Tomcat Presenting SSL Credentials - apache

I have set up my MongoDB to only accept connections over SSL. Mongo has a handle to a certificate that I generated with the following commands
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out server-cert.crt -keyout server-private.key
cat server-cert.crt server-private.key > /etc/ssl/mongoSSL.pem
I added the following to my /etc/mongod.cnf...
sslMode=requireSSL
sslPEMKeyFile=/etc/ssl/mongo/mongoSSL.pem
Whenever Tomcat attempts to talk to Mongo, it fails due to not presenting the SSL certificate.
I set up my /opt/tomcat/conf/server.xml to have the following
<Connector port="27017" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/ssl/mongo/mongoSSL.pem"/>
This, however, does not work. Does anyone have a link to a tutorial that can further my knowledge on how this is done? I found a tutorial to configure SSL with Apache and I found the Apache Docs on SSL Support; however, neither seems to be for my use case.
Thanks.

Whenever Tomcat attempts to talk to Mongo, it fails due to not presenting the SSL certificate. I set up my /opt/tomcat/conf/server.xml to have the following
Your assumption is wrong: your server.xml configuration doesn't instruct Tomcat to present an SSL certificate to MongoDB. It tells Tomcat to listen for secure (https) connections on port 27017 (which is occupied by MongoDB anyway). You should discard that Tomcat connector setting.
In fact sslMode=requireSSL doesn't instruct MongoDB to require a client certificate for two-way authentication. It only instructs MongoDB to accept only secured SSL connections.
What you need to do is not to configure Tomcat, but the MongoDB driver (I assume Java here since you are using Tomcat).
Configuring the Java driver is fairly easy. You can find the instructions here

Related

ERR_SSL_VERSION_OR_CIPHER_MISMATCH with signed certificate in Tomcat 8.5

I have a tomcat server for which I needed a signed certificate. I generated a key using
openssl req -new -newkey rsa:2048 -nodes -out sample_bfc_org.csr -keyout sample_bfc_org.key -subj "/C=BD/ST=Dhaka/L=Dhaka/O=Bangladesh Finance Corporatiobn/OU=IT/CN=sample.bfc.org"
and then generated a CSR and sent it to my company admin.
They gave me back a CER file with the signed certificate and certificate chain.
But when I import the certificate file in tomcat, I am getting the following error:
This site can’t provide a secure connection
ehls.bhbfc.org uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
My tomcat server.xml configuration is as follows:
<Connector executor="tomcatThreadPool"
port="443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
connectionTimeout="20000"
acceptCount="100"
maxKeepAliveRequests="15"
SSLCACertificateFile="${catalina.base}/SSL/DigiCertCA.crt"
SSLCertificateFile="${catalina.base}/SSL/sample_bfc_org.crt"
SSLCertificateKeyFile="${catalina.base}/SSL/sample_bfc_org.key"
SSLPassword="123456"
SSLEnabled="true"
scheme="https"
secure="true"
sslProtocol="TLS"
/>
But still, the error exists. What can I do to solve the error shown above?

Using Let's encrypt with Apache and Apache Tomcat

On the same machine, Apache is running on port 80 and Tomcat on port 8080.
Apache serves the html, css and js files and makes calls to Tomcat services.
Basically exampledomain.com calls exampledomain.com:8080 to receive data.
Now I upgraded the protocol from http to https using the Let's Encrypt certbot to generate the certificate; this certificate will be renewed every 3 months by certbot. Apache is running fine on port 443 but Tomcat still uses port 8080. I can use the same certificate to run Tomcat on port 8443, but to do this the certificate needs to be converted to a Java Keystore.
My question is: if I convert the certificate, it will expire after 3 months, and then I need to convert the newly generated certbot certificate to a Java Keystore again?
Yes, you have to convert the certificate every time it is renewed.
Tomcat accepts .jks and .pfx certificates, and you can make the conversion automatic every time certbot generates a new certificate by writing a script and running it from certbot's renewal hooks.
Script:
#!/bin/bash
# Abort on any failing command or unset variable so a half-written .pfx never replaces a good one
set -euo pipefail
# RENEWED_LINEAGE is exported by certbot for deploy hooks; refuse to run without it
: "${RENEWED_LINEAGE:?this script must be run by certbot as a deploy hook}"
# Adjust these variables as necessary
# Where you want the final PKCS12 file to be stored.
CERT_PATH="/opt/app/certificate.pfx"
# Password to encrypt the PKCS12 file (must match keystorePass in server.xml).
CERT_PW="ShoobyDooby"
# Path to LE files, RENEWED_LINEAGE provided by CertBot
PRIV_KEY_PEM="$RENEWED_LINEAGE/privkey.pem"
CERT_PEM="$RENEWED_LINEAGE/cert.pem"
CHAIN_PEM="$RENEWED_LINEAGE/chain.pem"
# If there's already a .pfx file, back it up
if [[ -f "$CERT_PATH" ]]; then
    now=$(date +%Y-%m-%d-%T)
    mv "$CERT_PATH" "$CERT_PATH.bak.$now"
fi
# LE conversion: bundle key, leaf certificate and chain into one password-protected PKCS12
openssl pkcs12 -export -out "$CERT_PATH" -inkey "$PRIV_KEY_PEM" -in "$CERT_PEM" -certfile "$CHAIN_PEM" -password "pass:$CERT_PW"
Place this script in /etc/letsencrypt/renewal-hooks/deploy/auto_pfx.sh
Don't forget to chmod! If the script isn't executable, it's ignored.
Automatic PKCS12 Conversion for Let's Encrypt Certificates
The answer is yes and no:
yes, if you want to keep your certificate in PKCS12 or JKS format, you'll have to convert it after every renewal, like in your answer,
no, converting to PKCS12 is not necessary on any supported version of Tomcat, except 7.0 (which reaches end-of-life in two months anyway). Tomcat 8.5, 9.0 and the upcoming 10.0 have no problem reading PEM-encoded certificates, just configure it like this:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeyFile="/etc/letsencrypt/live/example.org/privkey.pem"
certificateFile="/etc/letsencrypt/live/example.org/cert.pem"
certificateChainFile="/etc/letsencrypt/live/example.org/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
This works on all three types of connector (NIO, NIO2 and APR). On the other hand the APR connector never supported PKCS12 and JKS keystores.

Can't get my Tomcat to connect using port 443 (https)

For the past two days I've been trying to do one thing: be able to access my webapp (localhost:8080/evop) as www.gestao.com.br and, furthermore, enable https on my web server so that https://www.gestao.com.br also works.
Summary
I need to have a localhost web application showing the https in front of its URL (not the crossed red https).
PS: Using Tomcat as the web server and Windows as the host OS.
Explanation
We install Tomcat on each client so they can run our webapp locally at their companies. After some time we started receiving some complaints that the connection is not secure, even though they are local, so in order to please our clients we decided to enable SSL on their Tomcat servers locally.
Using the keytool provided with the JDK it was quite easy to enable https on the server; however, the https was crossed by a red line because it was self-signed. At this point I knew a CA was needed to sign the certificate, but since this was all done locally and there were no real domains bought, using a CA like LetsEncrypt was not possible.
So enough of a background story; basically I have a Tomcat server on a Windows 10 machine and it needs to have a signed SSL certificate so the applications hosted on that server have https in front of their URLs (not the crossed https).
What I did
In order to do that I found out I was going to have to be my own CA. Here are my steps:
1. Being able to access my webapp using only a local domain www.gestao.com.br
My webapp url was localhost:8080/evop; However, I changed C:\Windows\System32\drivers\etc\hosts by adding 127.0.0.1 www.gestao.com.br to the end of the file, so I could access it using www.gestao.com.br:8080/evop
I solved the port-in-the-URL problem by editing the server.xml in Tomcat's conf folder and adding:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />
With that I was able to access it using www.gestao.com.br/evop
The last step was to rename the folder called evop in Tomcat's webapps folder to ROOT, and I was able to load my application with www.gestao.com.br
2. Becoming my own CA
Created a private key with:
openssl genrsa -des3 -out rootSSL.key 2048
Created the root certificate file:
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Added my newly created root certificate to the Microsoft Management Console (MMC) so Windows knows it can trust certificates signed by me.
3. Creating and signing a certificate for my own application
Created a private key for the new local domain with:
openssl req -new -sha256 -nodes -out gestao.csr -newkey rsa:2048 -keyout gestao.key -subj "/C=BR/ST=MS/L=Campo Grande/O=Evop/OU=Dev/CN=www.gestao.com.br/emailAddress=dev#evop.com.br"
Issue the certificate with:
printf 'authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nsubjectAltName=DNS:www.gestao.com.br\n' > gestao.ext
openssl x509 -req -in gestao.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out gestao.crt -days 500 -sha256 -extfile gestao.ext
4. Configure Tomcat to use the certificate
I tried this two ways. First I opened a PowerShell in Tomcat's conf folder to use rootSSL.pem to create a keystore using the JDK's keytool with:
keytool -import -alias root -keystore tomcat.jks -trustcacerts -file rootSSL.pem
Then I also added the local domain certificate with:
keytool -import -alias tomcat -keystore tomcat.jks -file gestao.crt
After that I configured a connector on server.xml like so:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" compression="on" scheme="https" secure="true" keystoreFile="conf/tomcat.jks" keyAlias="tomcat" keystorePass="password" clientAuth="false" SSLVerifyClient="none" sslProtocol="TLSv1.2" />
However I was only able to access Tomcat using the 8080 port, if I tried to access it using port 443 I got a connection refused error.
Secondly, I tried not using the keytool and setting the local domain certificate and key directly in the connector, like so:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/gestao.key" certificateFile="conf/gestao.crt" type="RSA" />
</SSLHostConfig>
</Connector>
However, that also did not let me connect using the 443 port.
References
Wil Brown’s article - Be your own certificate authority (CA) and issue certificates for your local development environment and get HTTPS working in Windows 10.
How to install an SSL certificate on a Tomcat server
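The following check script is an editor's added example and is not taken from any of the posts above. It covers two things this thread runs into: for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH post, whether the certificate file actually belongs to the key file the connector is given, and for the own-CA post above, whether the keystore handed to keystoreFile= contains a private key at all (keytool -import of a .crt adds trusted-certificate entries only, never a key). It assumes only the openssl CLI; the root CA, the host name www.example.test and the password are constructed fixtures.

```shell
#!/bin/sh
# Editor's added example (not from the posts above). Needs only the openssl CLI.
set -eu

# 0 when the public key inside PEM cert $1 equals the one derived from PEM key $2.
# A Tomcat APR connector handed a cert/key pair that do not match has no usable
# key pair, and the browser reports that as a protocol/cipher mismatch.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Build a PKCS12 keystore at $4 (password $5) that holds key $1, cert $2 and
# chain $3 under alias "tomcat"; this is what keystoreFile=/keyAlias= expects.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5"
}

# 0 when PKCS12 $1 (password $2) contains a private key entry. A store built
# with keytool -import of certificates alone holds only trusted-cert entries,
# so an HTTPS connector pointed at it cannot start and port 443 refuses connections.
pkcs12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Constructed fixtures in a temp dir: a throwaway root CA and a leaf certificate
# for the placeholder name www.example.test, issued the way the own-CA post does
# (extensions via -extfile, which is what openssl x509 -req actually reads).
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/leaf.ext" \
        -out "$d/leaf.crt" 2>/dev/null
    echo "$d"
}
```

Run cert_matches_key and pkcs12_has_key against the real files referenced in server.xml before restarting Tomcat; a non-zero exit from either is a configuration problem, not a TLS protocol problem.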

Mock server for https connection

I have learnt about SSL and SSL certificates used on the client and server side. I pretty much understand how things work and have generated server and client certificates and keys. I have studied how I can use my own CA with https in Android.
I want to setup a server where I can put the server certificate and then access it from my android device to make an emulation of what I have learnt so far.
Is there any server available where I just need to put cert and key and it will start working? I have gone through wamp and apache configuration stuff but unfortunately I am unable to make it work properly.
If you're using OpenSSL it includes a very simple server named s_server which is very useful for this kind of experimentation. Here's an example that might get you started
$ openssl s_server -key test.key -cert test.crt -accept 8443 -WWW
This will serve up files in the current working directory from https://localhost:8443/
The manpage for s_server should give you all the info you need. I think you'll want the -CApath or -CAfile options if you're also experimenting with client certs.

Migrate SSL certificate from CPanel to DigitalOcean Apache server

This is my first time setting up HTTPS (2016. Scary, I know) and I am having trouble migrating a certificate from a server running CPanel.
There seems to be no Export button so I assume I can create myself an SSL certificate simply by copying the different keys I have:
Unfortunately I don't know how the file should be saved (I assume as *.domain.com.crt as mentioned in DigitalOcean). Yet I see they need other certificates (such as an intermediate cert). Another unfortunate thing is that the site was hosted and run by an external manager, so I don't have root access to export the SSL certificate using the CLI.
How can I get around this?
Do I have to buy a new certificate?
Thanks
Copying an SSL from server to server is, sadly, no easy matter. The SSL was generated from a CSR specific to the server itself, so it is very likely the SSL certificate itself is not valid on the new server.
If the SSL was self-signed, you can just make a new one on the new server using this command:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
If it was an SSL you paid for, contact the SSL provider to work with them to regenerate it for the new server.
Alternatively, you can use certbot to make a whole new SSL on the new server pretty quickly.