On 10/10/2017 9:45 AM, John Ellis wrote:
John Ellis
405.285.2500 office
http://biz-e.io
-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat SSL issue
On 10/9/2017 10:01 AM, John Ellis wrote:
I posted questions about this a couple of weeks ago I think it was. I
have been trying to get Tomcat running on a secure port with a valid
SSL certificate. We finally got version 9.0.0.M20 setup successfully
on port 9443 and I can go to that IP:port and get a Tomcat webpage but
when I go through all the steps using the keytool commands to submit a
certificate (we use Cacert.org) and try to plug that certificate into
the mix it doesn’t work. I still get an error message telling me that
I will have to create an exception to go to that IP address and port.
Last Friday I even deleted the certificate and all the keystore file,
etc. and got the same exact error. So it appears that Tomcat is not
seeing the certificate at all since I get the same error about having
to add an exception whether or not I have a valid certificate in place
on the server.
The lines we added to the server.xml file to get the secure port
working are-
<Connector port=443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads=50" scheme="https" secure="true"
clientAuth=alse" sslProtocol="TLS"
keystoreFile=home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jk
s"
keystorePass=hangeit" />
John Ellis
Thanks for the reply Terence. Yes I get the message about needing to create
a security exception when I first try to open the Tomcat webpage on the
secure port of 9443. I have deleted the certificate and supporting files off
of the server as I was going to start over with a new certificate. I believe
the error said something about not being able to verify the certificate. I
think the main issue is that this is just an internal server here in our
office running RHEL 6. It is not setup as a web server and it just has the
name of "cowboy" (given that name by my boss) so it is hard to figure out
what to call the "First and last name" part when I am creating the CSR to
send to Cacert.org. I can't just use the name "cowboy" as I don't have any
way to validate that. Have you ever run into situations like this? As I said
before I am not a programmer or developer or anything like that. My
background was in computer hardware for over 25 years until I took this
position after being laid off from what was formerly WebMD. We installed
systems in dr's offices, etc. Any light you could shed on this would be
great!
Thanks
Hi, John-
Is it a browser that's displaying the error message and requesting that you
create an exception to continue? If so, have you looked at the additional
information to determine what problems the browser has detected with the
certificate?
-Terence Bandoian
http://www.tmbsw.com/
Hi, John-
I would check the error message presented by the browser carefully and
test with multiple browsers (e.g. Firefox, Chrome, IE, etc.). If you can
copy the exact error messages to the list, someone might be able to
offer more assistance.
If you're able to establish an encrypted connection, I would guess that
Tomcat is at least finding "something" for a certificate. And, you
should be able to at least change the error message by altering your
configuration. If you can't, then something is amiss in the
configuration process. Was Tomcat restarted after the configuration was
modified? Is Java using a default location for the keystore? Is the
keystore you specify in your Tomcat configuration modified when you
execute the keytool commands? Can you list the contents of the keystore?
If the browser can't verify the certificate, I'd guess that either
intermediate certificates aren't available or the browser doesn't trust
the certificate authority or the wrong address is used to access the
server from the browser. Detailed error messages would be helpful.
Instructions to generate a CSR are available on the Internet. They vary
though so you may have to dig to find something that works in your
case. I've found it best to use the instructions provided by the
certificate provider. In some cases, the prompt for first and last name
is actually a request for the domain name to be secured. Also, a domain
name that is at least recognized on your intranet will likely be
required if you want to use a valid certificate.
It's been a while since I've configured Tomcat for SSL so I'm going on
memory and can't offer much additional help. There are others on the
list though that probably can. Specific details, such as Tomcat
version, Java version and OS version and exact configuration, commands
utilized and error messages make receiving that help more likely and
more likely to result in success.
Hope that gets you started!
-Terence
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
