Site is still not secure

I followed the steps outlined in this video: https://youtu.be/lNcpLlZbBiw
I completed the following steps and the site is still not secure:
Any help would be greatly appreciated.

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/serveradmin/.keystor e -keysize 2048

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: spendwithfriends.com
What is the name of your organizational unit?
[Unknown]: spendwithfriends
What is the name of your organization?
[Unknown]: spendwithfriends
What is the name of your City or Locality?
[Unknown]: Some city
What is the name of your State or Province?
[Unknown]: ST
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=spendwithfriends.com, OU=spendwithfriends, O=spendwithfriends, L=Some city, ST=ST, C=US corr ect?
[no]: yes

Enter key password for
(RETURN if same as keystore password):

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an in dustry standard format using “keytool -importkeystore -srckeystore /home/serveradmin/.keystore -destk eystore /home/serveradmin/.keystore -deststoretype pkcs12”.

keytool -importkeystore -srckeystore /home/serveradmin/.keystore -destkeystore /home/serveradmin/.keystore -deststoretype pkcs12

Enter source keystore password:
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated “/home/serveradmin/.keystore” to Non JKS/JCEKS. The JKS keystore is backed up as “/home/ serveradmin/.keystore.old”.

keytool -certreq -alias tomcat -file request.csr -keystore /home/serveradmin/. keystore

Enter keystore password:

openssl req -text -in request.csr Certificate Request:

Data:
    Version: 0 (0x0)
    Subject: C=US, ST=ST, L=Some city, O=spendwithfriends, OU=spendwithfriends, CN=spendwithfr                                                                                                    iends.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                
            Exponent: 65537 (0x10001)
    Attributes:
    Requested Extensions:
        X509v3 Subject Key Identifier:
        {content removed}    
Signature Algorithm: sha256WithRSAEncryption
{content removed} 

-----BEGIN CERTIFICATE REQUEST-----
{content removed}
-----END CERTIFICATE REQUEST-----

certbot certonly --http-01-port 8080 --csr request.csr --no-bootstrap Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Server issued certificate; certificate written to /home/waadmin/0000_cert.pem
Cert chain written to
Cert chain written to

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /home/serveradmin/0001_chain.pem
    Your cert will expire on 2019-09-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore .keystore

Then modified server.xml:

Bounced tomcat

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443

My web server is (include version): Tomcat 8.5.32

The operating system my web server runs on is (include version): RHEL 7.6

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.34.2

Hi @nroborea79

you have created two different certificates ( https://check-your-website.server-daten.de/?q=spendwithfriends.com#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-06-27 2019-09-25 spendwithfriends.com - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-06-21 2019-09-19 spendwithfriends.com, www.spendwithfriends.com - 2 entries

The newer is wrong, it has only one domain name. The older is good, there you have both domain names (non-www and www).

But I see only timeouts:

Domainname Http-Status redirect Sec. G
http://spendwithfriends.com/
52.165.170.145 200 0.290 H
http://www.spendwithfriends.com/
52.165.170.145 200 0.296 H
https://spendwithfriends.com/
52.165.170.145 -14 10.027 T
Timeout - The operation has timed out
https://www.spendwithfriends.com/
52.165.170.145 -14 10.030 T
Timeout - The operation has timed out

So I don't know which certificate is used.

What says

certbot certificates

You should see the old and the new certificate.

Start the row

keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore .keystore

with the old certificate with both domain names.

Works your Tomcat internal?

curl https://spendwithfriends.com/
curl https://www.spendwithfriends.com/

Thank you for the fast response!

Here are the outputs:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: spendwithfriends.com
Domains: spendwithfriends.com www.spendwithfriends.com
Expiry Date: 2019-09-19 02:25:04+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/spendwithfriends.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/spendwithfriends.com/privkey.pem


Looks like this ends with an error:

keytool -import -trustcacerts -alias tomcat -file /opt/tomcat/conf/ssl/chain.pem -keystore .keystore

Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

Not sure what needs done to correct this.

You have to add the private key of this other certificate.

Please forgive me for so many questions. I am very new to ssl and securing sites. So do I need to rerun:

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/waadmin/.keystore -keysize 2048

and input both www and non-www versions of the url?

I don’t know, I’ve never used tomcat.

That command keytool -genkey looks like a new private key is generated. But you have already the private key in your certbot folder. So you have only to import the correct private key.

Check the documentation of keytool how to import an existing private key.

