1 vote

I've never set up SSL/TLS before, it's not working, and I have no idea how to debug it. Initial googling is not turning up options. Here's what I've done:

  1. used OpenSSL to generate a private key and CSR

    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

  2. gotten my CSR signed and downloaded the certificates from startssl.com (free for first year)

  3. installed the root, intermediate, and my domain cert into the .keystore like:

    keytool -import -trustcacerts -alias root -file root.crt -keystore .keystore

    keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore .keystore

    keytool -import -trustcacerts -alias tomcat -file mydomain.crt -keystore .keystore

  4. added the tomcat connector (shown below but I had to remove the xml angle braces or Stack Overflow wouldn't display it)

    Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="8443" keystoreFile="/home/ec2-user/.keystore" keystorePass="password" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"

  5. bounced tomcat, server starts successfully and serves http requests

  6. opened catalina.out to see the following error

    java.io.IOException: Alias name tomcat does not identify a key entry

  7. I was advised to create a .pkcs12 file by concatenating the root and intermediate certs and then using the command below

    openssl pkcs12 -in mydomain.crt -certfile CA.crt -chain -inkey privateKey.key -out tomcat.p12

  8. Unfortunately this resulted in the following error:

    4294956672:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1201:
    4294956672:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=PKCS12

  9. Then I tried to concatenate the private key, domain, intermediate, and root certificate into one .pem file, and then convert it to an x509

  10. I then tried to use the x509 cert in JKS & tomcat but I got the same error

    java.io.IOException: Alias name tomcat does not identify a key entry

Reading up on this via Google makes me more confused - I read these extremely confident tutorials on how to do this and they appear to have been dead wrong. Where can I find an accurate guide on how to set this up?

Comment (2 votes):

Ok, good, that's what I was reading. I tried to create the pkcs12 and got some error about cert chains and I haven't had time to work past that one yet. The one guide I saw said to use the openssl root cert but it's no longer bundled with OpenSSL.
Patrick

2 Answers

2 votes

  1. concatenate PEM format cert chain.

    cat 2_host.domain.net.crt 1_Intermediate.crt CA.crt > fullchain.crt

  2. convert PEM format fullchain to PKCS12

    openssl pkcs12 -export -out tomcat.p12 -inkey ../ssh.key -in fullchain.crt

  3. check tomcat.p12

    keytool -list -keystore tomcat.p12 -storetype PKCS12
    keytool -list -keystore tomcat.p12 -storetype PKCS12 -v

  4. convert PKCS12 to JKS

    keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 -srcalias 1 -destkeystore tomcat.jks -deststoretype JKS -destalias tomcat

  5. tomcat server.xml file

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               SSLVerifyClient="optional"
               keystoreFile="tomcat.jks"
               keystoreType="JKS"
               keystorePass="mypass"
               clientAuth="false" sslProtocol="TLS" />

  6. test tomcat config

    configtest.sh

0 votes

The entries you have imported are certificates - for this to work you need to have the private key as well.

To correctly set this up, you will need to utilize something like openssl's PKCS12 functionality to create a PKCS#12 format archive then import THAT into a JKS file (.keystore) containing the contents of the PKCS#12.

You may need to concatenate mydomain.crt+intermediate.crt first.

EDIT

To hopefully make this more clear:

  1. Concatenate intermediate.crt+root.crt from the CA as provided into one file CA.crt
  2. Run the following (note the -export flag: without it openssl tries to parse the PEM input as an existing PKCS#12 archive instead of creating one)

    openssl pkcs12 -export -in mydomain.crt -certfile CA.crt -inkey privateKey.key -out tomcat.p12

Once that is completed you can verify using keytool as

    keytool -list -keystore tomcat.p12 -storetype PKCS12

If you see it as PrivateKeyEntry - you're most of the way there.

    keytool -list -keystore tomcat.p12 -storetype PKCS12 -v

will list the entry certificate and any chain information. If that spits out your cert + the chain (should be 3 entries in the one alias) you can then import it to a JKS file.

    keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 -srcalias 1 -destkeystore tomcat.jks -deststoretype JKS -destalias tomcat

Follow the prompts and you should be complete.

EDIT 2

Order of the certificates is important:

    cat mydomain.crt intermediate.crt root.crt > full-chain.crt

The following may possibly help:

    openssl pkcs12 -export -in full-chain.crt -inkey privateKey.key -out tomcat.p12
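As an added example (not code from either answer), this script carries the procedure both answers describe through to the point where the PKCS#12 can be checked, and explains the two errors from the question along the way. It assumes openssl and keytool are on PATH; the file names, the "changeit" password and the test chain it generates are constructed placeholders.

```shell
#!/bin/sh
# Added example: build and check the PKCS#12 that feeds the Tomcat keystore.
# All paths and the password are placeholders; the chain is generated locally.

# 1. PEM chain in the order leaf, intermediate, root, then a PKCS#12 that
#    carries the private key. The questioner's "wrong tag ... Type=PKCS12"
#    ASN.1 error is what happens when -export is omitted: openssl then tries
#    to *parse* the PEM input as PKCS#12 instead of *creating* one.
#    -name sets the alias (default is "1", hence -srcalias 1 in the answers).
build_p12() {  # build_p12 <key> <leaf> <intermediate> <root> <out.p12> <password>
    cat "$2" "$3" "$4" > "$5.fullchain.crt"
    openssl pkcs12 -export -in "$5.fullchain.crt" -inkey "$1" \
        -name tomcat -out "$5" -passout "pass:$6"
}

# 2. Count certificates in the archive (expect 3: leaf, intermediate, root).
p12_cert_count() {  # p12_cert_count <file.p12> <password>
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# 3. Check that the archive also holds a private key. "Alias name tomcat does
#    not identify a key entry" means only certificates reached the keystore.
p12_has_key() {  # p12_has_key <file.p12> <password>
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Constructed sample input: a throwaway root -> intermediate -> leaf chain so
# the script runs offline without a real CA.
make_test_chain() {  # make_test_chain <dir>
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=TestRoot -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=mydomain.example \
        -keyout "$d/privateKey.key" -out "$d/mydomain.csr" 2>/dev/null
    openssl x509 -req -in "$d/mydomain.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/mydomain.crt" 2>/dev/null
}
```

Once `p12_cert_count` reports 3 and `p12_has_key` succeeds, the keytool -importkeystore command from the answers (with -srcalias tomcat, since the alias was set above) produces the JKS that server.xml points at.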