SSL - Failed to establish chain error using Tomcat and Comodo

Can somebody help please?
I am now halfway through installing the certificate we have purchased from Comodo (Premium SSL). We are using Rhythmyx 6.5.2 on Windows 2003.

I have the connector already set up and can see that the entries for port 9443 and location of keystore file are correctly being written into the server.xml when I make changes (although I am not yet 100% sure I am using the correct syntax for the path to the keystore file, since I am using the fully qualified path and don’t yet know the filename for the keystore file. I find Percussion documentation vague here).

I have also opened up port 9443 on that server and our firewall and checked the server is listening.

Now I have the following 3 files from Comodo:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODOHigh-AssuranceSecureServerCA.crt
Your Comodo PremiumSSL Certificate - <ourdomainname>.crt

and have copied them to D:\Rhythmyx\AppServer\server\rx\conf\ where the <ourdomainname>.csr and <ourdomainname>.jks files were previously created using the tomcat keytool (https://www.digicert.com/easy-csr/keytool.htm).

Now to actually install the certificate I am using this command:

keytool -import -trustcacerts -alias server -file D:\Rhythmyx\AppServer\server\rx\conf\www_iupapupdate_org.crt -keystore D:\Rhythmyx\AppServer\server\rx\conf\www_iupapupdate_org.jks

but I am getting the 'Failed to establish chain' error.

Obviously it's not working, but any help on the following would be a help for me:

  1. Am I using the correct command? I am not sure if I have the keystore in the correct location and also I don't know which files I should reference in the command.
  2. Should this command write a file with '.keystore' on the end of the filename? It would appear so, because the Rhythmyx documentation implies this for entering into the Rhythmyxserverproperties.exe field.

It would help if I knew what the csr, jks and crt files are exactly. Each certificate authority seems to have different file endings and refer to the files differently.

Any help would be gratefully received before I go to Percussion technical support.
Thanks

I’m relatively sure you need to use Rhythmyx\JRE\lib\security\cacerts.

keytool -import -file cachain.pem -keystore cacerts -storepass changeit -alias your_cachain

where cachain.pem is the PEM file containing the full chain.

As a side note, a useful tool is Portecle which will allow you to see existing chain relationships within a key store and build chain associations.

Thanks Darrel
Actually the problem was that I need to run the Tomcat command on the Root authentication file first before the intermediate and finally our own local certificate. Certificate is now installed properly.
Now I have another problem:
I have set Tomcat to listen on port 9443 using the rhythmyxserverpropertieseditor.exe which wrote the following connector to the server.xml:

<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="D:\Rhythmyx\AppServer\server\rx\conf\ourdomainname.jks" keystorePass="<ourpassword>" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="9443" scheme="https" secure="true" sslProtocol="TLS"/>

However trying to telnet to port 9443 using localhost or the IP of the server fails. For some reason Tomcat is not listening on port 9443. This is even more strange since if I look in console.log I see that there is a line saying that it is listening on port 9443. Any ideas anybody?

Does anybody know how I can verify the Comodo SSL certificates are installed correctly (in the confs folder) other than by using a browser? When I try a browser on port 9443 it fails, but Tomcat says in the logs it's listening on port 9443 and also the connector has the port correctly defined. I think I need to establish that the certificates are okay before Tech Support can help me debug Rhythmyx.

Okay Comodo tech support showed me how to verify the keystore on the command line

keytool -list -keystore [keystore file + path]

If the certificates are installed correctly you will get 4 entries - 3 for the certificates and 1 for the password.

My certificates are installed correctly
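The fix Simon describes (import the root first, then the intermediate, then the server certificate) together with the keytool -list check from Comodo support, written up as one script. This is an added example, not code from the thread or from Percussion. It assumes the Comodo file names quoted above, that the key pair and CSR were generated under the alias "server" (the alias in Simon's original command), a placeholder store password, and the D:\Rhythmyx path in forward-slash form for a POSIX-style shell; the keytool -list -v listing it checks is a constructed sample shaped like real keytool output.

```shell
#!/bin/sh
# Added example (not from the thread): import a CA-signed certificate into the
# Tomcat keystore in the order that avoids "Failed to establish chain", then
# verify the result from `keytool -list -v` output.
# Assumed: file names from the thread, alias "server" for the key pair that
# produced the CSR, a placeholder store password, forward-slash path form.
set -eu

CONF_DIR="${CONF_DIR:-D:/Rhythmyx/AppServer/server/rx/conf}"   # assumed path
KEYSTORE="${KEYSTORE:-$CONF_DIR/ourdomainname.jks}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use the real store password

# Import order: root, then intermediate, then the server certificate. keytool
# validates each reply against what is already in the store (plus the JRE
# cacerts with -trustcacerts), so an issuer must be present before the
# certificate it issued.
import_chain() {
    keytool -import -trustcacerts -noprompt -alias comodo_root \
        -file "$CONF_DIR/AddTrustExternalCARoot.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -trustcacerts -noprompt -alias comodo_intermediate \
        -file "$CONF_DIR/COMODOHigh-AssuranceSecureServerCA.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    # Must use the alias the key pair/CSR was generated under; with any other
    # alias the certificate becomes a separate trusted entry, not the key's chain.
    keytool -import -trustcacerts -noprompt -alias server \
        -file "$CONF_DIR/ourdomainname.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Read `keytool -list -v` output on stdin and print "<entry type> <chain length>"
# for the given alias. trustedCertEntry entries carry no chain-length line, so
# they are reported as length 1. Exit 2 if the alias is not in the listing.
entry_summary() {
    awk -v want="$1" '
        /^Alias name:/                              { cur = $3; next }
        cur == want && /^Entry type:/               { type = $3 }
        cur == want && /^Certificate chain length:/ { len = $4 }
        END {
            if (type == "") exit 2
            if (len == "") len = 1
            print type, len
        }'
}

# Succeeds only when the key-pair alias holds a full 3-certificate chain
# (server + intermediate + root), which is what the HTTPS connector will serve.
chain_is_complete() {
    [ "$(entry_summary "$1")" = "PrivateKeyEntry 3" ]
}

# Constructed sample, shaped like `keytool -list -v` after a correct import
# (real output also carries issuer, validity and fingerprint lines).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: server
Creation date: Jan 1, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Certificate[2]:
Owner: CN=COMODO High-Assurance Secure Server CA
Certificate[3]:
Owner: CN=AddTrust External CA Root

Alias name: comodo_root
Creation date: Jan 1, 2010
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root'

# "import" runs the real keytool imports; the default checks the sample.
# For the real store:  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | chain_is_complete server
case "${1:-check}" in
    import) import_chain ;;
    check)
        if printf '%s\n' "$SAMPLE_LISTING" | chain_is_complete server; then
            echo "alias server: complete 3-certificate chain"
        else
            echo "alias server: chain incomplete or certificate not attached to the key" >&2
            exit 1
        fi ;;
esac
```

If the server certificate was imported before the CAs, or under an alias other than the key pair's, the listing shows it as a trustedCertEntry and the check fails; re-import in the order above under the key-pair alias.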

Does anybody know if port 9443 is the correct port for external SSL access to Rhythmyx? Percussion themselves seem unsure about this, but it seems that maybe it isn't because it's still not working for me.

If there’s a connector defined in server.xml, you should be fine… provided the port is open on the machine’s firewall. I would expect 9443 to be open to localhost by default, and I did read your earlier post implying that the firewall was not the issue, but your post this morning only mentions trying from a client browser (which I assume is not on the same machine as the application server, but you know what they say about assumptions).

Thanks Darrel - I don't make assumptions. I am too long in IT for that. I tried netstat on the server and port 9443 is not being listened on despite server.xml saying it should be. Also tried 127.0.0.1:9443 in a browser on the server itself and that fails to connect. I just tried 443 also (changed to that in rxserverpropertieseditor which wrote it to server.xml and rebooted) and that also fails. netstat shows that 443 is not opened on the server. So I am pretty sure that for some reason Tomcat is not listening on the ports Rhythmyx tells it to. I just don't know why and Tech Support appear to be at a loss too.

I just wanted to throw a quick follow-up to this problem and say that we worked with Simon over the past couple of weeks on this one and we were able to resolve the problems he was having with some corrections to the way the keystore file was being generated.

One quick way to check if the certificates are being read properly and the content explorer is available at port 9443 is to check the server log, located at
{RhythmyxRoot}/Rhythmyx/AppServer/server/rx/log/server.log

you can expect to see
… INFO [com.percussion.Server] Loading configuration
… [com.percussion.Server] Listening for HTTP requests on port: 9992
… [com.percussion.Server] Listening for HTTPS requests on port: 9443
… [com.percussion.Server] Initializing macros

However if the certificate is not installed properly you will see server.log entries such as
LifecycleException: Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect

To check whether port 9443 is being listened on, on UNIX run
netstat -an | grep 9443
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN

Hope it helps
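The server.log lines and the netstat check from the post above, turned into a small script as an added example (not Percussion's code). It classifies a server.log as listener-up, keystore-error, or neither, and scans netstat -an output for a LISTEN socket on the port. The log and netstat inputs embedded here are constructed samples shaped like the excerpts in the post; the listener and error strings it matches are the ones quoted there.

```shell
#!/bin/sh
# Added example (not from the thread): check a Rhythmyx server.log and a
# netstat listing for the HTTPS connector state. The samples below are
# constructed; against the real server run
#   https_listener_state 9443 < {RhythmyxRoot}/Rhythmyx/AppServer/server/rx/log/server.log
#   netstat -an | port_is_listening 9443
set -eu

# Reads server.log on stdin. Exit 0: "Listening for HTTPS requests" seen for
# the port. Exit 1: the keystore error from the post is present (wrong store
# password or damaged store; the connector never started). Exit 2: neither.
https_listener_state() {
    awk -v port="$1" '
        $0 ~ ("Listening for HTTPS requests on port: " port "([^0-9]|$)") { up = 1 }
        /Keystore was tampered with, or password was incorrect/          { bad = 1 }
        END { if (bad) exit 1; if (up) exit 0; exit 2 }'
}

# Reads `netstat -an` output on stdin; exit 0 if a LISTEN/LISTENING line has a
# local address ending in the port. Accepts 0.0.0.0:9443 (Linux, Windows) and
# *.9443 (BSD) forms; ":19443" does not match port 9443.
port_is_listening() {
    awk -v port="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ ("[:.]" port "$")) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample log lines, shaped like the server.log excerpt in the post.
SAMPLE_LOG='2010-01-01 09:00:00,000 INFO  [com.percussion.Server] Loading configuration
2010-01-01 09:00:02,000 INFO  [com.percussion.Server] Listening for HTTP requests on port: 9992
2010-01-01 09:00:02,000 INFO  [com.percussion.Server] Listening for HTTPS requests on port: 9443
2010-01-01 09:00:02,000 INFO  [com.percussion.Server] Initializing macros'

# Constructed failure case carrying the error line quoted in the post.
SAMPLE_LOG_BAD='2010-01-01 09:00:00,000 INFO  [com.percussion.Server] Loading configuration
2010-01-01 09:00:02,000 ERROR LifecycleException: Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect'

# Constructed `netstat -an` output (Linux form).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9992            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

rc=0
printf '%s\n' "$SAMPLE_LOG" | https_listener_state 9443 || rc=$?
case $rc in
    0) echo "server.log: HTTPS listener reported on port 9443" ;;
    1) echo "server.log: keystore could not be opened; fix the store or password before chasing ports" ;;
    *) echo "server.log: no HTTPS listener line for port 9443 (server not started, or log rotated)" ;;
esac

if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_listening 9443; then
    echo "netstat: a socket is in LISTEN on port 9443"
else
    echo "netstat: nothing listening on port 9443 (connector not started, or firewall is not the problem yet)"
fi
```

The two checks answer different questions: the log tells you whether Tomcat ever opened the keystore and started the connector, and netstat tells you whether the listening socket actually exists on the box, before any firewall is involved.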