James,
On 18.12.2012 3:03, James Dekker wrote:
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms
You successfully configured and started Tomcat with a self-signed
certificate. So far, so good.
> When I go to my bash shell and type this in:
> curl -X GET https://localhost:8443
> I get the following error output:
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
If you are using curl just to check the certificate or test HTTPS, it is
easier and faster to do that with your favorite web browser.
If you need to use curl for some other reason (e.g. it is part of your
business use case), then it makes sense to stick with curl.
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> Am I missing a step here?
You seem to be confused by the fact that curl and Java are using
different files and different formats for managing CA certificates.
Java is using its own .jks format, while curl uses PEM format. Java
stores system-wide trusted CA certificates in the file
"$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import your
self-signed certificate in step #4), while curl reads them from the file
"ca-bundle.crt" (where your certificate is not stored, hence the error).
I believe the default location for the file ca-bundle.crt in Red Hat is
/etc/pki/tls/certs.
So, in order to run curl, as suggested by the docs:
1. Use the curl -k option.
2. Convert the cert to PEM format and use the curl --cacert option.
3. Convert the cert to PEM format, and add it to the system-wide CA bundle
(ca-bundle.crt).
-Ognjen
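
Option 2 from the list above, sketched as an added example that is not part of the original message: it turns a certificate exported from the Java keystore into PEM and hands it to curl with --cacert. The keystore path, the alias `tomcat` and the file names `tomcat.cer` and `tomcat.pem` are assumed placeholders.

```shell
#!/bin/sh
# Added example. KEYSTORE, ALIAS, URL and the file names are assumed placeholders.
KEYSTORE="${KEYSTORE:-$HOME/.keystore}"
ALIAS="${ALIAS:-tomcat}"
URL="${URL:-https://localhost:8443}"

# True if the file already starts with a PEM certificate header.
is_pem_cert() {
    head -n 1 "$1" | tr -d '\r' | grep -qxF -e '-----BEGIN CERTIFICATE-----'
}

# keytool -exportcert without -rfc writes binary DER. PEM is the same bytes,
# base64-encoded in 64-column lines between BEGIN/END markers.
der_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    base64 < "$1" | tr -d '\n' | fold -w 64
    echo
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Print a PEM copy of the certificate, converting only when needed.
to_pem() {
    if is_pem_cert "$1"; then cat "$1"; else der_to_pem "$1"; fi
}

if [ "${1:-}" = "check" ]; then
    cert="${2:-tomcat.cer}"
    # Export the self-signed certificate from the keystore if no file exists yet.
    [ -f "$cert" ] || keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" -file "$cert"
    to_pem "$cert" > tomcat.pem
    # Verification stays on: curl trusts only tomcat.pem for this request and
    # still requires the certificate name to match the host in the URL.
    curl --cacert tomcat.pem "$URL"
fi
```

Invoked with `check` and optionally a certificate file, the script runs the export and the curl request; with no arguments it only defines the functions.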