[SGD-Users] RHEL5u4, SGD4.5, and wildcard SSL certs
adam
prozaconstilts at gmail.com
Mon Sep 28 03:29:30 EEST 2009
Richard Butland wrote:
> I haven't tried a wildcard cert myself in some time, so can't swear it
> works (but it certainly used to.)
>
> Anyway, are you seeing this error before or after the login form?
> Remember that up until the point that you've entered your login
> credentials that you're just talking to Apache / Tomcat - so if you're
> erroring before that, then the problem lies in your webserver
> configuration, or in the firewall traversal part.
>
> So, you may want to check your Apache and Tomcat logs to see if there's
> something obvious there.
> Did you use the "tarantella security enable" command to secure your system?
> Do you have a custom CA certificate / intermediate cert? The
> webservices endpoint keystore needs these installed, see:
> http://docs.sun.com/source/820-6689/chapter7.html#Z40000061527178
>
> As a quick test, check:
> /opt/tarantella/webserver/tomcat/6.0.18_axis1.4/shared/classes/com/tarantella/tta/webservices/client/apis/Resources.properties
>
>
> to see if all the endpoints are bound to https://servername:443/etc?
>
> If so, a quick test might be to just restore the endpoints to
> http://servername:80, restart everything, and see if that "fixes" the
> problem. If so, the problem is in your keystore certificate trust chain.
> Rick
>
>
> Adam Allred wrote:
>> Hello,
>>
>> I see in the SGD 4.5 admin guide that wildcard certs are supported for
>> the first domain of an SSL cert, e.g. *.domain.com:
>>
>> (page 26)
>> ---snip---
>> SGD supports the use of the wildcard for the first part of the domain
>> name, for
>> example .indigo-insurance.com.
>> ---snip---
>>
>> I've obtained a commercial certificate for my SGD server for
>> *.my.domain.com, and successfully installed it. After rebooting the
>> server, when I go to https://server.my.domain.com/sgd, I get this
>> error:
>>
>> Error Page
>> The following exception was thrown:
>>
>> I previously had this problem with RHEL5, and an earlier post pointed
>> me to my /etc/hosts file. I have ensured that my /etc/hosts file is
>> currently correct, and that my domain name is set.
>>
>> I see no errors in any logs.
>>
>> The admin console works, and I can perform all my tasks through it
>> with no problem over https.
>>
>> I ensured that the wildcard cert I installed was the cert in use via
>> my web browser's certificate store.
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> Adam
>> _______________________________________________
>> SGD-Users mailing list
>> SGD-Users at filibeto.org
>> http://www.filibeto.org/mailman/listinfo/sgd-users
>>
Hello,

The server logs show many client login failed errors for the webserver,
but they don't appear to be consistent w/ the timestamps of my testing.
That's a bit confusing...

I tried flipping back over to port 80 via the Resources.properties file,
and was redirected to https, and was presented the self signed cert from
the "security enable" command, and it did work.

So, I reissued the cert, and very very VERY slowly followed the admin
guide again. I came across this warning when I went to add a custom ca,
since digicert is an intermediate CA:

error 2 at 1 depth lookup:unable to get issuer certificate
WARNING: The custom CA certificate you are installing is not the one used to
sign the server certificate you have installed.
Are you SURE you want to install this CA certificate? [no]

I got this after splitting the intermediate ca and root ca (entrust)
certs into two separate files, and importing one by one. Previously, I
had combined the intermediate and root ca into one, and added with no
problem. Attempting to add the combined certs does not result in this
warning.

Aside from that bit (which I think was due to the split), I still can't
see any indication of a problem.

Any thoughts?

Thanks,

Adam
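
Added example, not part of the original thread and not SGD's own code: the "error 2 at 1 depth lookup" line above has the format printed by `openssl verify`, so this script reproduces it on a constructed throwaway chain (root -> intermediate -> wildcard leaf) by trusting the intermediate alone, the root alone, and both together. That the SGD tool runs an equivalent check is an assumption; all file names and CA names are constructed.

```shell
#!/bin/sh
# Constructed test PKI; nothing here comes from a real CA or from SGD.
set -eu
d=$(mktemp -d)
cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.my.domain.com
EOF

# new_csr NAME CN: fresh key plus certificate request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTSECTION: issue NAME.pem from NAME.csr using ISSUER's key
sign() {
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -CAcreateserial -extfile "$d/x.cnf" -extensions "$3" -days 2 \
    -out "$d/$1.pem" 2>/dev/null
}
# verify_leaf CAFILE: print openssl's verdict on the leaf for a given trust file
verify_leaf() {
  openssl verify -CAfile "$1" "$d/leaf.pem" 2>&1 || true
}

openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions ca \
  -subj "/CN=Constructed Root CA" -days 2 \
  -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
new_csr int "Constructed Intermediate CA"; sign int root ca
new_csr leaf "*.my.domain.com";            sign leaf int leaf
cat "$d/int.pem" "$d/root.pem" > "$d/combined.pem"

# Intermediate alone: leaf's issuer is found at depth 1, but that
# certificate's own issuer (the root) is missing, hence error 2 at depth 1.
echo "== intermediate only ==";   verify_leaf "$d/int.pem"
# Root alone: nothing links the leaf to the root, error 20 at depth 0.
echo "== root only ==";           verify_leaf "$d/root.pem"
# Both in one file: the chain completes.
echo "== intermediate + root =="; verify_leaf "$d/combined.pem"
```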