Tomcat - SSL certificate configure - ssl

I want to set up an SSL certificate on Tomcat. The specification of my server:
OS: ubuntu 18.04 LTS
tomcat: 9.0.31
java: 1.8.0_242
I have these files:
xyz.key
xyz.ca-bundle
xyz.crt
I want to run Tomcat on port 443, although I know I can change the port by using the server.xml file.
Using the above files I can easily set up SSL in Apache, but my question is which file format I need in order to set up SSL on a Tomcat server, and if I need some other format, how should I convert these files?

The question is pretty unclear, but I assume what you're trying to do is run Tomcat standalone, not with Apache httpd as a proxy. In that case, the easiest and best thing to do is to upgrade to a modern version of Java. Java 9 and later support PKCS12, which is easier than using JKS, so you should upgrade, either to 11 (the current LTS release) or 14 (the current release).
Once that is done, you can use this tool to generate a CSR and save a key and help set up your configuration. It might be easier than doing this by editing files.
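As an added example (not part of the answer above, nor Tomcat's own tooling), the conversion the question asks for: the three PEM files (key, leaf certificate, CA bundle) are packed into one PKCS#12 keystore with `openssl pkcs12 -export`, the key is checked against the certificate first, and the matching Tomcat 9 connector is printed. The throwaway CA and leaf certificate are constructed so the script runs offline; in real use point the functions at xyz.key, xyz.crt and xyz.ca-bundle. Two facts worth knowing alongside the answer: Java 8 also reads PKCS#12 keystores, and Tomcat 8.5 and later can use the PEM files directly via the certificateKeyFile, certificateFile and certificateChainFile attributes of the Certificate element, so no conversion is strictly required.

```shell
#!/bin/sh
# Added example, not from the original answer: build a PKCS#12 keystore for a
# Tomcat 9 connector from the PEM files the question lists and check the result.
set -eu

# Constructed fixture: a throwaway CA and a leaf certificate signed by it, so
# the script runs offline. Replace with the files from your real CA.
make_fixture_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Fixture Test CA" \
        -keyout "$d/ca.key" -out "$d/xyz.ca-bundle" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=xyz.example.test" \
        -keyout "$d/xyz.key" -out "$d/xyz.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/xyz.csr" \
        -CA "$d/xyz.ca-bundle" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/xyz.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: succeeds only if the private key belongs to the
# certificate (a key left over from an older CSR is a classic cause of failure).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# pem_to_pkcs12 KEY CERT CHAIN OUT PASSWORD: one entry under alias "tomcat"
# holding the private key, the leaf certificate and the CA chain.
pem_to_pkcs12() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# pkcs12_cert_count FILE PASSWORD: how many certificates the keystore holds
# (leaf plus chain); a missing intermediate shows up here as a low count.
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# connector_xml KEYSTORE PASSWORD: the server.xml connector for the keystore.
# TLSv1.3 needs a JSSE that supports it (Java 11, or Java 8u261 and later).
connector_xml() {
    cat <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="$1"
                     certificateKeystorePassword="$2"
                     certificateKeystoreType="PKCS12"
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>
EOF
}

# demo: run the whole conversion in a temp dir and print the certificate count.
demo() {
    d=$(mktemp -d)
    make_fixture_certs "$d"
    key_matches_cert "$d/xyz.key" "$d/xyz.crt"
    pem_to_pkcs12 "$d/xyz.key" "$d/xyz.crt" "$d/xyz.ca-bundle" "$d/xyz.p12" changeit
    pkcs12_cert_count "$d/xyz.p12" changeit
    rm -rf "$d"
}

demo
connector_xml conf/xyz.p12 changeit
```

The keystore password ends up in server.xml, so keep conf/ readable only by the Tomcat user. Binding port 443 as an unprivileged user needs `setcap cap_net_bind_service=+ep` on the java binary, authbind, or an iptables redirect from 443 to 8443. If the keystore is produced by OpenSSL 3 and read by a JDK older than 8u301 or 11.0.12, add `-legacy` to the export, since those JDKs cannot open the AES/PBKDF2 format OpenSSL 3 writes by default.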

Related

Mamp Pro cannot use SSL anymore

I am using MAMP Pro 5, and last week I could set up and use SSL with a generated self-signed certificate.
But today when I try to start the server again, it doesn't work anymore. I checked the log files and it said:
[Sat Oct 12 13:36:58 2019] [error] (1)Operation not permitted: Init: Can't open server certificate file (path to file)/uf.o.crt
Please let me know how to fix this.
Thanks
This is a screenshot of the error log.
Move the SSL certificates into the default MAMP certificates folder:
/Applications/MAMP/Library/OpenSSL/certs/
I have experienced the same problem after upgrading macOS 10.15 Catalina to build 19A602 (security updates from yesterday). I used to store self-created SSL certs in my user folder, and Apache could not be started anymore.
After moving all .crt and .key files into the folder where MAMP itself stores its automatically generated certificates (which is /Applications/MAMP/Library/OpenSSL/certs) the problem was gone.
Of course you will have to check every single host and re-link the certificate files (marked with a red exclamation mark) to make it work, but there is no need to completely uninstall MAMP.
Usually this problem appears after upgrading MacOS.
Disable Apache
Disable SSL in MAMP
Start Apache
Disable Apache
Enable SSL in MAMP and generate new SSL certificate
Start Apache
It works for me :)
I just solved it by myself, and I also got this solution from the developers after I solved it.
What I did was a full uninstall of MAMP and then install it again.
That's all, fixed.
I had a similar issue and solved it by moving all my projects under my home folder. SSL certificates were regenerated (I use MAMP Pro and prefer to keep SSL certs under my projects for development purposes).
With MAMP PRO 6, certificates are managed by MAMP. I had a problem with a certificate that had expired. I simply deleted the host and recreated it afterwards. MAMP generated new certificates and everything is OK.

Using Lets-Encrypt SSL cert with Jetty

Has anyone been successful with using Letsencrypt SSL with a default jetty install? I can't seem to get it right.
More info:
OS: Ubuntu 16.04
Jetty Path: /opt/jetty
The only thing adjusted is enabling HTTP on port 80 in start.ini.
Problems I have run into:
When I put --module-ssl into start.ini, I get the error
No default protocol for ServerConnector#48aca48b{null,[]}{0.0.0.0:8443}
when starting Jetty, and it fails.
I have tried inputting the SSL info into the ini, as well as editing the .xml files with the info.
I know this is an older question, but in case people stumble across it on Google with a similar issue:
The SSL module in Jetty is just the base cryptographic functionality. You need to do something with it, i.e. also enable the https or http2 modules.
In other words, for standard https you actually need:
java -jar start.jar --add-to-startd=ssl,https
So it's not the best of error messages, but:
No default protocol for ServerConnector
Means just that: it didn't previously have a protocol (implementation) to use the ssl module with, because the https (or http2) modules hadn't been loaded.

Maven 3.0.5 refuses our updated nexus certificate

When running Maven 3.0.5, our (newly swapped, Apache-proxy-hosted) HTTPS certificate for Nexus is rejected with the error:
hostname in certificate didn't match: <new.domain.com> != <*.old.domain.com> OR ..
This does not happen with earlier Maven versions (e.g. 3.0.3), and I noticed that the fix for 3.0.5 seems to match my problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253
I've reviewed the certificate via Chrome etc. and it seems fine. Running Maven in debug mode (-X) doesn't give me much more information.
(I know it's bordering on an Apache/Nexus question.)
Also, this is a wildcard SSL certificate used by several other services, also proxied by the same Apache instance.
Any ideas?
Ok. Problem solved.
After reading up on Apache HTTPS and virtual hosts along with a crash course in HTTP proxies I got it.
Simply put: Apache cannot support multiple virtual hosts with different SSL certificates. This is because the Host header used to proxy the request is encrypted, so we're in a chicken-and-egg situation.
We had our Apache configured like this as we wanted redirects from our old domain to the new one. In this situation Apache simply uses the certificate set up for the first virtual host: https://wiki.apache.org/httpd/NameBasedSSLVHosts
So why did Chrome get the correct certificate? Well, it appears that Chrome (and Apache) support a TLS extension which sends the host name unencrypted in the Client Hello (i.e. the first SSL message). Hence Apache knows which virtual host (i.e. certificate) to send back.
Problem solved.
We will now set up our new domain's virtual hosts first and our old redirects last. This will enable clients with the TLS extension to work 100%, while the other clients will work for our new domain.
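The mechanism the answer describes, as an added example that is not part of the original post: a TLS server holding two certificates picks one by the Server Name Indication (SNI) extension in the ClientHello, and a client that sends no SNI gets the default, just as Apache falls back to the first virtual host's certificate. The script uses `openssl s_server` with its `-servername`/`-cert2`/`-key2` options as a stand-in for the Apache vhosts, the two domain names are the placeholders from the question, both certificates are constructed self-signed fixtures, and the listening port is derived from the process id (an assumption to avoid clashes).

```shell
#!/bin/sh
# Added example, not from the original answer: show SNI selecting between two
# certificates and the no-SNI fallback to the default one.
set -eu

# make_cert CN BASENAME: one self-signed certificate per virtual host
# (constructed fixture, one day validity).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# start_sni_server DIR PORT: old.crt is the default certificate; new.crt is
# used only when the client's SNI names new.domain.com. This mirrors Apache
# serving the first vhost's certificate whenever no SNI is present.
start_sni_server() {
    openssl s_server -accept "$2" -www \
        -cert "$1/old.crt" -key "$1/old.key" \
        -servername new.domain.com -cert2 "$1/new.crt" -key2 "$1/new.key" \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0   # wait for the listener, at most ~10 s
    until echo | openssl s_client -connect "127.0.0.1:$2" >/dev/null 2>&1; do
        i=$((i + 1)); [ "$i" -lt 50 ] || return 1; sleep 0.2
    done
}

# served_cn PORT [NAME]: CN of the certificate the server presents when the
# client sends SNI=NAME, or no SNI at all if NAME is omitted.
served_cn() {
    if [ $# -ge 2 ]; then set -- -connect "127.0.0.1:$1" -servername "$2"
    else set -- -connect "127.0.0.1:$1" -noservername; fi
    echo | openssl s_client "$@" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=//'
}

# demo: start the two-certificate server, query it both ways, clean up.
demo() {
    d=$(mktemp -d)
    port=$((20000 + $$ % 20000))
    make_cert '*.old.domain.com' "$d/old"
    make_cert 'new.domain.com' "$d/new"
    start_sni_server "$d" "$port"
    printf 'no SNI  -> %s\n' "$(served_cn "$port")"
    printf 'SNI set -> %s\n' "$(served_cn "$port" new.domain.com)"
    kill "$SERVER_PID"
    wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$d"
}

demo
```

Against the real Nexus proxy the same two `openssl s_client` calls (with and without `-servername`) show which certificate a non-SNI client such as the old Maven HTTP stack will be handed; if the no-SNI answer is the wildcard certificate, hostname verification of new.domain.com fails exactly as in the question.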

How to run Tomcat on Linux (which has glassfish on port 8080)

I am trying to run Tomcat on Linux where GlassFish is already running on port 8080 (you can check here: vhost2.cs.rit.edu:8080). So I changed the Tomcat port to 8181 by editing the server.xml file. Now I run the command startup.sh and I get the following output:
Using CATALINA_BASE: /home/krs8785/apache-tomcat-7.0.54
Using CATALINA_HOME: /home/krs8785/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /home/krs8785/apache-tomcat-7.0.54/temp
Using JRE_HOME: /usr
Using CLASSPATH: /home/krs8785/apache-tomcat-7.0.54/bin/bootstrap.jar:/home/krs8785/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.
I am assuming that Tomcat is now working. Now when I test the server at vhost3.cs.rit.edu:8181 I get
"No data received" in the browser.
What is the problem here and how do I solve it?
The problem may be unrelated to Tomcat. I think your first step should be to exclude networking issues.
I have assumed you are accessing vhost3.cs.rit.edu:8181 from another machine. If that is the case, try to access localhost:8181 from vhost3.cs.rit.edu itself. If this is not possible in a conventional browser, perhaps because it is a headless server with X forwarding disabled, then use a terminal-based browser. Try typing the following in a terminal on vhost3.cs.rit.edu:
lynx localhost:8181
If you are able to see a representation of the Tomcat splash page, then you can attribute the problem to networking issues. This could be firewall related (perhaps even an issue with iptables on Linux).
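The "exclude networking issues" step above as a script, added here as an example and not taken from the answer. It checks three things in order: whether anything listens on the port at all, whether the listener is bound to all interfaces or only to loopback (a Connector with address="127.0.0.1" answers lynx on the box but nothing remote), and whether a local HTTP request gets a status code. The `ss` and `curl` tools are assumed to exist on the host; the sample `ss -ltn` output is constructed so the bind check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original answer: rule out the network layers
# below Tomcat before suspecting Tomcat.
set -eu

# bind_scope PORT: read `ss -ltn` output on stdin and report where a listener
# on PORT is bound: "all" (0.0.0.0, *, [::]), "loopback" (127.0.0.1, [::1])
# or "none" if nothing listens there.
bind_scope() {
    awk -v port="$1" '
        NR > 1 {
            addr = $4                        # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "all"
            found = 1
            exit
        }
        END { print (found ? scope : "none") }
    '
}

# live_bind_scope PORT: the same check against the running system.
live_bind_scope() {
    ss -ltn | bind_scope "$1"
}

# local_http_status PORT: HTTP status from a request on this host, "000" when
# nothing answers. This is the lynx check from the answer without a browser.
local_http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://127.0.0.1:$1/" || true
}

# diagnose PORT: combine the checks and name the layer to look at next.
diagnose() {
    case "$(live_bind_scope "$1")" in
        none)     echo "nothing listens on $1: read logs/catalina.out for a bind error or port clash" ;;
        loopback) echo "bound to loopback only: drop address=\"127.0.0.1\" from the Connector, or put a proxy in front" ;;
        all)      echo "listening on all interfaces, local HTTP status $(local_http_status "$1");" \
                       "if remote clients still fail, check the firewall (iptables -S INPUT)" ;;
    esac
}

# Constructed sample of `ss -ltn` output: GlassFish on 8080 on every address,
# Tomcat on 8181 bound to loopback only, sshd on 22.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:8080             *:*
LISTEN 0      100    127.0.0.1:8181     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

printf '%s\n' "$SAMPLE_SS" | bind_scope 8181
```

Run `diagnose 8181` on the server itself; with the sample above the verdict would be "loopback", which produces exactly the symptom in the question: the splash page appears locally while remote browsers get nothing.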

How can I move my SSL cert from Tomcat to Apache

I am moving my site from a Tomcat-only instance to an Apache httpd / Apache Tomcat setup. I'm trying to set up SSL with mod_ssl on Apache httpd, but I don't know how to convert my Tomcat keystoreFile/keystorePass to the Apache httpd SSLCertificateFile/SSLCertificateKeyFile format. I am poring over the OpenSSL man pages with no luck. I am running the site on Fedora 13. Any suggestions?
Use the Java keytool -importkeystore utility to convert the "JKS" format key store file to a standard "PKCS #12" format. Then use OpenSSL to convert the PKCS #12 file to whatever format you require. You can see full details in this answer to a duplicate question.
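The two-step conversion the answer describes, written out as an added example (not the answer's own commands): keytool turns the Tomcat JKS keystore into PKCS#12, then OpenSSL splits that into the unencrypted key, the leaf certificate and the CA chain that mod_ssl reads. The fixture is a constructed self-signed certificate packed straight into PKCS#12 so the script runs offline; the keytool step is shown but not exercised, since producing a JKS needs a JDK. Alias and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: JKS -> PKCS#12 -> PEM files for
# Apache httpd mod_ssl.
set -eu

# jks_to_pkcs12 JKS STOREPASS ALIAS OUT_P12: keytool copy into PKCS#12. For a
# PKCS#12 destination the store and key passwords must be the same.
jks_to_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" -srcalias "$3" \
        -destkeystore "$4" -deststoretype PKCS12 \
        -deststorepass "$2" -destkeypass "$2"
}

# pkcs12_to_pem P12 PASSWORD OUTDIR: write server.key, server.crt and
# chain.crt. Piping through `openssl pkey` / `openssl x509` strips the
# "Bag Attributes" preamble that `openssl pkcs12` prints before each object.
pkcs12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$3/server.key"
    chmod 600 "$3/server.key"          # unencrypted key: owner-only access
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$3/server.crt"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3/chain.crt"
}

# apache_ssl_directives DIR: the mod_ssl lines that replace keystoreFile /
# keystorePass. On httpd 2.4.8+ SSLCertificateChainFile is deprecated; append
# chain.crt to server.crt and drop that line instead.
apache_ssl_directives() {
    cat <<EOF
SSLEngine on
SSLCertificateFile      $1/server.crt
SSLCertificateKeyFile   $1/server.key
SSLCertificateChainFile $1/chain.crt
EOF
}

# demo: build the fixture keystore, split it, and confirm the extracted key
# belongs to the extracted certificate. Prints the outcome on the last line.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=www.example.test" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
    openssl pkcs12 -export -name tomcat -inkey "$d/k.pem" -in "$d/c.pem" \
        -out "$d/keystore.p12" -passout pass:changeit
    pkcs12_to_pem "$d/keystore.p12" changeit "$d"
    if [ "$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null)" = \
         "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" ]; then
        echo "key matches cert"
    else
        echo "key/cert mismatch"
    fi
    rm -rf "$d"
}

demo
apache_ssl_directives /etc/httpd/ssl
```

On a Fedora host the files go under /etc/pki/tls/ or /etc/httpd/ssl with the key readable only by root, and the Tomcat keystore password is no longer needed by Apache. One caveat when OpenSSL 3 reads a PKCS#12 written by a JDK older than 8u301 or 11.0.12: those keytool versions encrypt certificates with RC2-40, which OpenSSL 3 only accepts with `openssl pkcs12 -legacy`.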