Discussion:
Unable to set up ssl
Oleg Andreyev
2013-08-03 15:22:05 UTC
Hi,

Over the last few days I tried to set up SSL on Geronimo 3.0.1 and finally had to
admit defeat.

My steps:

- Downloaded 3.0.1 (Linux x64, Web profile, run with Oracle JDK 1.6.0_14)
- Changed ports to 80/443 in config-substitution.properties
- Logged in to the Web console
- Created a new keystore, enabled it, generated a key and a CSR, imported the answer
from the CA

No errors so far. The key looks like:

Version: 3
Subject: CN=xxx.yyyyy.com, OU=Domain Control Validated
Issuer: SERIALNUMBER=10688435, CN=Starfield Secure Certification
Authority, OU=http://certificates.starfieldtech.com/repository,
O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial Number: 2292395462585499
Valid From: Fri Aug 02 20:15:19 EDT 2013
Valid To: Wed Jul 30 16:46:03 EDT 2014
Signature Alg: SHA1withRSA
Public Key Alg: RSA
critical ext: 2.5.29.15
critical ext: 2.5.29.19
non-critical ext: 2.5.29.14
non-critical ext: 1.3.6.1.5.5.7.1.1
non-critical ext: 2.5.29.31
non-critical ext: 2.5.29.32
non-critical ext: 2.5.29.37
non-critical ext: 2.5.29.35
non-critical ext: 2.5.29.17

Also, I changed Web servers/TomcatWebSSLConnector to set the correct
keystoreFile and keystore password, and stopped/started it.

So, I tried to connect with https and after some time got "The connection was
reset". And I see an error in the Geronimo log:
2013-08-02 20:19:22,861 ERROR [JIoEndpoint]
java.lang.NullPointerException
    at org.apache.tomcat.util.net.JIoEndpoint.processSocket(JIoEndpoint.java:525)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:230)
    at java.lang.Thread.run(Thread.java:619)

I describe this attempt because it is the most appropriate to the documentation,
but I also tried a different JDK, Geronimo 3.0.0, a keystore created by keytool,
and so on.

Any clue?
thiyagu_r
2013-08-03 19:04:35 UTC
Please share the config.xml

Oleg Andreyev
2013-08-05 07:36:40 UTC
There are no handmade changes in config.xml. It's the same as in
geronimo-tomcat7-javaee6-web-3.0.1-bin.tar.gz
Ivan
2013-08-05 12:45:04 UTC
Hi,

Per the stacktrace, it looks like the executor was not configured correctly.

In Geronimo 3.0.*, var/catalina/server.xml is used as the Tomcat
container configuration file. Could you show us that file? I guess that
the SSL connector was updated incorrectly in that file. You may also
compare that file with the original one to check what was changed.

Thanks.
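
The comparison suggested in the reply above, written out as an added example (not code from the thread or from Geronimo): it inspects the SSL connector in a Tomcat-style server.xml for an executor reference with no matching Executor element and lists the attributes that differ from the original file. Both XML samples are constructed, and the executor names and keystore paths in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for the shipped var/catalina/server.xml.
ORIGINAL = """<Server><Service name="Catalina">
  <Executor name="DefaultThreadPool" maxThreads="200"/>
  <Connector port="8080" executor="DefaultThreadPool"/>
  <Connector port="8443" executor="DefaultThreadPool" SSLEnabled="true"
             scheme="https" secure="true" keystoreFile="path/to/original.ks"/>
</Service></Server>"""

# Constructed edited copy: the executor name matches no <Executor> element.
EDITED = (ORIGINAL.replace('port="8443" executor="DefaultThreadPool"',
                           'port="443" executor="SslThreadPool"')
                  .replace("path/to/original.ks", "path/to/new.ks"))


def ssl_connectors(xml_text):
    """Yield (defined executor names, connector) for each SSL connector."""
    for service in ET.fromstring(xml_text).iter("Service"):
        pools = {e.get("name") for e in service.findall("Executor")}
        for conn in service.findall("Connector"):
            if conn.get("SSLEnabled", "false").lower() == "true":
                yield pools, conn


def check(xml_text):
    """Return a list of problems found on the SSL connectors."""
    problems = []
    for pools, conn in ssl_connectors(xml_text):
        port, pool = conn.get("port"), conn.get("executor")
        if pool is not None and pool not in pools:
            problems.append(f"port {port}: executor '{pool}' is not defined")
        if not conn.get("keystoreFile"):
            problems.append(f"port {port}: keystoreFile is not set")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append(f"port {port}: scheme/secure not set for HTTPS")
    return problems


def changed_attrs(original, edited):
    """Diff the attributes of the first SSL connector in each file."""
    old = next(ssl_connectors(original))[1].attrib
    new = next(ssl_connectors(edited))[1].attrib
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    print(check(EDITED), changed_attrs(ORIGINAL, EDITED))
```

To use it on a real installation, read the two files from disk and pass their contents in place of the constructed strings.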
Oleg Andreyev
2013-08-06 08:47:06 UTC
Well, first, I am very sorry. It's a production system on EC2 and I had to
find a fast solution and made the next AMI. Finally this works with Apache +
mod_jk and the original directory is removed. I cannot share this file.
However, all my steps were very simple and based on the standard distribution
without any application code or customization (except changing ports).
And although the problem is no longer relevant to me, I ask you to pay
attention to it when you have time. I believe that fundamental
functionality should not require such effort to set up.