java - TLS with self-signed cert with tomcat server - could not load PEM client certificate




I want to use TLS for a REST API. I'm planning to create a self-signed cert and provide the public key to the clients of the REST API.

My REST API is deployed on a Tomcat Catalina container (Tomcat version 8.0.42).

And the test steps are below,

Server side

1) Created a self-signed cert using openssl

openssl genrsa -out restapi.key 2048
openssl req -new -key restapi.key -out restapi.csr
openssl x509 -req -days 24855 -in restapi.csr -signkey restapi.key -out restapi.cert

2) Created a PKCS#12 bundle

openssl pkcs12 -export -in restapi.cert -inkey restapi.key -out restapi.p12 -name restapi 

3) Configured Tomcat to have TLS enabled (with keystoreType "PKCS12"), and started Tomcat

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/Users/prayagupd/restapi.p12"
           keystoreType="PKCS12"
           keystorePass="prayagupd"
           clientAuth="true"
           sslProtocol="TLS" />

Client side

4) Sent an HTTPS request

I have the same PKCS#12 file on the client. I saw `openssl x509 -pubkey -noout -in restapi.cert > pubkey.pem`, but I'm not sure if I need it.

The permissions on this .p12 look like

21765315 -rw-r--r--  1 prayagupd  nord\domain users  2596 aug 24 01:34 restapi.p12 

When I send the HTTPS request it fails with the following error (with curl 7.55.1)

$ curl -v --cert restapi.p12 https://localhost:8443/restapi/health
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

$ curl --cert restapi.p12:restapi https://localhost:8443/restapi/health
curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

It's working if I bypass TLS verification,

$ curl --insecure https://localhost:8443/restapi/health
{"id":3,"eventid":"config_sucks","status":"sky green"}

openssl s_client throws an SSL handshake failure,

$ openssl s_client -connect localhost:8443 -showcerts
CONNECTED(00000003)
59281:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:

Note

I found a resource - Mutual Authentication with Tomcat 7 - that explains establishing TLS communication. I'm having the same issue with it: could not load PEM client certificate. Here's the code - TLSv1.2

keytool -import -alias root -keystore restapi.jks -trustcacerts -file restapi.cert

The problem is here. All you accomplished was importing a signed certificate. You need to import the private key as well. You should have used nothing but keytool here:

keytool -genkey ...
keytool -selfcert ...

using the same alias throughout. You can throw away the existing keystore; it is of no use to man or beast.

This is documented. See the JSSE Reference Guide.

Since you have done the openssl part well, you have all you need to end up with a PKCS#12 keystore file, which you can use directly in Java. There's no reason to use openssl unless you're dealing with an openssl-based system, such as Apache httpd, MySQL, OpenLDAP, etc.
