--
You received this message because you are subscribed to the Google Groups "Tethys Platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tethysplatform+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tethysplatform/ccfd2dc1-0e2f-41d5-838a-ea761ad7fa32%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I know the current tethys clustered geoserver has an nginx server inside the container as a balancer; maybe you can try to let that nginx do the https stuff, not tomcat.
Thanks
Drew
On Tue, Aug 15, 2017 at 12:45 PM, Michael S <masou...@gmail.com> wrote:
Has anyone done this in production? Our tethys portal runs in both http and https, but our geoserver can only use http. I wanted to add https to geoserver because when an app that uses geoserver is opened using https, the features in the map coming from geoserver won't display.
There is a lot of confusing stuff on the internet, and so I wanted to see if anyone here has done it.
We are using apache2, and geoserver is in tomcat7 inside docker (you can see where the levels of confusion start).
Thanks,
Michael
OK, in this case all requests to geoserver are handled directly by tomcat inside the container, not through apache on the host. Should config https on tomcat. I vaguely remember we tried doing this on tomcat with Jiri before. Several extra efforts and workarounds are required as tomcat needs a 'keystore' (or something else) instead of a common https certificate file.
I would suggest upgrading geoserver to the clustered version and configuring https on nginx. It should be easier. Tethys1.4 works with clustered geoserver.
thanks
drew
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
https://www.digicert.com/ssl-certificate-installation-tomcat.htm
# TETHYS SETUP
https://github.com/tethysplatform/tethys/issues/137
# STEP 1
$ keytool -genkey -alias tethys_geoserver -keyalg RSA -keystore /usr/share/tomcat/conf/erdc_geo.jks
Enter keystore password: tethys_geoserver
Re-enter new password:
What is your first and last name?
[Unknown]: geoserver.path.com
What is the name of your organizational unit?
[Unknown]: your_org_unit
What is the name of your organization?
[Unknown]: your_org
What is the name of your City or Locality?
[Unknown]: vicksburg
What is the name of your State or Province?
[Unknown]: ms
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=geoserver.path.com, OU=chl, O=erdc, L=vicksburg, ST=ms, C=us correct?
# STEP 2
$ keytool -certreq -keyalg RSA -alias tethys_geoserver -file erdc_geo.csr -keystore /usr/share/tomcat/conf/erdc_geo.jks
$ keytool -import -trustcacerts -alias tethys_geoserver -keystore /usr/share/tomcat/conf/erdc_geo.jks -file erdc_geo.crt
# STEP 3
$ vim /usr/share/tomcat/conf/server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLSv1.2"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA"
keyAlias="tethys_geoserver"
keystoreFile="/usr/share/tomcat/conf/erdc_geo.jks"
keystorePass="tethys_geoserver" />
# STEP 4
$ firewall-cmd --zone=public --permanent --add-port=8443/tcp
$ firewall-cmd --reload
$ sysctl -w net.ipv6.conf.all.disable_ipv6=1
$ sysctl -w net.ipv6.conf.default.disable_ipv6=1
# STEP 5
# GET & UPDATE CERTIFICATES ON TETHYS SERVER
$ openssl s_client -showcerts -connect geoserver.path.com:8443
# APPEND CERT INFO TO THESE
$ vim /usr/lib/tethys/lib/python2.7/site-packages/httplib2/cacerts.txt
$ vim /usr/lib/tethys/lib/python2.7/site-packages/certifi/cacert.pem
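
Added example, not part of the original thread or the Tethys project: a small Python audit of the STEP 3 Connector that flags the TLS 1.0/1.1 entries in sslEnabledProtocols, the cipher suites without forward secrecy or using CBC, and a keystore password equal to the key alias. The function names, the shortened sample XML and the password heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the STEP 3 Connector, cipher list shortened.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA"
  keystoreFile="/usr/share/tomcat/conf/erdc_geo.jks"
  keyAlias="tethys_geoserver" keystorePass="tethys_geoserver" />
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def classify_cipher(name):
    """Return why a JSSE suite name is weak, or None if it passes."""
    if name.startswith(("TLS_RSA_", "TLS_ECDH_", "TLS_DH_")):
        return "static key exchange, no forward secrecy"
    if "_CBC_" in name:
        return "CBC mode, prefer an AEAD (GCM) suite"
    return None

def split_list(value):
    # Line breaks inside an XML attribute arrive as spaces, so strip each item.
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_connectors(server_xml):
    """Return (port, kind, value, reason) for each weak TLS setting."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for proto in split_list(conn.get("sslEnabledProtocols")):
            if proto in LEGACY_PROTOCOLS:
                findings.append((port, "protocol", proto, "deprecated TLS/SSL version"))
        for suite in split_list(conn.get("ciphers")):
            reason = classify_cipher(suite)
            if reason:
                findings.append((port, "cipher", suite, reason))
        password = conn.get("keystorePass")  # heuristic below is an assumption
        if password and password in (conn.get("keyAlias"), "changeit"):
            findings.append((port, "keystorePass", "<hidden>", "guessable password"))
    return findings

if __name__ == "__main__":
    print(*audit_connectors(SAMPLE_SERVER_XML), sep="\n")
```

To check a real host, pass the contents of /usr/share/tomcat/conf/server.xml to audit_connectors instead of the sample.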