I have installed my SSL certificates on Glassfish 3.2 and everything works as it is supposed to.
I am facing a very strange problem: On server restart, SSL does not work, but when I click the save button on the web interface of the listener, without making any further changes, it immediately starts working!!!!
Any ideas???
PS. All passwords for the certificates and the master-password are the same.
Related
We are running a legacy application on an Apache v7.0.47 server behind an Apache2 HTTPD proxy (v2.4.23).
I am trying to upgrade the Java version on the server (used by both the proxy as well as the tomcat) from v1.8.0_181 to v1.8.0_303.
After that upgrade the Tomcat does not respond any more to the Apache's passed-on requests (the application itself comes up and runs fine).
Both the Apache on its network facing side as well as Apache and Tomcat among each other were configured to "talk" TLS1.2 already for a while, so I don't think that the disabling of TLSv1.0 and TLSv1.1 in the later Java version is the cause of the issue here. And there is no error message in the logs giving any clue. The only indication is, that the Tomcat seems to close and tear down the connection without any response after having receiving the request. That seems to happen already in the SSL layer, since there is no entry in the access-log (of Tomcat).
Switching back to the "old" Java gets things going again, so firewall, network etc. are definitely NOT the issue here. With the newer Java version the connection setup fais again, causing the HTTPD to emit a "502 Bad gateway" error.
Any idea anyone what could cause the Tomcat to reject the HTTPD's requests just based on the Java version? Additional SSL verifications enabled by default in the newer stack? I searched extensively but didn't surface any suspect, yet.
Later addition: trying to identify the issue I found out that with Java v1.8.0_231 things are still working, with v1.8.0_241 and higher it fails.
Inspecting the release notes now to find a hint...
Any ideas or experiences with that upgrade anyone?
Just for the records - in case someone else stumbles over this question:
The issue here was that from Java v1.8.0_241 on upwards Java security verifies that a certificate chain read from a certificate store is rooted in a CA certificate that has a proper CA-flag. Since we were using an old certificate and trust store that had been generated with an old release of the java keytool back than this flag was missing and the new Java version thus rejected all the entries in that certificate file. It thus aborted the SSL connection setup and simply closed the connection without any response or indication.
There is a VM option -Djdk.security.allowNonCaAnchor=true that one can add to Tomcat's JAVA_OPTS variable (typically in a file setenv.sh) to disable this verification. After adding that our Tomcat was again responding to SSL-requests and worked OK again.
BTW: when trying to analyze SSL issues like the above the option -Djavax.net.debug=all:handshake:verbose proved to be a real live-saver! With this option one gets very details log output and can follow SSL handshakes and connection setups in detail. Once I had finally gotten a first useful error message pointing to this CA-flag issue searching for a solution (or rather workaround in this case) proved to be a snap compared to the initial search for what could be the issue here.
Problem: Since Chrome updated a while back (version 58?), I'm not able to access my computer's development Express web server with HTTPS from a remote machine on the same private LAN.
I have created a self-signed certificate on the server (my laptop), and it works great from the same machine via https://localhost:8383 (the local SSL port).
In the past I could bypass the warning on a remote machine on the same network but it has stopped working.
I've gone through the steps of creating a local secure DNS server on my own router with DD-WRT, and self-signed a new certificate with SAN so I could use a DNS host name to access it without specifying an IP address.
I'm able to get to the page after bypassing the message that warns the site's SSL certificate could not be verified. But that's not good enough because while the site will load, the underlying websocket service I'm using on the same port does not work, and so the application loads but is broken on the remote machine. Still works on the local machine because the certificate is valid.
It seems the issue centers around Websockets within Express.
Any guidance would be greatly appreciated! This is a strictly secure environment that's meant to be used on a private network and it makes no sense for me to spend a bunch of money on a public certificate if that even matters.
Thank you.
It appears that the issue is with mobile Chrome and Safari on IOS -- I can get untrusted SSL certificates to work with websockets from another computer on the same network with the latest versions of Chrome and Safari. But on IOS (ipads and iphones), the page will load after being prompted, but Websockets FAIL to function whatsoever.
I've found a couple other people finding this issue.
My workaround for this problem was to revert away from SSL for my private network and completely avoid self-signed certificates.
In a private environment this is OK.
An installed SSL certificate (via Lucee server admin > Services > SSL Certificates) keeps getting lost. We enter the target host name click LIST, see the cert and click INSTALL.
It's all fine for a few weeks the suddenly it just disappears (and our 2 way SSL automation dies). We have no idea why it suddenly just goes though, the cert is valid for another year and there doesn't appear to be a way of manually removing the certs so we are at a loss.
We also don't know where that install process actually stores the cert (in a file, Database, memory) in order to try and monitor it a bit better.
Whats confusing me even more is this is happening across 3 servers (Win 2012).
Each time this happens all we've done is reinstall the cert to Lucee (its already on the cert store on the windows box & the java store) and that seems to resolve it.
Any ideas on why it's happening and how to stop it from happening again?
I am having some trouble with RavenDB after enabling SSL. I have followed the instructions on the RavenDB documentation for enabling SSL which can be found here.
Namely, I updated the Raver.Server.exe.config file to include the new setting and I also installed the cert using /installSSL on Raven.Server.exe.
If I disable SSL - everything works fine, but once I enable SSL I get a connection was reset message in the browser.
I have enabled the Raven logs with the Nlog.config file and also checked the event viewer for logs. Neither of these two have any information. The RavenDB service is running, but it just won't connect when I go to the studio. The problem is beyond the studio because I can't get our APIs to connect to it either.
I have been searching around for a couple of days, but I can't find anything, anywhere.
Any ideas on how to fix this?
It appears that this error occurs when the SSL cert has not been installed correctly into the Windows Cert Store. After inspecting the cert store, I found that the cert was not installed correctly into the Personal collection.
It might be important to note that I disabled SSL on RavenDB and then fixed the Cert Store.
After installing the cert, I re-enabled SSL on RavenDB and everything was working fine again.
I have a Docusign Connect listener running on an EC2 instance. I setup SSL on this with a self signed certificate. This was working fine but I had to reboot my instance yesterday. After rebooting I updated the endpoint in my connect settings with the new DNS alias. Now I've started getting the below error in connect
Could not establish trust relationship for the SSL/TLS secure channel.
I double checked the cert settings were still setup the same in tomcat and they were. I also tried generating a new cert but no luck. I'm working on the demo environment at the moment which should work (and was working) with a self signed cert.
I can also access the SSL URL directly in the browser
Anyone come across this behavior before or have any thoughts on anything I need to change in my config to get it working again?
An update on this - I'm not actively looking into it but it looks to be a sporadic issue. Not sure if it's just a problem in the demo sandbox or not but having not touched the listener in 3 months some days I see the error and other days everything works as expected. I still haven't been able to find root cause but my guess is that the error message been shown is not the actual issue. Since sometimes it works and other times it doesn't, without changing any settings on the DS side or touching the listener or EC2 instance it's running on, I'm guessing there may be some kind of bandwidth or throttling going on in the demo sandbox. I haven't been able to confirm this though. Will add an update if I figure out what's going on.