HTTPS error Root Certificate not Trusted

 
Greenhorn
Hey all

I've been trying to get a tomcat server set up running under RHEL.

So far everything is fine until I try to enable SSL.

I got my certs, followed a guide (https://www.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239), and every time I try to access the site, I get an error saying it's not secured (see picture).

I went to google and found how to add the certificates to the trusted store under /etc/pki/ca-trust/source/anchors, updated the ca-trust but still get the same problem.
Checked file permissions; no issue there. Tried from scratch, changing the order in which they were added to the keystore; still nothing.

Interestingly enough the certificate is coming back as issued by us, not sure if that has anything to do with it,

From my server.xml file


Kind of at a real big loss here, so any help is appreciated.



[Image: Capture.PNG]
 
Saloon Keeper
My guess is that you have both a self-signed cert (probably left over from testing) and the real cert and you're referencing the wrong one. The cert used by Tomcat is defined by the "alias=" attribute and by default, its name is "tomcat".

You can use the keytool -list command to enumerate the certs and private keys in the keystore database. And do pay attention to the difference between a cert and a private key!

Something that might help is the Portecle GUI tool for manipulating keystores and certs.

Finally, the keystore is a simple file containing the keystore database. You can copy it and pound on it to your heart's content (as long as you have the password!). So you don't need to actually launch Tomcat while you're setting things up, and you don't need to have it stored on the live server while you work on it (although basic security would dictate that you don't just leave it lying in the open, even though it is heavily encrypted).

SSL certs are based on trust. There is a set of core certs pre-installed in JVMs, web browsers, and other SSL participants, and installed certs. I did a quick check on GoDaddy, and for my Firefox browser, it appears that one of those certs is for GoDaddy itself. I've been using LetsEncrypt, so the built-in cert at the root of the chain of trust for me is DST Root CA X3 from Digital Signature Trust Co., and that cert is valid until September 30 2021. LetsEncrypt provides the second cert in the chain as Let's Encrypt Authority X3; the end of the chain is my own cert (www.mousetech.com).

Each cert in the chain is vouched for by its parent, so you have to add them starting at the root and working outwards to the end. Otherwise adding a cert will fail because no prior cert is vouching for it.

The chain can be several elements long. I had one cert with a root cert, 2 intermediate certs and the client cert. The second intermediate cert had to be vouched for by the first intermediate cert, which was vouched for by the root cert. And each cert had to have a distinct alias in the keystore. The actual alias name wasn't important, only that it was unique.
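An added example, not part of the thread and not from any of the posters, that turns the advice in the post above into a check you can run on the text that `keytool -list -v` prints: the entry named by the connector's `alias=` attribute must be a PrivateKeyEntry (a cert plus its private key, not a trustedCertEntry), and its chain must run from the server cert outwards with each certificate's Issuer equal to the next certificate's Owner. A chain of length 1 whose Owner equals its Issuer is the self-signed key pair that `keytool -genkey` creates, which a browser shows as "issued by us". The keystore listing below is constructed for the example (aliases, names and the `example.test` host are all made up); it keeps only the `Alias name:`, `Entry type:`, `Owner:` and `Issuer:` lines the parser reads and drops serials, dates and fingerprints.

```python
"""Check a `keytool -list -v` listing for the Tomcat TLS misconfigurations
discussed above: wrong alias, cert-without-key entry, self-signed leftover,
or a chain whose certs do not vouch for each other in order.
Added example; SAMPLE is constructed, not a real keystore."""

SAMPLE = """\
Keystore type: jks

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=www.example.test, O=Example, C=US
Certificate fingerprints:
\t SHA256: (removed)

*******************************************
*******************************************

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

*******************************************
*******************************************

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""


def parse_keytool_listing(text):
    """Return {alias: {"type": entry type, "chain": [(owner, issuer), ...]}}.

    Chain order is keytool's: Certificate[1] is the server cert, and the last
    element is the one closest to (or equal to) the root."""
    entries, current, owner = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "chain": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            current["chain"].append((owner, line.split(":", 1)[1].strip()))
    return entries


def check_tomcat_alias(entries, alias="tomcat"):
    """Return a list of problems with the entry Tomcat would serve; [] means OK."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found; keystore has: {sorted(entries)}"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"alias '{alias}' is a {entry['type']}, not a PrivateKeyEntry: "
                "a certificate without its private key cannot serve TLS"]
    chain = entry["chain"]
    problems = []
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        problems.append("self-signed: the CA-signed reply was never imported under this alias")
    elif len(chain) == 1:
        problems.append("chain length 1: the CA reply was imported without its intermediate "
                        "cert(s), so clients that lack the issuer will reject it")
    # Each cert must be vouched for by the next one: Issuer[i] == Owner[i+1].
    for i, ((_, issuer), (next_owner, _)) in enumerate(zip(chain, chain[1:]), start=1):
        if issuer != next_owner:
            problems.append(f"Certificate[{i}] issuer '{issuer}' does not match "
                            f"Certificate[{i + 1}] owner '{next_owner}'")
    return problems


if __name__ == "__main__":
    parsed = parse_keytool_listing(SAMPLE)
    for name in parsed:
        print(f"{name}: {check_tomcat_alias(parsed, name) or 'OK'}")
```

Run it against your own keystore with `keytool -list -v -keystore <file>` piped into `parse_keytool_listing`, then call `check_tomcat_alias` with whatever `alias=` your connector in server.xml actually names. In the constructed listing the default `tomcat` alias still holds the self-signed key pair, which is the "issued by us" symptom; `server` carries the full three-cert chain and passes; `root` is only a trusted cert and cannot serve TLS at all.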
 
S mully
Never used self-signed for testing, but here's what's in my keystore now (fingerprints taken out):



Also, where can I access the GUI you're talking about? I didn't see anything to manage SSL certs in the default Tomcat manager.
 
Tim Holloway
http://portecle.sourceforge.net/

Also, try the "-v" (verbose) option on keytool -list. It might help.
 
S mully
I was told by someone over at Stack Overflow that when making the keystore, the '-alias' must be set to the FQDN that this cert will be registered to. I'm going to try again from square one, and if I get anywhere I will post it here.
 
Tim Holloway
Your informant is confused. The cert itself must define a FQDN, but the alias is a simple keyword (and by default, that keyword is "tomcat"). The alias is simply the database key that points to the cert in the keystore database.

Actually the original requirement was that a cert be for a FQDN but there are systems that will work with just the domain name as a wildcard (different hostnames). I think it's still not universal, though, since I have discrete certs for each of my servers and I overhauled that system relatively recently.
 
S mully
No I think it was me who was confused with the terminology.

Basically, I remade the keystore and CSR and kept the aliases the same (*.mysite.com) for setting up the keystore and the CSR. Followed the instructions step by step in the original GoDaddy article, and everything worked fine.
