't really an official "Tomcat" TLS debugging how-to, because
> they are all pretty much the same. Most of the confusion occurs in one
> specific place: key/cert management (key, csr, cert, chain, etc.)
> because if you don't understand it, it's easy to get lost.
>
> Along with posting your  configuration, can you post the
> output of this command:
>
> $ keytool -list -verbose -keystore [keystorename]
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJYWvFWAAoJEBzwKT+lPKRYqdsQAKZxQQz1PF5VH88y1IDRLq2+
> qegBtNOF+oTTzueeWveFnUS13stvYBpxNC0jU8GHt1jsbSs13hlxUby7trstAhev
> nmQCvd31g+8i7VQOKpUSAyCBHJBrZn9FAhcJDrVdZZP7SInCp4KzmyNnUUEAIgQs
> hsqm3LaquabergPUwidXMlBD7P6mZ+74GorGoX06J6/ivaP6RRrxG1OVDeYzH/mZ
> ai8x9Q/UOtaFJOrb7tK6JJRNQaiSb7Pryozrdu/81Gi9pDALToden1LWlqa1nvHF
> xBpbM1lTEs0W24gACZtaGv2IJsNoFgJ76/S9nLH5NOMDZBNPnpfhoAQrOUH9YHIt
> hme4kltU69saE10hkvqrsvVQ5XplXwD4F3q8XnE2JHYv0bTl8cg7fL3yvtPPXUCC
> pIe1QioEAu+nKVrpV7KvPfYGhAsxJ2kVcho/bv+sANEWyMEqqfRR/zCnOU5Ge7OE
> e7OrQylXVcXQazfV0Hxd62CYCKW0lhx8Vm60q9sr4QcsYr21QRKr6NUWvC8PQTci
> XEpyKYEJ4E8CMxpaOqGl9khpQzkCnSxhRPg1nrlsWc/dDML8BnEuwF3xAR4pObP3
> BRrMEhldoN/px/TPqTTnNxh9qr2A2Y+K3x/Ptg1VxGXiwFbEcTYVSh5rKaoASsLz
> o3RRxtRPiC1NrAlTK2Bc
> =AKTz
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: New to SSL - debugging tomcat

2016-12-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Peter,

On 12/21/16 4:22 AM, Peter Wallis wrote:
> Hi all, I have tomcat 8.0.39 running on a raspberry pi (easy) and
> thought I'd try setting it up to provide "skills" for the Amazon
> Echo Alexa service.  This requires a url which "presents" either a
> signed certificate, or a self-signed certificate.
> 
> Using fiirefox to check, I believe I got it presenting a
> self-signed certificate but, as I have bought a domain name with a
> free certificate, I thought I get that running before moving on to
> delivering skills.

Sounds good.

> A month later (this is not my day job) I'm still stuck.  sslchecker
> is the most informative and says no certificates were found.  It
> does say "Server Type: Apache-Coyote 1.1"

Okay, so you can make a connection: that's good :)

> No messages on catalina.out; occasionally a message on
> xxx_access_log saying "HEAD / HTTP/1.1" 200 -"  openssl verify just
> hangs; and Firefox says secure connection failed.

Okay, so we have a place to start. First of all, "openssl verify"
isn't what you want to use to connect. Instead, you want "openssl
s_client".

Can you post your  configuration?

> The problem might be an issue with the CA; it might be my keystore;
> it might be my tomcat settings.  I don't think it is the latter
> because the self signed certificate seemed to work.  I don't think
> it is the CA or keystore because I can a) verify the certificate
> chain with openssl and the keystore tells me I have the
> certificates I think I have.

What matters is what the server (Tomcat) is presenting to the client,
not what's actually in the keystore (though usually they are very
closely related).

> I have googled for getting tomcat to give some debug information
> but what I've found so far has no effect.  Can someone point me to
> the official how-to debug ssl issues on tomcat?

There isn't really an official "Tomcat" TLS debugging how-to, because
they are all pretty much the same. Most of the confusion occurs in one
specific place: key/cert management (key, csr, cert, chain, etc.)
because if you don't understand it, it's easy to get lost.

Along with posting your  configuration, can you post the
output of this command:

$ keytool -list -verbose -keystore [keystorename]

