I’m running a Tomcat server behind an nginx reverse proxy.
I forward the requests to a non-SSL Tomcat connection.
When I run a Java app deployed on the Tomcat, I get a popup that the certificate is not trusted.
The certificate works perfectly for non-Tomcat requests.
Here’s my nginx setup:
```nginx
# Enclosing server block implied by the posted fragment; directives are as posted.
server {
    listen 80;
    server_name services.it-hausverstand.at;
    access_log off;
    root /usr/share/nginx/html;
    if ($http_host != "services.it-hausverstand.at") {
        rewrite ^ http://services.it-hausverstand.at$request_uri permanent;
    }
    index index.php index.html;
    ## Certificates
    ssl_certificate /etc/letsencrypt/live/services.it-hausverstand.at/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/services.it-hausverstand.at/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/services.it-hausverstand.at/fullchain.pem;
    ## Common SSL config
    include ssl.conf;
    location /services/ {
        proxy_pass http://10.0.0.1:8080/services/;
    }
}
```
Could you be more specific here? How do you "run" the app, are we talking about simply accessing the website? Are you referring to a browser warning, or is this some error Tomcat generates on the server-side? What are the error details (exact message, etc.)?
Java has its own list of trusted CAs. Neither the ISRG root nor the cross-signed DST root are part of it. I believe Oracle is aware and there is a process to get it added, but it would require Java to be updated when that happens.
If you have full control of all end-user systems, you could add the root to the certificate store. Other than that, you’ll either need to deal with the error or use a vendor that’s already on the trusted list.
Double-check which root you’re using on the server. You probably will want the DST root as the cross-signed chain is what’s being generated on the official client right now.
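To see which of the two roots named above a given Java runtime actually trusts, here is an added check (not from this thread) that opens the JDK's own truststore and looks for them by subject CN. It assumes the default `cacerts` location under `java.home` (or the `javax.net.ssl.trustStore` override) and the CN strings `ISRG Root X1` and `DST Root CA X3`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

public class TrustStoreCheck {
    // Assumed subject CNs of the Let's Encrypt root and the cross-signing DST root.
    static final List<String> ROOTS = List.of("ISRG Root X1", "DST Root CA X3");

    // Opens the truststore the JVM would use for HTTPS: the -Djavax.net.ssl.trustStore
    // override if set, otherwise the JDK's bundled cacerts. Loaded with a null password,
    // so the file's integrity MAC is not checked; we only read the CA list here.
    static KeyStore loadDefaultTrustStore() throws Exception {
        String override = System.getProperty("javax.net.ssl.trustStore");
        Path path = override != null
            ? Paths.get(override)
            : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, null);
        }
        return ks;
    }

    // True if any trusted certificate's subject DN carries the given CN.
    static boolean trusts(KeyStore ks, String cn) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                if (subject.contains("CN=" + cn)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadDefaultTrustStore();
        System.out.println("Java " + System.getProperty("java.version")
            + ", trusted CAs: " + ks.size());
        for (String cn : ROOTS) {
            System.out.println(cn + ": " + (trusts(ks, cn) ? "trusted" : "NOT in truststore"));
        }
    }
}
```

Run it with the same JRE the affected application uses; a missing root here explains the "not trusted" popup regardless of what nginx serves.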
If certificates wouldn't be a problem, why use them in the first place? The logic is lost here, since the client doesn't know what you're doing internally. It uses HTTPS connections and fortunately does its job well by failing on an untrusted certificate.