My objective, is to configure the Jetty in such a way that it enables HTTPS request for Geoserver.
To be a bit specific, I am downloading the Geoserver Windows Installer.
As tested both version 2.9-RC1 and 2.10.2, they throw the warning
"Module not found [ssl]" as soon as it is started.
Jetty version: 9.2.13.v20150730
I am referring to the info here to try setup the simplest test (self-signed) for the jetty, but still no luck.
What I did:
Use Keytool create a self-signed keystore
Replace the keystore generated from 1) to directory etc/keystore
Edit the jetty-ssl.xml, replace the password (attribute default) with mine
Edit the file start.ini, add --module=https, jetty.secure.port=8443
Launch the batch file.
What did i miss?
P.S.: Geoserver works perfectly in HTTP. This post is asking about configuration for HTTPS.
Here are the steps to enable jetty to run geoserver on https, port:8443
• Configuring Jetty for SSL
follow this link to create ssl certificate and keystore. https://www.eclipse.org/jetty/documentation/9.1.5.v20140505/configuring-ssl.html
Now open jetty-ssl.xml file present in Geoserver/etc folder and replace the KeyStorePassword, KeyManagerPassword, TrustStorePassword with the new password which is created while creating keystore.
Open & check jetty.xml file in same folder, on which port https will run.
• Add new Keystore in Geoserver
Copy the created keystore file and replace with the existing available in etc folder of geoserver ex: C:\GeoServer\etc.
Now check if ssl.mod file is present in modules folder or not, ex: C:\GeoServer\modules.
If present, then open the file and replace the password in jetty.keystore.password, jetty.keymanager.password and jetty.truststore.password with the new password. Otherwise download it from “http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.2.13.v20150730/jetty-distribution-9.2.13.v20150730.tar.gz.
NOTE : Please make sure password entered should be same as in jetty-ssl.xml.
Open start.ini file present in C:\GeoServer folder add --module =ssl, --module=https and jetty.secure.port=8443 (if https is running on Port 8443.
Run geoserver, enter url https://localhost:8443/geoserver (assuming geoserver on local system).
The https module has a dependency on the ssl module. The error is stating it cannot find ssl.mod in the ${jetty.home}/modules (or, depending on your config, ${jetty.base}/modules) directory.
The ssl module comes standard as part of the Jetty distribution so it has either been deleted, moved or renamed as part of your implementation.
For Geoserver 2.12.1, I manually installed "ssl.mod" from jetty-distribution-9.2.13.v20150730.tar.gz in Geoserver's etc/modules directory. Then the warning message didn't occur again in the log.
remember to add --module=ssl to start.ini
complete password and keystore/truststore location in jetty-ssl
port in jetty-https default 443
port in jetty xml can stay at default 8443
open ssl mod in a text editor and comment out the keystore under the [files] tag
ini-template tag --jetty secure port can stay at 8443
Comment out anything that refers to jetty keystore as these are set in jetty-ssl
open https mod and change https port to 443, restart geoserver.
Geoserver should now run over jetty https:// with no port number.
Related
I am trying to login to a private repository from a windows machine using the docker command prompt, but I cannot figure out where I am supposed to place the SSL cert on a Windows machine.
I have successfully logged in from a Linux machine by placing the cert file in /etc/docker/certs.d/mydomain.com:port/
I have found in some of the documentation they are suggesting to place this .cert file in
C:\Program Files\Docker\certs.d{my domain goes here }{port}
But Still, I'm getting below error when I'm trying to log in
Error response from daemon: Get https://{my domain goes here }.com:{port No}/v2/: x509: certificate signed by unknown authority.
Can anyone help me to sort out this issue?
I think I have found my mistake, which is I have placed the .cert file in
C:\Program Files\Docker\certs.d{my domain goes here }{port}.
It should be in,
C:\ProgramData\docker\certs.d{my domain goes here }{port}
(Please note that this ProgramData folder is a hidden folder)
On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.
When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.
I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".
My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.
When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log.
What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.
I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.
PHP Install
My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.