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYWvFWAAoJEBzwKT+lPKRYqdsQAKZxQQz1PF5VH88y1IDRLq2+
qegBtNOF+oTTzueeWveFnUS13stvYBpxNC0jU8GHt1jsbSs13hlxUby7trstAhev
nmQCvd31g+8i7VQOKpUSAyCBHJBrZn9FAhcJDrVdZZP7SInCp4KzmyNnUUEAIgQs
hsqm3LaquabergPUwidXMlBD7P6mZ+74GorGoX06J6/ivaP6RRrxG1OVDeYzH/mZ
ai8x9Q/UOtaFJOrb7tK6JJRNQaiSb7Pryozrdu/81Gi9pDALToden1LWlqa1nvHF
xBpbM1lTEs0W24gACZtaGv2IJsNoFgJ76/S9nLH5NOMDZBNPnpfhoAQrOUH9YHIt
hme4kltU69saE10hkvqrsvVQ5XplXwD4F3q8XnE2JHYv0bTl8cg7fL3yvtPPXUCC
pIe1QioEAu+nKVrpV7KvPfYGhAsxJ2kVcho/bv+sANEWyMEqqfRR/zCnOU5Ge7OE
e7OrQylXVcXQazfV0Hxd62CYCKW0lhx8Vm60q9sr4QcsYr21QRKr6NUWvC8PQTci
XEpyKYEJ4E8CMxpaOqGl9khpQzkCnSxhRPg1nrlsWc/dDML8BnEuwF3xAR4pObP3
BRrMEhldoN/px/TPqTTnNxh9qr2A2Y+K3x/Ptg1VxGXiwFbEcTYVSh5rKaoASsLz
o3RRxtRPiC1NrAlTK2Bc
=AKTz
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: New to SSL - debugging tomcat

2016-12-21 Thread Peter Wallis 
using -Djavax.net.debug=all ...
what am I expecting to happen?

The only action I get is the line (which happens normally)

 - -  "HEAD / HTTP/1.1" 200 -

in my connector's access log.

On 21 December 2016 at 14:53, Peter Wallis <pwal...@acm.org> wrote:

> Hi Hassan,
>  yes, but ... that says nothing about the key format (pem vs der?
> SHA1/SHA2) and there is an awful lot of actually conflicting instructions
> out there.  It took a while to realise that the private key is "in" the
> keystore, and that recreating the keystore means you have to start again
> with a new csr.  I have also seen that keytool will import pem files quite
> happily, so I guess these instructions are correct and not out of date as I
> originally thought.
>
> Given I seem to have a working keystore, and I have checked and rechecked
> my ssl tomcat configuration, and my setup works with http connections, I'd
> much prefer to debug what I have rather than start again.  Particularly as
> reconstructing the keystore will cost me, if not money, at least respect
> from my certificate provider support people.
>
> Debugging is apparently done using
>
> -Djavax.net.debug=all
> -Djavax.net.debug=ssl:handshake:data
>
> on the startup script (thanks Martin)
>
> - trying now...
>
> P
>
>
> On 21 December 2016 at 14:31, Hassan Schroeder <hassan.schroe...@gmail.com
> > wrote:
>
>> On Wed, Dec 21, 2016 at 1:22 AM, Peter Wallis <pwal...@acm.org> wrote:
>>
>> > Can someone point me to the official how-to debug ssl issues on tomcat?
>>
>> Did you follow the steps in this documentation?
>>
>>   http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
>>
>> --
>> Hassan Schroeder  hassan.schroe...@gmail.com
>> twitter: @hassan
>> Consulting Availability : Silicon Valley or remote
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

Re: New to SSL - debugging tomcat

2016-12-21 Thread Peter Wallis 
Hi Hassan,
 yes, but ... that says nothing about the key format (pem vs der?
SHA1/SHA2) and there is an awful lot of actually conflicting instructions
out there.  It took a while to realise that the private key is "in" the
keystore, and that recreating the keystore means you have to start again
with a new csr.  I have also seen that keytool will import pem files quite
happily, so I guess these instructions are correct and not out of date as I
originally thought.

Given I seem to have a working keystore, and I have checked and rechecked
my ssl tomcat configuration, and my setup works with http connections, I'd
much prefer to debug what I have rather than start again.  Particularly as
reconstructing the keystore will cost me, if not money, at least respect
from my certificate provider support people.

Debugging is apparently done using

-Djavax.net.debug=all
-Djavax.net.debug=ssl:handshake:data

on the startup script (thanks Martin)

- trying now...

P


On 21 December 2016 at 14:31, Hassan Schroeder <hassan.schroe...@gmail.com>
wrote:

> On Wed, Dec 21, 2016 at 1:22 AM, Peter Wallis <pwal...@acm.org> wrote:
>
> > Can someone point me to the official how-to debug ssl issues on tomcat?
>
> Did you follow the steps in this documentation?
>
>   http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
>
> --
> Hassan Schroeder  hassan.schroe...@gmail.com
> twitter: @hassan
> Consulting Availability : Silicon Valley or remote
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: New to SSL - debugging tomcat

2016-12-21 Thread Hassan Schroeder 
On Wed, Dec 21, 2016 at 1:22 AM, Peter Wallis <pwal...@acm.org> wrote:

> Can someone point me to the official how-to debug ssl issues on tomcat?

Did you follow the steps in this documentation?

  http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

-- 
Hassan Schroeder  hassan.schroe...@gmail.com
twitter: @hassan
Consulting Availability : Silicon Valley or remote

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

New to SSL - debugging tomcat

2016-12-21 Thread Peter Wallis 
Hi all,
  I have tomcat 8.0.39 running on a raspberry pi (easy) and thought I'd try
setting it up to provide "skills" for the Amazon Echo Alexa service.  This
requires a url which "presents" either a signed certificate, or a
self-signed certificate.

Using fiirefox to check, I believe I got it presenting a self-signed
certificate but, as I have bought a domain name with a free certificate, I
thought I get that running before moving on to delivering skills.

A month later (this is not my day job) I'm still stuck.  sslchecker is the
most informative and says no certificates were found.  It does say "Server
Type: Apache-Coyote 1.1"

No messages on catalina.out; occasionally a message on xxx_access_log
saying "HEAD / HTTP/1.1" 200 -"  openssl verify just hangs; and Firefox
says secure connection failed.

The problem might be an issue with the CA; it might be my keystore; it
might be my tomcat settings.  I don't think it is the latter because the
self signed certificate seemed to work.  I don't think it is the CA or
keystore because I can a) verify the certificate chain with openssl and the
keystore tells me I have the certificates I think I have.

I have googled for getting tomcat to give some debug information but what
I've found so far has no effect.  Can someone point me to the official
how-to debug ssl issues on tomcat?

Thanks in advance,

Peter

Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son 
On Mon, Jul 18, 2016 at 10:47 AM, André Warnier (tomcat) 
wrote:

> On 18.07.2016 16:33, Sean Son wrote:
>
>> On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
>> ognjen.d.blagoje...@gmail.com> wrote:
>>
>> Sean,
>>>
>>> On 13.7.2016 21:56, Sean Son wrote:
>>>
>>> Thank you for your answer guys. Is there anywhere in the Tomcat config
 files that I would need to specify the DNS name?  Like in Apache we
 would specify the DNS name in a Virtualhost.


>>> Take a look at context xml, attribute "name" in Host element [1], and
>>> attribute "defaultHost" in Engine element [2].
>>>
>>> -Ognjen
>>>
>>> ps. Please, write your answers below the quotes, that is standard on
>>> Tomcat mailing lists.
>>>
>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
>>> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>> Unfortunately I was not able to make any sense of those two links. In
>> which
>> file, would the Host element or Engine element appear in? I do not see
>> anything of the sort in context.xml ?
>>
>> Why is tomcat so confusing?
>>
>>
> Maybe less confusing if you start here :
> http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
> and then work you way down to the 2 links above.
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Thank you Andre! I will do that.

Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread tomcat 

On 18.07.2016 16:33, Sean Son wrote:

On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:


Sean,

On 13.7.2016 21:56, Sean Son wrote:


Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we
would specify the DNS name in a Virtualhost.



Take a look at context xml, attribute "name" in Host element [1], and
attribute "defaultHost" in Engine element [2].

-Ognjen

ps. Please, write your answers below the quotes, that is standard on
Tomcat mailing lists.

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Unfortunately I was not able to make any sense of those two links. In which
file, would the Host element or Engine element appear in? I do not see
anything of the sort in context.xml ?

Why is tomcat so confusing?



Maybe less confusing if you start here :
http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
and then work you way down to the 2 links above.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son 
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Unfortunately I was not able to make any sense of those two links. In which
file, would the Host element or Engine element appear in? I do not see
anything of the sort in context.xml ?

Why is tomcat so confusing?

Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Sean Son 
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Thanks for the links and sorry bad habit of mine Lol   Today i will set up
a DNS record for the server and test out the SSL. I will let you all know
what I see.

Thanks!

Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Ognjen Blagojevic 

Sean,

On 13.7.2016 21:56, Sean Son wrote:

Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we
would specify the DNS name in a Virtualhost.


Take a look at context xml, attribute "name" in Host element [1], and 
attribute "defaultHost" in Engine element [2].


-Ognjen

ps. Please, write your answers below the quotes, that is standard on 
Tomcat mailing lists.


[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Daniel Savard 
2016-07-13 15:56 GMT-04:00 Sean Son :

> Thank you for your answer guys. Is there anywhere in the Tomcat config
> files that I would need to specify the DNS name?  Like in Apache we would
> specify the DNS name in a Virtualhost.
>
>
No.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Sean Son 
Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we would
specify the DNS name in a Virtualhost.

On Wed, Jul 13, 2016 at 7:56 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 12.7.2016 14:49, Sean Son wrote:
>
>> Hello thank you for your response. I am currently only accessing the
>> server using IP address only. We do not have a DNS record set up for the
>> server as of yet. It will be something like webapp.example.com
>>
>
> Once there is a DNS record in place, and you access your server using
> FQDN, your error will be gone.
>
> If you are the only one who access the server, and you find that warning
> particularly annoying, you may enter FQDN and IP address in hosts file, and
> access server using FQDN, before your DNS admins do their job.
>
> -Ognjen
>
>

Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Ognjen Blagojevic 

Sean,

On 12.7.2016 14:49, Sean Son wrote:

Hello thank you for your response. I am currently only accessing the
server using IP address only. We do not have a DNS record set up for the
server as of yet. It will be something like webapp.example.com


Once there is a DNS record in place, and you access your server using 
FQDN, your error will be gone.


