Connection is not private

Hi,

I am running KNIME server portal 4.9.3. I can connect to the server using the following URLs:

http://server.abc.com:8080/knime
or
https://server.abc.com:8443/knime

If I use the default knime.jks and the server.xml, I will get “Connection is not private”, which is expected.

I have acquired a trusted certificate from Symantec and I installed it in the keystore. When I bring up the Web Portal, I can connect to

http://server.abc.com:8080/knime

When I try to connect to https://server.abc.com:8443/knime, it times out and I cannot connect.

When I check the certificate using:

openssl s_client -showcerts -connect server.abc.com:8443

I get:
CONNECTED(00000003)

I just wonder what I did wrong. Why can I not connect to the KNIME Server using the public SSL?

Thanks in advance for the response.

Vincent Zao

Hi,

I would like to add one more thing.

After bringing up the server with the public SSL, I cannot log in to the portal. I get the error: “Request Timeout”.

Thanks,

Vincent Zao

Hi @vzao,

Do you have the error messages from the server log, e.g. on server start and when the connection times out?
Does the certificate itself have a password which is different from the jks password?

Thanks for your response.

I just checked the catalina log file and I found this:

org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
… 12 more
Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
… 13 more

I have listed the jks file and it seems fine. I have the aliases root and tomcat. There is no error or anything in the localhost.log file.

I am more focused on getting the WebPortal working with the SSL certificate.

Any suggestions?

Thanks,

Vincent Zao


Hi,

After checking the internet regarding the error:

java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry

I recreated the keystore file and imported the SSL certificate again. Now I can start up the web server and log in, but I am still getting the “Connection not private”.

Any suggestions?

Thanks,

Vincent Zao


Hi @vzao ,

This is most likely due to the fact that you are using a Symantec-generated certificate. I’m not sure if you are using Chrome or not, but all Symantec certificates are currently not trusted by Chrome’s trusted CA store:

https://support.google.com/chrome/a/answer/7662561?hl=en#zippy=%2Cmy-enterprise-uses-symantec-certificates

There are a few articles online as well describing how to add them to your browser’s trusted CA store.

Thanks,
Zack


Thanks Zack.

Yes, I am using Chrome. After reading your response, I tried both Firefox and Internet Explorer. I got the same problem.

I know it is a Tomcat issue, but I am not sure there is anything that I can do.

We need to resolve this issue by using SSL.

Any other suggestions?

Thanks,

Vincent

Hi @vzao,

One question: under what alias did you save the key in the jks? I think it should be “tomcat” for the key, as well as root for the root.
Also, did you import the key in RSA format?

http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Also, could you show us your SSL connector configuration in conf/server.xml (hide the password)?

*If you add the user @vzao to your reply, then he will get a notification :slight_smile:

Thanks for your response.

I generated the private key using the following command:

keytool -genkey -alias knime -keyalg RSA -keysize 2048 -keystore knime-server.jks

When I imported the Symantec certificate, this is what I did:

keytool -import -trustcacerts -keystore knime-server.jks -file symantec.crt -alias root -storepass changeit

keytool -import -trustcacerts -keystore knime-server.jks -file symantec-interminate.crt -alias tomcat -storepass changeit

I hope I did it right. Please feel free to comment.

Thanks,

Vincent Zao

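The keytool sequence above creates the private key under alias knime and imports the CA and intermediate certificates as trusted entries under root and tomcat, which fits the “Alias name [null] does not identify a key entry” trace earlier in the thread: the connector needs a PrivateKeyEntry under the alias it uses, and a trusted certificate imported under that name does not qualify. As an added example (not from the thread, KNIME or Tomcat), this Python snippet classifies the entries of a JKS keystore by reading the file format directly, so the check runs without keytool; the sample keystore bytes are constructed, and the default alias tomcat is an assumption.

```python
# Parse a JKS keystore's entry table without Java (header: magic 0xFEEDFEED, version,
# count; then tagged entries; the trailing 20-byte digest needs the password, skipped).
import io
import struct

JKS_MAGIC, KEY_ENTRY, CERT_ENTRY = 0xFEEDFEED, 1, 2

def _u32(buf):
    return struct.unpack(">I", buf.read(4))[0]
def _utf(buf):                       # Java UTF string: u16 length + bytes
    return buf.read(struct.unpack(">H", buf.read(2))[0]).decode()
def _skip_cert(buf):                 # cert type string, u32 length, DER bytes
    _utf(buf)
    buf.read(_u32(buf))

def list_jks_entries(data):
    """Return {alias: 'PrivateKeyEntry' | 'trustedCertEntry'}."""
    buf = io.BytesIO(data)
    if _u32(buf) != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    _version, count, entries = _u32(buf), _u32(buf), {}
    for _ in range(count):
        tag, alias, _created = _u32(buf), _utf(buf), buf.read(8)
        if tag == KEY_ENTRY:
            buf.read(_u32(buf))      # password-protected PKCS#8 key blob
            for _ in range(_u32(buf)):
                _skip_cert(buf)      # the key's certificate chain
            entries[alias] = "PrivateKeyEntry"
        elif tag == CERT_ENTRY:
            _skip_cert(buf)
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries

def check_connector_alias(data, key_alias="tomcat"):
    """A connector's alias must be a PrivateKeyEntry; a CA cert imported under that
    name is only a trustedCertEntry. Returns (ok, aliases holding a private key)."""
    entries = list_jks_entries(data)
    keys = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    return entries.get(key_alias) == "PrivateKeyEntry", keys

# Constructed sample mirroring the thread's keytool commands: key under 'knime',
# CA cert under 'root', intermediate under 'tomcat' (placeholder key/DER bytes).
def _u(s): return struct.pack(">H", len(s)) + s.encode()
def _c(der): return _u("X.509") + struct.pack(">I", len(der)) + der
def _e(tag, alias, body): return struct.pack(">I", tag) + _u(alias) + bytes(8) + body
SAMPLE_JKS = (struct.pack(">III", JKS_MAGIC, 2, 3)
              + _e(KEY_ENTRY, "knime", struct.pack(">I", 4) + b"KEY!" + struct.pack(">I", 1) + _c(b"SELF"))
              + _e(CERT_ENTRY, "root", _c(b"CA")) + _e(CERT_ENTRY, "tomcat", _c(b"INT")))
```

On the sample, check_connector_alias(SAMPLE_JKS) reports that tomcat is not a key entry and that the only private key sits under knime, so either the connector's keyAlias must point at knime or the signed certificate must be imported under the key's alias.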

Sorry, I should have checked the documentation before replying.

I think I need to regenerate the public key again.

Will post the result later.

Thanks,

Vincent Zao


Also try to do it with the same steps as done in the documentation:

It is done without -trustcacerts in the example:
keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename>

Not even quite sure if that makes a difference, but it might reduce error possibilities :slight_smile:

Please do :slight_smile: