Don,

ipsCA is having some issues right now. Both OCSP (Online Certificate
Status Protocol) and their CRL are DOWN. (It's not a good sign).

Earlier, you stated that "webui" is the problem child, but "webadvisor"
was working fine cross browser (Chrome, Firefox, IE, etc), correct or is
this incorrect? Are both serving up pretty much the same content?

Based on your description of the error message, it almost sounds like a
Java issue. Is it a Java dialog box that comes up? Does it look like
this at all?

https://knowledge.verisign.com/resources/sites/VERISIGN/content/staging/SOLUTION/9000/SO9007/en_US/0.1/EV%20error.bmp

ipsCA does not exist in Java5 or 6 by default. It is in Browsers (IE,
Firefox, Chrome, Safari), but not Java or Opera.

Attachments are pretty much stripped from this list. You'd either need
to use imageshack.us or host elsewhere and provide the URL.

--Sal

On 08/26/2009 05:21 PM, Don Prezioso wrote:
Sorry, my pictures got stripped from the message so...
msg1.jpg basically says "The web site's certificate cannot be verified. Do you want to continue?"
"Name: webui.ashland.edu" "Publisher: webui.ashland.edu" and has a link for more
information...
msg2.jpg says "The certificate was issued by a source that is not trusted." and
has a link for Certificate Details...
msg3a-c show the certificate chain, including webui.ashland.edu, ipsCA CLASEA1,
and IPS SERVIDORES.
--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio

-----Original Message-----
From: Don Prezioso
Sent: Wednesday, August 26, 2009 5:15 PM
To: Tomcat Users List
Subject: RE: SSL with multiple Tomcat instances
When I connect to webui.ashland.edu I get the message in msg1.jpg.
When I click on 'More Information...', I get the message in msg2.jpg.
When I click on 'Certificate Details...' I get what you see in msg3a-c.jpg.
Now this is the really strange thing. It appears to be a perfectly valid
certificate with a valid CA. When connecting to webadvisor.ashland.edu, I see
almost identical certificate details (the signature and CN are appropriately
different). These are the same messages I have been getting all along.
The only thing that I can think is different between the two instances is that
the webui instance is behind the firewall and cannot be seen from off campus. I
didn't think that was an issue with validating certificates, is it?
Thanks again
Don
--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio

-----Original Message-----
From: Crypto Sal [mailto:crypto....@gmail.com]
Sent: Wednesday, August 26, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SSL with multiple Tomcat instances
Don,

It's very strange that one works and the other does not, especially since
they're from the same CA and presenting the same information. (Just different
common names) I can't connect to your external site [webadvisor] via Firefox
3.5 or Chrome 4.0 due to the fact that your CA's OCSP responder is down.
[Error Code: 403 Forbidden. The server denied the specified Uniform Resource
Locator (URL). Contact the server administrator. (12202)] I have to disable
OCSP in Firefox 3.5 to continue, but I do get a valid connection.

Has the error message changed at all since we've been working? Or are you still getting a
response that relates to "Unknown Issuer"?

On Wed, Aug 26, 2009 at 9:01 AM, Don Prezioso <dp...@ashland.edu> wrote:
Sal,

Thanks again.

When I connect using port 8443 or 443, or using the FQDN or the IP
address, I get the same response from the s_client request.

The reason I am using port 8443 is so I don't have to have root
running the tomcat instance. My understanding was that you had to be
root to allocate ports under 1024. Just to have that extra little bit
of security we have a user 'tomcat' that runs the tomcat instances. I
didn't want to have to specify the port number in URLs, and we had
some problems with people who weren't able to connect out through
their company's firewall on port 8443, so we wanted to make it appear
that they were connecting on port 443, but really be using 8443.

So, when I connect in a browser, I use https://webui.ashland.edu

Don
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
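
The diagnosis at the top of this thread rests on browsers and Java keeping separate trust stores, so a chain that validates in the browser can still be reported as untrusted by a Java client. The check below is an added example, not code from the thread: it searches the running JVM's default trust anchors for a CA name. The class name `TrustAnchorCheck` and the search-term argument are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): lists the trust anchors of the
// running JVM whose subject DN contains a search term, e.g. part of a CA name.
public class TrustAnchorCheck {

    // Prints matching anchors and returns how many were found.
    static int countAnchors(String term) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore selects the JVM default: the file named by
        // -Djavax.net.ssl.trustStore if set, otherwise jssecacerts or
        // cacerts under the JRE's lib/security directory.
        tmf.init((KeyStore) null);
        String needle = term.toLowerCase(Locale.ROOT);
        Date now = new Date();
        int found = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String dn = ca.getSubjectX500Principal().getName();
                if (!dn.toLowerCase(Locale.ROOT).contains(needle)) continue;
                found++;
                // An anchor past its notAfter date is present but unusable.
                boolean expired = now.after(ca.getNotAfter());
                System.out.println((expired ? "EXPIRED  " : "PRESENT  ") + dn
                        + "  (valid until " + ca.getNotAfter() + ")");
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustAnchorCheck <part-of-CA-name>");
            System.exit(2);
        }
        int found = countAnchors(args[0]);
        if (found == 0) {
            System.out.println("No trust anchor matching \"" + args[0]
                    + "\" in this JVM; Java clients will report chains"
                    + " ending at that CA as untrusted.");
        }
        System.exit(found == 0 ? 1 : 0); // non-zero exit when the CA is absent
    }
}
```

Run it with the same JRE that the failing client or browser plug-in uses, since each Java installation carries its own trust store.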