
Alfresco and HTTPS (solved)

Question asked by thilker on Feb 3, 2014
Hi!

It cost me 2 days to solve this problem, but at least it works.

Problem:
- Alfresco communicates internally via self-certified certificates.
- To run a trustful site, you have to buy a certificate (Verisign, Geotrust, etc.) because the self-certified certificates are not trustful.
- Alfresco is somehow not able to communicate internally via trustful certificates. (Exception: "bad certificate")
  (Maybe it has something to do with the chaining or the CN (Common Name), which might not fit.)

After playing around for hours and hours with the cacerts file, trust stores, keystores, etc., I had the idea:

Why not use 2 SSL ports in Tomcat?
One for internal communication, one for the external.

Here is the config:

    <Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" connectionTimeout="240000"
               keystoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
               truststoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />

    <Connector port="443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" connectionTimeout="240000"
               keystoreFile="/opt/alfresco-4.2.e/alf_data/keystore/tomcat.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
               truststoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />


Port 8443 is the one the installation process created and it points to the self-certified certificates.
Port 443 is the one I added. It points to my trusted certificate (tomcat.keystore).

Now you can browse Alfresco via "https://www.yourcompany.com/share" using a "valid" certificate.
The 8443 and 8080 port can be hidden behind a firewall.

I surfed around for a while, no warnings or errors yet.
Tested WebDAV successfully. (e.g. https://www.mycompany.com/alfresco/webdav/Sites/swsdp/documentLibrary/Meeting%20Notes)

What a nice tool!

Hope that helps!

Regards,

Thorsten
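As an added example (not part of the post above, and not Alfresco's or Tomcat's own tooling), a small Python linter that reads a Tomcat server.xml and checks the two-connector layout the post describes: the public 443 connector must use a different keystore than the installer's 8443 connector, the internal connector should be bound to a local address rather than relying only on the firewall, and `allowUnsafeLegacyRenegotiation="true"` is reported as a weak setting. The XML fragment is constructed from the connectors in the post with the passwords left out; the `address` attribute check is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the post's two SSL connectors
# (keystore passwords omitted; a real file keeps whatever the installer set).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
  scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"
  keystoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.keystore" keystoreType="JCEKS"
  truststoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.truststore" truststoreType="JCEKS"
  allowUnsafeLegacyRenegotiation="true"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
  scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"
  keystoreFile="/opt/alfresco-4.2.e/alf_data/keystore/tomcat.keystore" keystoreType="JCEKS"
  truststoreFile="/opt/alfresco-4.2.e/alf_data/keystore/ssl.truststore" truststoreType="JCEKS"
  allowUnsafeLegacyRenegotiation="true"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def ssl_connectors(xml_text):
    """Return {port: attributes} for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return {int(c.get("port")): dict(c.attrib)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"}


def check_split(xml_text, public_port=443, internal_port=8443):
    """Lint the dual-connector layout; returns a list of findings (empty = clean)."""
    conns = ssl_connectors(xml_text)
    findings = []
    pub, internal = conns.get(public_port), conns.get(internal_port)
    if pub is None:
        findings.append(f"no SSL connector on public port {public_port}")
    if internal is None:
        findings.append(f"no SSL connector on internal port {internal_port}")
    # The whole point of the layout: the self-signed keystore must not serve the public port.
    if pub and internal and pub.get("keystoreFile") == internal.get("keystoreFile"):
        findings.append("public and internal connectors share a keystore; self-signed cert exposed")
    # Assumed hardening: bind the internal connector to loopback instead of trusting the firewall alone.
    if internal and internal.get("address", "") not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"port {internal_port}: not bound to a local address (address attribute)")
    for port, attrs in sorted(conns.items()):
        if attrs.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true":
            findings.append(f"port {port}: allowUnsafeLegacyRenegotiation=true (insecure renegotiation)")
    return findings
```

Run it against the real server.xml with `check_split(open(path).read())`; the post's configuration as written yields the renegotiation and address findings but passes the keystore check.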
