I am trying to configure Godaddy SSL certificate on my AWS EC2 Linux AMI Instance. But whatever I try it just refuses the connection. However I have already opened the inbound 443 port in the security group.
I have configured it several time on LAMP but its first time on java so maybe I am missing something?
I followed this Godaddy's tomcat guide to setup the SSL on my instance. And I also read the below threads to overcome the problem but still its not working
1. Install SSL on EC2 Server
2. EC2 instance running apache tomcat port 8443 not accessible
These are the steps I followed:
This is how I setup the tomcat keystore
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
sudo keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file /etc/ssl/WSssl/gd_bundle-g2-g1.crt
sudo keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file /etc/ssl/WSssl/gdig2.crt.pem
sudo keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file /etc/ssl/WSssl/ab51xxxxx79.crt
Configured the key file on tomcat 8.5 server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/home/ec2-user/tomcat.keystore" keystorePass="exxxxxxxxxxxxxM"
clientAuth="false" sslProtocol="TLS" />
IP Tables to redirect
sudo iptables -t nat -n -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8443
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
These are Security Group inbound rules, directly connected without my ec2 instance with any load balancer
Inbound Rules
This is the problem, it is refusing every Https request
Refused Error
And this is Godaddy certificate checker result
I think the issue is with port because request is not even hitting to server. Can anyone point out any problem?
For clearification this is the specs: AWS EC2 running on Amazon Linux AMIJava 8 , Tomcat 8.5 Spring MVC with Spring Security Project
Finally, it is working there was nothing wrong with the configurations itself. While reading catalina.out I found that tomcat was not able to read tomcat.keystore file due to user permissions.
Learnings: Always read the logs first
EDIT: Anyone can use it as a guide for setting up SSL
Related
I want to access localhost via HTTPS by Chrome.
Would you tell me how to solve ?
localhost is building with tomcat in Spring Boot.
I finished to
create self-signed certification(*1)
enable HTTPS on Spring Boot(*2)
import the certificattion by Chrome(*3)
But when I access localhost Chrome display "NET::ERR_CERT_AUTHORITY_INVALID".
my environment:
Ubuntu 18.04
Chrome 79
Spring Boot 2.2.2
Tomcat 9
*1 create self-signed certification:
$ keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650 -ext san=dns:localhost -ext san=ip:127.0.0.1
*2 enable HTTPS on Spring Boot
$ vi src/main/resources/application.properties
server.port=8443↲
server.ssl.enabled=true↲
server.ssl.key-store=keystore.p12↲
server.ssl.key-store-password=password↲
server.ssl.key-password=password↲
server.ssl.key-store-type=PKCS12↲
server.ssl.key-alias=tomcat↲
security.require-ssl=true↲
*3 import the certificattion
$ keytool -exportcert -keystore keystore.p12 -alias tomcat -file keystore.der
(or when I access localhost, export the certificate from Chrome display)
After do, on Manage certificates import keystore.der.(Chrome setting:GUI)
Thanks Regard.
Your certificate is self-signed, so Chrome has no way of verifying that the certificate is valid. Self signed means that you confirm that you are you.
You can either add an exception (preferred way) or import your certificate into Chrome and trust this certificate. If you do the later it means that from now own Chrome will trust this certificate. If you loose it, or share it (eg. with your source code) someone could potentially create a secure site that your browser will no accept as valid no matter what.
Witch Chrome you could also allow invalid certificates for localhost by visiting
chrome://flags/#allow-insecure-localhost
and check "Enable".
Solved
Getting Chrome to accept self-signed localhost certificate
Excerpt from the above link
on Terminal
$ sudo apt-get install libnss3-tools
on Chrome
click the lock icon with an X,
choose Certificate Information
go to Details tab
Click on Export... (save as a file)
on Terminal
$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n YOUR_FILE -i YOUR_FILE
I want to use SSL on my server, therefore I have bout an SSL certificate, however the certificate had two parts one of them is the intermediate.
Now how to create the keystore for them?
What I did is the following:
1- chained both certificates and put them in one file.
2- I have usedd the next command to generate the keystore from the (chained certificate)
keytool -import -alias tomcat -file myCertificate.crt -keystore keystore.p12 -storepass password
3- I have add this code into my spring boot:
server.ssl.key-store: C:/Program Files/Java/jdk1.8.0_231/bin/keystore.p12
server.ssl.key-store-password: password
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
But I am still having the next issue:
'Alias name [tomcat] does not identify a key entry'
From looking into google I have found out that the issu is my keystore is generating my certificate as trustedCertEntry instead of PrivateKeyEntry.
