I am new to https configuration in tomcat. I googled a lot but that did not solve my problem.
I have an ec2 machine and tomcat deployed on it. I tried to create self signed certificate , which was easy to generate.I used my domain www.test.com(changed test with my server name) and keystore file was generated. Then I edited conf/server.xml for https configuration as described in ssl howto of tomcat docs.But https is not working. Though when I do "curl https:// localhost :8443 -k " I can get response but it is not working in browser. Takes to long to respond and boom I am done with nothing. Do I need a certificate or It will work with keystore file only? Please tell me .
Please help me out
Thanks
Hi Thanks for you answer, I found my issue and would like explain my resolution
1.) Curl was working but it was not responding in browser . I had to open port 8443 manually from security groups in aws. It was working then :).
2.) For all others if they face with the problem "Failed to establish chain from reply"
i) please check your keystore file. Is it the same used to generate CSR?
ii) Install intermediate certificates provided by your certificate authority.
For some of them you can follow
https://www.sslcertificaten.nl/download/Root_Certificaten/
use alias primary and secondary respectively
$JAVA_HOME/bin/keytool -import -alias primary -keystore sslkey -trustcacerts -file primary_cert.crt -storepass mypass
$JAVA_HOME/bin/keytool -import -alias secondary -keystore sslkey -trustcacerts -file secondary_cert.crt -storepass mypass
iii) finally import your certificate
$JAVA_HOME/bin/keytool -import -alias tomcat -keystore sslkey -trustcacerts -file www_mydomain_com.p7b -storepass mypass
Hope this helps
cheers
If curl works, then the problem is either in the browser or in the servlet - SSL setup should be correct. Check the log files of Tomcat for errors and set breakpoints in your servlets to see what happens.
Related
I have got tests which need to run over HTTPS REST API webservices from bitbucket server CI pipeline, can anyone tell me the step-by-step instructions to plugin the .crt certificate file?
Similal issue, we got that resolved after adding the following line to the bitbucket pipeline yml file
keytool -importcert -trustcacerts -noprompt -alias -ouralias -file OUR.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass ourpass
Currently I am adding ca filepath into my mqtt server. To consume or publish I need to add this certificate into nifi processor, but I could not find any option for adding certicate in nifi.
So I tried to add one certificate property, but throwing error.
#Chintamani You should import your certs into keystore or truststore for your SSL Context Service.
For Example:
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file certificate.cer -alias nifi -keystore truststore.jks
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -trustcacerts -alias nifi -file certificate.cer -keystore keystore.jks
I usually put the files in /etc/nifi/ssl/ and be sure to chown them to nifi:nifi. Then in your controller service, put the path to the files, the type (JKS), the password.
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-ssl-context-service-nar/1.5.0/org.apache.nifi.ssl.StandardRestrictedSSLContextService/index.html
You can't provide the certificate file to Nifi directly. You'll need to create a keystore or truststore that contains your certificate or a certificate higher in the certification path. For instance, if certificate A signed certificate B and certificate B signed your certificate, you could add certificate A or B or your certificate to a truststore. Let's say you used LetsEncrypt.org to sign your certificate. You could browse to LetsEncrypt.org and download their certificate and add that to your truststore. Once you have the certificate file, you can add it to an existing truststore or create a new one in one command using the Java Keytool (available with a JDK or JRE):
keytool -import -alias YOUR_ALIAS -file CERTIFICATE_FILE -storetype TYPE -keystore MY_TRUST_STORE_FILE
For Example:
keytool -import -alias Chintamani_Alias -file Chintamani.cer -storetype JKS -keystore Chintamani.truststore
This command will create Chintamani.truststore with the password you provide if the file doesn't already exist. Then you provide the path to the truststore, the truststore password and set the truststore type (JKS in the example above).
And make sure:
Your MQTT processor is using ssl:// in the Broker Uri
Your StandardSSLContextService or StandardRestrictedSSLContextService is enabled
Your MQTT processor is configured to use your SSL Context Service
or you might see errors like:
o.a.nifi.processors.mqtt.ConsumeMQTT ConsumeMQTT[id=<GUID>] Connection to <YOUR URL>:8883 lost (or was never connected) and connection failed. Yielding processor: java.net.SocketException: Connection reset
? causes: Connection lost (32109) - java.net.SocketException: Connection reset
org.eclipse.paho.client.mqttv3.MqttException: Connection lost
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:190)
I want to access localhost via HTTPS by Chrome.
