SSL cert not being read by uPortal for internal communication?


Stephen

Jul 24, 2019, 10:06:23 AM7/24/19
to uPortal Community
Hi All,

So this is how best I can describe the situation:

Versions:
  • Ubuntu 18.04.2 LTS
  • Apache2.2
  • Tomcat 8.5.30
  • uPortal 4.3.1
  • java 1.8.0_212
Conf
  • Apache redirects everything to uPortal on tomcat on localhost:8443 (eg. example.com/uPortal)
  • SSL File set on apache conf
  • SSL p12 keystore set in tomcat conf
  • Certificates are wildcard certs for our domain (eg. *.example.com)
Apache conf
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/cert.key

Alias /content/ /path/to/content/
<Location /content/>
Require all granted
</Location>
<Location />
Require all granted
</Location>
SSLProxyEngine on
ProxyPreserveHost on
ProxyPass /content !
ProxyPass /uPortal https://localhost:8443/uPortal
ProxyPassReverse /uPortal https://localhost:8443/uPortal
ProxyPassReverse / https://localhost:8443

Tomcat Conf
<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/cert.p12" keystorePass="redacted"
           clientAuth="false" sslProtocol="TLS"/>

Cert for ldaps connection obtained from ldap server and saved to cacerts keystore
openssl s_client -connect ldap.server.url:636 -showcerts

openssl x509 -in ldap.crt -out ldap.pem -outform PEM

keytool -import -alias ldap -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file /path/to/ldap.pem

Portlet with an import of a /content page
environment.build.ldap.url=ldaps://ldap.server.url:636
Behavior:
  • Redirection works as expected. All queries go to uPortal except for anything on the /content/ alias
  • SSL certificates are valid when visiting anything hosted on the server be it /uPortal or /content
Issues:
  • ldaps connection for authentication does not work and throws a javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ldap.server.url found
  • portlet fails to display the content page with the same error (url of server on exception)
Testing
  • Changing the import url on the portlet to some page hosted somewhere else (eg. https://www.google.com/) works by displaying it without issues
  • Changing the import url on the portlet to some other https page hosted in our domain on some other server using the same wildcard certificate works by displaying it without issues
  • Changing the import url to another subdomain and adding the subdomain to hostfile to point back to itself yields same exception
  • Changing the ldaps conf to use ldap (port 389) lets you log in successfully
  • Converted the p12 file used in the tomcat conf to a jks and added java_opts to the tomcat startup script to add it as arguments
    • -Djavax.net.ssl.keyStore=/path/to/cert.jks -Djavax.net.ssl.keyStorePassword=redacted -Djavax.net.ssl.trustStore=/path/to/cert.jks -Djavax.net.ssl.trustStorePassword=redacted
    • This only caused tomcat to start without publishing 8443 as a connector essentially breaking its functionality.

At this point I'm faced with hosting the /content/ content somewhere else and using ldap instead of ldaps for authentication

Ideas?

-Stephen
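Added example, not part of Stephen's post or of uPortal: a small Python checker that applies the same hostname-matching rules the JVM uses when it raises "No name matching <host> found", so you can compare the host the JVM connects to against the dNSName entries the service actually presents. The hostnames and SAN list in it are constructed placeholders, and `fetch_san_dns_names` assumes the `openssl` binary from the post is on the PATH.

```python
import re
import subprocess
from typing import Iterable, List

def dns_name_matches(hostname: str, san_name: str) -> bool:
    """True if one certificate dNSName entry covers hostname.

    Mirrors the rules Java's default hostname verifier applies: comparison is
    case-insensitive, a wildcard is only honoured as the whole leftmost label,
    and it matches exactly one label, so *.example.com covers ldap.example.com
    but not ldap.internal.example.com, example.com itself, or localhost.
    """
    host = hostname.rstrip(".").lower()
    name = san_name.rstrip(".").lower()
    if "*" not in name:
        return host == name
    wild, _, suffix = name.partition(".")
    if wild != "*" or not suffix:
        return False  # partial or non-leftmost wildcards are not honoured
    label, dot, rest = host.partition(".")
    return bool(label) and dot == "." and rest == suffix

def cert_covers_host(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any dNSName in the certificate covers the hostname."""
    return any(dns_name_matches(hostname, n) for n in san_dns_names)

def san_dns_names_from_text(x509_text: str) -> List[str]:
    """Extract the dNSName SAN entries from `openssl x509 -text` output."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)

def fetch_san_dns_names(host: str, port: int) -> List[str]:
    """Ask the live service for its leaf certificate with openssl s_client
    (the tool used in the post) and return the dNSName entries it presents."""
    chain = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=15, check=False).stdout
    text = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=chain, capture_output=True, text=True, check=True).stdout
    return san_dns_names_from_text(text)

if __name__ == "__main__":
    # Constructed SAN list standing in for a wildcard cert such as *.example.com.
    sans = ["*.example.com", "example.com"]
    for target in ["ldap.example.com", "ldap.internal.example.com", "localhost"]:
        state = "covered" if cert_covers_host(target, sans) else "NOT covered"
        print(f"{target}: {state}")
```

Run `fetch_san_dns_names("ldap.server.url", 636)` (or port 8443 for the Tomcat connector) and feed the result to `cert_covers_host` with the exact hostname from the ldaps URL or portlet import URL to see which side of the mismatch needs fixing.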