Ognjen,

On 12/18/12 5:05 AM, Ognjen Blagojevic wrote:
> James,
> 
> On 18.12.2012 3:03, James Dekker wrote:
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start 
>> INFO: Starting ProtocolHandler ["http-bio-8443"] Dec 17, 2012
>> 5:43:08 PM org.apache.coyote.AbstractP INFO: Server startup in
>> 9611 ms
> 
> You successfully configured and started Tomcat with a self-signed
> certificate. So far, so good.
> 
> 
>> When I go to my bash shell and type this in:
>> 
>> curl -X GET https://localhost:8443
>> 
>> I get the following error output:
>> 
>> curl: (60) Peer certificate cannot be authenticated with known
>> CA certificates More details here:
>> http://curl.haxx.se/docs/sslcerts.html
> 
> If you are using curl just to check the certificate or test HTTPS,
> it is easier and faster to do that with your favorite web browser.

Better yet, use sslscan.

> If you need to use curl for some other reason (e.g. it is part of
> your business use case), then it makes sense to stick with curl.

+1

>> curl performs SSL certificate verification by default, using a
>> "bundle" of Certificate Authority (CA) public keys (CA certs). If
>> the default bundle file isn't adequate, you can specify an
>> alternate file using the --cacert option. If this HTTPS server
>> uses a certificate signed by a CA represented in the bundle, the
>> certificate verification probably failed due to a problem with
>> the certificate (it might be expired, or the name might not match
>> the domain name in the URL). If you'd like to turn off curl's
>> verification of the certificate, use the -k (or --insecure)
>> option.
>> 
>> Am I missing a step here?
> 
> You seem to be confused by the fact that curl and Java are using 
> different files and different formats for managing CA
> certificates.

Nope, curl doesn't care: X509 certificates are exchanged in a standard
way.

The problem is that curl doesn't trust the self-signed certificate
presented by the server -- which is absolutely the right behavior.

If you want curl to ignore the server's untrusted certificate, just
use -k or --insecure.... just like the error message told you to do.

> Java is using its own .jks format, while curl uses PEM format.
> Java stores system wide trusted CA certificates in file 
> "$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import
> your self signed certificate in step #4), while curl reads them
> from file "ca-bundle.crt" (where your certificate is not stored,
> hence the error). I believe the default location for ca-bundle.crt
> on Red Hat is /etc/pki/tls/certs.
> 
> So, in order to run curl, as suggested by the docs:
> 
> 1. Use curl -k option.

+1

> 2. Convert cert to PEM format and use curl --cacert option.

If you want to go through that effort. If this will be used in a
script in production, then you /absolutely should/ do this.

> 3. Convert cert to PEM format, and add it to system wide CA bundle 
> (ca-bundle.crt).

I wouldn't do #3, here. You don't want to modify the system-trusted
certificates for two reasons:

1) You'll forget why it works on this server but not on one that you
build in 18 months
2) You don't want to modify the system-trusted certificates

-chris
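The pinned-certificate approach recommended above (Ognjen's step #2 and Chris's "absolutely should do this" for production scripts), as an added example that is not code from the thread: export the self-signed cert from Tomcat's JKS keystore to PEM and hand it to curl with --cacert, leaving verification on. The keystore path, alias and password are placeholders, and the cert is assumed to carry CN=localhost, since curl also checks the name against the URL host.

```shell
#!/bin/sh
# Added example (not from the thread): pin Tomcat's self-signed certificate for
# curl with --cacert instead of disabling verification with -k.
# Assumptions: KEYSTORE, ALIAS and STOREPASS are placeholders for whatever you
# used with keytool -genkey; the cert's CN (or SAN) is "localhost".
set -eu

KEYSTORE="${KEYSTORE:-$HOME/.keystore}"        # Tomcat's keystoreFile (placeholder)
ALIAS="${ALIAS:-tomcat}"                       # keyAlias used at generation time
STOREPASS="${STOREPASS:-changeit}"             # keystorePass (placeholder)
CERT_PEM="${CERT_PEM:-tomcat-selfsigned.pem}"

# Step 2 from the thread: get the cert out of the .jks keystore as PEM.
# keytool's -rfc switch prints Base64 between BEGIN/END CERTIFICATE lines,
# which is the format curl's --cacert reads; without -rfc you get DER.
export_cert() {
    keytool -exportcert -rfc -keystore "$KEYSTORE" -alias "$ALIAS" \
        -storepass "$STOREPASS" -file "$CERT_PEM"
}

# Check that a file really is PEM before handing it to curl.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Verification stays on: curl trusts exactly this one certificate, still checks
# expiry and the hostname, and fails closed if the server's cert changes.
# The PEM lives next to the script rather than in the system CA bundle (step 3),
# so the trust decision is visible in the script that depends on it.
fetch() {
    curl --cacert "$CERT_PEM" "https://localhost:8443/"
}

main() {
    export_cert
    is_pem_cert "$CERT_PEM" || { echo "not a PEM certificate: $CERT_PEM" >&2; return 1; }
    fetch
}

# Run with: sh pin-tomcat-cert.sh run
if [ "${1:-}" = run ]; then main; fi
```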