Would you tell me how to solve ?
localhost is building with tomcat in Spring Boot.
I finished to
create self-signed certification(*1)
enable HTTPS on Spring Boot(*2)
import the certificattion by Chrome(*3)
But when I access localhost Chrome display "NET::ERR_CERT_AUTHORITY_INVALID".
my environment:
Ubuntu 18.04
Chrome 79
Spring Boot 2.2.2
Tomcat 9
*1 create self-signed certification:
$ keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650 -ext san=dns:localhost -ext san=ip:127.0.0.1
*2 enable HTTPS on Spring Boot
$ vi src/main/resources/application.properties
server.port=8443↲
server.ssl.enabled=true↲
server.ssl.key-store=keystore.p12↲
server.ssl.key-store-password=password↲
server.ssl.key-password=password↲
server.ssl.key-store-type=PKCS12↲
server.ssl.key-alias=tomcat↲
security.require-ssl=true↲
*3 import the certificattion
$ keytool -exportcert -keystore keystore.p12 -alias tomcat -file keystore.der
(or when I access localhost, export the certificate from Chrome display)
After do, on Manage certificates import keystore.der.(Chrome setting:GUI)
Thanks Regard.
Your certificate is self-signed, so Chrome has no way of verifying that the certificate is valid. Self signed means that you confirm that you are you.
You can either add an exception (preferred way) or import your certificate into Chrome and trust this certificate. If you do the later it means that from now own Chrome will trust this certificate. If you loose it, or share it (eg. with your source code) someone could potentially create a secure site that your browser will no accept as valid no matter what.
Witch Chrome you could also allow invalid certificates for localhost by visiting
chrome://flags/#allow-insecure-localhost
and check "Enable".
Solved
Getting Chrome to accept self-signed localhost certificate
Excerpt from the above link
on Terminal
$ sudo apt-get install libnss3-tools
on Chrome
click the lock icon with an X,
choose Certificate Information
go to Details tab
Click on Export... (save as a file)
on Terminal
$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n YOUR_FILE -i YOUR_FILE
I want to use SSL on my server, therefore I have bout an SSL certificate, however the certificate had two parts one of them is the intermediate.
Now how to create the keystore for them?
What I did is the following:
1- chained both certificates and put them in one file.
2- I have usedd the next command to generate the keystore from the (chained certificate)
keytool -import -alias tomcat -file myCertificate.crt -keystore keystore.p12 -storepass password
3- I have add this code into my spring boot:
server.ssl.key-store: C:/Program Files/Java/jdk1.8.0_231/bin/keystore.p12
server.ssl.key-store-password: password
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
But I am still having the next issue:
'Alias name [tomcat] does not identify a key entry'
From looking into google I have found out that the issu is my keystore is generating my certificate as trustedCertEntry instead of PrivateKeyEntry.
How to fix this and what am I missing?
I took sample webapp from https://github.com/vdenotaris/spring-boot-security-saml-sample and it is working file. Later. I tried to connect kennisnet staging environment.
Kennisnet details here
https://developers.wiki.kennisnet.nl/index.php?title=KNF:Hoofdpagina/en
I updated metadata which is downloadable from this url https://hub-s.entree.kennisnet.nl/openaselect/profiles/saml2/
I generated smalKeyStore.jks using below commands
keytool -genkey -alias tomcat -keyalg RSA -keystore samlKeyStore.jks
keytool -importkeystore -srckeystore samlKeyStore.jks -destkeystore
samlKeyStore.jks -deststoretype pkcs12
I followed all Spring SAML https threads in stackoverflow and not able to figure it out this issue.
LOGS:
Add the certificate to your JDK so that your application can get the metadata from URL https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2.
These are the steps you need to fillow:
Download the certificate for aselect-s.entree.kennisnet.nl
Import the certificate to your JDK/JRE using this command:
keytool -keystore #path to java_home#/lib/security/cacerts -importcert -alias #anything relevent# -file #path to certificate#
Make sure your server is using same java_home where you are importing the certificate, also verify the subjectname in the certificate before importing, it must be "CN = *.entree.kennisnet.nl"
Restart the server.