On 26/04/2012 15:51, Christopher Schultz wrote:
> Miguel,
>
> On 4/26/12 5:58 AM, Miguel González Castaños wrote:
>> On 26/04/2012 03:58, Christopher Schultz wrote:
>>> Miguel,
>>>
>>> On 4/25/12 6:24 PM, Miguel González Castaños wrote:
>>> Please post your SSL <Connector> configuration (cleansed of
>>> any passwords).
>> By the way, double-checking the info from my web browser, I get this
>> is a VeriSign Class 3 Secure Server G3.
> It looks like you were using the "EV" intermediate certificates
> before. This page[1] says that C3G3 certs are not frequently used
> except for client certificates... is that what you've got?
>
> [1] http://www.verisign.com/support/roots.html
>
>> I'm sorry, but I come from the Apache world and I'm pretty new to
>> Tomcat. Also, I have inherited this server and the configuration is
>> messy.
> When you use Java, you generally have to work with keystores. It's
> just a file full of keys and certificates. Think of a Java keystore as
> all of the following httpd directives mashed together into a single
> binary entity:
>
>    SSLCertificateKeyFile
>    SSLCertificateFile
>    SSLCertificateChainFile
>    SSLCACertificateFile
>
> Also, you have to use an "alias" that Tomcat uses (it's "tomcat") as
> the alias for the certificate to actually use for the server (as
> opposed to any other certificates you might have in the keystore).
>
>> Maybe I'm wrong, but should I add the CA cert somewhere in the SSL
>> connector?
> There's no place to do that: the whole chain must be in the keystore,
> including the CA root all the way down to your own certificate. You
> may be able to get away with not having the very top-root CA
> certificate... I haven't worked too much with Java keystores, so it's
> possible that there is a set of root, trusted certificates that are
> inherited by all keystores, but there are many ways to
> create/configure a ServerSocketFactory, so it's probably possible to
> set one up both with or without that globally-recognized set of root
> CA certs (i.e. those trusted by the JVM implicitly).
>
> If you are getting this error in JavaMelody, then you need to
> configure JavaMelody properly -- this isn't a Tomcat thing if web
> browsers can connect properly to Tomcat via HTTPS.
Thanks for your answers; they have led me (partly) to the solution.

I found some clues here:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=4164840&prodTypeId=18964&objectID=c03023432

I didn't have to add the certificate to the Tomcat keystore, but to the Java keystore of the JRE.

Now I get a JavaMelody error reporting that the app hasn't been configured to use JavaMelody, so no more SSL handshake errors.

Many thanks,

Miguel
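
An added worked example, not commands from either poster in this thread: it uses keytool to build the store Christopher describes (private key plus the whole chain under the alias "tomcat") and the two truststores behind Miguel's fix (one that holds the CA, one that does not), then validates the server certificate against each the way a JVM's PKIX path validation does for an outbound HTTPS connection. It assumes a JDK (keytool, javac, java) on PATH; the CA name, the host name and the password are made up for the demo.

```shell
#!/bin/sh
# Added example, not commands from the thread. Assumes a JDK (keytool, javac, java)
# on PATH; the CA name, host name and password are made up for the demo.
set -eu

PASS=changeit                         # assumption: Tomcat's default keystorePass/keyPass
KT="keytool -storetype JKS -storepass $PASS"

# Build in $1 the stores the thread talks about:
#   tomcat.jks    server keystore: private key + whole chain under the alias Tomcat looks for
#   trusted.jks   a truststore holding the CA (what Miguel had to add to the JRE's cacerts)
#   untrusted.jks a truststore holding only an unrelated CA (the state behind his handshake errors)
build_keystores() (
  cd "$1"
  # 1. A throw-away CA and an unrelated CA, both self-signed with BasicConstraints ca:true
  $KT -genkeypair -keystore ca.jks -keypass "$PASS" -alias ca -keyalg RSA -keysize 2048 \
      -validity 365 -dname "CN=Example Test CA" -ext bc:c
  $KT -genkeypair -keystore other.jks -keypass "$PASS" -alias other -keyalg RSA -keysize 2048 \
      -validity 365 -dname "CN=Unrelated CA" -ext bc:c
  $KT -exportcert -keystore ca.jks -alias ca -rfc -file ca.pem
  $KT -exportcert -keystore other.jks -alias other -rfc -file other.pem

  # 2. The server key pair under alias "tomcat", a CSR, and the CA-signed certificate
  $KT -genkeypair -keystore tomcat.jks -keypass "$PASS" -alias tomcat -keyalg RSA -keysize 2048 \
      -validity 365 -dname "CN=localhost"
  $KT -certreq -keystore tomcat.jks -keypass "$PASS" -alias tomcat -file tomcat.csr
  $KT -gencert -keystore ca.jks -keypass "$PASS" -alias ca -infile tomcat.csr -outfile tomcat.pem \
      -rfc -validity 365 -ext san=dns:localhost

  # 3. Order matters: import the CA as a trusted entry first, then the signed reply under
  #    "tomcat". keytool can then chain reply -> CA and stores the whole chain with the key,
  #    which is the SSLCertificateFile + SSLCertificateChainFile half of the httpd comparison.
  $KT -importcert -keystore tomcat.jks -alias ca -file ca.pem -noprompt
  $KT -importcert -keystore tomcat.jks -keypass "$PASS" -alias tomcat -file tomcat.pem -noprompt

  # 4. Client-side truststores, i.e. what a JVM consults for outbound HTTPS
  $KT -importcert -keystore trusted.jks -alias ca -file ca.pem -noprompt
  $KT -importcert -keystore untrusted.jks -alias other -file other.pem -noprompt
)

# Chain length keytool reports for an entry: 2 means server cert + CA, 1 means the reply
# was never installed and the entry still holds only the self-signed placeholder.
chain_length() {  # $1 keystore, $2 alias
  $KT -list -v -keystore "$1" -alias "$2" | sed -n 's/^ *Certificate chain length: //p'
}

# Validate a server certificate against a truststore the way the JVM's PKIX path
# validation does for an HTTPS client. Prints TRUSTED or UNTRUSTED.
check_trust() {  # $1 truststore, $2 server certificate (PEM)
  dir=$(mktemp -d)
  cat > "$dir/TrustCheck.java" <<'EOF'
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustCheck {
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server;
        try (FileInputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) cf.generateCertificate(in);
        }
        CertPath path = cf.generateCertPath(Collections.singletonList(server));
        try {
            PKIXParameters params = new PKIXParameters(trust); // anchors = the store's trusted certs
            params.setRevocationEnabled(false);                // offline demo: no CRL/OCSP
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("TRUSTED");
        } catch (GeneralSecurityException e) {   // e.g. "Path does not chain with any of the trust anchors"
            System.out.println("UNTRUSTED");
        }
    }
}
EOF
  javac -d "$dir" "$dir/TrustCheck.java"
  java -cp "$dir" TrustCheck "$1" "$PASS" "$2"
}

# sh keystores.sh demo   ->  chain length 2, TRUSTED, UNTRUSTED
if [ "${1:-}" = demo ]; then
  W=$(mktemp -d)
  build_keystores "$W"
  echo "tomcat alias chain length: $(chain_length "$W/tomcat.jks" tomcat)"
  echo "CA in truststore:          $(check_trust "$W/trusted.jks" "$W/tomcat.pem")"
  echo "CA not in truststore:      $(check_trust "$W/untrusted.jks" "$W/tomcat.pem")"
fi
```

On the Tomcat side the `<Connector>` in server.xml only names the server store (`keystoreFile`, `keystorePass`, and `keyAlias="tomcat"` if the alias differs from the default); there is indeed no attribute for the CA there. The client side (JavaMelody's own HTTPS connection in this thread) validates the server's chain against the JVM truststore: the JRE's lib/security/cacerts by default, or whatever `-Djavax.net.ssl.trustStore=...` and `-Djavax.net.ssl.trustStorePassword=...` point at. Editing cacerts works, as Miguel found, but that file is shared by every application on the JVM and is replaced on a JRE upgrade, so a separate truststore passed through those system properties is easier to keep track of.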