If you are the only one who access the server, and you find that warning 
particularly annoying, you may enter FQDN and IP address in hosts file, 
and access server using FQDN, before your DNS admins do their job.


-Ognjen


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Daniel Savard 
2016-07-12 14:34 GMT-04:00 Sean Son :

> Are there any logs on the tomcat server that I should check in order to fix
> this SSL issue? or is this strictly a certificate related issue?
>

At my opinion, it is a DNS issue. Your certificate specify the
SubjectAlternativeName field with two DNS entries. If none of these can be
resolved for your server, the certificate is considered invalid.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son 
On Tue, Jul 12, 2016 at 8:49 AM, Sean Son 
wrote:

>
>
> On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
> ognjen.d.blagoje...@gmail.com> wrote:
>
>> On 11.7.2016 16:29, Sean Son wrote:
>>
>>> Here is the certificate path:
>>>
>>> - Go Daddy Root Certificate Authority - G2
>>>- Go Daddy Secure Certificate Authority - G2
>>>   - *.example.com 
>>>
>>>
>> That looks Ok.
>>
>> Did you, perhaps, tried to access server on subdomain of example.com?
>> Wildcard certificate "*.example.com" is valid for "www.example.com", but
>> not for "www.department.example.com".
>>
>> -Ognjen
>>
>>
>>
> Hello thank you for your response. I am currently only accessing the
> server using IP address only. We do not have a DNS record set up for the
> server as of yet. It will be something like webapp.example.com
>
>
> Thanks
>
>
>

Are there any logs on the tomcat server that I should check in order to fix
this SSL issue? or is this strictly a certificate related issue?

Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son 
On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 11.7.2016 16:29, Sean Son wrote:
>
>> Here is the certificate path:
>>
>> - Go Daddy Root Certificate Authority - G2
>>- Go Daddy Secure Certificate Authority - G2
>>   - *.example.com 
>>
>>
> That looks Ok.
>
> Did you, perhaps, tried to access server on subdomain of example.com?
> Wildcard certificate "*.example.com" is valid for "www.example.com", but
> not for "www.department.example.com".
>
> -Ognjen
>
>
>
Hello thank you for your response. I am currently only accessing the server
using IP address only. We do not have a DNS record set up for the server as
of yet. It will be something like webapp.example.com


Thanks

Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Ognjen Blagojevic 

On 11.7.2016 16:29, Sean Son wrote:

Here is the certificate path:

- Go Daddy Root Certificate Authority - G2
   - Go Daddy Secure Certificate Authority - G2
  - *.example.com 



That looks Ok.

Did you, perhaps, tried to access server on subdomain of example.com? 
Wildcard certificate "*.example.com" is valid for "www.example.com", but 
not for "www.department.example.com".


-Ognjen



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Sean Son 
Here is the certificate path:

- Go Daddy Root Certificate Authority - G2
   - Go Daddy Secure Certificate Authority - G2
  - *.example.com


Thanks

On Fri, Jul 8, 2016 at 6:23 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 7.7.2016 23:17, Daniel Savard wrote:
>
>> Certificate Error
> There are issues with the site's certificate chain
> (net::ERR_CERT_COMMON_NAME_INVALID).
>
> Looks like adding the keyAlias to the connector did not fix anything
> unfortunately.
>
>

>>> Did you examined the received certificate in the browser. Usually this
>> help
>> to identify why it failed. In this case, the chain of certification seems
>> to be the problem.
>>
>
> +1
>
> What is your certification path / certificate hierarchy?
>
> In Firefox: click on padlock icon, click on arrow, More information, View
> Certificate, Details, Certificate Hierarchy
>
> In Chrome: click on padlock icon, Details, View Certificate, Certification
> path.
>
>
> -Ognjen
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Need help setting up SSL on Tomcat 8

2016-07-08 Thread Ognjen Blagojevic 

On 7.7.2016 23:17, Daniel Savard wrote:

Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Looks like adding the keyAlias to the connector did not fix anything
unfortunately.






Did you examined the received certificate in the browser. Usually this help
to identify why it failed. In this case, the chain of certification seems
to be the problem.


+1

What is your certification path / certificate hierarchy?

In Firefox: click on padlock icon, click on arrow, More information, 
View Certificate, Details, Certificate Hierarchy


In Chrome: click on padlock icon, Details, View Certificate, 
Certification path.


-Ognjen



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard 
2016-07-07 14:53 GMT-04:00 Sean Son :

>
>
> On Thu, Jul 7, 2016 at 12:24 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Copying Daniel and Ognjen on this
>>
>> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
>> linuxmailinglistsem...@gmail.com> wrote:
>>
>>> Hello
>>>
>>>  I tried adding the keyAlias to the connector and when i restarted
>>> Tomcat, and i browsed to the sever page, I got this error:
>>>
>>> Certificate Error
>>> There are issues with the site's certificate chain
>>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Looks like adding the keyAlias to the connector did not fix anything
>>> unfortunately.
>>>
>>
>
Did you examined the received certificate in the browser. Usually this help
to identify why it failed. In this case, the chain of certification seems
to be the problem.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son 
On Thu, Jul 7, 2016 at 12:24 PM, Sean Son 
wrote:

> Copying Daniel and Ognjen on this
>
> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Hello
>>
>>  I tried adding the keyAlias to the connector and when i restarted
>> Tomcat, and i browsed to the sever page, I got this error:
>>
>> Certificate Error
>> There are issues with the site's certificate chain
>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Looks like adding the keyAlias to the connector did not fix anything
>> unfortunately.
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
>> wrote:
>>
>>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>>
>>> > So I should modify my  connector to look like this?
>>> >
>>> > >> > protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >maxThreads="150" keystoreFile="conf/tomcat.jks"
>>> > keystorePass="password"
>>> keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>>> > SSLEnabled="true" scheme="https" secure="true"
>>> >clientAuth="false" sslProtocol="TLS" />
>>> >
>>> >
>>> Yes.
>>>
>>> -
>>> Daniel Savard
>>>
>>
>>
>
Sorry I noticed that this is the connector configuration in my server.xml
file:



I updated it with the keyAlias information.  This connector was provided to
me by someone.  Unfortunately I am still getting the same error message.

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son 
Copying Daniel and Ognjen on this

On Thu, Jul 7, 2016 at 12:02 PM, Sean Son 
wrote:

> Hello
>
>  I tried adding the keyAlias to the connector and when i restarted Tomcat,
> and i browsed to the sever page, I got this error:
>
> Certificate Error
> There are issues with the site's certificate chain
> (net::ERR_CERT_COMMON_NAME_INVALID).
>
> Looks like adding the keyAlias to the connector did not fix anything
> unfortunately.
>
>
>
>
>
>
>
> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
> wrote:
>
>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>
>> > So I should modify my  connector to look like this?
>> >
>> > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >maxThreads="150" keystoreFile="conf/tomcat.jks"
>> > keystorePass="password"
>> keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>> > SSLEnabled="true" scheme="https" secure="true"
>> >clientAuth="false" sslProtocol="TLS" />
>> >
>> >
>> Yes.
>>
>> -
>> Daniel Savard
>>
>
>

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son 
Hello

 I tried adding the keyAlias to the connector and when i restarted Tomcat,
and i browsed to the sever page, I got this error:

Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Looks like adding the keyAlias to the connector did not fix anything
unfortunately.







On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
wrote:

> 2016-07-07 10:52 GMT-04:00 Sean Son :
>
> > So I should modify my  connector to look like this?
> >
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> >maxThreads="150" keystoreFile="conf/tomcat.jks"
> > keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
> > SSLEnabled="true" scheme="https" secure="true"
> >clientAuth="false" sslProtocol="TLS" />
> >
> >
> Yes.
>
> -
> Daniel Savard
>

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard 
2016-07-07 10:52 GMT-04:00 Sean Son :

> So I should modify my  connector to look like this?
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="150" keystoreFile="conf/tomcat.jks"
> keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
> SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS" />
>
>
Yes.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son 
So I should modify my  connector to look like this?



On Wed, Jul 6, 2016 at 6:50 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 5.7.2016 17:14, Sean Son wrote:
>
>> Hello Daniel and all
>>
>> Here is the output.. the full output
>>
>> http://pastebin.com/AQckw6ig
>>
>
> Keytool output indicates that there are two entries in keystore:
>
> 1. Entry with alias "root", created Jun 16, 2016, which is intermediate
> certificate for Go Daddy:
>
> Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
> Issuer: CN=Go Daddy Root Certificate Authority - G2 ...
>
> This is "trustedCertEntry", which means that it does not contain a private
> key, and therefore may not be used for encryption necessary for TLS / HTTPS
> communication.
>
>
> 2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created Jun
> 16, 2016. This is certificate for domain example.com, signed by Go Daddy:
>
> Owner: CN=*.example.com, OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...
>
> This is PrivateKeyEntry which means that it contains private and public
> key pair, and since owner is different from issuer it means it also
> contains associated certificate. This entry may be used to encrypt data for
> TLS / HTTPS communication.
>
>
> Therefore, you must point Tomcat to use second entry from your keystore.
> Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your
> connector configuration.
>
> -Ognjen
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Need help setting up SSL on Tomcat 8

2016-07-06 Thread Ognjen Blagojevic 

Sean,

On 5.7.2016 17:14, Sean Son wrote:

Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig


Keytool output indicates that there are two entries in keystore:

1. Entry with alias "root", created Jun 16, 2016, which is intermediate 
certificate for Go Daddy:


Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
Issuer: CN=Go Daddy Root Certificate Authority - G2 ...

This is "trustedCertEntry", which means that it does not contain a 
private key, and therefore may not be used for encryption necessary for 
TLS / HTTPS communication.



2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created 
Jun 16, 2016. This is certificate for domain example.com, signed by Go 
Daddy:


Owner: CN=*.example.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...

