On 09/10/17 18:48, John Ellis wrote:
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Monday, October 9, 2017 12:33 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat SSL issue
> 
> On 09/10/17 16:01, John Ellis wrote:
>> I posted questions about this a couple of weeks ago I think it was. I 
>> have been trying to get Tomcat running on a secure port with a valid 
>> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
>> on port
>> 9443 and I can go to that IP:port and get a Tomcat webpage but when I 
>> go through all the steps using the keytool commands to submit a 
>> certificate (we use Cacert.org) and try to plug that certificate into 
>> the mix it doesn’t work. I still get an error message telling me that 
>> I will have to create an exception to go to that IP address and port. 
>> Last Friday I even deleted the certificate and all the keystore file, 
>> etc. and got the same exact error. So it appears that Tomcat is not 
>> seeing the certificate at all since I get the same error about having 
>> to add an exception whether or not I have a valid certificate in place on
>> the server.
> 
> If you get that error then Tomcat has the certificate but the client doesn't
> trust it. You need to check if:
> 
> - Tomcat is supplying the full certificate chain
> - If the client trusts the issuing CA
> 
> Mark
> 
> OK Mark, can you explain to me why we get the same exact error condition with
> no certificate in place at all as when we provide a certificate?

That isn't possible. If no certificate is provided, Tomcat won't even
open the port.

I think you are going to need to provide more details about exactly how
things are configured, how you are testing it and the log messages
Tomcat provides when started (note you have to restart Tomcat after
changing the connector configuration - or anything in server.xml).

Mark


> I'm not arguing; that just doesn't make any sense to me, but as I said before,
> I am not a programmer or developer or anything like that.
> Thanks,
> John 
> 
>>
>> The lines we added to the server.xml file to get the secure port
>> working are-
>>
>> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            clientAuth="false" sslProtocol="TLS"
>>            keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
>>            keystorePass="changeit" />
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
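
The cases raised in this thread (no listener on the port, a certificate the client does not trust, an incomplete chain) can be told apart from the client side. The probe below is an added example, not part of the original thread or of Tomcat; the function names, result labels and the `cafile` parameter are assumptions of this example, and the numeric codes are OpenSSL's X.509 verify error codes.

```python
import socket
import ssl

# OpenSSL X.509 verify codes grouped by the check they point to.
# The grouping and the labels are this example's own, not Tomcat's.
CHAIN_OR_TRUST = {2, 18, 19, 20, 21}   # issuer missing / self-signed / unknown CA
NAME_MISMATCH = {62, 64}               # hostname or IP address not in the certificate


def classify(exc):
    """Turn a connection error into a statement about the connector."""
    if isinstance(exc, ConnectionRefusedError):
        # Nothing is listening: the connector did not start at all.
        return "port-closed"
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code in CHAIN_OR_TRUST:
            # A certificate was served, but the chain is incomplete or the
            # issuing CA is not in the client's trust store.
            return "untrusted-chain"
        if code in NAME_MISMATCH:
            return "name-mismatch"
        return "cert-invalid"          # expired, wrong purpose, and so on
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # e.g. the port speaks plain HTTP
    return "network-error"


def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with full verification; return (label, detail).

    cafile: optional PEM file holding the issuing CA's root, to test the
    served chain independently of the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "trusted", tls.version()
    except OSError as exc:
        return classify(exc), str(exc)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the server's IP.
    print(probe("192.0.2.10", 9443))
```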