On 14 January 2015 at 15:59, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Alexandre,
>
> On 1/14/15 1:18 PM, Alexandre Lima wrote:
>> On 13 January 2015 at 18:20, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> Alexandre,
>>>
>>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
>>>> On 13 January 2015 at 16:11, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>>>> Alexandre,
>>>>>
>>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>>>> Hello! This is the first time I'm using tomcat, so I'm a little bit lost...
>>>>>
>>>>> Welcome! Configuring SSL always turns out to be a pain in the neck.
>>>>>
>>>>>> Using the tutorials, I could make the server and the application I want to run with it work. The only modification I did until now was changing the http port from 8080 to 80. I did that changing the http connector on servers.xml, enabling authbind and executing the following commands:
>>>>>>
>>>>>> sudo touch /etc/authbind/byport/80
>>>>>> sudo chmod 500 /etc/authbind/byport/80
>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>>>>
>>>>>> So, the server and the application I want to use with it are actually working on port 80
>>>>>
>>>>> You've confirmed this? I've never used authbind before, so I just wanted to make sure that you have Tomcat working properly with non-SSL before you try to add SSL.
>>>>>
>>>>>> , but the next and last step, which is enabling an SSL connection, isn't working.
>>>>>>
>>>>>> What I did following the site's tutorial was: created my self-signed certificate with keytools and put it on /home/myuser/key.keystore
>>>>>
>>>>> Can you outline the steps you took? Where is your keystore?
>>>>>
>>>>>> Additionally, I've created the following connector:
>>>>>>
>>>>>> <Connector port="8443"
>>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>            SSLEnabled="true" maxThreads="200" scheme="https"
>>>>>>            secure="true" keystoreFile="/home/myuser/key.keystore"
>>>>>>            keystorePass="mypass" clientAuth="false"
>>>>>>            sslProtocol="TLS" />
>>>>>
>>>>> That looks good so far.
>>>>>
>>>>>> Saved it, restarted server and accessed https://myip:8443, but it isn't working. Chrome says "No data received" and "Unable to load the webpage because the server sent no data" and "Error code: ERR_EMPTY_RESPONSE".
>>>>>>
>>>>>> Firefox says that the connection was reset while the page was being loaded.
>>>>>>
>>>>>> That's where I am now. I don't know what to try anymore.
>>>>>
>>>>> Try:
>>>>>
>>>>> $ telnet localhost 8443
>>>>>
>>>>> (on the server with Tomcat running)
>>>>>
>>>>> That will tell you if the port is open (it should be, otherwise you'd be getting different errors from Chrome and ff) and what, if anything, gets dumped to it when you connect.
>>>>>
>>>>> If you get a connection and nothing happens, try submitting a request like this:
>>>>>
>>>>> $ telnet localhost 8443
>>>>> GET /
>>>>>
>>>>> [output goes here]
>>>>>
>>>>> Post the results of the above if you get anything.
>>>>>
>>>>> Dumb question: you restarted Tomcat after updating server.xml, right?
>>>>>
>>>>> -chris
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>> Thank you for the reply Christopher!
>>>>
>>>> I've used the command:
>>>>
>>>> keytool -genkey -alias tomcat -keyalg RSA -keystore /home/myuser/key.keystore
>>>>
>>>> to generate the keystore. I should put the keystore in some special directory or this one is fine? So, after, requesting:
>>>>
>>>> telnet localhost 8443
>>>>
>>>> I got some strange stuff:
>>>>
>>>> ~$ telnet localhost 8443
>>>> Trying ::1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> GET /
>>>> ^U^C^A^@^B^B
>>>>
>>>> And yes, I've restarted it :)
>>>
>>> Good. Now, try this:
>>>
>>> $ openssl s_client -debug -connect localhost:8443
>>>
>>> Assuming that the server is running and listening for SSL connections, s_client should be able to connect, and it should give you tons of good information about what's happening, there.
>>>
>>> -chris
>>
>> Hello Chris!
>>
>> I've tried the command you suggested and the most important thing I found was this:
>>
>> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1073 bytes and written 555 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-SHA384
>>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>>     Session-ID-ctx:
>>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1421259101
>>     Timeout   : 300 (sec)
>>     Verify return code: 10 (certificate has expired)
>>
>> SysAid is the application I'm running under tomcat. Does it mean that SysAid is a server behind tomcat? And so I would have to configure the connection in it? That's strange. I would like to hear your opinion.
>
> Well, the subject and issuer look a little strange, but that may be just because you configured them that way (when keytool asked you all those questions).
>
> Generally speaking, when keytool asks you for your "first and last name", it really means your "common name" which for nearly everybody is actually the DNS name of the server (e.g. www.mysite.com).
>
> If you list the contents of your keystore, what's in there?
>
> $ keytool -list -keystore path/to/keystore
>
> -chris

I actually didn't configure it that way! I didn't put "sysaid" anywhere when I was making the keystore. That's why I think that my application (SysAid) created that keystore shown, otherwise there wouldn't be "O=SysAid"... That's really strange... I think I'm gonna ask this on SysAid forums. It's really giving me a headache.

--
Alexandre Lima
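The thread's diagnostic step is reading the `openssl s_client` summary by eye. The following script is an added example, not code from the thread or from Tomcat or SysAid: it parses that summary and reports the things a reviewer would flag in the output quoted above (subject equal to issuer, a CN that is not the server's DNS name, a 1024-bit key, a non-zero verify code), and it compares the certificate's Organization against the value you typed at keytool's prompt, which is exactly the clue that made the served certificate look like one the application shipped rather than the freshly generated keystore. The sample input is the thread's own s_client output with the session secrets left out; `parse_s_client`, `assess`, the hostname `www.mysite.com` (Chris's placeholder) and the organization `MyOrg` are all assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the `openssl s_client -connect localhost:8443`
# summary quoted in the thread. Session-ID and Master-Key are omitted; they are
# session secrets, not certificate facts, and nothing below needs them.
SAMPLE_S_CLIENT_OUTPUT = """\
subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Start Time: 1421259101
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
"""


def parse_dn(dn):
    """Turn OpenSSL's slash-separated DN ('/C=Unknown/O=SysAid/CN=Unknown')
    into a dict keyed by attribute type (hypothetical helper)."""
    parts = dn.strip().strip("/").split("/")
    return dict(part.split("=", 1) for part in parts if "=" in part)


def parse_s_client(text):
    """Extract the certificate facts worth reviewing from s_client's
    human-readable summary (hypothetical helper)."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            info["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            info["issuer"] = parse_dn(line[len("issuer="):])
        m = re.match(r"Server public key is (\d+) bit", line)
        if m:
            info["key_bits"] = int(m.group(1))
        m = re.match(r"Verify return code: (\d+) \((.*)\)", line)
        if m:
            info["verify_code"] = int(m.group(1))
            info["verify_reason"] = m.group(2)
        m = re.match(r"Protocol\s*:\s*(\S+)", line)
        if m:
            info["protocol"] = m.group(1)
    return info


def assess(info, expected_hostname, expected_org, min_key_bits=2048):
    """Return a list of findings for the served certificate.

    expected_org is the Organization you answered at keytool's prompt; if the
    served certificate carries a different O, the connector is not serving the
    keystore you generated (the situation in the thread)."""
    findings = []
    subject = info.get("subject", {})
    issuer = info.get("issuer", {})
    if subject and subject == issuer:
        findings.append("self-signed: subject and issuer are identical")
    cn = subject.get("CN")
    if cn != expected_hostname:
        findings.append(f"CN {cn!r} is not the hostname clients will use ({expected_hostname!r})")
    org = subject.get("O")
    if org != expected_org:
        findings.append(f"O={org!r} differs from the keystore you generated (O={expected_org!r}); "
                        "check which keystoreFile the connector actually loads")
    bits = info.get("key_bits", 0)
    if bits < min_key_bits:
        findings.append(f"{bits}-bit server key is below the {min_key_bits}-bit minimum")
    if info.get("verify_code", 0) != 0:
        findings.append(f"verification failed: code {info['verify_code']} "
                        f"({info.get('verify_reason', 'no reason given')})")
    return findings


if __name__ == "__main__":
    facts = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    for finding in assess(facts, expected_hostname="www.mysite.com", expected_org="MyOrg"):
        print("-", finding)
```

Against a live server, feed it the output of `openssl s_client -connect host:8443 -servername host </dev/null`; the `-servername` is what a browser sends, so it exercises the same certificate selection. When the O or CN finding fires, run Chris's `keytool -list -keystore path/to/keystore` on the file named in `keystoreFile` and compare: if the keystore's certificate and the served one differ, Tomcat is loading a different keystore (or a different connector) than the one you edited.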