On 13 January 2015 at 18:20, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Alexandre,
>
> On 1/13/15 2:41 PM, Alexandre Lima wrote:
> > On 13 January 2015 at 16:11, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Alexandre,
> >
> > On 1/13/15 1:37 PM, Alexandre Lima wrote:
> >>>> Hello! This is the first time I'm using tomcat, so I'm a
> >>>> little bit lost...
> >
> > Welcome! Configuring SSL always turns out to be a pain in the
> > neck.
> >
> >>>> Using the tutorials, I could make the server and the
> >>>> application I want to run with it work. The only modification
> >>>> I did until now was changing the http port from 8080 to 80, I
> >>>> did that changing the http connector on servers.xml, enabling
> >>>> authbind and executing the following commands:
> >>>>
> >>>> sudo touch /etc/authbind/byport/80
> >>>> sudo chmod 500 /etc/authbind/byport/80
> >>>> sudo chown tomcat7 /etc/authbind/byport/80
> >>>>
> >>>> So, the server and the application I want to use with it are
> >>>> actually working on port 80
> >
> > You've confirmed this? I've never used authbind before, so I just
> > wanted to make sure that you have Tomcat working properly with
> > non-SSL before you try to add SSL.
> >
> >>>> , but the next and last step, which is enabling an SSL
> >>>> connection, isn't working.
> >>>>
> >>>> What I did following the site's tutorial was: created my
> >>>> self signed certificate with keytools and put it on
> >>>> /home/myuser/key.keystore
> >
> > Can you outline the steps you took? Where is your keystore?
> >
> >>>> Additionally, I've created the following connector:
> >>>>
> >>>> <Connector port="8443"
> >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>> SSLEnabled="true" maxThreads="200" scheme="https"
> >>>> secure="true" keystoreFile="/home/myuser/key.keystore"
> >>>> keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
> >>>> />
> >
> > That looks good so far.
> >
> >>>> Saved it, restarted server and accessed https://myip:8443,
> >>>> but it isn't working. Chrome says "No data received" and
> >>>> "Unable to load the webpage because the server sent no data"
> >>>> and "Error code: ERR_EMPTY_RESPONSE".
> >>>>
> >>>> Firefox says that the connection was reset while the page was
> >>>> being loaded.
> >>>>
> >>>> That's where I am now. I don't know what to try anymore.
> >
> > Try:
> >
> > $ telnet localhost 8443
> >
> > (on the server with Tomcat running)
> >
> > That will tell you if the port is open (it should be, otherwise
> > you'd be getting different errors from Chrome and ff) and what, if
> > anything, gets dumped to it when you connect.
> >
> > If you get a connection and nothing happens, try submitting a
> > request like this:
> >
> > $ telnet localhost 8443
> > GET /
> >
> > [output goes here]
> >
> > Post the results of the above if you get anything.
> >
> > Dumb question: you restarted Tomcat after updating server.xml,
> > right?
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> > Thank you for the reply Christopher! I've used the command:
> >
> > keytool -genkey -alias tomcat -keyalg RSA -keystore /home/myuser/key.keystore
> >
> > to generate the keystore. Should I put the keystore in some special
> > directory, or is this one fine? So, after requesting:
> >
> > telnet localhost 8443
> >
> > I got some strange stuff:
> >
> > ~$ telnet localhost 8443
> > Trying ::1...
> > Connected to localhost.
> > Escape character is '^]'.
> > GET /
> > ^U^C^A^@^B^B
> >
> >
> >
> > And yes, I've restarted it :)
>
> Good. Now, try this:
>
> $ openssl s_client -debug -connect localhost:8443
>
> Assuming that the server is running and listening for SSL connections,
> s_client should be able to connect, and it should give you tons of
> good information about what's happening, there.
>
> -chris
>
Hello Chris!
I've tried the command you suggested and the most important thing I found
was this:

subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
    Session-ID-ctx:
    Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1421259101
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)

SysAid is the application I'm running under tomcat.
Does it mean that SysAid is a server behind tomcat? And so I would have to
configure the connection in it?
That's strange. I would like to hear your opinion.

-- 
--
Alexandre Lima
