Posted to users@tomcat.apache.org by Alexandre Lima <le...@gmail.com> on 2015/01/13 19:37:07 UTC

Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Hello!
This is the first time I'm using tomcat, so I'm a little bit lost...
Using the tutorials, I could make the server and the application I want to
run with it work.
The only modification I did until now was changing the http port from 8080
to 80, I did that changing the http connector on servers.xml, enabling
authbind and executing the following commands:

sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80

So, the server and the application I want to use with it are actually
working on port 80, but the next and last step, which is enabling an SSL
connection, isn't working.

What I did following the site's tutorial was: created my self signed
certificate with keytools and put it on /home/myuser/key.keystore
Additionally, I've created the following connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="/home/myuser/key.keystore"
           keystorePass="mypass"
           clientAuth="false" sslProtocol="TLS" />

Saved it, restarted server and accessed https://myip:8443, but it isn't
working.
Chrome says "No data received" and "Unable to load the webpage because the
server sent no data" and "Error code: ERR_EMPTY_RESPONSE".

Firefox says that the connection was reset while the page was being loaded.

That's where I am now. I don't know what to try anymore.
Any ideas?

Thank you!

-- 
--
Alexandre Lima

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 13 January 2015 at 16:41, Alexandre Lima <le...@gmail.com> wrote:

>
>
> On 13 January 2015 at 16:11, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>>
>> Alexandre,
>>
>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>> > Hello! This is the first time I'm using tomcat, so I'm a little bit
>> > lost...
>>
>> Welcome! Configuring SSL always turns out to be a pain in the neck.
>>
>> > Using the tutorials, I could make the server and the application I
>> > want to run with it work. The only modification I did until now was
>> > changing the http port from 8080 to 80, I did that changing the
>> > http connector on servers.xml, enabling authbind and executing the
>> > following commands:
>> >
>> > sudo touch /etc/authbind/byport/80 sudo chmod 500
>> > /etc/authbind/byport/80 sudo chown tomcat7 /etc/authbind/byport/80
>> >
>> > So, the server and the application I want to use with it are
>> > actually working on port 80
>>
>> You've confirmed this? I've never used authbind before, so I just
>> wanted to make sure that you have Tomcat working properly with non-SSL
>> before you try to add SSL.
>>
>> > , but the next and last step, which is enabling an SSL connection,
>> > isn't working.
>> >
>> > What I did following the site's tutorial was: created my self
>> > signed certificate with keytools and put it on
>> > /home/myuser/key.keystore
>>
>> Can you outline the steps you took? Where is your keystore?
>>
>> > Additionally, I've created the following connector:
>> >
>> > <Connector port="8443"
>> > protocol="org.apache.coyote.http11.Http11Protocol"
>> > SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
>> > keystoreFile="/home/myuser/key.keystore" keystorePass="mypass"
>> > clientAuth="false" sslProtocol="TLS" />
>>
>> That looks good so far.
>>
>> > Saved it, restarted server and accessed https://myip:8443, but it
>> > isn't working. Chrome says "No data received" and "Unable to load
>> > the webpage because the server sent no data" and "Error code:
>> > ERR_EMPTY_RESPONSE".
>> >
>> > Firefox says that the connection was reset while the page was being
>> > loaded.
>> >
>> > That's where I am now. I don't know what to try anymore.
>>
>> Try:
>>
>> $ telnet localhost 8443
>>
>> (on the server with Tomcat running)
>>
>> That will tell you if the port is open (it should be, otherwise you'd
>> be getting different errors from Chrome and ff) and what, if anything,
>> gets dumped to it when you connect.
>>
>> If you get a connection and nothing happens, try submitting a request
>> like this:
>>
>> $ telnet localhost 8443
>> GET /
>>
>> [output goes here]
>>
>> Post the results of the above if you get anything.
>>
>> Dumb question: you restarted Tomcat after updating server.xml, right?
>>
>> - -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> Thank you for the reply Christopher!
> I've used the command: keytool -genkey -alias tomcat -keyalg RSA -keystore
> /home/myuser/key.keystore
> to generate the keystore. I should put the keystore in some special
> directory or this one is fine?
> So, after, requesting:   telnet localhost 8443
>
> I got some strange stuff:
>
> ~$ telnet localhost 8443
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET /
> ^U^C^A^@^B^B
>
>
>
> And yes, I've restarted it :)
>
> --
> --
> Alexandre Lima
>

Oh, I forgot. Right after that I got: "Connection closed by foreign host."
And yes, it's working fine on port 80, it's even using DNS already.
-- 
--
Alexandre Lima
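The control characters telnet printed after "GET /" are not noise: they are the start of a TLS record, which is what a TLS listener answers when it receives plaintext. The decoder below is an added example, not code from the thread or from Tomcat; its first sample is exactly the six bytes visible in the quoted session, and the second sample, the same record completed with alert description 10 (unexpected_message, a byte that a terminal would render as a line feed), is an assumption.

```python
"""Decode the bytes a TLS listener sends back when it receives plaintext.

Added example, not part of the mailing-list thread. ^U^C^A^@^B^B is caret
notation for the bytes 0x15 0x03 0x01 0x00 0x02 0x02: record type 0x15
(alert), record-layer version 3.1 (TLS 1.0), declared body length 2, and
alert level 2 (fatal). The description byte that should follow was not
visible in the quoted session, so the decoder handles truncated records.
"""
from dataclasses import dataclass
from typing import Optional

CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Subset of the RFC 5246 AlertDescription values.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    70: "protocol_version",
    80: "internal_error",
}


def caret_notation_to_bytes(text: str) -> bytes:
    """Convert telnet-style caret notation (^U, ^@, ...) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            out.append(ord(text[i + 1]) ^ 0x40)  # ^A -> 0x01, ^@ -> 0x00
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


@dataclass
class TlsRecord:
    content_type: str
    version: str
    declared_length: int
    level: Optional[str] = None
    description: Optional[str] = None
    truncated: bool = False


def decode_record(raw: bytes) -> TlsRecord:
    """Parse one TLS record header and, for alert records, the alert body."""
    if len(raw) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype = CONTENT_TYPES.get(raw[0], f"unknown(0x{raw[0]:02x})")
    version = f"{raw[1]}.{raw[2]}"  # 3.1 is the TLS 1.0 record-layer version
    length = int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    rec = TlsRecord(ctype, version, length, truncated=len(body) < length)
    if ctype == "alert":
        if len(body) >= 1:
            rec.level = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        if len(body) >= 2:
            rec.description = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
    return rec


def explain(raw: bytes) -> str:
    """One-line human-readable summary of a captured record."""
    rec = decode_record(raw)
    if rec.content_type != "alert":
        return f"{rec.content_type} record, record-layer version {rec.version}"
    msg = f"TLS alert, level={rec.level}, description={rec.description or 'missing'}"
    if rec.truncated:
        msg += f" (record truncated: declared {rec.declared_length} body bytes)"
    return msg


# Constructed inputs: the bytes visible in the thread's telnet session, and
# (assumption) the same record completed with description 10.
THREAD_SAMPLE = "^U^C^A^@^B^B"
COMPLETE_SAMPLE = caret_notation_to_bytes(THREAD_SAMPLE) + b"\x0a"

if __name__ == "__main__":
    print(explain(caret_notation_to_bytes(THREAD_SAMPLE)))
    print(explain(COMPLETE_SAMPLE))
```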

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 14 January 2015 at 15:56, Sanaullah <sa...@gmail.com> wrote:

> > >>>> <Connector port="8443"
> > >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> > >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> > >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> > >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> > >>>> />
>
>
> Maybe it's due to the truststore file? I haven't seen any truststore file
> in your connector configuration.
>
>
> On Wed, Jan 14, 2015 at 11:18 PM, Alexandre Lima <le...@gmail.com>
> wrote:
>
> > On 13 January 2015 at 18:20, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > >
> > > Alexandre,
> > >
> > > On 1/13/15 2:41 PM, Alexandre Lima wrote:
> > > > On 13 January 2015 at 16:11, Christopher Schultz <
> > > > chris@christopherschultz.net> wrote:
> > > >
> > > > Alexandre,
> > > >
> > > > On 1/13/15 1:37 PM, Alexandre Lima wrote:
> > > >>>> Hello! This is the first time I'm using tomcat, so I'm a
> > > >>>> little bit lost...
> > > >
> > > > Welcome! Configuring SSL always turns out to be a pain in the
> > > > neck.
> > > >
> > > >>>> Using the tutorials, I could make the server and the
> > > >>>> application I want to run with it work. The only modification
> > > >>>> I did until now was changing the http port from 8080 to 80, I
> > > >>>> did that changing the http connector on servers.xml, enabling
> > > >>>> authbind and executing the following commands:
> > > >>>>
> > > >>>> sudo touch /etc/authbind/byport/80 sudo chmod 500
> > > >>>> /etc/authbind/byport/80 sudo chown tomcat7
> > > >>>> /etc/authbind/byport/80
> > > >>>>
> > > >>>> So, the server and the application I want to use with it are
> > > >>>> actually working on port 80
> > > >
> > > > You've confirmed this? I've never used authbind before, so I just
> > > > wanted to make sure that you have Tomcat working properly with
> > > > non-SSL before you try to add SSL.
> > > >
> > > >>>> , but the next and last step, which is enabling an SSL
> > > >>>> connection, isn't working.
> > > >>>>
> > > >>>> What I did following the site's tutorial was: created my
> > > >>>> self signed certificate with keytools and put it on
> > > >>>> /home/myuser/key.keystore
> > > >
> > > > Can you outline the steps you took? Where is your keystore?
> > > >
> > > >>>> Additionally, I've created the following connector:
> > > >>>>
> > > >>>> <Connector port="8443"
> > > >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> > > >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> > > >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> > > >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> > > >>>> />
> > > >
> > > > That looks good so far.
> > > >
> > > >>>> Saved it, restarted server and accessed https://myip:8443,
> > > >>>> but it isn't working. Chrome says "No data received" and
> > > >>>> "Unable to load the webpage because the server sent no data"
> > > >>>> and "Error code: ERR_EMPTY_RESPONSE".
> > > >>>>
> > > >>>> Firefox says that the connection was reset while the page was
> > > >>>> being loaded.
> > > >>>>
> > > >>>> That's where I am now. I don't know what to try anymore.
> > > >
> > > > Try:
> > > >
> > > > $ telnet localhost 8443
> > > >
> > > > (on the server with Tomcat running)
> > > >
> > > > That will tell you if the port is open (it should be, otherwise
> > > > you'd be getting different errors from Chrome and ff) and what, if
> > > > anything, gets dumped to it when you connect.
> > > >
> > > > If you get a connection and nothing happens, try submitting a
> > > > request like this:
> > > >
> > > > $ telnet localhost 8443 GET /
> > > >
> > > > [output goes here]
> > > >
> > > > Post the results of the above if you get anything.
> > > >
> > > > Dumb question: you restarted Tomcat after updating server.xml,
> > > > right?
> > > >
> > > > -chris
> > > > Thank you for the reply Christopher! I've used the command: keytool
> > > > -genkey -alias tomcat -keyalg RSA -keystore
> > > > /home/myuser/key.keystore to generate the keystore. I should put
> > > > the keystore in some special directory or this one is fine? So,
> > > > after, requesting:   telnet localhost 8443
> > > >
> > > > I got some strange stuff:
> > > >
> > > > ~$ telnet localhost 8443 Trying ::1... Connected to localhost.
> > > > Escape character is '^]'. GET / ^U^C^A^@^B^B
> > > >
> > > >
> > > >
> > > > And yes, I've restarted it :)
> > >
> > > Good. Now, try this:
> > >
> > > $ openssl s_client -debug -connect localhost:8443
> > >
> > > Assuming that the server is running and listening for SSL connections,
> > > s_client should be able to connect, and it should give you tons of
> > > good information about what's happening, there.
> > >
> > > - -chris
> > >
> > >
> > Hello Chris!
> > I've tried the command you suggested and the most important thing I found
> > was this:
> >
> > subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> > issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1073 bytes and written 555 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> > Server public key is 1024 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-SHA384
> >     Session-ID:
> > 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
> >     Session-ID-ctx:
> >     Master-Key:
> >
> >
> F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1421259101
> >     Timeout   : 300 (sec)
> >     Verify return code: 10 (certificate has expired)
> >
> > SysAid is the application I'm running under tomcat.
> > Does it mean that SysAid is a server behind tomcat? And so I would have
> to
> > configure the connection in it?
> > That's strange. I would like to hear your opinion.
> >
> > --
> > --
> > Alexandre Lima
> >
>


Is it necessary? I haven't created one. In the tutorial I found on tomcat
website they didn't mention anything about truststores...

-- 
--
Alexandre Lima

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Sanaullah <sa...@gmail.com>.
> >>>> <Connector port="8443"
> >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> >>>> />


Maybe it's due to the truststore file? I haven't seen any truststore file
in your connector configuration.


On Wed, Jan 14, 2015 at 11:18 PM, Alexandre Lima <le...@gmail.com>
wrote:

> On 13 January 2015 at 18:20, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> >
> > Alexandre,
> >
> > On 1/13/15 2:41 PM, Alexandre Lima wrote:
> > > On 13 January 2015 at 16:11, Christopher Schultz <
> > > chris@christopherschultz.net> wrote:
> > >
> > > Alexandre,
> > >
> > > On 1/13/15 1:37 PM, Alexandre Lima wrote:
> > >>>> Hello! This is the first time I'm using tomcat, so I'm a
> > >>>> little bit lost...
> > >
> > > Welcome! Configuring SSL always turns out to be a pain in the
> > > neck.
> > >
> > >>>> Using the tutorials, I could make the server and the
> > >>>> application I want to run with it work. The only modification
> > >>>> I did until now was changing the http port from 8080 to 80, I
> > >>>> did that changing the http connector on servers.xml, enabling
> > >>>> authbind and executing the following commands:
> > >>>>
> > >>>> sudo touch /etc/authbind/byport/80 sudo chmod 500
> > >>>> /etc/authbind/byport/80 sudo chown tomcat7
> > >>>> /etc/authbind/byport/80
> > >>>>
> > >>>> So, the server and the application I want to use with it are
> > >>>> actually working on port 80
> > >
> > > You've confirmed this? I've never used authbind before, so I just
> > > wanted to make sure that you have Tomcat working properly with
> > > non-SSL before you try to add SSL.
> > >
> > >>>> , but the next and last step, which is enabling an SSL
> > >>>> connection, isn't working.
> > >>>>
> > >>>> What I did following the site's tutorial was: created my
> > >>>> self signed certificate with keytools and put it on
> > >>>> /home/myuser/key.keystore
> > >
> > > Can you outline the steps you took? Where is your keystore?
> > >
> > >>>> Additionally, I've created the following connector:
> > >>>>
> > >>>> <Connector port="8443"
> > >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> > >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> > >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> > >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> > >>>> />
> > >
> > > That looks good so far.
> > >
> > >>>> Saved it, restarted server and accessed https://myip:8443,
> > >>>> but it isn't working. Chrome says "No data received" and
> > >>>> "Unable to load the webpage because the server sent no data"
> > >>>> and "Error code: ERR_EMPTY_RESPONSE".
> > >>>>
> > >>>> Firefox says that the connection was reset while the page was
> > >>>> being loaded.
> > >>>>
> > >>>> That's where I am now. I don't know what to try anymore.
> > >
> > > Try:
> > >
> > > $ telnet localhost 8443
> > >
> > > (on the server with Tomcat running)
> > >
> > > That will tell you if the port is open (it should be, otherwise
> > > you'd be getting different errors from Chrome and ff) and what, if
> > > anything, gets dumped to it when you connect.
> > >
> > > If you get a connection and nothing happens, try submitting a
> > > request like this:
> > >
> > > $ telnet localhost 8443 GET /
> > >
> > > [output goes here]
> > >
> > > Post the results of the above if you get anything.
> > >
> > > Dumb question: you restarted Tomcat after updating server.xml,
> > > right?
> > >
> > > -chris
> > > Thank you for the reply Christopher! I've used the command: keytool
> > > -genkey -alias tomcat -keyalg RSA -keystore
> > > /home/myuser/key.keystore to generate the keystore. I should put
> > > the keystore in some special directory or this one is fine? So,
> > > after, requesting:   telnet localhost 8443
> > >
> > > I got some strange stuff:
> > >
> > > ~$ telnet localhost 8443 Trying ::1... Connected to localhost.
> > > Escape character is '^]'. GET / ^U^C^A^@^B^B
> > >
> > >
> > >
> > > And yes, I've restarted it :)
> >
> > Good. Now, try this:
> >
> > $ openssl s_client -debug -connect localhost:8443
> >
> > Assuming that the server is running and listening for SSL connections,
> > s_client should be able to connect, and it should give you tons of
> > good information about what's happening, there.
> >
> > - -chris
> >
> >
> Hello Chris!
> I've tried the command you suggested and the most important thing I found
> was this:
>
> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1073 bytes and written 555 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-SHA384
>     Session-ID:
> 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>     Session-ID-ctx:
>     Master-Key:
>
> F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1421259101
>     Timeout   : 300 (sec)
>     Verify return code: 10 (certificate has expired)
>
> SysAid is the application I'm running under tomcat.
> Does it mean that SysAid is a server behind tomcat? And so I would have to
> configure the connection in it?
> That's strange. I would like to hear your opinion.
>
> --
> --
> Alexandre Lima
>

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 14 January 2015 at 17:11, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Alexandre,
>
> On 1/14/15 2:15 PM, Alexandre Lima wrote:
> > On 14 January 2015 at 15:59, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Alexandre,
> >
> > On 1/14/15 1:18 PM, Alexandre Lima wrote:
> >>>> On 13 January 2015 at 18:20, Christopher Schultz <
> >>>> chris@christopherschultz.net> wrote:
> >>>>
> >>>> Alexandre,
> >>>>
> >>>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
> >>>>>>> On 13 January 2015 at 16:11, Christopher Schultz <
> >>>>>>> chris@christopherschultz.net> wrote:
> >>>>>>>
> >>>>>>> Alexandre,
> >>>>>>>
> >>>>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
> >>>>>>>>>> Hello! This is the first time I'm using tomcat,
> >>>>>>>>>> so I'm a little bit lost...
> >>>>>>>
> >>>>>>> Welcome! Configuring SSL always turns out to be a pain
> >>>>>>> in the neck.
> >>>>>>>
> >>>>>>>>>> Using the tutorials, I could make the server and
> >>>>>>>>>> the application I want to run with it work. The
> >>>>>>>>>> only modification I did until now was changing
> >>>>>>>>>> the http port from 8080 to 80, I did that
> >>>>>>>>>> changing the http connector on servers.xml,
> >>>>>>>>>> enabling authbind and executing the following
> >>>>>>>>>> commands:
> >>>>>>>>>>
> >>>>>>>>>> sudo touch /etc/authbind/byport/80 sudo chmod
> >>>>>>>>>> 500 /etc/authbind/byport/80 sudo chown tomcat7
> >>>>>>>>>> /etc/authbind/byport/80
> >>>>>>>>>>
> >>>>>>>>>> So, the server and the application I want to use
> >>>>>>>>>> with it are actually working on port 80
> >>>>>>>
> >>>>>>> You've confirmed this? I've never used authbind before,
> >>>>>>> so I just wanted to make sure that you have Tomcat
> >>>>>>> working properly with non-SSL before you try to add
> >>>>>>> SSL.
> >>>>>>>
> >>>>>>>>>> , but the next and last step, which is enabling
> >>>>>>>>>> an SSL connection, isn't working.
> >>>>>>>>>>
> >>>>>>>>>> What I did following the site's tutorial was:
> >>>>>>>>>> created my self signed certificate with keytools
> >>>>>>>>>> and put it on /home/myuser/key.keystore
> >>>>>>>
> >>>>>>> Can you outline the steps you took? Where is your
> >>>>>>> keystore?
> >>>>>>>
> >>>>>>>>>> Additionally, I've created the following
> >>>>>>>>>> connector:
> >>>>>>>>>>
> >>>>>>>>>> <Connector port="8443"
> >>>>>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>>>>>>>> SSLEnabled="true" maxThreads="200" scheme="https"
> >>>>>>>>>> secure="true"
> >>>>>>>>>> keystoreFile="/home/myuser/key.keystore"
> >>>>>>>>>> keystorePass="mypass" clientAuth="false"
> >>>>>>>>>> sslProtocol="TLS" />
> >>>>>>>
> >>>>>>> That looks good so far.
> >>>>>>>
> >>>>>>>>>> Saved it, restarted server and accessed
> >>>>>>>>>> https://myip:8443, but it isn't working. Chrome
> >>>>>>>>>> says "No data received" and "Unable to load the
> >>>>>>>>>> webpage because the server sent no data" and
> >>>>>>>>>> "Error code: ERR_EMPTY_RESPONSE".
> >>>>>>>>>>
> >>>>>>>>>> Firefox says that the connection was reset while
> >>>>>>>>>> the page was being loaded.
> >>>>>>>>>>
> >>>>>>>>>> That's where I am now. I don't know what to try
> >>>>>>>>>> anymore.
> >>>>>>>
> >>>>>>> Try:
> >>>>>>>
> >>>>>>> $ telnet localhost 8443
> >>>>>>>
> >>>>>>> (on the server with Tomcat running)
> >>>>>>>
> >>>>>>> That will tell you if the port is open (it should be,
> >>>>>>> otherwise you'd be getting different errors from Chrome
> >>>>>>> and ff) and what, if anything, gets dumped to it when
> >>>>>>> you connect.
> >>>>>>>
> >>>>>>> If you get a connection and nothing happens, try
> >>>>>>> submitting a request like this:
> >>>>>>>
> >>>>>>> $ telnet localhost 8443 GET /
> >>>>>>>
> >>>>>>> [output goes here]
> >>>>>>>
> >>>>>>> Post the results of the above if you get anything.
> >>>>>>>
> >>>>>>> Dumb question: you restarted Tomcat after updating
> >>>>>>> server.xml, right?
> >>>>>>>
> >>>>>>> -chris
> >>>>>>> Thank you for the reply Christopher! I've used the
> >>>>>>> command: keytool -genkey -alias tomcat -keyalg RSA
> >>>>>>> -keystore /home/myuser/key.keystore to generate the
> >>>>>>> keystore. I should put the keystore in some special
> >>>>>>> directory or this one is fine? So, after, requesting:
> >>>>>>> telnet localhost 8443
> >>>>>>>
> >>>>>>> I got some strange stuff:
> >>>>>>>
> >>>>>>> ~$ telnet localhost 8443 Trying ::1... Connected to
> >>>>>>> localhost. Escape character is '^]'. GET /
> >>>>>>> ^U^C^A^@^B^B
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> And yes, I've restarted it :)
> >>>>
> >>>> Good. Now, try this:
> >>>>
> >>>> $ openssl s_client -debug -connect localhost:8443
> >>>>
> >>>> Assuming that the server is running and listening for SSL
> >>>> connections, s_client should be able to connect, and it
> >>>> should give you tons of good information about what's
> >>>> happening, there.
> >>>>
> >>>> -chris
> >>>> Hello Chris! I've tried the command you suggested and the
> >>>> most important thing I found was this:
> >>>>
> >>>> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> >>>> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> >>>> ---
> >>>> No client certificate CA names sent
> >>>> ---
> >>>> SSL handshake has read 1073 bytes and written 555 bytes
> >>>> ---
> >>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> >>>> Server public key is 1024 bit
> >>>> Secure Renegotiation IS supported
> >>>> Compression: NONE
> >>>> Expansion: NONE
> >>>> SSL-Session:
> >>>>     Protocol  : TLSv1.2
> >>>>     Cipher    : ECDHE-RSA-AES256-SHA384
> >>>>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
> >>>>     Session-ID-ctx:
> >>>>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
> >>>>     Key-Arg   : None
> >>>>     PSK identity: None
> >>>>     PSK identity hint: None
> >>>>     SRP username: None
> >>>>     Start Time: 1421259101
> >>>>     Timeout   : 300 (sec)
> >>>>     Verify return code: 10 (certificate has expired)
> >>>>
> >>>> SysAid is the application I'm running under tomcat. Does it
> >>>> mean that SysAid is a server behind tomcat? And so I would
> >>>> have to configure the connection in it? That's strange. I
> >>>> would like to hear your opinion.
> >
> > Well, the subject and issuer look a little strange, but that may
> > be just because you configured them that way (when keytool asked
> > you all those questions).
> >
> > Generally speaking, when keytool asks you for your "first and last
> > name", it really means your "common name" which for nearly
> > everybody is actually the DNS name of the server (e.g.
> > www.mysite.com).
> >
> > If you list the contents of your keystore, what's in there?
> >
> > $ keytool -list -keystore path/to/keystore
> >
> > -chris
> > I actually didn't configure it that way! I didn't put "sysaid"
> > anywhere when I was making the keystore. That's why I think that my
> > application (Sysaid) created that keystore shown, otherwise there
> > wouldn't be "O=SysAid"... That's really strange... I think I'm
> > gonna ask this on SysAid forums. It's really giving me a
> > headache.
>
> Well, if you have Tomcat listening on port 8443 and you have
> configured your own keystore, then you should have your own
> certificate in there and not something coming from SysAid.
>
> But it looks like you have found a critical symptom of the problem:
> your keystore is not being used. I'm curious to see what else is in
> your keystore, since Tomcat will use the "first" certificate in the
> keystore unless you supply an "alias" in your configuration, which you
> did not do.
>
> If you have multiple certificates in your keystore, I highly recommend
> that you use the "alias" attribute in your <Connector> to point to
> your own certificate. I'll bet that Chrome/ff aren't willing to
> connect to a web server with an SSL certificate with such an odd CN
> value. I'm not sure if the CN value is actually "Unknown" (which
> should be valid... "Unknown" is a perfectly valid hostname) or that
> the value is somehow NULL (or "unset" or whatever) in the certificate.
> If that's the case, the cert is essentially invalid and these clients
> might be refusing to connect and giving you a really weird error
> message in the process.
>
> - -chris
>
I could make it work!
The keystore seemed to be the problem. I've created another keystore with
another alias and it worked :)
Thank you very much for the help guys!

Regards,

-- 
--
Alexandre Lima

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alexandre,

On 1/14/15 2:15 PM, Alexandre Lima wrote:
> On 14 January 2015 at 15:59, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Alexandre,
> 
> On 1/14/15 1:18 PM, Alexandre Lima wrote:
>>>> On 13 January 2015 at 18:20, Christopher Schultz < 
>>>> chris@christopherschultz.net> wrote:
>>>> 
>>>> Alexandre,
>>>> 
>>>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
>>>>>>> On 13 January 2015 at 16:11, Christopher Schultz < 
>>>>>>> chris@christopherschultz.net> wrote:
>>>>>>> 
>>>>>>> Alexandre,
>>>>>>> 
>>>>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>>>>>>>> Hello! This is the first time I'm using tomcat,
>>>>>>>>>> so I'm a little bit lost...
>>>>>>> 
>>>>>>> Welcome! Configuring SSL always turns out to be a pain
>>>>>>> in the neck.
>>>>>>> 
>>>>>>>>>> Using the tutorials, I could make the server and
>>>>>>>>>> the application I want to run with it work. The
>>>>>>>>>> only modification I did until now was changing
>>>>>>>>>> the http port from 8080 to 80, I did that
>>>>>>>>>> changing the http connector on servers.xml,
>>>>>>>>>> enabling authbind and executing the following
>>>>>>>>>> commands:
>>>>>>>>>> 
>>>>>>>>>> sudo touch /etc/authbind/byport/80
>>>>>>>>>> sudo chmod 500 /etc/authbind/byport/80
>>>>>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>>>>>>>> 
>>>>>>>>>> So, the server and the application I want to use
>>>>>>>>>> with it are actually working on port 80
>>>>>>> 
>>>>>>> You've confirmed this? I've never used authbind before,
>>>>>>> so I just wanted to make sure that you have Tomcat
>>>>>>> working properly with non-SSL before you try to add
>>>>>>> SSL.
>>>>>>> 
>>>>>>>>>> , but the next and last step, which is enabling
>>>>>>>>>> an SSL connection, isn't working.
>>>>>>>>>> 
>>>>>>>>>> What I did following the site's tutorial was:
>>>>>>>>>> created my self signed certificate with keytools
>>>>>>>>>> and put it on /home/myuser/key.keystore
>>>>>>> 
>>>>>>> Can you outline the steps you took? Where is your
>>>>>>> keystore?
>>>>>>> 
>>>>>>>>>> Additionally, I've created the following
>>>>>>>>>> connector:
>>>>>>>>>> 
>>>>>>>>>> <Connector port="8443"
>>>>>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>>>>> SSLEnabled="true" maxThreads="200" scheme="https"
>>>>>>>>>> secure="true"
>>>>>>>>>> keystoreFile="/home/myuser/key.keystore"
>>>>>>>>>> keystorePass="mypass" clientAuth="false"
>>>>>>>>>> sslProtocol="TLS" />
>>>>>>> 
>>>>>>> That looks good so far.
>>>>>>> 
>>>>>>>>>> Saved it, restarted server and accessed 
>>>>>>>>>> https://myip:8443, but it isn't working. Chrome
>>>>>>>>>> says "No data received" and "Unable to load the
>>>>>>>>>> webpage because the server sent no data and
>>>>>>>>>> "Error code: ERR_EMPTY_RESPONSE".
>>>>>>>>>> 
>>>>>>>>>> Firefox says that the connection was reset while
>>>>>>>>>> the page was being loaded.
>>>>>>>>>> 
>>>>>>>>>> That's where I am now. I don't know what to try 
>>>>>>>>>> anymore.
>>>>>>> 
>>>>>>> Try:
>>>>>>> 
>>>>>>> $ telnet localhost 8443
>>>>>>> 
>>>>>>> (on the server with Tomcat running)
>>>>>>> 
>>>>>>> That will tell you if the port is open (it should be, 
>>>>>>> otherwise you'd be getting different errors from Chrome
>>>>>>> and ff) and what, if anything, gets dumped to it when
>>>>>>> you connect.
>>>>>>> 
>>>>>>> If you get a connection and nothing happens, try
>>>>>>> submitting a request like this:
>>>>>>> 
>>>>>>> $ telnet localhost 8443 GET /
>>>>>>> 
>>>>>>> [output goes here]
>>>>>>> 
>>>>>>> Post the results of the above if you get anything.
>>>>>>> 
>>>>>>> Dumb question: you restarted Tomcat after updating 
>>>>>>> server.xml, right?
>>>>>>> 
>>>>>>> -chris
>>>>>>> Thank you for the reply Christopher! I've used the
>>>>>>> command: keytool -genkey -alias tomcat -keyalg RSA
>>>>>>> -keystore /home/myuser/key.keystore to generate the
>>>>>>> keystore. I should put the keystore in some special
>>>>>>> directory or this one is fine? So, after, requesting:
>>>>>>> telnet localhost 8443
>>>>>>> 
>>>>>>> I got some strange stuff:
>>>>>>> 
>>>>>>> ~$ telnet localhost 8443
>>>>>>> Trying ::1...
>>>>>>> Connected to localhost.
>>>>>>> Escape character is '^]'.
>>>>>>> GET /
>>>>>>> ^U^C^A^@^B^B
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> And yes, I've restarted it :)
>>>> 
>>>> Good. Now, try this:
>>>> 
>>>> $ openssl s_client -debug -connect localhost:8443
>>>> 
>>>> Assuming that the server is running and listening for SSL 
>>>> connections, s_client should be able to connect, and it
>>>> should give you tons of good information about what's
>>>> happening, there.
>>>> 
>>>> -chris
>>>> Hello Chris! I've tried the command you suggested and the
>>>> most important thing I found was this:
>>>> 
>>>> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>>>> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 1073 bytes and written 555 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>>>> Server public key is 1024 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : ECDHE-RSA-AES256-SHA384
>>>>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>>>>     Session-ID-ctx:
>>>>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1421259101
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 10 (certificate has expired)
>>>> 
>>>> SysAid is the application I'm running under tomcat. Does it
>>>> mean that SysAid is a server behind tomcat? And so I would
>>>> have to configure the connection in it? That's strange. I
>>>> would like to hear your opinion.
> 
> Well, the subject and issuer look a little strange, but that may
> be just because you configured them that way (when keytool asked
> you all those questions).
> 
> Generally speaking, when keytool asks you for your "first and last 
> name", it really means your "common name" which for nearly
> everybody is actually the DNS name of the server (e.g.
> www.mysite.com).
> 
> If you list the contents of your keystore, what's in there?
> 
> $ keytool -list -keystore path/to/keystore
> 
> -chris
> I actually didn't configure it that way! I didn't put "sysaid"
> anywhere when I was making the keystore. That's why I think that my
> application (Sysaid) created that keystore shown, otherwise there
> wouldn't be "O=SysAid"... That's really strange... I think I'm
> gonna ask this on SysAid forums. It's really giving me a
> headache.

Well, if you have Tomcat listening on port 8443 and you have
configured your own keystore, then you should have your own
certificate in there and not something coming from SysAid.

But it looks like you have found a critical symptom of the problem:
your keystore is not being used. I'm curious to see what else is in
your keystore, since Tomcat will use the "first" certificate in the
keystore unless you supply an "alias" in your configuration, which you
did not do.

If you have multiple certificates in your keystore, I highly recommend
that you use the "alias" attribute in your <Connector> to point to
your own certificate. I'll bet that Chrome/ff aren't willing to
connect to a web server with an SSL certificate with such an odd CN
value. I'm not sure if the CN value is actually "Unknown" (which
should be valid... "Unknown" is a perfectly valid hostname) or that
the value is somehow NULL (or "unset" or whatever) in the certificate.
If that's the case, the cert is essentially invalid and these clients
might be refusing to connect and giving you a really weird error
message in the process.

-chris

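
The keyAlias fix, as an added example written for this page rather than code from the thread or from Tomcat. Tomcat 7 spells the attribute Chris refers to as keyAlias; without it the connector serves the first key entry it finds in the keystore, which matches what Chris suspects above. The script parses the Connector posted in the thread (copied into the block as a constructed sample), lists what is missing or weak, and emits the element with keyAlias set to the alias used in the keytool -genkey command quoted above, "tomcat".

```python
"""Audit a Tomcat 7 HTTPS <Connector> for the problem found in this thread.

This is an added example, not code from the thread or from Tomcat. It parses
one Connector element, reports SSL-relevant attributes that are missing or
weak, and emits a corrected element that pins the certificate by alias.
Tomcat 7 spells that attribute keyAlias; without it the first key entry in
the keystore is served.
"""
import xml.etree.ElementTree as ET

# Constructed from the Connector posted in the thread; not a real server.xml.
ORIGINAL_CONNECTOR = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
    keystoreFile="/home/myuser/key.keystore" keystorePass="mypass"
    clientAuth="false" sslProtocol="TLS" />"""


def audit_connector(xml_text):
    """Return (severity, message) findings for a single <Connector> element."""
    attrs = ET.fromstring(xml_text).attrib
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return [("info", "SSLEnabled is not true; nothing to check")]

    findings = []
    if "keyAlias" not in attrs:
        findings.append(("high", "keyAlias missing: Tomcat serves the first key entry "
                                 "in the keystore, which need not be the one you generated"))
    if "keystoreFile" not in attrs:
        findings.append(("high", "keystoreFile missing"))
    elif attrs["keystoreFile"].startswith("/home/"):
        findings.append(("low", "keystore is under a user home directory; move it where "
                                "only the tomcat7 user can read it"))
    if "keystorePass" in attrs:
        findings.append(("low", "keystorePass is in clear text in server.xml; restrict "
                                "who can read server.xml"))
    if attrs.get("sslProtocol", "").upper() != "TLS":
        findings.append(("medium", "sslProtocol should be TLS"))
    if "sslEnabledProtocols" not in attrs:
        findings.append(("low", "sslEnabledProtocols not set; list the TLS versions you "
                                "want enabled rather than taking the JVM default"))
    return findings


def pin_alias(xml_text, alias):
    """Return the connector with keyAlias set, so the right key entry is served.

    The alias is the one given to keytool -genkey -alias; "tomcat" in this thread.
    """
    conn = ET.fromstring(xml_text)
    conn.set("keyAlias", alias)
    return ET.tostring(conn, encoding="unicode")


if __name__ == "__main__":
    for severity, msg in audit_connector(ORIGINAL_CONNECTOR):
        print("[%s] %s" % (severity, msg))
    print(pin_alias(ORIGINAL_CONNECTOR, "tomcat"))
```

Run it against the Connector element cut from server.xml. A high finding for keyAlias means the served certificate is whichever entry keytool -list prints first; after adding keyAlias and restarting, openssl s_client -connect host:8443 should show your own subject rather than a stranger's.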


Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 14 January 2015 at 15:59, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Alexandre,
>
> On 1/14/15 1:18 PM, Alexandre Lima wrote:
> > On 13 January 2015 at 18:20, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Alexandre,
> >
> > On 1/13/15 2:41 PM, Alexandre Lima wrote:
> >>>> On 13 January 2015 at 16:11, Christopher Schultz <
> >>>> chris@christopherschultz.net> wrote:
> >>>>
> >>>> Alexandre,
> >>>>
> >>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
> >>>>>>> Hello! This is the first time I'm using tomcat, so I'm
> >>>>>>> a little bit lost...
> >>>>
> >>>> Welcome! Configuring SSL always turns out to be a pain in
> >>>> the neck.
> >>>>
> >>>>>>> Using the tutorials, I could make the server and the
> >>>>>>> application I want to run with it work. The only
> >>>>>>> modification I did until now was changing the http port
> >>>>>>> from 8080 to 80, I did that changing the http connector
> >>>>>>> on servers.xml, enabling authbind and executing the
> >>>>>>> following commands:
> >>>>>>>
> >>>>>>> sudo touch /etc/authbind/byport/80
> >>>>>>> sudo chmod 500 /etc/authbind/byport/80
> >>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
> >>>>>>>
> >>>>>>> So, the server and the application I want to use with
> >>>>>>> it are actually working on port 80
> >>>>
> >>>> You've confirmed this? I've never used authbind before, so I
> >>>> just wanted to make sure that you have Tomcat working
> >>>> properly with non-SSL before you try to add SSL.
> >>>>
> >>>>>>> , but the next and last step, which is enabling an SSL
> >>>>>>> connection, isn't working.
> >>>>>>>
> >>>>>>> What I did following the site's tutorial was: created
> >>>>>>> my self signed certificate with keytools and put it on
> >>>>>>> /home/myuser/key.keystore
> >>>>
> >>>> Can you outline the steps you took? Where is your keystore?
> >>>>
> >>>>>>> Additionally, I've created the following connector:
> >>>>>>>
> >>>>>>> <Connector port="8443"
> >>>>>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>>>>> SSLEnabled="true" maxThreads="200" scheme="https"
> >>>>>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> >>>>>>> keystorePass="mypass" clientAuth="false"
> >>>>>>> sslProtocol="TLS" />
> >>>>
> >>>> That looks good so far.
> >>>>
> >>>>>>> Saved it, restarted server and accessed
> >>>>>>> https://myip:8443, but it isn't working. Chrome says
> >>>>>>> "No data received" and "Unable to load the webpage
> >>>>>>> because the server sent no data and "Error code:
> >>>>>>> ERR_EMPTY_RESPONSE".
> >>>>>>>
> >>>>>>> Firefox says that the connection was reset while the
> >>>>>>> page was being loaded.
> >>>>>>>
> >>>>>>> That's where I am now. I don't know what to try
> >>>>>>> anymore.
> >>>>
> >>>> Try:
> >>>>
> >>>> $ telnet localhost 8443
> >>>>
> >>>> (on the server with Tomcat running)
> >>>>
> >>>> That will tell you if the port is open (it should be,
> >>>> otherwise you'd be getting different errors from Chrome and
> >>>> ff) and what, if anything, gets dumped to it when you
> >>>> connect.
> >>>>
> >>>> If you get a connection and nothing happens, try submitting
> >>>> a request like this:
> >>>>
> >>>> $ telnet localhost 8443 GET /
> >>>>
> >>>> [output goes here]
> >>>>
> >>>> Post the results of the above if you get anything.
> >>>>
> >>>> Dumb question: you restarted Tomcat after updating
> >>>> server.xml, right?
> >>>>
> >>>> -chris
> >>>> Thank you for the reply Christopher! I've used the command:
> >>>> keytool -genkey -alias tomcat -keyalg RSA -keystore
> >>>> /home/myuser/key.keystore to generate the keystore. I should
> >>>> put the keystore in some special directory or this one is
> >>>> fine? So, after, requesting:   telnet localhost 8443
> >>>>
> >>>> I got some strange stuff:
> >>>>
> >>>> ~$ telnet localhost 8443
> >>>> Trying ::1...
> >>>> Connected to localhost.
> >>>> Escape character is '^]'.
> >>>> GET /
> >>>> ^U^C^A^@^B^B
> >>>>
> >>>>
> >>>>
> >>>> And yes, I've restarted it :)
> >
> > Good. Now, try this:
> >
> > $ openssl s_client -debug -connect localhost:8443
> >
> > Assuming that the server is running and listening for SSL
> > connections, s_client should be able to connect, and it should give
> > you tons of good information about what's happening, there.
> >
> > -chris
> > Hello Chris! I've tried the command you suggested and the most
> > important thing I found was this:
> >
> > subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> > issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1073 bytes and written 555 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> > Server public key is 1024 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-SHA384
> >     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
> >     Session-ID-ctx:
> >     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1421259101
> >     Timeout   : 300 (sec)
> >     Verify return code: 10 (certificate has expired)
> >
> > SysAid is the application I'm running under tomcat. Does it mean
> > that SysAid is a server behind tomcat? And so I would have to
> > configure the connection in it? That's strange. I would like to
> > hear your opinion.
>
> Well, the subject and issuer look a little strange, but that may be
> just because you configured them that way (when keytool asked you all
> those questions).
>
> Generally speaking, when keytool asks you for your "first and last
> name", it really means your "common name" which for nearly everybody
> is actually the DNS name of the server (e.g. www.mysite.com).
>
> If you list the contents of your keystore, what's in there?
>
> $ keytool -list -keystore path/to/keystore
>
> -chris
I actually didn't configure it that way!
I didn't put "sysaid" anywhere when I was making the keystore. That's why I
think that my application (Sysaid) created that keystore shown, otherwise
there wouldn't be "O=SysAid"... That's really strange...
I think I'm gonna ask this on SysAid forums. It's really giving me a
headache.




-- 
--
Alexandre Lima

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alexandre,

On 1/14/15 1:18 PM, Alexandre Lima wrote:
> On 13 January 2015 at 18:20, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Alexandre,
> 
> On 1/13/15 2:41 PM, Alexandre Lima wrote:
>>>> On 13 January 2015 at 16:11, Christopher Schultz < 
>>>> chris@christopherschultz.net> wrote:
>>>> 
>>>> Alexandre,
>>>> 
>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>>>>> Hello! This is the first time I'm using tomcat, so I'm
>>>>>>> a little bit lost...
>>>> 
>>>> Welcome! Configuring SSL always turns out to be a pain in
>>>> the neck.
>>>> 
>>>>>>> Using the tutorials, I could make the server and the 
>>>>>>> application I want to run with it work. The only
>>>>>>> modification I did until now was changing the http port
>>>>>>> from 8080 to 80, I did that changing the http connector
>>>>>>> on servers.xml, enabling authbind and executing the
>>>>>>> following commands:
>>>>>>> 
>>>>>>> sudo touch /etc/authbind/byport/80
>>>>>>> sudo chmod 500 /etc/authbind/byport/80
>>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>>>>> 
>>>>>>> So, the server and the application I want to use with
>>>>>>> it are actually working on port 80
>>>> 
>>>> You've confirmed this? I've never used authbind before, so I
>>>> just wanted to make sure that you have Tomcat working
>>>> properly with non-SSL before you try to add SSL.
>>>> 
>>>>>>> , but the next and last step, which is enabling an SSL 
>>>>>>> connection, isn't working.
>>>>>>> 
>>>>>>> What I did following the site's tutorial was: created
>>>>>>> my self signed certificate with keytools and put it on 
>>>>>>> /home/myuser/key.keystore
>>>> 
>>>> Can you outline the steps you took? Where is your keystore?
>>>> 
>>>>>>> Additionally, I've created the following connector:
>>>>>>> 
>>>>>>> <Connector port="8443" 
>>>>>>> protocol="org.apache.coyote.http11.Http11Protocol" 
>>>>>>> SSLEnabled="true" maxThreads="200" scheme="https" 
>>>>>>> secure="true" keystoreFile="/home/myuser/key.keystore" 
>>>>>>> keystorePass="mypass" clientAuth="false"
>>>>>>> sslProtocol="TLS" />
>>>> 
>>>> That looks good so far.
>>>> 
>>>>>>> Saved it, restarted server and accessed
>>>>>>> https://myip:8443, but it isn't working. Chrome says
>>>>>>> "No data received" and "Unable to load the webpage
>>>>>>> because the server sent no data and "Error code:
>>>>>>> ERR_EMPTY_RESPONSE".
>>>>>>> 
>>>>>>> Firefox says that the connection was reset while the
>>>>>>> page was being loaded.
>>>>>>> 
>>>>>>> That's where I am now. I don't know what to try
>>>>>>> anymore.
>>>> 
>>>> Try:
>>>> 
>>>> $ telnet localhost 8443
>>>> 
>>>> (on the server with Tomcat running)
>>>> 
>>>> That will tell you if the port is open (it should be,
>>>> otherwise you'd be getting different errors from Chrome and
>>>> ff) and what, if anything, gets dumped to it when you
>>>> connect.
>>>> 
>>>> If you get a connection and nothing happens, try submitting
>>>> a request like this:
>>>> 
>>>> $ telnet localhost 8443 GET /
>>>> 
>>>> [output goes here]
>>>> 
>>>> Post the results of the above if you get anything.
>>>> 
>>>> Dumb question: you restarted Tomcat after updating
>>>> server.xml, right?
>>>> 
>>>> -chris
>>>> Thank you for the reply Christopher! I've used the command:
>>>> keytool -genkey -alias tomcat -keyalg RSA -keystore 
>>>> /home/myuser/key.keystore to generate the keystore. I should
>>>> put the keystore in some special directory or this one is
>>>> fine? So, after, requesting:   telnet localhost 8443
>>>> 
>>>> I got some strange stuff:
>>>> 
>>>> ~$ telnet localhost 8443
>>>> Trying ::1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> GET /
>>>> ^U^C^A^@^B^B
>>>> 
>>>> 
>>>> 
>>>> And yes, I've restarted it :)
> 
> Good. Now, try this:
> 
> $ openssl s_client -debug -connect localhost:8443
> 
> Assuming that the server is running and listening for SSL
> connections, s_client should be able to connect, and it should give
> you tons of good information about what's happening, there.
> 
> -chris
> Hello Chris! I've tried the command you suggested and the most
> important thing I found was this:
> 
> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1073 bytes and written 555 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-SHA384
>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>     Session-ID-ctx:
>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1421259101
>     Timeout   : 300 (sec)
>     Verify return code: 10 (certificate has expired)
> 
> SysAid is the application I'm running under tomcat. Does it mean
> that SysAid is a server behind tomcat? And so I would have to 
> configure the connection in it? That's strange. I would like to
> hear your opinion.

Well, the subject and issuer look a little strange, but that may be
just because you configured them that way (when keytool asked you all
those questions).

Generally speaking, when keytool asks you for your "first and last
name", it really means your "common name" which for nearly everybody
is actually the DNS name of the server (e.g. www.mysite.com).

If you list the contents of your keystore, what's in there?

$ keytool -list -keystore path/to/keystore

-chris

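
A small parser for the s_client output quoted above, added here as an example; it is not from the thread or from OpenSSL. It pulls subject, issuer, key size, protocol and the verify return code out of the text and turns them into findings. On the thread's output it reports a self-signed certificate with CN "Unknown", a 1024-bit key and verify code 10 (expired); an expired certificate is one more sign that the keystore being served was not the one generated a day earlier, since keytool's default validity is 90 days. The sample is constructed from the output posted above; the hostname passed in for the mismatch check is hypothetical.

```python
"""Triage the certificate section of `openssl s_client` output.

Added example, not code from the thread. It reads the text s_client prints
after the handshake and answers the questions raised in the reply above:
is the certificate self-signed, what is its CN, how large is the key and
why did verification fail. SAMPLE is constructed from the output posted in
the thread.
"""
import re

SAMPLE = """\
subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 10 (certificate has expired)
"""

KEY_RE = re.compile(r"Server public key is (\d+) bit")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")
PROTO_RE = re.compile(r"Protocol\s*:\s*(\S+)")


def parse_dn(dn):
    """Parse a DN in either OpenSSL style: '/C=X/CN=host' or 'C = X, CN = host'.

    Deliberately simple: values that themselves contain '/' or ',' are not handled.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        pairs = [p.split("=", 1) for p in dn.split("/") if p]
    else:
        pairs = [p.split("=", 1) for p in dn.split(",") if p.strip()]
    return {k.strip(): v.strip() for k, v in pairs}


def triage(text, expected_hostname=None):
    """Return parsed facts plus a list of findings about the served certificate."""
    facts = {"subject": None, "issuer": None, "key_bits": None, "protocol": None,
             "verify_code": None, "verify_msg": None, "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            facts["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            facts["issuer"] = parse_dn(line[len("issuer="):])
        else:
            m = KEY_RE.match(line)
            if m:
                facts["key_bits"] = int(m.group(1))
                continue
            m = VERIFY_RE.match(line)
            if m:
                facts["verify_code"] = int(m.group(1))
                facts["verify_msg"] = m.group(2)
                continue
            m = PROTO_RE.match(line)
            if m:
                facts["protocol"] = m.group(1)

    f = facts["findings"]
    if facts["subject"] is None:
        f.append("no server certificate in output; the handshake failed before the Certificate message")
        return facts
    if facts["subject"] == facts["issuer"]:
        f.append("self-signed: subject equals issuer, so browsers will not trust it unless told to")
    cn = facts["subject"].get("CN", "")
    if cn in ("", "Unknown"):
        f.append("CN is %r; it names no host a browser could match" % cn)
    elif expected_hostname and cn.lower() != expected_hostname.lower():
        f.append("CN %r does not match expected hostname %r" % (cn, expected_hostname))
    if facts["key_bits"] is not None and facts["key_bits"] < 2048:
        f.append("%d-bit server key is below the 2048-bit minimum" % facts["key_bits"])
    if facts["verify_code"] not in (None, 0):
        f.append("verification failed: code %d (%s)" % (facts["verify_code"], facts["verify_msg"]))
    return facts


if __name__ == "__main__":
    for finding in triage(SAMPLE, expected_hostname="myserver.example.com")["findings"]:
        print("-", finding)
```

Feed it the output of openssl s_client -connect host:8443 </dev/null; the verify return code alone tells you why a client refuses the certificate, and a subject you do not recognise means the connector is serving a different keystore entry than you think.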


Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 13 January 2015 at 18:20, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Alexandre,
>
> On 1/13/15 2:41 PM, Alexandre Lima wrote:
> > On 13 January 2015 at 16:11, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Alexandre,
> >
> > On 1/13/15 1:37 PM, Alexandre Lima wrote:
> >>>> Hello! This is the first time I'm using tomcat, so I'm a
> >>>> little bit lost...
> >
> > Welcome! Configuring SSL always turns out to be a pain in the
> > neck.
> >
> >>>> Using the tutorials, I could make the server and the
> >>>> application I want to run with it work. The only modification
> >>>> I did until now was changing the http port from 8080 to 80, I
> >>>> did that changing the http connector on servers.xml, enabling
> >>>> authbind and executing the following commands:
> >>>>
> >>>> sudo touch /etc/authbind/byport/80
> >>>> sudo chmod 500 /etc/authbind/byport/80
> >>>> sudo chown tomcat7 /etc/authbind/byport/80
> >>>>
> >>>> So, the server and the application I want to use with it are
> >>>> actually working on port 80
> >
> > You've confirmed this? I've never used authbind before, so I just
> > wanted to make sure that you have Tomcat working properly with
> > non-SSL before you try to add SSL.
> >
> >>>> , but the next and last step, which is enabling an SSL
> >>>> connection, isn't working.
> >>>>
> >>>> What I did following the site's tutorial was: created my
> >>>> self signed certificate with keytools and put it on
> >>>> /home/myuser/key.keystore
> >
> > Can you outline the steps you took? Where is your keystore?
> >
> >>>> Additionally, I've created the following connector:
> >>>>
> >>>> <Connector port="8443"
> >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> >>>> />
> >
> > That looks good so far.
> >
> >>>> Saved it, restarted server and accessed https://myip:8443,
> >>>> but it isn't working. Chrome says "No data received" and
> >>>> "Unable to load the webpage because the server sent no data
> >>>> and "Error code: ERR_EMPTY_RESPONSE".
> >>>>
> >>>> Firefox says that the connection was reset while the page was
> >>>> being loaded.
> >>>>
> >>>> That's where I am now. I don't know what to try anymore.
> >
> > Try:
> >
> > $ telnet localhost 8443
> >
> > (on the server with Tomcat running)
> >
> > That will tell you if the port is open (it should be, otherwise
> > you'd be getting different errors from Chrome and ff) and what, if
> > anything, gets dumped to it when you connect.
> >
> > If you get a connection and nothing happens, try submitting a
> > request like this:
> >
> > $ telnet localhost 8443 GET /
> >
> > [output goes here]
> >
> > Post the results of the above if you get anything.
> >
> > Dumb question: you restarted Tomcat after updating server.xml,
> > right?
> >
> > -chris
> > Thank you for the reply Christopher! I've used the command: keytool
> > -genkey -alias tomcat -keyalg RSA -keystore
> > /home/myuser/key.keystore to generate the keystore. I should put
> > the keystore in some special directory or this one is fine? So,
> > after, requesting:   telnet localhost 8443
> >
> > I got some strange stuff:
> >
> > ~$ telnet localhost 8443
> > Trying ::1...
> > Connected to localhost.
> > Escape character is '^]'.
> > GET /
> > ^U^C^A^@^B^B
> >
> >
> >
> > And yes, I've restarted it :)
>
> Good. Now, try this:
>
> $ openssl s_client -debug -connect localhost:8443
>
> Assuming that the server is running and listening for SSL connections,
> s_client should be able to connect, and it should give you tons of
> good information about what's happening, there.
>
> -chris
>
Hello Chris!
I've tried the command you suggested and the most important thing I found
was this:

subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
    Session-ID-ctx:
    Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1421259101
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)

SysAid is the application I'm running under tomcat.
Does it mean that SysAid is a server behind tomcat? And so I would have to
configure the connection in it?
That's strange. I would like to hear your opinion.

-- 
--
Alexandre Lima
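
The bytes telnet printed as ^U^C^A^@^B^B in the exchange quoted above are the start of a TLS record, and decoding them is a quick way to tell "the port speaks TLS" from "the port is dead". The decoder below is an added example, not code from the thread: it converts telnet's caret notation back to bytes and names the record type, version, length and alert fields. The six visible bytes are content type 21 (alert), version 3.1 (TLS 1.0), length 2, level 2 (fatal); the alert description byte is not visible in the paste. The second sample assumes it was 0x0a (unexpected_message), which telnet would have rendered as a line feed; that value is an assumption, not something the page shows.

```python
"""Decode the TLS record that came back when telnet typed 'GET /' at port 8443.

Added example, not code from the thread. telnet shows control bytes in caret
notation (^U is 0x15, ^@ is 0x00), so the first step is turning that back into
bytes; the second is reading the five-byte TLS record header and, for an
alert, the two-byte alert body.
"""
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 46: "certificate_unknown",
                      47: "illegal_parameter", 70: "protocol_version",
                      80: "internal_error", 112: "unrecognized_name"}

# Constructed from the telnet output quoted in the thread: the six bytes that
# were visible. The seventh byte (alert description) was not shown; 0x0a is an
# assumption, chosen because telnet would print it as a line feed.
TELNET_VISIBLE = "^U^C^A^@^B^B"
ASSUMED_DESCRIPTION = b"\x0a"


def caret_to_bytes(text):
    """Convert telnet caret notation to bytes; other characters pass through."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            out.append(ord(text[i + 1]) ^ 0x40)  # ^@ -> 0x00, ^A -> 0x01, ... ^U -> 0x15
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_record(data):
    """Decode one TLS record header (type, version, length) and any alert body."""
    if len(data) < 5:
        return {"error": "need at least 5 bytes for a TLS record header"}
    ctype, major, minor = data[0], data[1], data[2]
    length = (data[3] << 8) | data[4]
    body = data[5:5 + length]
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
        "truncated": len(body) < length,  # fewer body bytes than the header promised
    }
    if ctype == 21:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0]) if body else None
        rec["alert_description"] = (ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
                                    if len(body) >= 2 else None)
    return rec


def decode_telnet(text, extra=b""):
    """Decode what telnet displayed, optionally with bytes that were not visible."""
    return decode_record(caret_to_bytes(text) + extra)


if __name__ == "__main__":
    print(decode_telnet(TELNET_VISIBLE))
    print(decode_telnet(TELNET_VISIBLE, ASSUMED_DESCRIPTION))
```

A fatal alert in reply to plaintext means the TLS layer is up and rejecting a non-TLS client, so the browsers' "empty response" and "connection reset" came from the handshake or certificate stage rather than from a closed port or from the application; that is what s_client then exposed.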

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alexandre,

On 1/13/15 2:41 PM, Alexandre Lima wrote:
> On 13 January 2015 at 16:11, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Alexandre,
> 
> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>> Hello! This is the first time I'm using tomcat, so I'm a
>>>> little bit lost...
> 
> Welcome! Configuring SSL always turns out to be a pain in the
> neck.
> 
>>>> Using the tutorials, I could make the server and the
>>>> application I want to run with it work. The only modification
>>>> I did until now was changing the http port from 8080 to 80, I
>>>> did that changing the http connector on servers.xml, enabling
>>>> authbind and executing the following commands:
>>>> 
>>>> sudo touch /etc/authbind/byport/80
>>>> sudo chmod 500 /etc/authbind/byport/80
>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>> 
>>>> So, the server and the application I want to use with it are 
>>>> actually working on port 80
> 
> You've confirmed this? I've never used authbind before, so I just 
> wanted to make sure that you have Tomcat working properly with
> non-SSL before you try to add SSL.
> 
>>>> , but the next and last step, which is enabling an SSL
>>>> connection, isn't working.
>>>> 
>>>> What I did following the site's tutorial was: created my
>>>> self signed certificate with keytools and put it on 
>>>> /home/myuser/key.keystore
> 
> Can you outline the steps you took? Where is your keystore?
> 
>>>> Additionally, I've created the following connector:
>>>> 
>>>> <Connector port="8443" 
>>>> protocol="org.apache.coyote.http11.Http11Protocol" 
>>>> SSLEnabled="true" maxThreads="200" scheme="https"
>>>> secure="true" keystoreFile="/home/myuser/key.keystore"
>>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
>>>> />
> 
> That looks good so far.
> 
>>>> Saved it, restarted server and accessed https://myip:8443,
>>>> but it isn't working. Chrome says "No data received" and
>>>> "Unable to load the webpage because the server sent no data
>>>> and "Error code: ERR_EMPTY_RESPONSE".
>>>> 
>>>> Firefox says that the connection was reset while the page was
>>>> being loaded.
>>>> 
>>>> That's where I am now. I don't know what to try anymore.
> 
> Try:
> 
> $ telnet localhost 8443
> 
> (on the server with Tomcat running)
> 
> That will tell you if the port is open (it should be, otherwise
> you'd be getting different errors from Chrome and ff) and what, if
> anything, gets dumped to it when you connect.
> 
> If you get a connection and nothing happens, try submitting a
> request like this:
> 
> $ telnet localhost 8443
> GET /
> 
> [output goes here]
> 
> Post the results of the above if you get anything.
> 
> Dumb question: you restarted Tomcat after updating server.xml,
> right?
> 
> -chris
> Thank you for the reply Christopher! I've used the command: keytool
> -genkey -alias tomcat -keyalg RSA -keystore 
> /home/myuser/key.keystore to generate the keystore. I should put
> the keystore in some special directory or this one is fine? So,
> after, requesting:   telnet localhost 8443
> 
> I got some strange stuff:
> 
> ~$ telnet localhost 8443
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET /
> ^U^C^A^@^B^B
> 
> 
> 
> And yes, I've restarted it :)

Good. Now, try this:

$ openssl s_client -debug -connect localhost:8443

Assuming that the server is running and listening for SSL connections,
s_client should be able to connect, and it should give you tons of
good information about what's happening, there.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Alexandre Lima <le...@gmail.com>.
On 13 January 2015 at 16:11, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Alexandre,
>
> On 1/13/15 1:37 PM, Alexandre Lima wrote:
> > Hello! This is the first time I'm using tomcat, so I'm a little bit
> > lost...
>
> Welcome! Configuring SSL always turns out to be a pain in the neck.
>
> > Using the tutorials, I could make the server and the application I
> > want to run with it work. The only modification I did until now was
> > changing the http port from 8080 to 80, I did that changing the
> > http connector on servers.xml, enabling authbind and executing the
> > following commands:
> >
> > sudo touch /etc/authbind/byport/80
> > sudo chmod 500 /etc/authbind/byport/80
> > sudo chown tomcat7 /etc/authbind/byport/80
> >
> > So, the server and the application I want to use with it are
> > actually working on port 80
>
> You've confirmed this? I've never used authbind before, so I just
> wanted to make sure that you have Tomcat working properly with non-SSL
> before you try to add SSL.
>
> > , but the next and last step, which is enabling an SSL connection,
> > isn't working.
> >
> > What I did following the site's tutorial was: created my self
> > signed certificate with keytools and put it on
> > /home/myuser/key.keystore
>
> Can you outline the steps you took? Where is your keystore?
>
> > Additionally, I've created the following connector:
> >
> > <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol"
> > SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
> > keystoreFile="/home/myuser/key.keystore" keystorePass="mypass"
> > clientAuth="false" sslProtocol="TLS" />
>
> That looks good so far.
>
> > Saved it, restarted server and accessed https://myip:8443, but it
> > isn't working. Chrome says "No data received" and "Unable to load
> > the webpage because the server sent no data and "Error code:
> > ERR_EMPTY_RESPONSE".
> >
> > Firefox says that the connection was reset while the page was being
> > loaded.
> >
> > That's where I am now. I don't know what to try anymore.
>
> Try:
>
> $ telnet localhost 8443
>
> (on the server with Tomcat running)
>
> That will tell you if the port is open (it should be, otherwise you'd
> be getting different errors from Chrome and ff) and what, if anything,
> gets dumped to it when you connect.
>
> If you get a connection and nothing happens, try submitting a request
> like this:
>
> $ telnet localhost 8443
> GET /
>
> [output goes here]
>
> Post the results of the above if you get anything.
>
> Dumb question: you restarted Tomcat after updating server.xml, right?
>
> - -chris
Thank you for the reply Christopher!
I've used the command: keytool -genkey -alias tomcat -keyalg RSA -keystore
/home/myuser/key.keystore
to generate the keystore. I should put the keystore in some special
directory or this one is fine?
So, after, requesting:   telnet localhost 8443

I got some strange stuff:

~$ telnet localhost 8443
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET /
^U^C^A^@^B^B



And yes, I've restarted it :)

-- 
--
Alexandre Lima
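The control characters telnet printed in the post above are the start of a TLS record, which is why they look like garbage. As an added example that is not part of this thread, here is a small Python decoder for that dump; it assumes standard caret notation (^X is the byte 0x40 below the character X), and since the alert description byte did not appear in the capture, it reports the record as truncated rather than guessing.

```python
# Added example, not from the thread: decode "^U^C^A^@^B^B", the bytes Tomcat's
# SSL connector sent back when a plaintext "GET /" was typed into telnet.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# A few AlertDescription values from RFC 5246 section 7.2; others decode as unknown.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 50: "decode_error", 70: "protocol_version",
                      80: "internal_error"}


def caret_to_bytes(dump: str) -> bytes:
    """Turn a caret-notation dump such as '^U^C^A^@' back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(dump):
        if dump[i] == "^" and i + 1 < len(dump):
            out.append((ord(dump[i + 1]) - 64) & 0x7F)  # ^@ -> 0x00, ^A -> 0x01, ^U -> 0x15
            i += 2
        else:
            out.append(ord(dump[i]))  # printable bytes pass through unchanged
            i += 1
    return bytes(out)


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header (5 bytes) and, for an alert, its 2-byte body."""
    if len(data) < 5:
        raise ValueError("need a 5-byte record header, got %d bytes" % len(data))
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    rec = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
           "length": length, "body": body, "truncated": len(body) < length}
    if ctype == 21 and body:  # alert body: level byte, then description byte
        rec["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        if len(body) >= 2:
            rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        else:
            rec["alert_description"] = "not captured"  # telnet showed only the level byte
    return rec


# Constructed input: the exact caret dump from the post above.
SAMPLE_DUMP = "^U^C^A^@^B^B"

if __name__ == "__main__":
    rec = parse_tls_record(caret_to_bytes(SAMPLE_DUMP))
    print(rec)  # alert record, TLS 1.0, level fatal: the port speaks TLS and rejected plaintext
```

A fatal alert in reply to "GET /" confirms the connector is listening for TLS, so the browser failure is not "port closed"; the openssl s_client step suggested in the thread is the next place to look, because it shows the handshake and certificate details that telnet cannot.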

Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alexandre,

On 1/13/15 1:37 PM, Alexandre Lima wrote:
> Hello! This is the first time I'm using tomcat, so I'm a little bit
> lost...

Welcome! Configuring SSL always turns out to be a pain in the neck.

> Using the tutorials, I could make the server and the application I
> want to run with it work. The only modification I did until now was
> changing the http port from 8080 to 80, I did that changing the
> http connector on servers.xml, enabling authbind and executing the
> following commands:
> 
> sudo touch /etc/authbind/byport/80
> sudo chmod 500 /etc/authbind/byport/80
> sudo chown tomcat7 /etc/authbind/byport/80
> 
> So, the server and the application I want to use with it are
> actually working on port 80

You've confirmed this? I've never used authbind before, so I just
wanted to make sure that you have Tomcat working properly with non-SSL
before you try to add SSL.

> , but the next and last step, which is enabling an SSL connection,
> isn't working.
> 
> What I did following the site's tutorial was: created my self
> signed certificate with keytools and put it on
> /home/myuser/key.keystore

Can you outline the steps you took? Where is your keystore?

> Additionally, I've created the following connector:
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" 
> SSLEnabled="true" maxThreads="200" scheme="https" secure="true" 
> keystoreFile="/home/myuser/key.keystore" keystorePass="mypass" 
> clientAuth="false" sslProtocol="TLS" />

That looks good so far.

> Saved it, restarted server and accessed https://myip:8443, but it
> isn't working. Chrome says "No data received" and "Unable to load
> the webpage because the server sent no data and "Error code:
> ERR_EMPTY_RESPONSE".
> 
> Firefox says that the connection was reset while the page was being
> loaded.
> 
> That's where I am now. I don't know what to try anymore.

Try:

$ telnet localhost 8443

(on the server with Tomcat running)

That will tell you if the port is open (it should be, otherwise you'd
be getting different errors from Chrome and ff) and what, if anything,
gets dumped to it when you connect.

If you get a connection and nothing happens, try submitting a request
like this:

$ telnet localhost 8443
GET /

[output goes here]

Post the results of the above if you get anything.

Dumb question: you restarted Tomcat after updating server.xml, right?

- -chris