AnsweredAssumed Answered

Installed new SSL Cert - Alfresco CA still used

Question asked by chrisokelly on Jul 10, 2012
Latest reply on Jan 8, 2013 by marcus.svensson
Hi all,

This week we received our digicert certificates and made the move to installing them. Yesterday, when I left work, the certificates were working great. All I had done was to follow the steps in http://wiki.alfresco.com/wiki/Deploying_To_Server, half of which seemed to have been done already by the binary installer. To run through, I checked the ajp connector on :8009 in server.xml (already done), checked the workers.properties file in /etc/apache2/ (already done), checked the mod_jk config (already done in conf.d) and checked the virtualhost config (mostly done already, I just put in the path for the certs).

The one and only thing I have changed since the point yesterday when I logged in and was verified by the correct certificate is to up the permissions on the folder holding the certs. Once I thought I was done working with them I did:
sudo chown -R root:root digicert/
sudo chmod -R 755 digicert/

Today, my boss informed me that the certificates are not working. I checked and, lo and behold, I get a message about an untrusted certificate. I assumed this would be our self signed certificate still showing up, but it is a new one: Alfresco CA. The error as shown to me in Firefox is:
The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for Alfresco Repository

(Error code: sec_error_untrusted_issuer)

I know this sounds just like something I hear from end users all day, but I did not touch it in between. I finally got it working yesterday arvo just before finish time and left almost immediately. Tomcat would have been restarted automatically during the night but I don't see that affecting things (I was restarting the server to check the results of my changes anyway). Does anyone know what would be causing this?

My setup is: alfresco community 4.0.d on Ubuntu 10.04. Alfresco.log and Catalina.out have nothing but INFO logging in them, so I won't include them, however my server.xml (/opt/alfresco-4.0.d/tomcat/conf/server.xml) is:
<?xml version='1.0' encoding='utf-8'?>
<!–
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
–>
<!– Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
–>
<Server port="8005" shutdown="SHUTDOWN">

  <!–APR library loader. Documentation at /docs/apr.html –>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!–Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html –>
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!– Prevent memory leaks due to use of particular java/javax APIs–>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <!– JMX Support for the Tomcat server. Documentation at /docs/non-existent.html –>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!– Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  –>
  <GlobalNamingResources>
    <!– Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    –>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!– A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   –>
  <Service name="Catalina">

    <!–The connectors can use a shared executor, you can define one or more named thread pools–>
    <!–
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    –>
    <!– A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    –>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!– A "Connector" using the shared thread pool–>
    <!–
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    –>
    <!– Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation –>
<!–
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
–>
    <!– Define an AJP 1.3 Connector on port 8009 –>

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="/opt/alfresco-4.0.d/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
secure="true" connectionTimeout="240000" truststoreFile="/opt/alfresco-4.0.d/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />

    <!– An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html –>

    <!– You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    –>
    <Engine name="Catalina" defaultHost="localhost">

      <!–For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) –>
      <!–
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      –>

      <!– The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html –>
      <!–
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      –>
      <!– This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase".  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  –>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!– Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       –>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">

        <!– SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html –>
        <!–
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        –>

        <!– Access log processes all example.
             Documentation at: /docs/config/valve.html –>
        <!–
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
        –>

      </Host>
    </Engine>
  </Service>
</Server>

My apache2.conf:
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended – so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>
# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

# Load the mod_auth_ntlm_winbind module to allow for moodle SSO - Chris
<IfModule !mod_auth_ntlm_winbind.c>
     LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so
</IfModule>

# Enable NTLM SSO login for Moodle - Chris
<Directory "/var/www/mtp/auth/ldap/">
     <Files ntlmsso_magic.php>
         NTLMAuth on
         AuthType NTLM
         AuthName "Moodle NTLM Authentication"
         NTLMAuthHelper "/usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp"
         NTLMBasicAuthoritative on
         require valid-user
     </Files>
</Directory>
<Directory "/var/www/mtp/auth/ldap2/">
     <Files ntlmsso_magic.php>
         NTLMAuth on
         AuthType NTLM
         AuthName "Moodle NTLM Authentication"
         NTLMAuthHelper "/usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp"
         NTLMBasicAuthoritative on
         require valid-user
     </Files>
</Directory>

in /etc/apache2/conf.d, jk.conf:
<ifmodule mod_jk.c>
        JkWorkersFile /etc/apache2/workers.properties
        JkLogFile /var/log/apache2/mod_jk.log
        JkLogLevel info
</ifmodule>
in /etc/apache2, workers.properties:
worker.list=default
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1

And finally, in sites-enabled, 000-default:
<VirtualHost *:80>
        ServerName docs.company.com
        RewriteEngine on
        ReWriteCond %{HTTPS} !=on
        ReWriteRule ^/(.*) https://docs.company.com/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
        ServerName docs.company.com
        DocumentRoot /var/www

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/digicert/certs/star_company_com.crt
        SSLCertificateKeyFile /etc/ssl/certs/digicert/star_company_com.key
        SSLCertificateChainFile /etc/ssl/certs/digicert/certs/DigiCertCA2.crt
        SSLCACertificateFile /etc/ssl/certs/digicert/certs/DigiCertCA2.crt
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    JkMountCopy On
    JkMount /alfresco default
    JkMount /alfresco/* default
    JkMount /share default
    JkMount /share/* default

</VirtualHost>

So can anyone shed any light on why we are now being served the Alfresco CA certificate instead of the one configured in mod_jk?

Oh, final note, I set the log level for mod_jk down to info, and the only thing I see in it's mod_jk.log is
[Tue Jul 10 12:30:13.028 2012] [14770:1957041984] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Tue Jul 10 12:30:13.251 2012] [14771:1957041984] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Tue Jul 10 12:49:49.645 2012] [15524:3171579712] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Tue Jul 10 12:49:50.561 2012] [15525:3171579712] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Tue Jul 10 13:17:38.865 2012] [16777:202385216] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
[Tue Jul 10 13:17:39.279 2012] [16778:202385216] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized
over and over, so I don't think it's a mod_jk problem

I've tried removing the keystore properties from the 8443 connector in server.xml (that was a bad idea, caused errors), tweaking about the mod_jk and apache properties a little (putting the mod_jk properties in apache2.conf, in httpd.conf, originally I had no SSLCACertificateFile  line when it was working, just SSLCertificateChainFile pointing to the same cert, so tried adding this property) but all to no avail. I do restart both tomcat and apache for each change to test.

Outcomes