Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 3E4C2200D57 for ; Mon, 27 Nov 2017 04:35:38 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 3CC21160C00; Mon, 27 Nov 2017 03:35:38 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 0C8F7160BFF for ; Mon, 27 Nov 2017 04:35:36 +0100 (CET) Received: (qmail 47654 invoked by uid 500); 27 Nov 2017 03:35:34 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 47643 invoked by uid 99); 27 Nov 2017 03:35:34 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Nov 2017 03:35:34 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id BF3EAC4050 for ; Mon, 27 Nov 2017 03:35:33 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.051 X-Spam-Level: * X-Spam-Status: No, score=1.051 tagged_above=-999 required=6.31 tests=[HTML_MESSAGE=2, HTML_OBFUSCATE_10_20=1.162, KB_WAM_FROM_NAME_SINGLEWORD=0.2, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id byZbgVe633ma for ; Mon, 27 Nov 2017 03:35:31 +0000 (UTC) Received: from alum-mailsec-scanner-3.mit.edu (alum-mailsec-scanner-3.mit.edu [18.7.68.14]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 65DD65F177 for ; Mon, 27 Nov 2017 03:35:30 +0000 (UTC) X-AuditID: 1207440e-bf9ff70000007085-bb-5a1b87f3941e Received: from outgoing-alum.mit.edu (OUTGOING-ALUM.MIT.EDU [18.7.68.33]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by alum-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 41.E3.28805.3F78B1A5; Sun, 26 Nov 2017 22:35:16 -0500 (EST) Received: from mail-ot0-f172.google.com (mail-ot0-f172.google.com [74.125.82.172]) (authenticated bits=0) (User authenticated as flinn@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.13.8/8.12.4) with ESMTP id vAR3ZDc3020647 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Sun, 26 Nov 2017 22:35:14 -0500 Received: by mail-ot0-f172.google.com with SMTP id s12so23077823otc.0 for ; Sun, 26 Nov 2017 19:35:14 -0800 (PST) X-Gm-Message-State: AJaThX7cK47JB4MDGDSrdwjccpr0cKX9PRHaWLFoKySDj4Gb/UwpglJm tNwDyWpW1E09t+kf058oqTxRjCNo9aCR3bAOPuQ= X-Google-Smtp-Source: AGs4zMZB/TNoH7oucsUeLUUFNSqMkrn6nV4bbRiAeaoD0d/k7wMIkCz8ISgVRRJY2FvvHpQkIesumv8hwGHsSbIUWVI= X-Received: by 10.157.64.68 with SMTP id o4mr26364376oti.387.1511753713568; Sun, 26 Nov 2017 19:35:13 -0800 (PST) MIME-Version: 1.0 Received: by 10.157.44.35 with HTTP; Sun, 26 Nov 2017 19:35:12 -0800 (PST) In-Reply-To: References: <86948fef-641e-22ee-94a1-12501e98c071@christopherschultz.net> From: Don Flinn Date: Sun, 26 Nov 2017 22:35:12 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Trying to understand How Tomcat uses Keystore for SSL To: Don Flinn Cc: Tomcat Users List Content-Type: multipart/alternative; boundary="f403043e527c15d29c055eee9737" X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrJKsWRmVeSWpSXmKPExsUixO6iqPulXTrKYN0zFYutH78yOjB6bHzW zRzAGMVlk5Kak1mWWqRvl8CVcWz1KraCJdOZKiZ+6mZrYPz6ibGLkYNDQsBEYvtW3y5GLg4h gR1MEouvXGaGcJ4xSZy9vIQRwpnMKLFh63VWiI5yiYX7eLsYOYHMIomTR/YxQtjFEt/2r2IH sXkFBCVOznzCAmILCXhJvHx0mxXE5hQIlJiyZSo7xMw5TBKv+6+DFbEJqEjc+fIGrJlFQFWi cfcfFoihiRLP9p9ghBgaIPFr5j5mkBuEBZwk1k9WBzFFBJQkpv1KA6lgFtCX+PFzByuE7SPx pesK0wRG4VlILpqFJAVha0q0bv/NDmFrSCy4s48RwtaWWLbwNfMCRtZVjHKJOaW5urmJmTnF qcm6xcmJeXmpRbrGermZJXqpKaWbGCHxwLeDsX29zCFGAQ5GJR5eBR/pKCHWxLLiytxDjJIc TEqivAuypaKE+JLyUyozEosz4otKc1KLDzFKcDArifAKlAPleFMSK6tSi/JhUtIcLErivGpL 1P2EBNITS1KzU1MLUotgsjIcHEoSvJ/bgPYIFqWmp1akZeaUIKSZODhBhvMADf8FUsNbXJCY W5yZDpE/xejNsW/PrT9MHI9u3AWSG26CyH1gcteerf+ZOJ7NfN3ALMSSl5+XKiXOqwRMYkIC ICMySvPgtsBS4CtGcaCnhXkZQap4gOkTbs8roBOYgE54elIc5ISSRISUVAOjdfpXi8oFQkKM bYH77VpVPnF8cdTfmzS1f3Go3MryHWFfz215lzGn6sb9ve9kFkbw1XHdNL9udOlAV0SQ+9bH ae3aIrbLHHRD4x1Xe53nZptc/9hC1WTboXN2IcU3Pjj8/nCX3+MBt0xxRUWJ7PyXFTtf+mjG XH6ZoNU1+2vWnTXX5n1L6fNSYinOSDTUYi4qTgQAofWWnVwDAAA= archived-at: Mon, 27 Nov 2017 03:35:38 -0000 --f403043e527c15d29c055eee9737 Content-Type: text/plain; charset="UTF-8" IT WORKS!!!! My next question is whether the Tomcat team would want this Java program that does the heavy lifting for letsencrypt, which I would be happy to clean up and make available as open source. The guts of the program comes from - http://acme4j.shredzone.org, which is under the Apache license. I've made a number of