On 14 January 2015 at 17:11, Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Alexandre,
>
> On 1/14/15 2:15 PM, Alexandre Lima wrote:
> > On 14 January 2015 at 15:59, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > Alexandre,
> >
> > On 1/14/15 1:18 PM, Alexandre Lima wrote:
> >>>> On 13 January 2015 at 18:20, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>>>
> >>>> Alexandre,
> >>>>
> >>>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
> >>>>>>> On 13 January 2015 at 16:11, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>>>>>>
> >>>>>>> Alexandre,
> >>>>>>>
> >>>>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
> >>>>>>>>>> Hello! This is the first time I'm using tomcat,
> >>>>>>>>>> so I'm a little bit lost...
> >>>>>>>
> >>>>>>> Welcome! Configuring SSL always turns out to be a pain
> >>>>>>> in the neck.
> >>>>>>>
> >>>>>>>>>> Using the tutorials, I could make the server and
> >>>>>>>>>> the application I want to run with it work. The
> >>>>>>>>>> only modification I did until now was changing
> >>>>>>>>>> the http port from 8080 to 80. I did that by
> >>>>>>>>>> changing the http connector in server.xml,
> >>>>>>>>>> enabling authbind and executing the following
> >>>>>>>>>> commands:
> >>>>>>>>>>
> >>>>>>>>>> sudo touch /etc/authbind/byport/80
> >>>>>>>>>> sudo chmod 500 /etc/authbind/byport/80
> >>>>>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
> >>>>>>>>>>
> >>>>>>>>>> So, the server and the application I want to use
> >>>>>>>>>> with it are actually working on port 80
> >>>>>>>
> >>>>>>> You've confirmed this? I've never used authbind before,
> >>>>>>> so I just wanted to make sure that you have Tomcat
> >>>>>>> working properly with non-SSL before you try to add
> >>>>>>> SSL.
> >>>>>>>
> >>>>>>>>>> , but the next and last step, which is enabling
> >>>>>>>>>> an SSL connection, isn't working.
> >>>>>>>>>>
> >>>>>>>>>> What I did following the site's tutorial was:
> >>>>>>>>>> created my self-signed certificate with keytool
> >>>>>>>>>> and put it in /home/myuser/key.keystore
> >>>>>>>
> >>>>>>> Can you outline the steps you took? Where is your
> >>>>>>> keystore?
> >>>>>>>
> >>>>>>>>>> Additionally, I've created the following
> >>>>>>>>>> connector:
> >>>>>>>>>>
> >>>>>>>>>> <Connector port="8443"
> >>>>>>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
> >>>>>>>>>>            SSLEnabled="true" maxThreads="200" scheme="https"
> >>>>>>>>>>            secure="true"
> >>>>>>>>>>            keystoreFile="/home/myuser/key.keystore"
> >>>>>>>>>>            keystorePass="mypass" clientAuth="false"
> >>>>>>>>>>            sslProtocol="TLS" />
> >>>>>>>
> >>>>>>> That looks good so far.
> >>>>>>>
> >>>>>>>>>> Saved it, restarted server and accessed
> >>>>>>>>>> https://myip:8443, but it isn't working. Chrome
> >>>>>>>>>> says "No data received" and "Unable to load the
> >>>>>>>>>> webpage because the server sent no data and
> >>>>>>>>>> "Error code: ERR_EMPTY_RESPONSE".
> >>>>>>>>>>
> >>>>>>>>>> Firefox says that the connection was reset while
> >>>>>>>>>> the page was being loaded.
> >>>>>>>>>>
> >>>>>>>>>> That's where I am now. I don't know what to try
> >>>>>>>>>> anymore.
> >>>>>>>
> >>>>>>> Try:
> >>>>>>>
> >>>>>>> $ telnet localhost 8443
> >>>>>>>
> >>>>>>> (on the server with Tomcat running)
> >>>>>>>
> >>>>>>> That will tell you if the port is open (it should be,
> >>>>>>> otherwise you'd be getting different errors from Chrome
> >>>>>>> and ff) and what, if anything, gets dumped to it when
> >>>>>>> you connect.
> >>>>>>>
> >>>>>>> If you get a connection and nothing happens, try
> >>>>>>> submitting a request like this:
> >>>>>>>
> >>>>>>> $ telnet localhost 8443
> >>>>>>> GET /
> >>>>>>>
> >>>>>>> [output goes here]
> >>>>>>>
> >>>>>>> Post the results of the above if you get anything.
> >>>>>>>
> >>>>>>> Dumb question: you restarted Tomcat after updating
> >>>>>>> server.xml, right?
> >>>>>>>
> >>>>>>> -chris
> >>>>>>>>
> >>>>>>>> ---------------------------------------------------------------------
> >>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>>>>
> >>>>>>> Thank you for the reply Christopher! I've used the
> >>>>>>> command:
> >>>>>>>
> >>>>>>> keytool -genkey -alias tomcat -keyalg RSA -keystore /home/myuser/key.keystore
> >>>>>>>
> >>>>>>> to generate the keystore. Should I put the keystore in some
> >>>>>>> special directory, or is this one fine? So, after requesting:
> >>>>>>>
> >>>>>>> telnet localhost 8443
> >>>>>>>
> >>>>>>> I got some strange stuff:
> >>>>>>>
> >>>>>>> ~$ telnet localhost 8443
> >>>>>>> Trying ::1...
> >>>>>>> Connected to localhost.
> >>>>>>> Escape character is '^]'.
> >>>>>>> GET /
> >>>>>>> ^U^C^A^@^B^B
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> And yes, I've restarted it :)
> >>>>
> >>>> Good. Now, try this:
> >>>>
> >>>> $ openssl s_client -debug -connect localhost:8443
> >>>>
> >>>> Assuming that the server is running and listening for SSL
> >>>> connections, s_client should be able to connect, and it
> >>>> should give you tons of good information about what's
> >>>> happening, there.
> >>>>
> >>>> -chris
> >>>>>
> >>>> Hello Chris! I've tried the command you suggested and the
> >>>> most important thing I found was this:
> >>>>
> >>>> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> >>>> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> >>>> ---
> >>>> No client certificate CA names sent
> >>>> ---
> >>>> SSL handshake has read 1073 bytes and written 555 bytes
> >>>> ---
> >>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> >>>> Server public key is 1024 bit
> >>>> Secure Renegotiation IS supported
> >>>> Compression: NONE
> >>>> Expansion: NONE
> >>>> SSL-Session:
> >>>>     Protocol  : TLSv1.2
> >>>>     Cipher    : ECDHE-RSA-AES256-SHA384
> >>>>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
> >>>>     Session-ID-ctx:
> >>>>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
> >>>>     Key-Arg   : None
> >>>>     PSK identity: None
> >>>>     PSK identity hint: None
> >>>>     SRP username: None
> >>>>     Start Time: 1421259101
> >>>>     Timeout   : 300 (sec)
> >>>>     Verify return code: 10 (certificate has expired)
> >>>>
> >>>> SysAid is the application I'm running under tomcat. Does it
> >>>> mean that SysAid is a server behind tomcat? And so I would
> >>>> have to configure the connection in it? That's strange. I
> >>>> would like to hear your opinion.
> >
> > Well, the subject and issuer look a little strange, but that may
> > be just because you configured them that way (when keytool asked
> > you all those questions).
> >
> > Generally speaking, when keytool asks you for your "first and last
> > name", it really means your "common name" which for nearly
> > everybody is actually the DNS name of the server (e.g.
> > www.mysite.com).
> >
> > If you list the contents of your keystore, what's in there?
> >
> > $ keytool -list -keystore path/to/keystore
> >
> > -chris
> >>
> > I actually didn't configure it that way! I didn't put "sysaid"
> > anywhere when I was making the keystore. That's why I think that my
> > application (SysAid) created that keystore shown, otherwise there
> > wouldn't be "O=SysAid"... That's really strange... I think I'm
> > gonna ask this on the SysAid forums. It's really giving me a
> > headache.
>
> Well, if you have Tomcat listening on port 8443 and you have
> configured your own keystore, then you should have your own
> certificate in there and not something coming from SysAid.
>
> But it looks like you have found a critical symptom of the problem:
> your keystore is not being used. I'm curious to see what else is in
> your keystore, since Tomcat will use the "first" certificate in the
> keystore unless you supply an "alias" in your configuration, which you
> did not do.
>
> If you have multiple certificates in your keystore, I highly recommend
> that you use the "alias" attribute in your <Connector> to point to
> your own certificate. I'll bet that Chrome/ff aren't willing to
> connect to a web server with an SSL certificate with such an odd CN
> value. I'm not sure if the CN value is actually "Unknown" (which
> should be valid... "Unknown" is a perfectly valid hostname) or that
> the value is somehow NULL (or "unset" or whatever) in the certificate.
> If that's the case, the cert is essentially invalid and these clients
> might be refusing to connect and giving you a really weird error
> message in the process.
>
> -chris
>
I could make it work!
The keystore seemed to be the problem. I've created another keystore with
another alias and it worked :)
Thank you very much for the help guys!

Regards,

-- 
Alexandre Lima
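Two of the checks this thread walks through, as an added Python example (not code from the thread, from Tomcat or from SysAid): decoding the bytes telnet echoed back after `GET /` (a TLS record header whose type byte 21 is an alert, with the alert level 2 = fatal as the sixth byte; the description byte is not in the paste, so the decoder reports it as missing), and Chris's point that a keystore holding more than one private key needs the connector to name one, which in Tomcat 7 is the `keyAlias` attribute. The `keytool -list` listing and its second `sysaid` entry are constructed to match the tool's output format and are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the thread: the six bytes telnet echoed after "GET /" (^U^C^A^@^B^B).
TELNET_REPLY = b"\x15\x03\x01\x00\x02\x02"

# The thread's <Connector>, which names no keyAlias (maxThreads dropped for brevity).
CONNECTOR_XML = ('<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" '
                 'SSLEnabled="true" scheme="https" secure="true" '
                 'keystoreFile="/home/myuser/key.keystore" keystorePass="mypass" '
                 'clientAuth="false" sslProtocol="TLS" />')
# Constructed sample in the shape of `keytool -list` output (assumed): two private keys.
KEYTOOL_LISTING = """Your keystore contains 2 entries

sysaid, Jan 10, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Jan 14, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"""

def classify_reply(data):
    """Interpret what a port sends back to a plaintext HTTP request.
    A TLS record starts with type (1 byte), version (2) and length (2)."""
    if len(data) < 5:
        return "too short to classify"
    ctype, vmaj, length = data[0], data[1], int.from_bytes(data[3:5], "big")
    if ctype != 21 or vmaj != 3:
        return "not a TLS alert record (plain HTTP or unknown protocol)"
    body = data[5:5 + length]          # alert body: level, description
    level = {1: "warning", 2: "fatal"}.get(body[0], "?") if body else "?"
    if len(body) < 2:
        return "TLS alert, level %s, description byte not captured; port speaks TLS" % level
    return "TLS alert, level %s, description %d; port speaks TLS" % (level, body[1])

ENTRY_RE = re.compile(r"^([^,]+), .*?, (PrivateKeyEntry|trustedCertEntry),\s*$")

def key_entries(listing):
    """Aliases of private-key entries, in listing order."""
    return [m.group(1) for m in map(ENTRY_RE.match, listing.splitlines())
            if m and m.group(2) == "PrivateKeyEntry"]

def effective_alias(connector_xml, listing):
    """Which private key the connector will serve, and why; None means unresolved."""
    wanted = ET.fromstring(connector_xml).attrib.get("keyAlias")
    keys = key_entries(listing)
    if wanted is not None:
        return (wanted, "ok: keyAlias present") if wanted in keys else (None, "error: keyAlias not in keystore")
    if len(keys) == 1:
        return keys[0], "ok: only one private key"
    return None, "ambiguous: %d private keys and no keyAlias" % len(keys)
```

Run against the thread's values, `classify_reply` confirms the listener is speaking TLS (so the blank browser page is a certificate problem, not a port problem) and `effective_alias` flags the two-key keystore as ambiguous until `keyAlias="tomcat"` is added to the connector.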
