• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

apache tomcat 7.0.59 ssl with CA connection is untrasted

 
Greenhorn
Posts: 17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello, I have a webapp in apache tomcat.

I have configurated the ssl and i have imported the CA in keystore.jks.

I have done the followed:


1) keytool -genkey -alias 'mykeyalias' -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore keystore.jks -dname "CN=www.mywebsite.it , OU=it, O=mywebsite, L=mycity, ST=Italia, C=IT"
pass: keypass

2) keytool -certreq -alias 'mykeyalias' -keystore keystore.jks -file www.mywebsite.csr -sigalg SHA1WithRSA
pass: keypass

3)By CA I download e unzip www_mywebsite_it.zip ASSOCIATE at file www.mysite.csr (whith SHA1)
I have obtained:
a) AddTrustExternalCARoot.crt
b) COMODORSAAddTrustCA.crt
c) COMODORSADomainValidationSecureServerCA.crt
d) www_mywebsite_it.crt

Then i have imported the followed certified:

keytool -import -alias 'rootcert' -keystore keystore.jks -trustcacerts -file AddTrustExternalCARoot.crt
pass: keypass

keytool -import -alias 'rsaTrust' -keystore keystore.jks -trustcacerts -file COMODORSAAddTrustCA.crt
pass: keypass

keytool -import -alias 'domainValidation' -keystore keystore.jks -trustcacerts -file COMODORSADomainValidationSecureServerCA.crt
pass: keypass


At the end I used in mi server.xml the follow configuration:

<Connector
port="443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="keystore.jks"
keystorePass="keypass"
clientAuth="false"
keyAlias="mykeyalias"
sslProtocol="TLS"
/>

In my site the https is corretly, but there is the worning:
This connection is untrasted; and I must to add exception for show my site.

I don't know where is the mistake.

Somebady can help me?

Thanks a lot, Regard
 
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You didn't list the final and most important item: your actual site key.

Your domain's cert needs to be stored in the keystore under an alias name of "tomcat". Also, it should be of type "PrivateKeyEntry", not "trustedCertEntry".
 
Luca Carletti
Greenhorn
Posts: 17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello Tim,

Tanks a lot for you replay.

I have used another way and then i have verified whit the CA that my file.jks is correct

The CA said me that the problem is in the server.xml configuration.

I have add in the server.xml the followed configuration:

<Connector
className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443"
minProcessors="5"
maxProcessors="75"
enableLookups="false"
acceptCount="10"
connectionTimeout="60000"
debug="0"
SSLEnabled="true"
scheme="https"
secure="true">
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false"
protocol="TLS"
keystoreFile="PATH_KEYSTORE/miokeystore.jks"
keystorePass="myPass"/>
</Connector>


But in the my catalina.out I have the followed error:

gen 24, 2016 1:18:04 PM org.apache.coyote.AbstractProtocol init
Informazioni: Initializing ProtocolHandler ["http-bio-443"]
gen 24, 2016 1:18:05 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
Grave: Failed to load keystore type JKS with path /root/.keystore due to /root/.keystore (No such file or directory)
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:146)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:413)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:319)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:577)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:517)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:462)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:209)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:646)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)


But I'm sure that the PATH_KEYSTORE/miokeystore.jks is correct.


Can you help me?

Tanks. regards,
Luca Carletti
 
Tim Holloway
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What is this "Factory" sub-element? The keystore should be defined on the Connector.

Also, in order to use port 443, Tomcat would have to be running as a privileged user. That's a security risk, and it's why the default port is 8443.
 
Luca Carletti
Greenhorn
Posts: 17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

I have used this guide
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO16068
I used rapidssl for CA.

But i following your suggestion and I have change my connector:

<Connector
className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443"
minProcessors="5"
maxProcessors="75"
enableLookups="false"
acceptCount="10"
connectionTimeout="60000"
debug="0"
SSLEnabled="true"
scheme="https"
secure="true">
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false"
protocol="TLS"
keystoreFile="PATH_KEYSTORE/miokeystore.jks"
keystorePass="myPass"/>
</Connector>

with:

<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="PATH_KEYSTORE/miokeystore.jks"
keystorePass="myPass"
clientAuth="false"
sslProtocol="TLS"
/>

Now in my catalina.out, I have not error, and in my site the https is corretly, but there is the worning:
This connection is untrasted; and I must to add exception for show my site.

Exist a way to debug this problem?

Tanks, Regard

 
Tim Holloway
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If you use the editor's "Code" button to wrap code tags around your XML, it will make it easier to read.

Your reference URL is for Tomcat 4, which passed End Of Life a long, long, time ago. Furthermore, SSL cert vendors have a bad habit of not only not keeping their Tomcat docs up to date but not even bothering to check to see if they work.

Actually, it's usually better to not run Tomcat with SSL. For one thing, as I said before, port 443 is a protected port and therefore requires Tomcat to run as a privileged user, which is a major security risk. More commonly, Tomcat is fronted by a reverse proxy such as Apache, Nginx or IIS, and they handle the SSL.

The message "This connection is untrusted" is usually displayed by the client when SSL is working, but the SSL cert of the server is not independently vouched for. Typically this is because the cert was self-signed, but you could also get it if you didn't have the complete chain of trust in your keystore.

The best way to diagnose this problem for the Firefox browser is to click on the navigation bar's padlock icon (displayed when an SSL page is received). That should cause a dialog to pop up with details including what domain the cert is for, when the cert expires, who created the cert and the trust chain associated with the cert.
reply
    Bookmark Topic Watch Topic
  • New Topic