tomcat-users mailing list archives

From Don Prezioso <dp...@ashland.edu>
Subject RE: SSL with multiple Tomcat instances
Date Wed, 26 Aug 2009 21:14:45 GMT
When I connect to webui.ashland.edu I get the message in msg1.jpg.

When I click on 'More Information...', I get the message in msg2.jpg.

When I click on 'Certificate Details...', I get what you see in msg3a-c.jpg.

Now this is the really strange thing. It appears to be a perfectly valid certificate with
a valid CA. When connecting to webadvisor.ashland.edu, I see almost identical certificate
details (the signature and CN are appropriately different). These are the same messages I
have been getting all along.

The only thing that I can think of that is different between the two instances is that the webui instance
is behind the firewall and cannot be seen from off campus. I didn't think that was an issue
with validating certificates, is it?

Thanks again

Don

--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio


-----Original Message-----
From: Crypto Sal [mailto:crypto.sal@gmail.com] 
Sent: Wednesday, August 26, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SSL with multiple Tomcat instances

Don,
It's very strange that one works and the other does not, especially since
they're from the same CA and presenting the same information (just
different common names). I can't connect to your external site [webadvisor]
via Firefox 3.5 or Chrome 4.0 due to the fact that your CA's OCSP responder
is down. [ Error Code: 403 Forbidden. The server denied the specified Uniform
Resource Locator (URL). Contact the server administrator. (12202) ] I have
to disable OCSP in Firefox 3.5 to continue, but I do get a valid connection.

Has the error message changed at all since we've been working? Or are you
still getting a response that relates to "Unknown Issuer"?



On Wed, Aug 26, 2009 at 9:01 AM, Don Prezioso <dprez@ashland.edu> wrote:

> Sal,
>
> Thanks again.
>
> When I connect using port 8443 or 443, or using the FQDN or the IP address,
> I get the same response from the s_client request.
>
> The reason I am using port 8443 is so I don't have to have root running the
> tomcat instance. My understanding was that you had to be root to allocate
> ports under 1024. Just to have that extra little bit of security we have a
> user 'tomcat' that runs the tomcat instances. I didn't want to have to
> specify the port number in URLs, and we had some problems with people who
> weren't able to connect out through their company's firewall on port 8443,
> so we wanted to make it appear that they were connecting on port 443, but
> really be using 8443.
>
> So, when I connect in a browser, I use https://webui.ashland.edu
>
> Don
>
>

