Posted to users@tomcat.apache.org by Mavenpol Saulon <ma...@gmail.com> on 2013/09/16 21:57:02 UTC

Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Good Day!

Everything was followed perfectly from this URL:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I've done this
setup a lot of times already and mostly I have been successful.

Until our security team noticed that the installed root CA is incorrect.

Instead of just importing the correct root CA, I deleted all the imported
certificates (originally 2 certificates) using the "keytool -delete -alias
<certificate nicknames> -keystore .keystore". Afterwards, I imported the 2
certificates again.

Now when I access https://mydomain:8443, it gives me a webpage not found
with ERR_CONNECTION_REFUSED error in Chrome and ssl_error_no_cypher_overlap
in Firefox.

Could anyone please let me know what I must have done wrong?


Thank you in advance.

Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ognjen,

On 9/17/13 4:37 AM, Ognjen Blagojevic wrote:

It also would be helpful for OP to:

a) Specify the version of Tomcat you are using
b) Provide the <Connector> configuration from your conf/server.xml
(without any sensitive material such as passwords)

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Ognjen Blagojevic <og...@gmail.com>.
Mavenpol,

On 16.9.2013 22:47, Mavenpol Saulon wrote:
> This server where I imported the certificates and has been encountering
> errors is just one of the servers that are configured to run SSL. All of
> the other servers have the same setup except for the "keytool -delete.."
> that I used in this particular erring server. Other servers are OK in SSL.
>
> I'm worried that the keytool delete might have caused the problem?

(On this list it is standard to put your text below the quote.)

What is the content of your Java keystore now? You should have a
PrivateKeyEntry with a valid certificate chain. Check it using

   keytool -list -v


You may also check if the certificate chain is served properly to the 
client using openssl:

   openssl s_client -connect server.example.com:443 -showcerts


Other than that, you may try to turn on TLS/SSL Java debugging using VM 
option:

   -Djavax.net.debug=all


These commands/options will give you some insight into what is wrong with
the keystore and the TLS/SSL handshake.

-Ognjen
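
An added example, not code from this thread or from Tomcat: a small Python check that reads the text of the "keytool -list -v" run Ognjen recommends and reports whether the keystore still holds a PrivateKeyEntry with its chain, which is what his check looks for. The two listings are constructed samples, not output from the poster's server.

```python
import re

# Constructed sample listings in the shape of "keytool -list -v" output
# (not output from the poster's server).
LISTING_CERTS_ONLY = """Your keystore contains 2 entries

Alias name: rootca
Creation date: Sep 16, 2013
Entry type: trustedCertEntry

Alias name: intermediate
Creation date: Sep 16, 2013
Entry type: trustedCertEntry
"""

LISTING_OK = """Your keystore contains 2 entries

Alias name: tomcat
Creation date: Sep 16, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: rootca
Creation date: Sep 16, 2013
Entry type: trustedCertEntry
"""

ENTRY_RE = re.compile(
    r"^Alias name: (?P<alias>.+)\n(?:Creation date: .+\n)?"
    r"Entry type: (?P<type>\w+)(?:\nCertificate chain length: (?P<chain>\d+))?",
    re.M)

def diagnose(listing):
    """Return (can_serve_tls, message) for the text of a keytool -list -v run."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(listing)]
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    trusted = [e["alias"] for e in entries if e["type"] == "trustedCertEntry"]
    if not keys:
        # Only CA certs remain: the key entry was deleted, so JSSE has no
        # certificate to present and no cipher suite can be negotiated.
        return False, ("no PrivateKeyEntry, only trustedCertEntry %s: import the "
                       "signed certificate under the key alias, or make a new key "
                       "and request a new certificate" % trusted)
    key = keys[0]
    chain = int(key["chain"] or 1)
    note = "" if chain > 1 else " (no CA chain attached; s_client -showcerts shows one cert)"
    return True, "PrivateKeyEntry '%s' with chain length %d%s" % (key["alias"], chain, note)
# Live use: pass diagnose() the stdout of
#   keytool -list -v -keystore .keystore -storepass <pass>
```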



Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Mavenpol Saulon <ma...@gmail.com>.
Thanks Jan for replying. Unfortunately, I'm not inclined to go in the
direction of it being a browser problem.

This server where I imported the certificates and has been encountering
errors is just one of the servers that are configured to run SSL. All of
the other servers have the same setup except for the "keytool -delete.."
that I used in this particular erring server. Other servers are OK in SSL.

I'm worried that the keytool delete might have caused the problem?


On Mon, Sep 16, 2013 at 3:36 PM, Jan Vávra <va...@602.cz> wrote:


Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Jan Vávra <va...@602.cz>.
Hello,
on http://support.mozilla.org/cs/questions/952242 there is described
something about SSL protocol settings for Firefox. It seems like you
have configured in server.xml e.g. only the SSLv2 protocol, which is
disabled in the client browser.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
sslProtocol
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

Jan


Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Mavenpol Saulon <ma...@gmail.com>.
Thank you all for your help. It just came to a point where I just had to
delete the old keystore and create a new one, and request for new
certificates. Now everything's working.


On Tue, Sep 17, 2013 at 9:58 AM, Jan Vávra <va...@602.cz> wrote:


Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

Posted by Jan Vávra <va...@602.cz>.
Maybe it'd be helpful not to use the Java keystore (JKS).
Personally, on Linux Tomcat installations without native APR I use
.p12 files with this config:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/ssl/serverkey.p12"
           keystorePass="**PASS**" keystoreType="pkcs12" />
Jan
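
An added example, not from this thread or the Tomcat project: a Python audit of the <Connector> configuration Chris asked for, covering the two configuration problems raised in the thread, an sslProtocol that browsers have disabled and a keystore reference that is missing or not well-formed. The server.xml fragments are constructed, with Jan's pkcs12 connector (quoting corrected) as the good case.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not the poster's file). GOOD is Jan's
# pkcs12 connector with its attribute quoting made well-formed.
GOOD = """<Server><Service>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/ssl/serverkey.p12"
           keystorePass="**PASS**" keystoreType="pkcs12" />
</Service></Server>"""

# Jan's first hypothesis: only SSLv2 configured, which browsers refuse.
LEGACY = """<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="SSLv2" keystoreFile="conf/.keystore" keystorePass="**PASS**" />
</Service></Server>"""

# A missing opening quote makes server.xml unparseable, so Tomcat never
# opens port 8443 and the client sees ERR_CONNECTION_REFUSED.
MALFORMED = """<Server><Service>
<Connector port="8443" SSLEnabled="true"
           keystoreFile=${catalina.home}/ssl/serverkey.p12" />
</Service></Server>"""

# SSLContext protocol names that clients of the time already disabled.
RETIRED = {"SSLv2", "SSLv3"}

def audit(server_xml):
    """Return a list of findings for the SSL connectors; empty means none."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        return ["server.xml does not parse (%s): the HTTPS connector never starts" % exc]
    findings = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port, proto = c.get("port"), c.get("sslProtocol", "TLS")
        if proto in RETIRED:
            findings.append("port %s: sslProtocol=%s is disabled in current browsers, "
                            "expect no cipher overlap" % (port, proto))
        if not c.get("keystoreFile"):
            # Tomcat's JSSE default is .keystore in the home directory of the
            # user running Tomcat, which is rarely the file that was populated.
            findings.append("port %s: no keystoreFile, JSSE falls back to ~/.keystore" % port)
    return findings
```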