This is PrivateKeyEntry which means that it contains private and public 
key pair, and since owner is different from issuer it means it also 
contains associated certificate. This entry may be used to encrypt data 
for TLS / HTTPS communication.



Therefore, you must point Tomcat to use second entry from your keystore. 
Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your 
connector configuration.


-Ognjen



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-05 Thread Sean Son 
On Fri, Jul 1, 2016 at 6:14 PM, Daniel Savard 
wrote:

> 2016-07-01 16:08 GMT-04:00 Christopher Schultz <
> ch...@christopherschultz.net
> >:
>
> >
> > >
> > > Thank you for the reply.  How would I go about specifying the alias
> > > of the certificate?
> >
> > You may have to re-import it, but I've had bad experiences with Java
> > keystores so ALWAYS keep a backup in case you host something.
> >
> > The first item in your keystore certainly looks like a certificate to
> > me. It's the *second* item that is a private key.
> >
> > What if you add these attributes to your connector:
> >
> > keyAlias="root"
> >
> > ?
> >
> > If that doesn't work, try using a tool like Portecle to try to adjust
> > some things (like the "aliases"). It's much better and safer than
> > using keytool IMO. Remember ALWAYS KEEP A BACKUP!
> >
> >
> Chris,
>
> in a keystore, the entry with the certificate created using the private key
> from that keystore is a single entry identified as PrivateKey. If you have
> a single certificate created from a private key in that keystore you will
> have only one entry, not two and it will be labeled as private key.
>
> In fact, it can be checked using the -v option to print details about each
> entry. This should be enough to identify without ambiguity which entry is
> what. This is what I recommend to do in order to understand what really is
> in the keystore. I doubt the alias root with the first entry in the
> keystore is actually the certificate needed here.
>
> Sean,
>
> print the details and you will have the alias and Common Name clearly
> identified on the output in a verbose format. Use the -v option to the
> keytool command for this. No need to post everything here if you are
> unsure.
>
> -
> Daniel Savard
>



Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig

Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Daniel Savard 
2016-07-01 16:08 GMT-04:00 Christopher Schultz :

>
> >
> > Thank you for the reply.  How would I go about specifying the alias
> > of the certificate?
>
> You may have to re-import it, but I've had bad experiences with Java
> keystores so ALWAYS keep a backup in case you host something.
>
> The first item in your keystore certainly looks like a certificate to
> me. It's the *second* item that is a private key.
>
> What if you add these attributes to your connector:
>
> keyAlias="root"
>
> ?
>
> If that doesn't work, try using a tool like Portecle to try to adjust
> some things (like the "aliases"). It's much better and safer than
> using keytool IMO. Remember ALWAYS KEEP A BACKUP!
>
>
Chris,

in a keystore, the entry with the certificate created using the private key
from that keystore is a single entry identified as PrivateKey. If you have
a single certificate created from a private key in that keystore you will
have only one entry, not two and it will be labeled as private key.

In fact, it can be checked using the -v option to print details about each
entry. This should be enough to identify without ambiguity which entry is
what. This is what I recommend to do in order to understand what really is
in the keystore. I doubt the alias root with the first entry in the
keystore is actually the certificate needed here.

Sean,

print the details and you will have the alias and Common Name clearly
identified on the output in a verbose format. Use the -v option to the
keytool command for this. No need to post everything here if you are unsure.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sean,

On 7/1/16 11:11 AM, Sean Son wrote:
> On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard
>  wrote:
> 
>> 2016-06-29 9:08 GMT-04:00 Sean Son
>> :
>> 
>>> Hello Daniel
>>> 
>>> Thank you for the information. Here is the output of the
>>> keytool command:
>>> 
>>> Keystore type: JKS Keystore provider: SUN
>>> 
>>> Your keystore contains 2 entries
>>> 
>>> root, Jun 16, 2016, trustedCertEntry, Certificate fingerprint
>>> (SHA1): 
>>> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 
>>> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016,
>>> PrivateKeyEntry, Certificate fingerprint (SHA1): 
>>> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>>> 
>>> 
>>> Is it possible that the error that I am seeing, is related to
>>> the fact that I am using a wildcard certificate?
>>> 
>> 
>> So, the first entry in the keystore isn't your certificate. As I
>> told you before, if you do not specify explicitely the alias of
>> the certificate so send, the first entry in the keystore is sent.
>> In this case, root.
>> 
>> The attribute to tell the connector which certificate to send, is
>> keyAlias, however it seems your certificate has no alias in the
>> keystore.
>> 
>> - Daniel Savard
>> 
> 
> 
> Thank you for the reply.  How would I go about specifying the alias
> of the certificate?

You may have to re-import it, but I've had bad experiences with Java
keystores so ALWAYS keep a backup in case you host something.

The first item in your keystore certainly looks like a certificate to
me. It's the *second* item that is a private key.

What if you add these attributes to your connector:

keyAlias="root"

?

If that doesn't work, try using a tool like Portecle to try to adjust
some things (like the "aliases"). It's much better and safer than
using keytool IMO. Remember ALWAYS KEEP A BACKUP!

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXds3aAAoJEBzwKT+lPKRYioQQAIJXjzniDRnW2U9+W0d/x7M5
/6nBHRw42COjvmHMUC5fY0lQR0rESHYC3yDhkmuutpeYNJyLO/TWLYZUGnEHf7US
7S+2IcYM19AEbDnp8qvE4pMOshJwf7eRic7lBr1OfJ50CKjdzvv2EiSFwO8tdY+6
eYODI+ZBvC7/lUFZ/H9cGlxx2kQHcuzWoE2+9I5DRxzIPP04nN8sfKXHoEiPH97j
d4dQMBpbNC87P6HlcGxpoxcoCfYPpHLMae5PXdSLHnyvU6YKGCUkm5bRE4ieC9F1
ZjFIH+rJZW61wJw64PXOvMm9k6zFL2R5CIsEg3OdZa6Injh951nH3H5GEF7xvJHy
Z1heq6NmuwzHkYT0/vI4S141tscEziNqsTw2kMyV9+QFEHp1u3zin62gIoDXFaHf
jG33c1cWfl4zkWhzWeZcmEN/n6Z+N0x/RZpRugoRy0heero8VF5lgKnjn/7kHuLm
BCZgA5KrsNSYcnQCeDPqTVeKoUXmF0e92xsCAKRjYjBsSUo8Uc0rlu2GaJhYYQma
rIMKli4f5KVAd3vzj4DE8EdmLxNDfgHvftGVMbTViCMlhwwZqI8NA6wGhA+JCVeH
H29sXNh5D5txBfwz10UvEC9iGFRBWZ1jZfrSdEbb4Ra8acrrC+Er6bwgjB8MMAnX
QpMck2thv/QiUCIr7gIb
=LOtb
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Sean Son 
On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard 
wrote:

> 2016-06-29 9:08 GMT-04:00 Sean Son :
>
> > Hello Daniel
> >
> > Thank you for the information. Here is the output of the keytool command:
> >
> > Keystore type: JKS
> > Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > root, Jun 16, 2016, trustedCertEntry,
> > Certificate fingerprint (SHA1):
> > 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> > {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> > Certificate fingerprint (SHA1):
> > 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
> >
> >
> > Is it possible that the error that I am seeing, is related to the fact
> > that I am using a wildcard certificate?
> >
>
> So, the first entry in the keystore isn't your certificate. As I told you
> before, if you do not specify explicitely the alias of the certificate so
> send, the first entry in the keystore is sent. In this case, root.
>
> The attribute to tell the connector which certificate to send, is keyAlias,
> however it seems your certificate has no alias in the keystore.
>
> -
> Daniel Savard
>


Thank you for the reply.  How would I go about specifying the alias of the
certificate?

Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Daniel Savard 
2016-06-29 9:08 GMT-04:00 Sean Son :

> Hello Daniel
>
> Thank you for the information. Here is the output of the keytool command:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Jun 16, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>
>
> Is it possible that the error that I am seeing, is related to the fact
> that I am using a wildcard certificate?
>

So, the first entry in the keystore isn't your certificate. As I told you
before, if you do not specify explicitely the alias of the certificate so
send, the first entry in the keystore is sent. In this case, root.

The attribute to tell the connector which certificate to send, is keyAlias,
however it seems your certificate has no alias in the keystore.

-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-06-30 Thread Philip Hachey 



On 16-06-29 09:08 AM, Sean Son wrote:

Hello Daniel

Thank you for the information. Here is the output of the keytool command:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA


Is it possible that the error that I am seeing, is related to the fact that
I am using a wildcard certificate?


Thanks

I'm not familiar with this configuration.  My keystore -list generates this:
***
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, 11-Apr-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
***

That's what you should have too if you're simply following the quick 
start rules here 
[https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html].  Point your 
browser to "https://localhost:8443/;


I also get a browser warning when using this keystore, but it's 
net::ERR_CERT_AUTHORITY_INVALID which I would expect because I haven't 
registered with a root authority (i.e. it's a self-signed certificate).  
I would start with that.  If you then need to use an authority-signed 
certificate, I personally don't have any immediate knowledge when it 
comes to Tomcat, but I imagine it should be only slightly more complex.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need help setting up SSL on Tomcat 8

2016-06-29 Thread Sean Son 
Hello Daniel

Thank you for the information. Here is the output of the keytool command:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA


Is it possible that the error that I am seeing, is related to the fact that
I am using a wildcard certificate?