enhancements, e;g. a GUI front end; the ability to do the letsencrypt authorization without any user intervention; the ability to sit on an admin node retrieve and install the retrieved letsencrypt SSL certificates on a remote tomcat node. If the answer is yes, let me know the procedure to make it available as open sourcce. Don On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn wrote: > Didn't read closely enough. The protocol that I used is no longer > applicable for Tomcat 9. > > Don > > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote: > >> Chris >> >> Thank you for your excellent reply and references. >> >> I've been doing a lot of reading on SSL, certificates, keys, algorithms, >> etc. Woo! However I still don't have it correct. >> >> I've retrieved certificates from letsencrypt and following your >> suggestions did the following. >> >> Created a pkcs12 store using the following command line. >> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" >> -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout >> "pass:changeit" >> >> where the domain-chain.crt contains two certificates and ICDTrustRoot >> contains one as shown below - >> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer >> -in domaincert1.crt (the first cert in domain-chain.crt) >> subject= /CN=info.finwoks.com >> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 >> >> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer >> -in domaincert2.crt (the second cert in domain-chain.crt) >> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 >> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3 >> >> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer >> -in ICDTrustRoot.crt >> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3 >> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3 >> so I have the three certificates and the private key which is shared with >> letsencrypt called domain.key >> My server.xml contains: >> > sslImplementationName="org.apache.tomcat.util.net.openssl.O >> penSSLImplementation" >> port="8443" maxThreads="200" >> scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12" >> keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit" >> clientAuth="false" sslProtocol="TLS" >> /> >> >> However when I restart Tomcat is get the following error in the Tomcat >> error log and of course it fails in the handshake with the browser >> >> org.apache.catalina.core.StandardService.initInternal Failed to >> initialize connector [Connector[HTTP/1.1-8443]] >> org.apache.catalina.LifecycleException: Failed to initialize component >> [Connector[HTTP/1.1-8443]] >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112) >> at org.apache.catalina.core.StandardService.initInternal(Standa >> rdService.java:549) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at org.apache.catalina.core.StandardServer.initInternal(Standar >> dServer.java:873) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:606) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:629) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) >> at java.lang.reflect.Method.invoke(Unknown Source) >> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >> Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.cre >> ate(J)J >> at org.apache.tomcat.jni.Pool.create(Native Method) >> at org.apache.tomcat.util.net.openssl.OpenSSLEngine.(Op >> enSSLEngine.java:75) >> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplemente >> dProtocols(OpenSSLUtil.java:61) >> at org.apache.tomcat.util.net.SSLUtilBase.(SSLUtilBase.java:46) >> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.(OpenSS >> LUtil.java:41) >> at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.get >> SSLUtil(OpenSSLImplementation.java:36) >> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSs >> l(AbstractJsseEndpoint.java:82) >> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261) >> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEnd >> point.java:798) >> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547) >> at org.apache.coyote.http11.AbstractHttp11Protocol.init(Abstrac >> tHttp11Protocol.java:66) >> at org.apache.catalina.connector.Connector.initInternal(Connect >> or.java:1010) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> ... 