Posted to users@tomcat.apache.org by Steve Johnson <st...@parisgroup.net> on 2010/08/07 23:20:47 UTC
Help troubleshooting SSL certificate problem
Greetings,
We're developing an application on top of Tomcat. Our incoming
connections are always HTTPS. We've been using the self-signed cert
that came with tcServer for testing, but now I'm trying to get our setup
working with an officially signed certificate we just got from GoDaddy.
I've followed the GoDaddy instructions for adding a total of 4 certs
(root + 2 intermediates + ours) to a fresh keystore file. I used the
same keystorePass and keyAlias values as already specified for the
default keystore file. I then replaced the working keystore file (with
the self-signed cert) with this new keystore file and restarted Tomcat.
Once I do this, my HTTPS port stops working. Firefox says this:
The connection to alpha.filethis.com was interrupted while the page
was loading.
I'm stuck at this point. I can find no supporting information for this
failure in Tomcat's logs. The logs are unchanged after attempting to
access our app via HTTPS. I tried upping the log levels in
logging.properties, but even after getting huge log files to be spit
out, nothing is added to the logs in response to these erring HTTPS
requests.
My guess is that this problem has to do with my setup not matching the
domain name in the certificate, even though I'm coming in via that
domain on the URL. All the docs I've seen so far online, however, don't
mention having to do anything special in this regard.
I'm running tcServer, which it appears is Tomcat 6.0.26. My server.xml
file is included at the bottom of this post.
Can anyone tell me what might be going wrong, or how to enable some sort
of diagnostics that might tell me something about why this isn't working?
Any help would be greatly appreciated.
Take care
Steve
server.xml
==========
<?xml version='1.0' encoding='utf-8'?>
<Server port="${shutdown.port}" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <!-- tcServer JMX listener: bound to loopback only, authenticated via
       the jmxremote password/access files, no SSL on the JMX socket -->
  <Listener className="com.springsource.tcserver.serviceability.rmi.JmxSocketListener"
            port="${jmx.port}"
            bind="127.0.0.1"
            useSSL="false"
            passwordFile="${catalina.base}/conf/jmxremote.password"
            accessFile="${catalina.base}/conf/jmxremote.access"
            authenticate="true"/>
  <Listener className="com.springsource.tcserver.serviceability.deploy.TcContainerDeployer" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="tomcat-http--"
              maxThreads="300" minSpareThreads="50"/>
    <!-- Plain HTTP connector; requests for secured resources are
         redirected to the HTTPS port -->
    <Connector executor="tomcatThreadPool"
               port="${http.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000"
               redirectPort="${https.port}"
               acceptCount="100"
               maxKeepAliveRequests="15"/>
    <!-- HTTPS connector (JSSE). keystoreFile, keystorePass and keyAlias
         must all match the keystore that is dropped in: keyAlias names the
         entry whose private key and certificate chain Tomcat will serve -->
    <Connector executor="tomcatThreadPool"
               port="${https.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000"
               redirectPort="${https.port}"
               acceptCount="100"
               maxKeepAliveRequests="15"
               keystoreFile="${catalina.base}/conf/tcserver.keystore"
               keystorePass="changeme"
               keyAlias="tcserver"
               SSLEnabled="true"
               scheme="https"
               sslProtocol="TLS"
               clientAuth="false"
               secure="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true"
            deployXML="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Help troubleshooting SSL certificate problem
Posted by Hassan Schroeder <ha...@gmail.com>.
On Sat, Aug 7, 2010 at 3:32 PM, Steve Johnson <st...@parisgroup.net> wrote:
> I went through those instructions when I first got SSL working. I had SSL
> working fine. All I did this time around was replace one keystore file
> (tcserver.keystore) with another. I used the same password and alias this
> time around so that I could just drop in the new keystore without any
> modifications. When I do so, my system stops working. If I revert back to
> the original keystore containing the self-signed certificate, the system
> works fine again.
Sounds like your keystore file is bad then; what does keytool -list say?
In any case, I've only personally used Thawte and NetSol certificates,
and I don't recall ever having to add any root/intermediate certs, so
that seems kind of sketchy. Or maybe I've been lucky :-)
And, you might post a link to the GD instructions, so folks here could
look for any obvious discrepancies...
FWIW,
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan
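The keystore check Hassan asks for, written out as an added example (this is not from the thread, and not GoDaddy's or Tomcat's own tooling). It takes the keystore path, password and alias from the HTTPS connector in the server.xml above, assumes a JDK `keytool` on PATH for the live check, and parses the `keytool -list -v` output for the alias Tomcat will actually use. The two failure modes it flags are the ones a fresh keystore built from certificates alone tends to produce: the configured alias is a trustedCertEntry (a certificate with no private key, so the connector has nothing to serve), or it is a PrivateKeyEntry whose chain length is still 1 (the CA reply with the intermediates was never imported under the key's alias). The embedded keytool listings are constructed samples, not real output from the poster's keystore.

```shell
#!/bin/sh
# Added example: check that the entry behind Tomcat's keyAlias can actually
# serve TLS. Values below come from the HTTPS connector in server.xml; the
# rest is assumed. Override with environment variables when needed.
KEYSTORE="${KEYSTORE:-conf/tcserver.keystore}"
STOREPASS="${STOREPASS:-changeme}"
KEYALIAS="${KEYALIAS:-tcserver}"

# list_keystore KEYSTORE STOREPASS: verbose listing of a real JKS keystore.
# Needs a JDK keytool on PATH; note -storepass puts the password in the
# process list, so run this from a shell on the server, not from cron.
list_keystore() {
    keytool -list -v -keystore "$1" -storepass "$2"
}

# entry_type ALIAS: read a `keytool -list -v` listing on stdin and print the
# "Entry type:" of ALIAS (PrivateKeyEntry or trustedCertEntry), or nothing.
entry_type() {
    awk -v alias="$1" '
        $1 == "Alias" && $2 == "name:" { cur = $3 }
        $1 == "Entry" && $2 == "type:" && cur == alias { print $3; exit }
    '
}

# chain_length ALIAS: print the "Certificate chain length:" of ALIAS from a
# verbose listing on stdin. keytool prints this only for key entries.
chain_length() {
    awk -v alias="$1" '
        $1 == "Alias" && $2 == "name:" { cur = $3 }
        $1 == "Certificate" && $2 == "chain" && $3 == "length:" && cur == alias { print $4; exit }
    '
}

# diagnose LISTING ALIAS: return 0 when ALIAS holds a private key with a
# chain of at least two certificates; otherwise explain why the connector
# will not serve and return a distinct nonzero code per failure mode.
diagnose() {
    listing="$1"; alias="$2"
    etype=$(printf '%s\n' "$listing" | entry_type "$alias")
    case "$etype" in
        "")
            echo "alias '$alias' not found: keyAlias in server.xml must name an entry in the keystore"
            return 1 ;;
        trustedCertEntry)
            echo "alias '$alias' is a trustedCertEntry: certificate only, no private key, nothing to serve"
            return 2 ;;
        PrivateKeyEntry)
            len=$(printf '%s\n' "$listing" | chain_length "$alias")
            if [ "${len:-1}" -lt 2 ]; then
                echo "alias '$alias' has a private key but a chain of length ${len:-1}: the CA reply was not imported under this alias"
                return 3
            fi
            echo "alias '$alias' is a PrivateKeyEntry with chain length $len: OK"
            return 0 ;;
        *)
            echo "alias '$alias' has unexpected entry type '$etype'"
            return 4 ;;
    esac
}

# Constructed sample listings (not real output from the thread). The first
# mirrors a keystore built only from certificates: the server cert sits under
# the alias Tomcat expects, but as a trusted cert with no key behind it.
SAMPLE_BAD='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Aug 7, 2010
Entry type: trustedCertEntry

Alias name: tcserver
Creation date: Aug 7, 2010
Entry type: trustedCertEntry
'
# The second is what a correct import looks like: the key entry carries the
# full chain (server cert + 2 intermediates + root).
SAMPLE_GOOD='Alias name: tcserver
Creation date: Aug 7, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 4
'

# Check the real keystore when keytool and the file are present; otherwise
# run the constructed samples so the script still does something offline.
if command -v keytool >/dev/null 2>&1 && [ -r "$KEYSTORE" ]; then
    diagnose "$(list_keystore "$KEYSTORE" "$STOREPASS")" "$KEYALIAS"
else
    diagnose "$SAMPLE_BAD" "$KEYALIAS" || :
    diagnose "$SAMPLE_GOOD" "$KEYALIAS" || :
fi
```

Run it from the tcServer instance directory (so `conf/tcserver.keystore` resolves) before restarting Tomcat; a nonzero exit means the swap will break the HTTPS connector even though the file, password and alias all "match". The chain-length check is worth keeping even once the key entry is right: with a chain of 1 the handshake may still complete, but browsers without GoDaddy's intermediates cached will reject the certificate.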
Re: Help troubleshooting SSL certificate problem
Posted by Steve Johnson <st...@parisgroup.net>.
The GoDaddy instructions mostly talk about building the keystore file,
and are very similar to that section of the document you mention. I
assume what you're getting at is that the instructions you mention might
be helpful to me. I have, unfortunately, been over those instructions
backwards and forwards. They don't lend any clues.
I went through those instructions when I first got SSL working. I had
SSL working fine. All I did this time around was replace one keystore
file (tcserver.keystore) with another. I used the same password and
alias this time around so that I could just drop in the new keystore
without any modifications. When I do so, my system stops working. If I
revert back to the original keystore containing the self-signed
certificate, the system works fine again.
S
On 8/7/2010 3:14 PM, Hassan Schroeder wrote:
> On Sat, Aug 7, 2010 at 2:20 PM, Steve Johnson<st...@parisgroup.net> wrote:
>
>> I've followed the GoDaddy instructions for adding a total of 4 certs (root +
>> 2 intermediates + ours) to a fresh keystore file.
> Do the "GoDaddy instructions" look anything like the Tomcat ones? :-)
> <http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html>
>
Re: Help troubleshooting SSL certificate problem
Posted by Hassan Schroeder <ha...@gmail.com>.
On Sat, Aug 7, 2010 at 2:20 PM, Steve Johnson <st...@parisgroup.net> wrote:
> I've followed the GoDaddy instructions for adding a total of 4 certs (root +
> 2 intermediates + ours) to a fresh keystore file.
Do the "GoDaddy instructions" look anything like the Tomcat ones? :-)
<http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html>
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan