Rob,
On 6/2/22 13:43, Rob Sargent wrote:
I had this overall configuration working until I 'terminated' the AWS
server instance and am trying to rebuild.
Could a lack of network connectivity between client and server
present this same symptom?
Hmm. Your SAN looks okay to me. Are you 100% sure you have that
certificate configured in Tomcat? Are you using some other component
in front of Tomcat? You should be able to connect using:
$ openssl s_client -showcerts -connect 10.0.2.118:443
This will dump the certificate actually presented by the server. You
can copy/paste that into:
$ openssl x509 -text
and get the details to make sure the SAN appears there.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
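The two openssl steps Chris describes, scripted so the presented leaf certificate's SAN is checked against the host you actually connect to (an IP in the URL must match an "IP Address" entry, not a DNS entry with the same text). This is an added example, not code from the thread; it assumes the `openssl` CLI is on PATH and parses the text form of `openssl x509 -noout -text`.

```python
"""Fetch the leaf certificate a TLS endpoint presents via openssl s_client
and check whether its subjectAltName covers the host being connected to."""
import ipaddress
import subprocess

def parse_san(x509_text):
    """Pull SAN entries out of 'openssl x509 -noout -text' output as
    (kind, value) pairs, e.g. ('IP Address', '10.0.2.118'), ('DNS', 'sgs.example.org')."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if 'Subject Alternative Name' in line and i + 1 < len(lines):
            entries = lines[i + 1].strip().split(', ')
            return [tuple(e.split(':', 1)) for e in entries if ':' in e]
    return []

def san_covers(san, host):
    """An IP host matches only an 'IP Address' entry; a DNS name matches a
    'DNS' entry exactly or via a single-label '*.' wildcard."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == 'IP Address' and ipaddress.ip_address(value) == ip:
                return True
        elif kind == 'DNS':
            name, pattern = host.lower(), value.lower()
            if pattern == name:
                return True
            if (pattern.startswith('*.') and name.count('.') == pattern.count('.')
                    and name.endswith(pattern[1:])):
                return True
    return False

def presented_cert_text(host, port):
    """Run 's_client -showcerts' (stdin closed so it exits) and feed the first
    PEM block, the server's own certificate, through 'x509 -noout -text'."""
    chain = subprocess.run(
        ['openssl', 's_client', '-showcerts', '-connect', f'{host}:{port}'],
        input=b'', capture_output=True, timeout=15).stdout
    return subprocess.run(['openssl', 'x509', '-noout', '-text'],
                          input=chain, capture_output=True, check=True).stdout.decode()

def check_endpoint(host, port=443):
    """Return the SAN entries seen on the wire and whether they cover `host`."""
    san = parse_san(presented_cert_text(host, port))
    return san, san_covers(san, host)

if __name__ == '__main__':
    import sys
    print(check_endpoint(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```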
Thanks Chris, given your vote of confidence I realized I had not updated
the keystore file with my recently regenerated cert.
Also forgot to mention this is Tomcat 9.0.63 embedded in my app, running
Java 17 (Corretto) at AWS.
But I think I'm going backwards.
My actual java command is pretty much this:
java -Djavax.net.ssl.keyStore=/ppr/certs/sgstrust.p12
-Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=p1
-Djavax.net.ssl.trustStore=/ppr/certs/fullca.p12
-Djavax.net.ssl.trustStoreType=PKCS12
-Djavax.net.ssl.trustStorePassword=p2
--oper=1 --seg=id --json-dir=/ppr/report --acc=10.0.2.118:15002
--dbn={dbn} --eff={dbu} -env=AWS
Does that launch your Tomcat JVM or your client? (Or both?)
I add my cert to the truststore.
Which one? Are you using client certs for mutual-TLS or just plain-old
"I only need to trust the server" checking?
If it's vanilla, then you need:
1. Key + cert in the key store used by the Tomcat <Connector>
2. cert in the trust store used by the client (optional if it's signed
by a trusted CA)
Remember if your key store from #1 has more than one cert+key in it,
Tomcat will choose the first one (which is basically a crap-shoot, given
the API) unless you specify the alias of the one to use. I think it's
best to have only a single key+cert in each keystore (unless it's
multiple flavors of the same thing, like RSA and ECDSA for the same
server). That way you don't get confused by "too much stuff".
Do I need both trust and key stores on the
command line? sgstrust.p12 is made by converting the x509 key/cert.
fullca.p12 has the world's CA certs plus mine.
But now I'm hitting
java.net.ConnectException
Probably not running?
-chris