How to fix this and what am I missing?
The Error:
javax.net.ssl.SSLException: Certificate for <localhost> doesn't match any of the subject alternative names: [xxxxxxx.xxx.xxxxxx.xxx]
I have a Spring Boot App running in my localhost. I also have a tunnel ssh via putty to a server.
Things I have done:
I manually created/imported keys/certificates of all ways.
I used -ext from keytool to add the dns addr and the localhost to SAN.
I also used a openSource java file to install the cert.
I changed the hosts files to: 127.0.0.1 xxx.xxx.xxxxxxx.xxx (if I ping the dns name it responds to the localhost address)
I used the VM Arguments -Djavax.net.debug=ssl to check if the certs are loading properly.
What am I missing? BTW, I'm also using a VPN.
You need to provide localhost as a subject alternative name when creating your certificate. You can do that by provide the following additional parameter: -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
So something like this:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias stackoverflow \
-dname "CN=stackoverflow,OU=Hakan,O=Hakan,C=NL" \
-ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 \
-storepass <password> -keypass <password> \
-keystore identity.jks -deststoretype pkcs12
Some explanation:
The SAN field will be used to match the hostname, which will be provided in the request. So when you are running your application on localhost, lets say https://localhost:443, and you also want to make a request to that specific host, then that hostname should also be available within the SAN field; otherwise, it will fail during the handshake process.
Let's grab Stackoverflow as an example. To be able to reach stackoverflow over https we would expect that the certificate should contain at least an entry of stackoverflow.com
Below is the certificate SAN value of stackoverflow with the specific DNS highlighted for this example:
As you can see already it contains also other DNS values. In this way websites owners can use the same certificate for multiple websites/subdomains etc.
I am on OSX and in my hosts file I have:
127.0.0.1 localhost MacBook-Pro.local
127.0.0.1 innbound
255.255.255.255 broadcasthost
Please note I have added the following line:
127.0.0.1 innbound
I have also a certificate installed on my machine which is trusted for the dns entry "innbound".
I imported this certificate to keystore.jks in Glassfish, but when I visit "innbound" from my browser, I still see certificate for localhost being used:
How can I test this certificate from Glassfish with customising my local environment so that the browser actually checks for a certificate for the "innbound" address and not localhost?
Have you activated your imported Certificate in your config? Have a look at: https://www.namecheap.com/support/knowledgebase/article.aspx/9825//ssl-certificate-installation-on-a-glassfish-application-server (Headline: Editing http-listeners in the Glassfish Administration Console).
When importing your certificate in the Glassfish keystore.jks, try to use the alias s1as.
It should look similar to this:
keytool -import -trustcacerts -alias s1as -file /your_cert.pem -keystore /keystore.jks
Don't forget to insert the correct paths before executing the command.
I am new to https configuration in tomcat. I googled a lot but that did not solve my problem.
I have an ec2 machine and tomcat deployed on it. I tried to create self signed certificate , which was easy to generate.I used my domain www.test.com(changed test with my server name) and keystore file was generated. Then I edited conf/server.xml for https configuration as described in ssl howto of tomcat docs.But https is not working. Though when I do "curl https:// localhost :8443 -k " I can get response but it is not working in browser. Takes to long to respond and boom I am done with nothing. Do I need a certificate or It will work with keystore file only? Please tell me .
Please help me out
Thanks
Hi Thanks for you answer, I found my issue and would like explain my resolution
1.) Curl was working but it was not responding in browser . I had to open port 8443 manually from security groups in aws. It was working then :).
2.) For all others if they face with the problem "Failed to establish chain from reply"
i) please check your keystore file. Is it the same used to generate CSR?
ii) Install intermediate certificates provided by your certificate authority.
For some of them you can follow
https://www.sslcertificaten.nl/download/Root_Certificaten/
use alias primary and secondary respectively
$JAVA_HOME/bin/keytool -import -alias primary -keystore sslkey -trustcacerts -file primary_cert.crt -storepass mypass
$JAVA_HOME/bin/keytool -import -alias secondary -keystore sslkey -trustcacerts -file secondary_cert.crt -storepass mypass
iii) finally import your certificate
$JAVA_HOME/bin/keytool -import -alias tomcat -keystore sslkey -trustcacerts -file www_mydomain_com.p7b -storepass mypass
Hope this helps
cheers
If curl works, then the problem is either in the browser or in the servlet - SSL setup should be correct. Check the log files of Tomcat for errors and set breakpoints in your servlets to see what happens.