Thanks



On Tue, Jun 28, 2016 at 5:09 PM, Daniel Savard 
wrote:

> 2016-06-28 16:24 GMT-04:00 Sean Son :
> 
>
> >
> > as for the output to the keytool command:
> >
> > Isnt the output to that command, confidential information?
> >
> >
> No, there isn't anything confidential from the output of a simple -list. It
> doesn't display the private key or anything like that. It will  just show
> the list of certificates in your keystore.
>
> The first entry in the keystore will be the one sent back by the Tomcat
> server since you didn't specify any alias. So, I assume this is the
> intended behavior.
>
> Since you do not specify any trust store, the default trust store shipped
> with your version of Java will be used. If the clients trying to connect
> are not having certificats signed by one of these, it will fails. It may
> not be a problem in your case since you do not provide any details on the
> clients' certificates.
>
> Regards,
> -
> Daniel Savard
>

Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Daniel Savard 
2016-06-28 16:24 GMT-04:00 Sean Son :


>
> as for the output to the keytool command:
>
> Isnt the output to that command, confidential information?
>
>
No, there isn't anything confidential from the output of a simple -list. It
doesn't display the private key or anything like that. It will  just show
the list of certificates in your keystore.

The first entry in the keystore will be the one sent back by the Tomcat
server since you didn't specify any alias. So, I assume this is the
intended behavior.

Since you do not specify any trust store, the default trust store shipped
with your version of Java will be used. If the clients trying to connect
are not having certificats signed by one of these, it will fails. It may
not be a problem in your case since you do not provide any details on the
clients' certificates.

Regards,
-
Daniel Savard

Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son 
Here is the complete  configuration

 








as for the output to the keytool command:

Isnt the output to that command, confidential information?

Thanks

On Tue, Jun 28, 2016 at 4:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Sean,
>
> On 6/28/16 2:31 PM, Sean Son wrote:
> > Hey Philip
> >
> > So i was able to get the page to connect with SSL but I noticed
> > that when I clicked on the little icon that looks like a lock next
> > to https:// in the address bar, I saw this certificate error:
> > Certificate Error There are issues with the site's certificate
> > chain (net::ERR_CERT_COMMON_NAME_INVALID).
>
> This usually means that the URL you are using contains a hostname that
> doesn't match the TLS certificate's "common name".
>
> > Does that mean that SSL has been implemented incorrectly?
> >
> > Also I am trying to get an incoming connection through port 80 to
> > tomcat, to automatically redirect to port 8443 (or 443 which ever
> > you think is easiest to implement)  without having to use a reverse
> > proxy in front of it.  In my server.xml I have the following:
> >
> >  > connectionTimeout="2" redirectPort="8443" />   Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJXcti2AAoJEBzwKT+lPKRYYNAP/jimgUxO8gp1W0rOEhqeTszc
> yKjAhGQ6yjBE14mvDK+x2zO7+zw01fzqm3IbsyUeEHdSjo0YPQQl0/h15tnhatgA
> WuMYz78HyXVtB02FPc/gg82LXwI5GowpKRgd3phQ6f1UKOxpcIPZdOG2MvsbLgFG
> m8UX1qxhq34xkQBCkLv+sWd6sgAdGX3P6x/+qxCav3gr+8os5KHFofms6BUReIro
> hTRQ6XXIbB3VvOGC6uK/IXLcKtvf1v7Bv5NUsL4mWd9AFkwLl+VlSjdK055ubftp
> 6CKj5RUmJkJ06Y0Hy1dK4v9mjcMvM0VwsPcwU9E/GOKMMj0Q56EFVKQkroeLjdXj
> bYMPc8FNAG6eYUdlrSx5lfcDqhO/EmiUZXLJykBbPFmcke8jED1b31WdboMaJAce
> YuuYVUgia4+sP2w/u0bXdQB5ie6gYHecYwdhiIB/mYY74jVz6BeQ26x7EjS7w/WT
> 4eI5XbPX6JPtJe0e3WpRIe2Fk/pLQOdcHMbG+g0X69cbRtRcf7PT/feGbJzoC/qJ
> rUiE7okK98P9KawCV4lueV1b7whFAhJs6apGvIOs/1w296eZ60sM373ugF6ygc1b
> gQybFF/NgnwLrKk0A63retwLeSj2ImB0pl3NvJ9yxJZOy+OP4GalV6BJ5+yF5yz2
> UESskxe5+W3VYH8s1Ekt
> =6brz
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sean,

On 6/28/16 2:31 PM, Sean Son wrote:
> Hey Philip
> 
> So i was able to get the page to connect with SSL but I noticed
> that when I clicked on the little icon that looks like a lock next
> to https:// in the address bar, I saw this certificate error: 
> Certificate Error There are issues with the site's certificate
> chain (net::ERR_CERT_COMMON_NAME_INVALID).

This usually means that the URL you are using contains a hostname that
doesn't match the TLS certificate's "common name".

> Does that mean that SSL has been implemented incorrectly?
> 
> Also I am trying to get an incoming connection through port 80 to
> tomcat, to automatically redirect to port 8443 (or 443 which ever
> you think is easiest to implement)  without having to use a reverse
> proxy in front of it.  In my server.xml I have the following:
> 
>  connectionTimeout="2" redirectPort="8443" />

  1   2   3   4   >