From: Don Prezioso
To: Tomcat Users List
Date: Wed, 26 Aug 2009 17:14:45 -0400
Subject: RE: SSL with multiple Tomcat instances
References: <4A8DE363.2050502@gmail.com> <4A9330DC.2060505@gmail.com> <4A94ABD8.7060704@gmail.com>

When I connect to webui.ashland.edu I get the message in msg1.jpg. When I click on 'More Information...', I get the message in msg2.jpg. When I click on 'Certificate Details...' I get what you see in msg3a-c.jpg.

Now this is the really strange thing. It appears to be a perfectly valid certificate with a valid CA. When connecting to webadvisor.ashland.edu, I see almost identical certificate details (the signature and CN are appropriately different). These are the same messages I have been getting all along.

The only thing that I can think is different between the two instances is that the webui instance is behind the firewall and cannot be seen from off campus. I didn't think that was an issue with validating certificates, is it?

Thanks again
Don

--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio

-----Original Message-----
From: Crypto Sal [mailto:crypto.sal@gmail.com]
Sent: Wednesday, August 26, 2009 4:48 PM
To: Tomcat Users List
Subject: Re: SSL with multiple Tomcat instances

Don,

It's very strange that one works and the other does not, especially since they're from the same CA and presenting the same information. (Just different common names)

I can't connect to your external site [webadvisor] via Firefox 3.5 or Chrome 4.0 due to the fact that your CA's OCSP responder is down. [Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)]. I have to disable OCSP in Firefox 3.5 to continue, but I do get a valid connection.

Has the error message changed at all since we've been working? Or are you still getting a response that relates to "Unknown Issuer"?

On Wed, Aug 26, 2009 at 9:01 AM, Don Prezioso wrote:
> Sal,
>
> Thanks again.
>
> When I connect using port 8443 or 443, or using the FQDN or the IP address, I get the same response from the s_client request.
>
> The reason I am using port 8443 is so I don't have to have root running the tomcat instance. My understanding was that you had to be root to allocate ports under 1024. Just to have that extra little bit of security we have a user 'tomcat' that runs the tomcat instances. I didn't want to have to specify the port number in URLs, and we had some problems with people who weren't able to connect out through their company's firewall on port 8443, so we wanted to make it appear that they were connecting on port 443, but really be using 8443.
>
> So, when I connect in a browser, I use https://webui.ashland.edu
>
> Don

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
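The "Unknown Issuer" condition the thread keeps circling back to is what a browser reports when it cannot build a path from the server certificate to a root it trusts; one common cause is a server that sends only its own certificate and not the intermediate CA certificate that links it to the root. The script below is an added example, not part of this thread and not Tomcat's own code: it builds a throwaway root -> intermediate -> server chain with the openssl CLI and verifies the server certificate both without and with the intermediate, reproducing the failure offline. It assumes openssl 1.1.1 or later is on PATH; every name in it (ExampleRoot CA, ExampleIntermediate CA, webui.example.test) is a constructed placeholder, not one of the hosts discussed above.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: reproduce the
# "unknown issuer" chain-building failure offline with a constructed
# root -> intermediate -> server chain, using only the openssl CLI.
# Assumptions: openssl (1.1.1 or later) is on PATH; every name below
# (ExampleRoot CA, ExampleIntermediate CA, webui.example.test) is a
# constructed placeholder, not one of the hosts in the thread.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the three-certificate chain: a self-signed root, an intermediate
# CA signed by the root, and a server certificate signed by the intermediate.
make_chain() {
  # Self-signed root (req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=ExampleRoot CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA: CSR, then sign it with the root and CA extensions.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ExampleIntermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1

  # Server (leaf) certificate signed by the intermediate, as a public CA issues it.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=webui.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:webui.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# What a client sees when the server sends only its own certificate:
# the trust store holds the root, but nothing links the leaf to it.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# What the client sees when the server also sends the intermediate
# (-untrusted is how openssl verify takes the chain certificates a peer supplied).
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

make_chain
if verify_without_intermediate; then
  echo "leaf verified without the intermediate (unexpected)"
else
  reason="$(openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 | grep 'depth lookup' || true)"
  echo "without intermediate: FAIL ($reason)"
fi
if verify_with_intermediate; then
  echo "with intermediate:    OK"
fi
```

Against a live server the equivalent check is `openssl s_client -connect host:8443 -showcerts`: the certificates printed there are what `-untrusted` stands in for above, so if only the server certificate appears, a browser that does not already hold the intermediate will report an unknown issuer. With a Tomcat JSSE connector that means the intermediate has to be imported into the same keystore as the server key (keytool's `-trustcacerts` import) so the connector can send it.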