"Rizwan Merchant" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Thanks for the response.
> The client can be anyone who wants to post an XML message to this URL.
> So you could create an XML message and post the request using https.
> Not sure why the client would need to 'add' this certificate. We have
> written code to connect to many such web services and we never need to
> add certificates from the server we are connecting to? For example, if
> we need to use Fedex's API service, we need to send the request using
> https, but we have never added any certificates from them on our server.
>

Without looking, Fedex almost certainly uses one of the big commercial CAs (e.g. Verisign, Thawte). Their CA certs ship with almost all SSL-enabled clients, and so the client will be able to verify the certificate chain up to a trusted CA. This is pretty much the only way to go if "anyone" can post to the URL. If you're using your own CA (or, worse, a self-signed cert), then the server's certificate won't be trusted without adding the CA cert (and in the case of self-signed, may not be trusted in any case). SSL certificates work sort of like the mafia: if someone I trust will sign for you, then I'll trust you ;).

> Bill Barker wrote:
>> "Rizwan Merchant" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>
>>> Hi,
>>>
>>> We have a web-based application running on Tomcat 6. The server.xml file
>>> is configured so that the application can handle incoming https requests
>>> on port 443 (default). When a user hits the URL http://www.mydomain.com,
>>> it automatically redirects to https://www.mydomain.com (due to a security
>>> constraint set up in web.xml).
>>>
>>> We also have a web service running which is invoked by posting the
>>> request message to http://www.mydomain.com/rpc2
>>> I am trying to enforce SSL on this service as well, but when a message
>>> is posted to https://www.mydomain.com/rpc2 (secure using https
>>> protocol), the client is seeing the following error:
>>> (Posting the message to http://www.mydomain.com/rpc2 works fine)
>>>
>>> *Error 60:SSL certificate problem, verify that the CA cert is OK.
>>> Details: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed*
>>>
>>
>> You didn't say what the client is so I can't offer much on how to fix it.
>> But the error is saying that the client couldn't find the CA certificate
>> that signed your Tomcat server certificate in its list of trusted CAs. As
>> a result, the client correctly decides not to trust your Tomcat server.
>>
>> You need to add the CA certificate to the client's trusted certificate list,
>> as explained in the documentation for the client (but probably cacerts.pem).
>>
>>> Basically, the https is working fine on the website, but not for the web
>>> service (which, from what I understand, is being handled by a separate
>>> servlet, rpc2).
>>>
>>> Any ideas please?
>>>
>>> Thanks,
>>> -Rizwan Merchant.
>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
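The trust-chain point Bill makes above, as an added example that is not part of this thread and not Tomcat's or any client's own tooling: a shell script that builds a throw-away private CA with the openssl CLI, issues a server certificate for the www.mydomain.com name from the thread, and then runs the same verification a client performs, once against the default trust store (the situation Rizwan's client is in) and once with the private CA imported. It also shows the self-signed case, which only verifies when that exact certificate is pinned as the anchor. "Example Private CA", the file names, and the temporary config are assumptions made for the demo; the only requirement is an openssl binary (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not code from the thread: a throw-away private CA that shows
# why a client rejects a Tomcat certificate until the signing CA is in its
# trust store. Needs only the openssl CLI. Names such as "Example Private CA"
# are placeholders chosen for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mydomain.com
EOF

# Build three artifacts: a private CA, a server cert signed by it, and a
# self-signed server cert with no CA above it at all.
make_pki() {
    # 1. Private CA: the role a commercial CA plays for a public endpoint.
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Private CA" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # 2. Server key + CSR, then the CA-signed certificate Tomcat would serve.
    openssl req -new -config "$WORK/openssl.cnf" \
        -subj "/CN=www.mydomain.com" -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/server.pem" >/dev/null 2>&1
    # 3. Self-signed server certificate: the "worse" case from the reply.
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_server \
        -subj "/CN=www.mydomain.com" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# verify_cert CERT [CAFILE]: prints "trusted" when CERT chains to an anchor the
# client trusts, "untrusted" otherwise. Without CAFILE the default store is
# used, i.e. what a client whose admin never imported the private CA sees.
verify_cert() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

make_pki
echo "CA-signed cert, default store  : $(verify_cert "$WORK/server.pem")"
echo "CA-signed cert, CA imported    : $(verify_cert "$WORK/server.pem" "$WORK/ca.pem")"
echo "self-signed cert, default store: $(verify_cert "$WORK/self.pem")"
echo "self-signed cert, pinned       : $(verify_cert "$WORK/self.pem" "$WORK/self.pem")"
```

The error text Rizwan pasted is what curl prints when it exits with code 60, so if the client is curl, the "CA imported" row corresponds to `curl --cacert ca.pem https://www.mydomain.com/rpc2`; a Java client instead imports the CA into its truststore (`keytool -importcert -trustcacerts -alias myca -file ca.pem -keystore truststore.jks`). Neither step can be asked of "anyone who wants to post", which is why a certificate issued by a CA already present in the clients' stores is the only workable choice for a public endpoint.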