How to configure Tomcat 7 with SSL on Ubuntu 14 - the unanswered questions


There are hundreds of guides on installing SSL on Tomcat, but none of the ones I can find answer these key questions.

There are 2 ways to install SSL: 1 is keytool, the other is to put the cert files on the fs and point server.xml at these files (not using keytool).

Here are the questions; I would be grateful if anyone knows the answers:

  1. Is there any advantage to using the more complex keytool, vs putting the certs on the fs, e.g. in /etc/ssl?
  2. If using keytool, you have to supply "-keystore xxx.jks". Where should xxx.jks be located, e.g. /root, /home/tomcat7, /etc or /var/lib/tomcat7? I found 1 guide that said how to set up the keystore, and it said to put it in the tomcat dir, which seems mad as when you upgrade tomcat you lose the certs, but if it is a hard requirement we can do it.
  3. If using keytool, which user should use the tool to import the cert, tomcat7 or root?
  4. The only available examples show how to import the cert into the keystore that was used to generate the original CSR. We didn't use it to generate the CSR (we were given the certs by a 3rd party). Does this mean we can't use the keystore, or do we need to generate a dummy CSR first?

We don't know which CA was used to issue the cert, so we can't look there for answers. We have 3 files: gd_bundle-g2-g1.crt, our.crt and our.key

We use Java 7.

----- update 1 ------

Having received advice that we can't use keytool with our existing key/crt files (issued by Go Daddy, I think), I tried the old way of putting the key/certs right in server.xml, which used to work with older versions of tomcat:

We get the error:

java.io.FileNotFoundException: /usr/share/tomcat7/.keystore (No such file or directory)

---- update 2 -----

We found this post which showed how to use existing certs with tomcat:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out our.p12 -name tomcat -CAfile myca.crt -caname root -chain

Then edit server.xml:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreType="PKCS12"
           keystoreFile="/etc/ssl/our.p12" keystorePass=""
           clientAuth="false" sslProtocol="TLS" />

However, this brings up a message in catalina.out:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.net.SocketException: No such file or directory

----- update 3 -----

So I don't know why 443 fails (port 80 works, and nothing else is on 443, and we're starting as root), but if I change it to 8443, tomcat starts with no errors (hooray!), but when I navigate to www.oursite.com/ourwebapp:8443 I get a 404. If I try https://www.oursite.com/ourwebapp:8443 I get "This web page is not available" in Chrome.

netstat -a

shows it listening on port 8443 (and 80, nothing on 443)

Any ideas?
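An added worked example, not from the question or from any of the guides it mentions, that carries Update 2 through with the three files the asker lists (gd_bundle-g2-g1.crt, our.crt, our.key) and answers question 4 in passing: a PKCS12 keystore has no CSR history, it is just the private key, the server certificate and the chain wrapped into one file, so certificates issued by a third party go in exactly as they are. The script checks that the key really belongs to the certificate, builds the keystore with a non-empty export password, counts what the keystore contains so a wrong password or missing chain shows up before Tomcat is restarted, and prints a <Connector> whose attribute names have the case Tomcat 7 requires and whose keystorePass is the same password. The output path /etc/ssl/our.p12, the alias tomcat and the password changeit are assumptions; the only tool needed is openssl.

```shell
#!/bin/sh
# Added example (not from the original post): turn the asker's three PEM files
# (CA bundle, server certificate, private key) into one PKCS12 keystore that
# Tomcat 7 on Java 7 can open, verify it, and print the matching <Connector>.
# Paths, alias and password below are assumptions, not values from the post.
set -eu

# cert_key_match CRT KEY
# Fails if the certificate was not issued for this private key, the usual
# cause of "no certificate matches private key" when exporting.
cert_key_match() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# build_p12 CA_BUNDLE CRT KEY OUT PASSWORD
# Bundles key + server cert + intermediate chain under alias "tomcat".
# The PBE and MAC algorithms are pinned to the SHA1/3DES family because
# Java 7's PKCS12 reader understands only those (3DES and 40-bit RC2);
# OpenSSL 3 otherwise defaults to AES-256 with PBKDF2, which Java 7 rejects.
build_p12() {
  cert_key_match "$2" "$3"
  openssl pkcs12 -export \
    -in "$2" -inkey "$3" -certfile "$1" \
    -name tomcat \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$4" -passout "pass:$5"
  chmod 640 "$4"   # the file holds the private key: owner and group only
}

# p12_key_count OUT PASSWORD
# Prints how many private keys the keystore yields with that password:
# 1 when the password is right, 0 when it is wrong or the file is damaged.
p12_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# p12_cert_count OUT PASSWORD
# Prints the number of certificates stored (server cert plus chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# connector_xml P12_PATH PASSWORD PORT
# Tomcat attribute names are case-sensitive, and keystorePass must be the
# password given to -passout above; an empty keystorePass will not open it.
connector_xml() {
  cat <<EOF
<Connector port="$3" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreType="PKCS12" keystoreFile="$1" keystorePass="$2"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

# Stand-alone run on the asker's file names; set P12_PASS before use.
if [ "${1:-}" = "run" ]; then
  PASS=${P12_PASS:-changeit}   # assumed password, change it
  build_p12 gd_bundle-g2-g1.crt our.crt our.key /etc/ssl/our.p12 "$PASS"
  echo "keys: $(p12_key_count /etc/ssl/our.p12 "$PASS")," \
       "certs: $(p12_cert_count /etc/ssl/our.p12 "$PASS")"
  connector_xml /etc/ssl/our.p12 "$PASS" 443
fi
```

Two facts the output depends on. Tomcat reads only the keystore named in keystoreFile and otherwise falls back to the .keystore file in the home directory of the user running it, which is where the /usr/share/tomcat7/.keystore error in Update 1 comes from; with keystoreFile set, that default is never consulted. And in a URL the port sits between host and path, so the 8443 connector is exercised with https://www.oursite.com:8443/ourwebapp; a browser cannot reach a TLS connector over plain http.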

To address part of the above problem reported in catalina.out...

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.net.SocketException: No such file or directory

For me this was caused by tomcat not being allowed to bind to port 443, and had nothing to do with the keystore/certificates.

I fixed it by running...

sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat7 /etc/authbind/byport/443

If you don't have authbind installed, install it via

apt-get install authbind
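An added check, not part of the answer above, for confirming that the three commands had the effect authbind needs. authbind authorises a bind to a port below 1024 when the calling user can execute the file byport/PORT under its configuration directory, which is what touch, chmod 500 and chown tomcat7 give to tomcat7 and nobody else. The configuration root is a parameter so the function can be exercised against a scratch directory by a non-root user; on the server it is /etc/authbind.

```shell
#!/bin/sh
# Added example (not from the answer): verify an authbind port file the way
# authbind will judge it: present, owned by the service user, executable by
# its owner. ROOT is /etc/authbind on a real host; a scratch directory here.
set -eu

# check_authbind_port ROOT PORT USER -> 0 if USER may bind PORT via authbind
check_authbind_port() {
  f="$1/byport/$2"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  entry=$(ls -ld "$f")                       # "-r-x------ 1 owner group ..."
  owner=$(echo "$entry" | awk '{print $3}')
  exec_bit=$(echo "$entry" | cut -c4)        # owner execute position
  [ "$owner" = "$3" ] || { echo "$f is owned by $owner, not $3" >&2; return 1; }
  [ "$exec_bit" = "x" ] || { echo "$f is not executable by its owner" >&2; return 1; }
}

# grant_authbind_port ROOT PORT USER
# Creates the file exactly as the answer does (touch, chmod 500, chown);
# chown to another user needs root, which is why the answer uses sudo.
grant_authbind_port() {
  mkdir -p "$1/byport"
  touch "$1/byport/$2"
  chmod 500 "$1/byport/$2"
  chown "$3" "$1/byport/$2"
}

# Stand-alone run against the real configuration for the tomcat7 user.
if [ "${1:-}" = "run" ]; then
  check_authbind_port /etc/authbind 443 tomcat7 && echo "tomcat7 may bind 443"
fi
```

The port file is only half of the setup on Ubuntu: the tomcat7 package wraps the JVM in authbind only when AUTHBIND=yes is set in /etc/default/tomcat7, so after `check_authbind_port /etc/authbind 443 tomcat7` passes, that line is the next thing to confirm before restarting the service.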
