On 1/18/07, Tomo <tom@xxxxxxxx> wrote:
> https is on 8444 rather than 8443 because a plesk system is running on 8443. The tomcat certificate has been generated and the server.xml modified. Tomcat is happy serving pages on https://localhost:8444 directly, so why would this rewrite rule fail?
>
> The mod_rewrite log has the same output (except for the urls used in the rewrite) for both of these rules, so that's no help. The ssl_error log says:
> RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
> The error_log has a similar warning:
> [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?

When you connect to https://localhost:8444/ using a browser you probably get a dialog box saying that the browser can't verify the certificate, asking you if you want to accept the session anyway. And I assume you click on OK then. This is because you have a self-signed cert on your tomcat server.

The problem is that when your apache server makes an https connection with the tomcat server there is nobody around to click on "ok". So apache, when it encounters errors in the certificate (which it does when it is self-signed), will just refuse the connection.

In this case I would really reconsider if ssl is really necessary. If the only way the tomcat application is accessed is via the apache server, then you don't need ssl. You can just use http for your tomcat. It is quite common in production environments (e.g. ours) that ssl is terminated on an apache server, and then forwarded over http to the tomcat server.

The only solution I can see, if you really want https between your apache and tomcat servers, is that you will need to do the following:

- Get a proper certificate. You can get one for free at cacert.org or you can set up your own CA (which is what I did). You then need to integrate the root certificate into the CA store of your apache server, so it can verify the cert. For this I refer you to the apache documentation.

Krist

--
krist.vanbesien@xxxxxxxxx
Bremgarten b. Bern, Switzerland
--
"...what you don't realize is that in the future Google WILL reach sentience, will [have had] invent[ed] a time machine, and will [have had] travel[ed] back in time to prevent Bill Gates... only to become Bill Gates by accident because of a search engine optimization miscalculation." (Comment on the Dilbert Blog)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
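
The two setups described in the reply above, written out as an added Apache configuration example (not part of the original thread and not either poster's actual configuration). The host names, the /app/ path, the certificate file paths and Tomcat's plain-HTTP port 8080 are assumptions; only the HTTPS backend port 8444 comes from the thread.

```apache
# Option A: SSL ends at Apache; Tomcat is reached over plain HTTP.
# Assumes Tomcat's HTTP connector listens on loopback only (port 8080 is an
# assumption), so the unencrypted hop never leaves the machine.
<VirtualHost *:443>
    ServerName app-a.example.com                  # placeholder host name
    SSLEngine on
    SSLCertificateFile    /path/to/public-cert.pem    # placeholder path
    SSLCertificateKeyFile /path/to/public-key.pem     # placeholder path

    ProxyRequests Off                             # reverse proxy only
    ProxyPass        /app/ http://127.0.0.1:8080/app/
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/
</VirtualHost>

# Option B: HTTPS is kept between Apache and Tomcat, and Apache verifies
# the Tomcat certificate against the root of a private CA.
<VirtualHost *:443>
    ServerName app-b.example.com                  # placeholder host name
    SSLEngine on
    SSLCertificateFile    /path/to/public-cert.pem
    SSLCertificateKeyFile /path/to/public-key.pem

    # Needed for any https:// backend, whether it is reached through
    # ProxyPass or through a RewriteRule with the [P] flag.
    SSLProxyEngine on

    # Trust only the private CA that issued the Tomcat certificate.
    SSLProxyCACertificateFile /path/to/private-ca-root.pem   # placeholder
    SSLProxyVerify require
    SSLProxyVerifyDepth 2

    # Require the backend certificate name to match the host in the
    # backend URL (Apache 2.4.5 and later; older releases use
    # SSLProxyCheckPeerCN). With the URL below, the Tomcat certificate
    # must be issued for "localhost".
    SSLProxyCheckPeerName on

    ProxyRequests Off
    ProxyPass        /app/ https://localhost:8444/app/
    ProxyPassReverse /app/ https://localhost:8444/app/
</VirtualHost>
```

In option B the name in the Tomcat certificate has to match the host name Apache uses in the backend URL, which is the kind of mismatch the CommonName warnings quoted in the question report.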