#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so
You can create a similar setup of php using home brew by the following commands:
brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug
Create the CA Cert Bundle File
The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.
I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:
cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc
After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.
Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:
mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart
I am setting up a HTTPS server using Spring boot. I followed the Configure SSL on Spring Boot Docs.
My application.properties file is as follows.
# SSL
server.port = 8443
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = rootroot
But when I access https://localhost:8443 . The server returns no response and server is temporarily down.
Can you guide me what is going wrong?
Finally, I found the answer. I was using the keystore.jks generated from another machine instead of generating in server machine.
Now I solved the problem by using the keystore generated by keytool on server machine and everything went well.
Anyway, thank you for your answers.
Your information did not work for me, then I've did some researches and now it's working after I followed the below steps:
openssl pkcs12 -export -in <mycert.crt> -inkey <mykey.key> -out <mycert.p12> -name tomcat -CAfile <myca.ca> -caname root -chain
(I ran the above command to generate a pkcs12 in my digitalcert, which the only file that does not exists yet is the mycert.p12)
After that I've copied the mycert.p12 to src/main/resources
And finally this is my application.properties file configuration:
server.context-path=/cv2
server.port=8880
server.ssl.key-store=classpath:java_admin_checkverification_com.p12
And now everything is working like a charm!
PS: The configuration server.ssl.key-store was not working for me when I was at the version 1.2.4, because it was not finding the file in the classpath at all... Always throwing FileNotFoundException, so I updated to 1.3.5, with the above configurations and now everything is working.
I've had the same problem and adding the key-store-type fixed it:
server.ssl.key-store-type: JKS
"Tomcat requires the key store (and trust store if you’re using one) to be directly accessible on the filesystem, i.e. it cannot be read from within a jar file. This limitation doesn’t apply to Jetty and Undertow."
by default tomcat is used
If someone has same issue -
my settings are
server.port=8443
server.ssl.key-store=classpath:certs/localhost.keystore
server.ssl.key-store-password=somepass
server.ssl.key-password=somepass
I had a problem with my request - Ive been sending request to 127.0.0.1:8443, but my certificate had name localhost! I fixed request to localhost:8443 and all went right.
Reinstalling my cert with certbot fixed it for me. Just ran certbot and 1: Attempt to reinstall this existing certificate. I already had my config setup like the other answers. I'm not sure how this fixed it, but I figure I'd leave this answer here. I'm using Nginx.
The application log in the event viewer shows
Unable to load SiteMinder host configuration object or host configuration file
for Siteminder 12.51 on IIS 7.5 (64bit) OS Windows 2008 (64bit).
When do you get the error? Is it when you're configuring the Webagent?
Anyway, verify the following.
Verify your environment variables are set correctly, if must have references to the Webagent files, you may need to export the envvars in the webagent or policy server folder (nete_wa_env...) file.
if the host config object you're using exists? Verify this using the
Admin UI
If the hostname is configured in the policy server as a trusted host
Verify if the settings are correct in the corresponding SmHost.conf file in the webagent folder
Verify and eliminate any duplicate or conflicting lines in your IIS config files which refer to siteminder.
Verify the host config object and the agent config object settings.
make sure WebAgent.conf is pointing to the correct SmHost.conf and SmHost.conf has the correct HostConfigObject defined (with the exact case that is used in the Policy Store).
If the HCO in the Policy Store is named "DefaultHostSettings" and SmHost.conf contains HostConfigObject=defaulthostsettings you will get this type of error.
Try re-registering the web agent with the policy server using the smreghost command.
when i made https enabled in secure url and front end secure url usage to yes in magento the checkout page becomes not found. Should i need to do anything more? where i have to place my ssl certificates.
please help me in this
You need to configure your web server (presumably apache?) and point it to your ssl certificate. You also need to make sure that mod_ssl is enabled. The config files will be in /etc/apache2 or /etc/httpd depending on the OS. You should find the ssl.conf file and set the location of the certificate there. To enable mod_ssl you can issue the following command in the command line:
a2enmod ssl