12 more >> >> I'm running Tomcat 9 in Amazon Web services using Windows Server. I >> don't know what I'm doing wrong. Further help will be appreciated. It >> appears I have the pkcs12 wrong. >> >> Don >> >> On Tue, Nov 14, 2017 at 4:33 PM, Christopher Schultz < >> chris@christopherschultz.net> wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA256 >>> >>> Don, >>> >>> On 11/14/17 1:57 AM, Don Flinn wrote: >>> > I've done some reading on SSL and understand the protocol is as >>> > follows; Client/Browser sends ClientHello and server Tomcat replies >>> > with ServerHello. This establishes the protocol they will use. The >>> > server then sends the certificate and the public key - in the >>> > clear The browser encrypts a message containing the servers domain, >>> > all encrypted with the server's public key to the CA which the >>> > browser trusts. The public key is in the certificate. The CA >>> > de-crypts the message with the server's private key. So the >>> > server's name/ domain must be not encrypted. If the server can >>> > decrypt the message it knows the server and it then sends a ack >>> > message back to the browser encrypted with the client's private >>> > key. >>> >>> Most of that is correct (enough) except for the last part: the server >>> never has the client's private key. The handshake is done using >>> public-key/asymmetric encryption and part of that handshake includes >>> establishing the keys to be used for the bulk encryption -- the >>> encryption used after the handshake. >>> >>> > The browser and Tomcat then establish a secret key to send messages >>> > back and forth. >>> >>> That's the bulk encryption key. Note that it can be re-negotiated at >>> intervals during the conversation if necessary. >>> >>> > If I have the above correct, I must have keystore set up >>> > incorrectly, since running my scenario I get an error in the Chrome >>> > debugger,which says >>> > >>> > This page is not secure "Valid certificate The connection to this >>> > site is using a valid, trusted server certificate issued by unknown >>> > name. Secure resources All resources on this page are served >>> > securely. " >>> > >>> > Note the 'the certificate is valid and it is issued by unknown >>> > name" Why is the issuer unknown, since the issuer's name is in the >>> > certificate? >>> >>> That message may be misleading. If the certificate is self-signed than >>> of course the certificate signer is "known" to the client (Chrome) >>> because it's just identified itself (as itself!). What it means to be >>> "unknown" is that it is /untrusted/. You haven't told Chrome that you >>> specifically trust the certificate that signed the server's >>> certificate. If you e.g. self-sign then the self-signature isn't >>> recognized as authoritative. If a real CA signs it -- e.g. Verisign, >>> DigiCert, Let's Encrypt, etc. -- then the browser /will/ recognize it. >>> >>> > letsencrypt has an online web site from which one can download a >>> > ca_bundle, a private key and a certificate for your domain >>> >>> Theoretically, you should generate your own private key and then use >>> LE's tools to obtain a signed certificate. >>> >>> > Oracle has an article on keytool which says that keytool can not >>> > create a pkcs12 keystore but can read it and to use openssl, which >>> > I did following their instructions. >>> >>> OpenSSL will do DER/PEM files and also PKCS12 keystores, but they are >>> interchangeable and contain the same types of key material... just in >>> different kinds of packages. >>> >>> > Concatenate the CA cert, the private key and the user cert then put >>> > these in keystore. >>> >>> Be careful with terms. Concatenation usually means just slamming bytes >>> together. This only works with PEM-encoded files like OpenSSL likes to >>> use -- the ones that start with e.g. "---- BEGIN CERTIFICATE ----". >>> The other types of files have a very specific format and you can't >>> just slam them together. >>> >>> > The result is shown below. Tomcat isn't able to use this keystore >>> > to communicate with the browser for some reason. Why? What's >>> > missing or incorrect? >>> > >>> > C:\Users\don\Security\letsenc>%keytool% -list -keystore MMcert.p12 >>> > -v -storetype pkcs12 Enter keystore password: >>> > >>> > Keystore type: PKCS12 Keystore provider: SunJSSE >>> > >>> > Your keystore contains 1 entry >>> > >>> > Alias name: tomcat Creation date: Nov 13, 2017 Entry type: >>> > PrivateKeyEntry >>> >>> So this is one of the things that makes me angry about keytool: it >>> tells you there is only a single entry in the keystore and tells you >>> that it's a "private key". Well... there is also a certificate in >>> there and it's got signatures on it and stuff. I'd count that as at >>> least 2 items. Anyway... >>> >>> > Certificate chain length: 1 Certificate[1]: Owner: >>> > CN=info.finwoks.com >>> >>> Okay, this is traditionally called the "subject": info.finworks.com. >>> This is *your certificate*, usually called the "server certificate". >>> It's usually the last link in a chain of trust going from the CA down >>> to the server cert. >>> >>> > Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US >>> >>> Good: you have a certificate that has been issued (aka signed) by >>> Let's Encrypt. >>> >>> You appear to be missing the Let's Encrypt intermediate certificate in >>> your keystore, which will be required for most browsers to trust the >>> certificate (chain). >>> >>> Might I recommend using Qualys's fine SSL server test tool: >>> https://www.ssllabs.com/ssltest/ >>> >>> It probably would have told you that you have a single certificate in >>> your chain and that you need to have an intermediate certificate. >>> >>> It turns out that it's fairly easy to fix this: just import LE's >>> intermediate certificate into your keystore, like this: >>> >>> $ keytool -import -alias [Authority.intermediate] -trustcacerts \ >>> -file [authority's intermediate cert file] \ >>> -keystore yourkeystore.jks >>> >>> Once you add this certificate, you will likely have to restart Tomcat >>> to pick-up the changes. >>> >>> You can do this in a single operation to convert from the PEM-encoded >>> files that LE gives to you into a PKCS12 package like this: >>> >>> $ openssl pkcs12 -export -in "${LE_BASE}/cert.pem" \ >>> -inkey "${LE_BASE}/privkey.pem" \ >>> -certfile "${LE_BASE}/fullchain.pem" \ >>> -out "${CATALINA_BASE}/${HOSTNAME}.p12" -name tomcat \ >>> -passout "pass:changeit" >>> >>> Note that this command imports all 3 items (server key, server >>> certificate, and CA intermediate certs) into a single PKCS12 bundle. >>> Then you can convert that into a Java keystore. Or just use PKCS12 as >>> your keystore type from Tomcat and avoid the use of keytool altogether. >>> >>> You might find these two presentations informative: >>> http://people.apache.org/~markt/presentations/2017-05-16-b-tomcat-ssl.pd >>> f >>> >>> >>> http://people.apache.org/~schultz/ApacheCon%20NA%202017/Let's%20Encrypt% >>> 20Apache%20Tomcat.pdf >>> >>> >>> Hope that helps, >>> - -chris >>> -----BEGIN PGP SIGNATURE----- >>> Comment: GPGTools - http://gpgtools.org >>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ >>> >>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloLYUYdHGNocmlzQGNo >>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFjtxRAAisLpBKPg9VFN5dPH >>> tEeZQs7Bd6hM3NDBjRXE7RYAJhvBlOE2ImDkWXjRkJGedf00nTTQly6zKWHrusbC >>> VlJMoEK+T72XeJIv2y5up3K+VmartQZLK6twMCqDEVZBv0gaEz1T7yfe6WC6/G4W >>> oqGCkcDAF61P2u0K4QXldXBl1I83VCfEWWGpI7Bc1/5u7c/SE3kEN0D/V8Gs0H1r >>> 8/LF2MzPSpGoJqSuRhyPWzklaK/ks+LSv1d7ur+ZrHHobSeMFtIHuhk6KakbheIL >>> 3APEHZw3vHv70SFjvhviYg873CYOT52/x8zfzqpxc1z3X9JC/hAqzZUL7qKHPSMd >>> bbWTSu8Tv7XWARe2BdyRQDKFJSTPnUNFxvyWviekNK5HkJx2sSgcH8iiTJN5lrMQ >>> uEDZ4RukyT/b3VWn0RWtqvHnxZrLmXjWyV3MWNPFI0LYNuorJu6cROy4WnO7NFOV >>> dmvDKC79qJ/XOziOmaGKgL11hNGwqYB2pn/aS7G+VCLCG0UGp8B/64j/5mNd9BL5 >>> a4DZXmonIPoKhjO/OP5H7hte2uqQAprrQgVI1JzKlYAb6wV+f4123nctlM+UeFBM >>> ytYYVpwyD/TXxeVr0SnmNpOlyPHnO6RRXPXfmiNEbdsjMef+Inljc4DlcLnlbdvK >>> Fc/zRGoUIB8+LN0T8NxVvXMAGGc= >>> =IHty >>> -----END PGP SIGNATURE----- >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >>> For additional commands, e-mail: users-help@tomcat.apache.org >>> >>> >> > --f403043e527c15d29c055eee9737--