On 10/10/2017 9:45 AM, John Ellis wrote:

John Ellis

405.285.2500 office


-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:
I posted questions about this a couple of weeks ago, I think it was. I
have been trying to get Tomcat running on a secure port with a valid
SSL certificate. We finally got version 9.0.0.M20 set up successfully
on port 9443 and I can go to that IP:port and get a Tomcat webpage, but
when I go through all the steps using the keytool commands to submit a
certificate (we use Cacert.org) and try to plug that certificate into
the mix it doesn’t work. I still get an error message telling me that
I will have to create an exception to go to that IP address and port.
Last Friday I even deleted the certificate and all the keystore files,
etc. and got the same exact error. So it appears that Tomcat is not
seeing the certificate at all, since I get the same error about having
to add an exception whether or not I have a valid certificate in place
on the server.

The lines we added to the server.xml file to get the secure port
working are:

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystorePass="changeit" />

John Ellis

Thanks for the reply, Terence. Yes, I get the message about needing to create
a security exception when I first try to open the Tomcat webpage on the
secure port of 9443. I have deleted the certificate and supporting files off
of the server as I was going to start over with a new certificate. I believe
the error said something about not being able to verify the certificate. I
think the main issue is that this is just an internal server here in our
office running RHEL 6. It is not set up as a web server and it just has the
name of "cowboy" (given that name by my boss), so it is hard to figure out
what to call the "First and last name" part when I am creating the CSR to
send to Cacert.org. I can't just use the name "cowboy" as I don't have any
way to validate that. Have you ever run into situations like this? As I said
before, I am not a programmer or developer or anything like that. My
background was in computer hardware for over 25 years until I took this
position after being laid off from what was formerly WebMD. We installed
systems in doctors' offices, etc. Any light you could shed on this would be

Hi, John-

Is it a browser that's displaying the error message and requesting that you
create an exception to continue? If so, have you looked at the additional
information to determine what problems the browser has detected with the

-Terence Bandoian

Hi, John-

I would check the error message presented by the browser carefully and test with multiple browsers (e.g. Firefox, Chrome, IE, etc.). If you can copy the exact error messages to the list, someone might be able to offer more assistance.

If you're able to establish an encrypted connection, I would guess that Tomcat is at least finding "something" for a certificate. And, you should be able to at least change the error message by altering your configuration. If you can't, then something is amiss in the configuration process. Was Tomcat restarted after the configuration was modified? Is Java using a default location for the keystore? Is the keystore you specify in your Tomcat configuration modified when you execute the keytool commands? Can you list the contents of the keystore?

If the browser can't verify the certificate, I'd guess that either intermediate certificates aren't available or the browser doesn't trust the certificate authority or the wrong address is used to access the server from the browser. Detailed error messages would be helpful.

Instructions to generate a CSR are available on the Internet. They vary though so you may have to dig to find something that works in your case. I've found it best to use the instructions provided by the certificate provider. In some cases, the prompt for first and last name is actually a request for the domain name to be secured. Also, a domain name that is at least recognized on your intranet will likely be required if you want to use a valid certificate.

It's been a while since I've configured Tomcat for SSL so I'm going on memory and can't offer much additional help. There are others on the list though that probably can. Specific details, such as Tomcat version, Java version and OS version and exact configuration, commands utilized and error messages make receiving that help more likely and more likely to result in success.

Hope that gets you started!
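Terence's questions above (is Java using a default keystore location, is the keystore named in the Tomcat configuration the one keytool modified) can be turned into a quick check against server.xml. The script below is an added example for this thread, not code from the list or from the Tomcat project: it parses a server.xml with the standard library and flags each SSLEnabled connector that names no keystore path (Tomcat then reads ~/.keystore of the user it runs as, so keytool edits to any other file are never seen), leaves the keystore password at keytool's default "changeit", or sets no key alias. It understands both the legacy Connector attributes John posted and the Tomcat 9 SSLHostConfig/Certificate form. Both sample documents, the hostname "cowboy.example.internal", the path conf/cowboy.jks and the password placeholder are constructed for the example.

```python
"""Audit the TLS connectors in a Tomcat server.xml (constructed example, not Tomcat's own validation).

Per SSLEnabled connector it reports:
  * no keystore path (neither keystoreFile on the Connector nor certificateKeystoreFile
    on a nested SSLHostConfig/Certificate), so Tomcat falls back to ~/.keystore
  * keystore password left at keytool's default "changeit" (explicitly or by omission)
  * no key alias, so the first key entry found in the keystore is the one served
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the connector posted in the thread, with a plain HTTP
# connector beside it so the SSLEnabled filter is exercised.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="9443" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="changeit" />
  </Service>
</Server>
"""

# Constructed sample of the same connector with an explicit keystore path, alias and
# non-default password, written in the Tomcat 9 SSLHostConfig form. Hostname, path and
# password are placeholders.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig hostName="cowboy.example.internal">
        <Certificate certificateKeystoreFile="conf/cowboy.jks"
                     certificateKeystorePassword="EXAMPLE-STRONG-PASSWORD"
                     certificateKeyAlias="cowboy" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

DEFAULT_KEYSTORE_PASSWORD = "changeit"


def _first_attr(conn: ET.Element, conn_attr: str, cert_attr: str) -> str:
    """Legacy Connector attribute first, then the same setting on any nested Certificate."""
    value = conn.get(conn_attr)
    if value:
        return value
    for cert in conn.iter("Certificate"):
        if cert.get(cert_attr):
            return cert.get(cert_attr)
    return ""


def audit_connectors(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per SSLEnabled connector: port, effective keystore, list of issues."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues: List[str] = []
        keystore = _first_attr(conn, "keystoreFile", "certificateKeystoreFile")
        if not keystore:
            issues.append("no keystore path: Tomcat reads ~/.keystore of the user it runs as, "
                          "so a keystore written elsewhere by keytool is never loaded")
        # An absent password means the default, exactly as keytool assumes it.
        password = _first_attr(conn, "keystorePass", "certificateKeystorePassword") \
            or DEFAULT_KEYSTORE_PASSWORD
        if password == DEFAULT_KEYSTORE_PASSWORD:
            issues.append("keystore password is keytool's default 'changeit'")
        if not _first_attr(conn, "keyAlias", "certificateKeyAlias"):
            issues.append("no key alias: the first key entry in the keystore is served")
        findings.append({
            "port": conn.get("port"),
            "keystore": keystore or "~/.keystore (default)",
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_tomcat_tls.py, or feed a real file via open(path).read()
    for label, doc in (("as posted", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_connectors(doc):
            print(f"[{label}] port {finding['port']} keystore={finding['keystore']}")
            for issue in finding["issues"]:
                print("   -", issue)
```

Run against a real server.xml, the first line of output tells you which keystore file Tomcat will actually open, which is the file whose contents `keytool -list` should be checked before anything else is changed.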

