Rob,

On 6/2/22 01:13, Rob Sargent wrote:
This part always confuses me

I supply the trust and key store files on the command line and I see the SAN for the tomcat server IP (in ObjectId #3). I try to connect to tomcat by host-IP and port.  Here's the text of the keystore sent in.

    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: sgsagent
    Creation date: Jun 2, 2022
    Entry type: trustedCertEntry

    Owner: EMAILADDRESS=rob.sarg...@utah.edu, CN=ip-10-0-2-118.us-west-2.compute.internal, OU=PPR, O=University of Utah, L=Salt Lake City, ST=UT, C=US
    Issuer: EMAILADDRESS=rob.sarg...@utah.edu, CN=ip-10-0-2-118.us-west-2.compute.internal, OU=PPR, O=University of Utah, L=Salt Lake City, ST=UT, C=US
    Serial number: 2f543ea5b1ce847034a34dfb4d26ecbdac1959d5
    Valid from: Thu Jun 02 03:12:01 UTC 2022 until: Sat Jul 02 03:12:01 UTC 2022
    Certificate fingerprints:
              SHA1: 61:92:93:E7:A1:05:85:ED:66:6F:BC:6C:76:7E:CA:E8:7F:A7:0D:93
              SHA256: 23:85:E4:85:08:93:B1:4C:D7:40:47:E7:EF:3F:8F:5F:FC:FA:CA:57:0F:B1:4C:A8:3F:25:AE:D7:98:0C:4B:28
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: F4 FC 13 D9 FC 1C C1 A0   DB 0A 81 28 C0 EF DC FF ...........(....
    0010: 28 64 81 BE                                        (d..
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
       CA:true
       PathLen: no limit
    ]

    #3: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
       IPAddress: 10.0.2.118
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: F4 FC 13 D9 FC 1C C1 A0   DB 0A 81 28 C0 EF DC FF ...........(....
    0010: 28 64 81 BE                                        (d..
    ]
    ]

but I get

    javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.0.2.118 found
             at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:578)
             at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:123)
             at edu.utah.camplab.sgs.AbstractSGSRun.canConnect(AbstractSGSRun.java:386)
             at edu.utah.camplab.sgs.AbstractSGSRun.init(AbstractSGSRun.java:296)
             at edu.utah.camplab.sgs.AbstractSGSOptions.init(AbstractSGSOptions.java:37)
             at edu.utah.camplab.sgs.SGSChase.init(SGSChase.java:76)
             at edu.utah.camplab.sgs.SGSChase.init(SGSChase.java:85)
             at edu.utah.camplab.app.SGSPValue.<init>(SGSPValue.java:68)
             at edu.utah.camplab.app.SGSPValue.main(SGSPValue.java:27)
    Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.0.2.118 found

Then comes my summary log:

    03:52:04.752 [main] ERROR edu.utah.camplab.sgs.AbstractSGSRun - cannot get to saver, trying 10.0.2.118:15002
    Could not establish connection to 10.0.2.118:15002
    from
     import java.io.IOException;
     import java.net.URI;
     import java.net.http.HttpRequest;
     import java.net.http.HttpResponse;

     if (! canConnect() ) {
       logger.error("cannot get to saver, trying {}:{}", getAccumulationHost(), getAccumulationPort());
       throw new RuntimeException(String.format("Could not establish connection to %s:%d",
           getAccumulationHost(), getAccumulationPort()));
     }

   protected boolean canConnect() {
     boolean retval = false;
     String weburl = String.format("https://%s:%d", getAccumulationHost(), getAccumulationPort());

     try {
       HttpRequest request = HttpRequest.newBuilder()
         .header("dbrole", getProjectName())
         .header("dbname", getDbName())
         .header("dbhost", System.getProperty("SGSSRVR_databaseHost", "localhost"))
         .uri(URI.create(weburl + "/sgs/webmonitor"))
         .build();
       HttpResponse<String> response = getHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
       retval = response.statusCode() == 200;
     }
     catch (IOException | InterruptedException ie) {
       // SSLHandshakeException is an IOException, so a failed hostname check lands here
       retval = false;
       ie.printStackTrace();
     }
     return retval;
   }


I had this overall configuration working until I 'terminated' the AWS server instance and am trying to rebuild.

Could a lack of network connectivity between client and server present this same symptom?

Hmm. Your SAN looks okay to me. Are you 100% sure you have that certificate configured in Tomcat? Are you using some other component in front of Tomcat? You should be able to connect using:

$ openssl s_client -showcerts -connect 10.0.2.118:443

This will dump the certificate actually presented by the server. You can copy/paste that into:

$ openssl x509 -text

and get the details to make sure the SAN appears there.

-chris
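As an added illustration that is not part of either message: a small Python model of the endpoint check a TLS client performs, which is what produces the "No subject alternative names matching IP address" error. A target given as an IP literal must equal an IPAddress SAN entry, a hostname must match a DNSName entry, and the subject CN is never consulted. The input is the SAN block from the keytool dump above, with a constructed DNSName entry (not in the original dump) added so the DNS path is exercised too.

```python
import ipaddress
import re

# Constructed sample: the SAN block from the keytool dump in Rob's message, with a
# DNSName entry added (not in the original dump) so the DNS path can be shown too.
KEYTOOL_DUMP = """\
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
   IPAddress: 10.0.2.118
   DNSName: ip-10-0-2-118.us-west-2.compute.internal
]
"""


def parse_san(dump):
    """Return (kind, value) pairs from a keytool SubjectAlternativeName block."""
    block = re.search(r"SubjectAlternativeName \[(.*?)\]", dump, re.S)
    if not block:
        return []  # no SAN block found in this dump
    entries = []
    for line in block.group(1).splitlines():
        if ":" in line:
            kind, value = line.strip().split(":", 1)  # IPv6 values keep their colons
            entries.append((kind.strip(), value.strip()))
    return entries


def san_matches(target, entries):
    """IP literal must equal an IPAddress entry; a hostname must match a DNSName
    entry (case-insensitive, single-label wildcard). The CN is ignored."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # keytool prints well-formed addresses, so each IPAddress value parses
        return any(kind == "IPAddress" and ipaddress.ip_address(value) == ip
                   for kind, value in entries)
    host = target.lower().rstrip(".")
    for kind, value in entries:
        if kind != "DNSName":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # "*.example.com" matches exactly one extra label on the left
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False
```

Fed the trust-store copy it confirms Chris's reading that 10.0.2.118 does match; running the same check against the SAN of the certificate `openssl s_client` actually returns is what tells you whether the server is presenting a different one.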
