Christoph,
On 6/6/24 08:33, Christoph Kukulies wrote:
I have the following configuration:
HAPROXY  TOMCAT9  https://cms.site.org/ ==> https://cms.site.org:8443/
Haproxy is passing the https-request through to tomcat.
So far the request seems to arrive on the tomcat side but a secure
connection can't be established since the
certificate information is missing.
I looked at the server.xml config file, especially into the section:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
This will use the file $CATALINA_BASE/conf/localhost-rsa.jks for your
key and certificate. Can you confirm that file contains both the key and
the certificate? If you use "keytool -list -keystore
conf/localhost-rsa.jks" it should show that you have a PrivateKeyEntry.
It's a stupid name for "private key AND certificate" instead of
"certificate without key".
Please also confirm there is only a single PrivateKeyEntry in there.
I can supply the information where the site.cer and priv.key are located
but which protocol to use and what else parameters are required
is a closed book to me. Could anyone help?
What you have above should "work" but it's possible haproxy wants to
trust the origin (Tomcat) server and so it needs the certificate from
your Tomcat server.
Do you get some kind of error (from haproxy) when trying to connect to
Tomcat? If so, please post the error.
To extract the cert from the keystore (to give to haproxy for trusting),
do "keytool -exportcert -keystore conf/localhost-rsa.jks -rfc -alias
[name of cert]". The "name of cert" can be seen when you do the "-list"
above. It might just be called "mykey" if you didn't give it a name when
you imported/created the keystore.
Some unsolicited advice:
1. Use a full-path for the certificateKeystoreFile so everyone reading
the file knows *exactly* where the file is.
2. Use a PKCS12 file instead of JKS. You can use "keytool
-importkeystore -deststoretype PKCS12" and other options to convert.
PKCS12 is a standard and JKS is a weird Java-only thing. Better yet, use
text-based PEM files and the certificateFile and
certificateKeystoreFile configuration attributes on <Certificate>. You
can even put both the key and the cert into the certificateFile and save
yourself some work. The documentation says this is "NOT RECOMMENDED" but
I'm not sure why. I don't see any security impact in keeping the key and
cert in the same file.
3. You should probably set proxyPort and proxyName on the <Connector>.
When Tomcat or your application generates URLs dynamically, it will call
HttpServletRequest.getServerName and getServerPort to figure out what the
server's name is. Without these two settings, it will probably generate
"https://cms.site.com:8443/" which probably won't work for your visitors.
Hope that helps,
-chris
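To make the "exactly one PrivateKeyEntry" check above mechanical, here is an added shell example (not from this thread, nor Tomcat's or keytool's own code): it parses `keytool -list` output, counts PrivateKeyEntry rows, and builds the `-exportcert` command with the alias it finds. The two listings are constructed samples; real keytool output varies with locale and version.

```shell
#!/bin/sh
# Constructed sample: a keystore with one key+cert pair (PrivateKeyEntry)
# and one trusted CA cert (trustedCertEntry). Not real keytool output.
SAMPLE_OK='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Jun 6, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
ca-root, Jun 6, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Constructed sample of the failure mode in the thread: only a certificate was
# imported, so there is no private key and Tomcat cannot complete a TLS handshake.
SAMPLE_CERT_ONLY='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

site, Jun 6, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Print the alias of every PrivateKeyEntry in a keytool -list listing ($1), one per line.
# Entry lines look like "<alias>, <date>, <EntryType>,"; the alias is the first field.
private_key_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Print how many PrivateKeyEntry rows the listing ($1) contains (0 if none).
count_private_keys() {
    printf '%s\n' "$1" | awk '/PrivateKeyEntry/ { n++ } END { print n + 0 }'
}

# Succeed only when the listing ($1) has exactly one key+cert pair,
# which is what the <Certificate> element above expects to find.
check_single_private_key() {
    [ "$(count_private_keys "$1")" -eq 1 ]
}

# Build the export command from the reply, filling in the alias from the listing ($1)
# and the keystore path ($2), so the cert can be handed to haproxy for trust.
export_command() {
    key_alias=$(private_key_aliases "$1" | head -n 1)
    printf 'keytool -exportcert -keystore %s -rfc -alias %s\n' "$2" "$key_alias"
}
```

Run the real listing through it with `keytool -list -keystore conf/localhost-rsa.jks | { read -r; }` style capture, or simply `check_single_private_key "$(keytool -list -keystore conf/localhost-rsa.jks)"`.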