Dan,

On 6/12/15 8:37 AM, Dan Hyatt wrote:
> I am trying to update my SSL certificate in tomcat. The webserver
> keeps sending the old expired certificate. I am taking over from
> long gone admins with no config notes, but this should be
> straightforward. The certificate authority support suggests there
> might be another configuration..but this is the only server.xml for
> the app
>
> The best answer from the cert authority is that there is another
> keystore, but the xml file points to where my keystore is.
>
> It passes all the tests except for the cert authority's final
> test.
>
> I installed and verified the keystore. I restarted tomcat6. I believe
> the XML file says the keystore is
> keystoreFile="/opt/atlassian/confluence/conf/.keystore"/> (see
> below). Even though I changed the password, it is still reading the
> old key.
>
> I am wondering if there is a stale certificate in memory. I cannot
> think of anything else. If that be the case can I clear that
> without a reboot?

Assuming that you have restarted Tomcat successfully, a reboot should
not be necessary. You did restart Tomcat, right?

> root@dvm7:/opt/atlassian/confluence/conf#server.xml

Is that # symbol in the path a typo?

> <Connector address="127.0.0.1" port="8443"
> maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" clientAuth="false" sslProtocol="TLS"
> SSLEnabled="true" URIEncoding="UTF-8" keystorePass="dsgroot"
> keystoreFile="/opt/atlassian/confluence/conf/.keystore"/>

Does your keystore not have a password? Not that it really matters,
but keystores typically have passwords.

What does this command show:

$ keytool -list -keystore /opt/atlassian/confluence/conf/.keystore

You might want to consider running your server against ssllabs's SSL
test and then modifying your cipher suites configuration. There are a
number of cipher suites that have been deemed problematic lately that
you'll want to disable. Unfortunately, since you are using a
JSSE-based TLS implementation (that Java one), you have to white-list
your ciphers and list them all, rather than black-listing the known
bad ones.

-chris
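The two checks Chris asks for above (which keystore each HTTPS connector really reads, and whether ciphers are explicitly white-listed) can be done against server.xml directly. This is an added example, not from the thread or from Tomcat; the sample server.xml is constructed from the quoted connector plus a hypothetical second connector, and the default values assumed are Tomcat's documented JSSE defaults (keystore at ${user.home}/.keystore, password "changeit").

```python
import xml.etree.ElementTree as ET

# Tomcat defaults applied when an SSLEnabled JSSE connector omits the attribute.
DEFAULT_KEYSTORE = "${user.home}/.keystore"
DEFAULT_KEYSTORE_PASS = "changeit"

# Constructed sample: the connector quoted in the thread, plus a second,
# hypothetical HTTPS connector that silently relies on the defaults above.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector address="127.0.0.1" port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
             keystorePass="dsgroot"
             keystoreFile="/opt/atlassian/confluence/conf/.keystore"/>
  <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"/>
 </Service>
</Server>
"""


def audit_tls_connectors(server_xml):
    """Return one dict per SSLEnabled connector: the keystore it actually
    uses (resolving Tomcat defaults), whether it leans on those defaults,
    whether a cipher white-list is set, and the keytool command to
    inspect that keystore."""
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        ks = conn.get("keystoreFile")
        pw = conn.get("keystorePass")
        keystore = ks or DEFAULT_KEYSTORE
        report.append({
            # No address attribute means the connector binds all interfaces.
            "listen": "%s:%s" % (conn.get("address", "*"), conn.get("port")),
            "keystoreFile": keystore,
            "keystore_is_default": ks is None,
            "keystorePass_is_default": pw is None or pw == DEFAULT_KEYSTORE_PASS,
            # Without an explicit ciphers attribute, JSSE's own default list is used.
            "ciphers_whitelisted": bool(conn.get("ciphers")),
            "check_cmd": "keytool -list -keystore %s" % keystore,
        })
    return report


if __name__ == "__main__":
    for entry in audit_tls_connectors(SAMPLE_SERVER_XML):
        print(entry)
```

A connector reported with keystore_is_default or keystorePass_is_default true is the "other keystore" the CA support was hinting at: it never reads the file you updated.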