Ognjen,

On 12/18/12 5:05 AM, Ognjen Blagojevic wrote:
> James,
>
> On 18.12.2012 3:03, James Dekker wrote:
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-bio-8443"]
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
>> INFO: Server startup in 9611 ms
>
> You successfully configured and started Tomcat with a self-signed
> certificate. So far, so good.
>
>> When I go to my bash shell and type this in:
>>
>> curl -X GET https://localhost:8443
>>
>> I get the following error output:
>>
>> curl: (60) Peer certificate cannot be authenticated with known
>> CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> If you are using curl just to check the certificate or test HTTPS,
> it is easier and faster to do that with your favorite web browser.

Better yet, use sslscan.

> If you need to use curl for some other reason (e.g. it is part of
> your business use case), then it makes sense to stick with curl.

+1

>> curl performs SSL certificate verification by default, using a
>> "bundle" of Certificate Authority (CA) public keys (CA certs). If
>> the default bundle file isn't adequate, you can specify an
>> alternate file using the --cacert option. If this HTTPS server
>> uses a certificate signed by a CA represented in the bundle, the
>> certificate verification probably failed due to a problem with
>> the certificate (it might be expired, or the name might not match
>> the domain name in the URL). If you'd like to turn off curl's
>> verification of the certificate, use the -k (or --insecure)
>> option.
>>
>> Am I missing a step here?
>
> You seem to be confused by the fact that curl and Java are using
> different files and different formats for managing CA
> certificates.

Nope, curl doesn't care: X509 certificates are exchanged in a standard
way. The problem is that curl doesn't trust the self-signed certificate
presented by the server -- which is absolutely the right behavior.

If you want curl to ignore the server's untrusted certificate, just use
-k or --insecure.... just like the error message told you to do.

> Java is using its own .jks format, while curl uses PEM format.
> Java stores system wide trusted CA certificates in file
> "$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import
> your self signed certificate in step #4), while curl reads them
> from file "ca-bundle.crt" (where your certificate is not stored,
> hence the error). I believe the default location for file ca-bundle.crt
> in Red Hat is /etc/pki/tls/certs.
>
> So, in order to run curl, as suggested by the docs:
>
> 1. Use curl -k option.

+1

> 2. Convert cert to PEM format and use curl -cacert option.

If you want to go through that effort. If this will be used in a script
in production, then you /absolutely should/ do this.

> 3. Convert cert to PEM format, and add it to system wide CA bundle
> (ca-bundle.crt).

I wouldn't do #3, here. You don't want to modify the system-trusted
certificates for two reasons:

1) You'll forget why it works on this server but not on one that you
   build in 18 months
2) You don't want to modify the system-trusted certificates

-chris
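Option #2 from the thread (export the Tomcat certificate as PEM, hand it to curl with --cacert, leave the system bundle alone) as an added shell example; this is not code from the thread or from Tomcat. It assumes the Tomcat key pair sits in the default keytool keystore under the alias "tomcat" and that keytool, openssl and curl are installed; the paths and alias are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): trust one self-signed Tomcat
# certificate in curl via --cacert instead of disabling checks with -k.
# Assumptions (placeholders, not from the thread): keystore at
# $HOME/.keystore, alias "tomcat", server reachable as localhost:8443.
set -e

# Step 1: export the server certificate from the JKS keystore as PEM.
# -rfc makes keytool write Base64 PEM rather than binary DER, which is
# the format curl expects for --cacert.
export_tomcat_cert() {           # $1 keystore, $2 alias, $3 output PEM
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -file "$3"
}

# Step 2: sanity-check the PEM before using it: it must hold a
# certificate block, and the subject CN must equal the hostname curl
# will use, otherwise verification fails the same way the curl error
# text describes ("the name might not match the domain name in the URL").
pem_matches_host() {             # $1 PEM file, $2 expected hostname
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | grep -Eq "CN ?= ?$2(,|/|\$)"
}

# Step 3: curl verifies the server against just this file; the
# system-wide CA bundle (e.g. ca-bundle.crt) is not modified.
curl_with_cacert() {             # $1 PEM file, $2 URL
    curl --cacert "$1" "$2"
}

# Run the full procedure only when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    export_tomcat_cert "$HOME/.keystore" tomcat /tmp/tomcat.pem
    pem_matches_host /tmp/tomcat.pem localhost
    curl_with_cacert /tmp/tomcat.pem https://localhost:8443/
fi
```

If pem_matches_host fails, fix the certificate's CN (or the hostname in the URL) rather than reaching for -k.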