I have completed numerous step-by-step instructions to establish ssl on tomcat using letsencrypt pem files with none of them succeeding. Here are the most recent steps:

$ /etc/letsencrypt/live/spendwithfriends.com
openssl pkcs12 -export -out fullchain_and_key.p12 -in fullchain.pem -inkey privkey.pem -name tomcat

keytool -importkeystore -deststorepass a1rPl@n31 -destkeypass pswd -destkeystore swf.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass pswd1 -alias tomcat

vi /opt/tomcat/conf/server.xml

Commented out:
Connector port=“8080” protocol=“HTTP/1.1”
connectionTimeout=“20000”
redirectPort=“8443”

Uncommented:
Connector executor=“tomcatThreadPool”
port=“8080” protocol=“HTTP/1.1”
connectionTimeout=“20000”
redirectPort=“8443”

Configured:
Connector port=“8443”
protocol=“org.apache.coyote.http11.Http11Protocol”
maxThreads=“150”
SSLEnabled=“true”
scheme=“https”
secure=“true”
keystoreFile="/etc/letsencrypt/live/spendwithfriends.com/swf.jks"
keystorePass=“pswd”
clientAuth=“false” sslProtocol=“TLS”

Bounced tomcat.

And still > site is not secure. ¯_(ツ)_/¯

Let’s simplify your commands and configuration a little bit.

Begin in the Tomcat directory:

cd /opt/tomcat/

Define which certificate we’re working with:

export CERT_DOMAIN=spendwithfriends.com

Convert from Certbot PEMs to PKCS#12:

openssl pkcs12 -export -out $CERT_DOMAIN.p12 \
-in /etc/letsencrypt/live/$CERT_DOMAIN/fullchain.pem \
-inkey /etc/letsencrypt/live/$CERT_DOMAIN/privkey.pem \
-passout pass:changeit

Then convert from PKCS#12 to JKS:

rm -f $CERT_DOMAIN.jks && keytool -importkeystore \
-destkeystore $CERT_DOMAIN.jks \
-srckeystore $CERT_DOMAIN.p12 -srcstoretype PKCS12 \
-deststoretype JKS -srcstorepass changeit -deststorepass changeit

Then configure a connector in Tomcat (Tomcat 9 in this case). Note, the absence of the keystore password below only works if you leave the above passwords as changeit:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="spendwithfriends.com.jks"
                      type="RSA" />
    </SSLHostConfig>
</Connector>

While Tomcat is running, check that it is serving the certificate:

openssl s_client -connect localhost:8443 -showcerts | openssl x509 -noout -subject -issuer -dates

Assuming you see your certificate’s details appear, that’s all working. Any remaining problems, you can blame on your iptables DNAT.

Edit: I noticed you’re using Tomcat 8, so I’ve also tested these instructions on Tomcat 8.5.43.

1 Like

_az,

Thank you very much for the help. I greatly appreciate it. I performed the steps successfully as directed. However, when I perform:

it just hangs on the cmd line.

I tried the command without the pipe resulting in this output:

It hangs on the cmd line after it states connected.
image

Never have seen this before. Does this mean I have issues with my iptables DNAT?

It’s unlikely that iptables is interfering with loopback traffic.

I think it probably means you messed up your server.xml. Show the contents of that file, as well as the catalina log for you last server startup.

server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
    maxThreads="150" minSpareThreads="4"/>
-->

<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the
     AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
-->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="spendwithfriends.com.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- An Engine represents the entry point (within Catalina) that processes
     every request.  The Engine implementation for Tomcat stand alone
     analyzes the HTTP headers included with the request, and passes them
     on to the appropriate Host (virtual host).
     Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->

  <!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  </Host>
</Engine>

catalina.out:

Gotta pay attention to exceptions when Tomcat starts!

Are you sure you ran the openssl and keytool commands verbatim?

What version is your JDK and OpenSSL?

openssl version
java -version

Yes, I saw that in the stacktrace and attempted to troubleshoot with no success. Yes, I followed your instructions very strictly and entered the commands verbatim aside from changing the password.

OpenSSL 1.0.2k-fips 26 Jan 2017

openjdk version “1.8.0_191”
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

Dunno man.

I just copy-pasted my instructions into a completely blank Ubuntu Xenial server (closest package versions to yours I could find) and they work as expected.

root@3e27207abe20:/# openssl version
OpenSSL 1.0.2g  1 Mar 2016
root@3e27207abe20:/# java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.16.04.1-b03)
OpenJDK 64-Bit Server VM (build 25.212-b03, mixed mode)

apache-tomcat-8.5.43.tar.gz

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.