Olivier,
On 3/14/23 10:07, Olivier Studer wrote:
I use Tomcat 9. I have configured server.xml as follows to use a signed
certificate.
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
SSLCertificateFile="/app/config/certs/wildcard.unifr.ch.crt"
SSLCertificateKeyFile="/app/config/certs/wildcard.unifr.ch.key"
SSLCACertificateFile="/app/config/certs/DigiCertCA.crt"
SSLVerifyClient="none"
sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
URIEncoding="UTF-8"
/>
But I get an error from the openssl command I use to check that it is
correctly configured.
Command and output:
echo | openssl s_client -showcerts -connect server.unifr.ch:8443 |head -1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify return:1
DONE
CONNECTED(00000003)
This looks okay to me: your server is returning a certificate for *.unifr.ch
The openssl client is telling you that openssl doesn't trust that
certificate, probably because it's not in the client host's list of
trusted certificates.
You probably need to supply a "chain" file which shows openssl that one
of its trusted certificates (e.g. from a Certificate Authority) trusts
an intermediate certificate which in turn trusts the *.unifr.ch certificate.
-chris
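The chain problem Chris describes, reproduced offline as an added example (this is not code from the thread or from Tomcat): a throwaway root, intermediate and wildcard leaf are minted with the openssl CLI, verifying the leaf on its own produces the same "unable to get local issuer certificate" (error 20) the reporter saw, and verifying with the intermediate supplied as a chain file succeeds. The CA names, the `*.example.test` subject and the temporary paths are constructed; the only assumption is that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce openssl's "error 20" with a
# constructed root -> intermediate -> leaf chain, then show that handing the
# verifier the intermediate (what a chain file provides) fixes it.
# Assumes the openssl CLI is on PATH; every name and subject here is constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Mint a private root CA, an intermediate signed by it, and a wildcard leaf
# signed by the intermediate (same shape as public CA -> intermediate -> *.unifr.ch).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  # An intermediate must carry CA:TRUE or verify will refuse to use it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Classify an `openssl verify` result by the same message the thread shows.
classify() {
  case "$1" in
    *"unable to get local issuer certificate"*) echo "error 20 (no intermediate available)" ;;
    *": OK"*) echo "OK" ;;
    *) echo "other: $1" ;;
  esac
}

# What a server configured with only the leaf effectively does: present the
# leaf and nothing that links it to a trusted root.
verify_leaf_alone() {
  out=$(openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1) || true
  classify "$out"
}

# The chain file: the intermediate(s), leaf excluded, root optional.
build_chain_file() {
  cat "$WORK/inter.crt" > "$WORK/chain.crt"
}

# The fix: the chain file is handed to the verifier as "untrusted" material it
# may use to link the leaf up to the root it already trusts.
verify_with_chain() {
  build_chain_file
  out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" \
        "$WORK/leaf.crt" 2>&1) || true
  classify "$out"
}

# Sanity check before deploying a chain file: the leaf's issuer DN must equal
# the intermediate's subject DN, otherwise the chain cannot link.
leaf_issuer_matches_chain() {
  build_chain_file
  issuer=$(openssl x509 -noout -issuer -in "$WORK/leaf.crt" | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -in "$WORK/chain.crt" | sed 's/^subject=//')
  if [ "$issuer" = "$subject" ]; then echo match; else echo "mismatch: $issuer != $subject"; fi
}

make_chain
echo "leaf only     : $(verify_leaf_alone)"
echo "with chain    : $(verify_with_chain)"
echo "issuer/subject: $(leaf_issuer_matches_chain)"
```

`openssl verify -untrusted` stands in here for what `s_client` receives from the server during the handshake. On the Tomcat side the equivalent is pointing the APR connector's `SSLCertificateChainFile` attribute (or `certificateChainFile` on a `<Certificate>` inside `<SSLHostConfig>`) at a file holding the intermediate, then re-running the reporter's `openssl s_client -showcerts` command: it should print two certificates, and the verify errors 20 and 21 disappear once the root is in the client's trust store.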
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org