Tips for Troubleshooting SSL Issues

These are supplementary troubleshooting ideas in case you run into errors after following the steps in the Knowledge Base article Encrypting Yellowfin Traffic via HTTPS.

For troubleshooting, the startup log is your best friend, specifically the catalina.log. If there are startup issues, there's likely an issue with the web.xml or server.xml configuration.

Here's an example:

These log entries indicate that the Keystore isn't found, meaning either the wrong directory is being pointed to, or the Keystore has not been generated.

If the Keystore itself isn't working and it's a .crt or .p12 file type, the recommended fix is to go into openssl and export the file to a pkcs12 file. As far as signed certs go, pkcs12 is preferable, because you can point to it directly instead of a Keystore.

If there's an issue in the web.xml configuration, 9 times out of 10 the log will show where the error is, down to the line and column in the web.xml, and it needs to be addressed in that file.

HTTPS issues will also show up in this file.

If the log is showing something along the lines of "this is not a trusted certificate", always look at the padlock in the browser. The browser itself is a good place to dig around and figure out why something is not trusted if it shows up that way:

Here you can look up the info on the certificate itself.

You can click for more information and view the certificate, check connection encryption, etc. The View Certificate option is probably the most useful. If it's saying untrusted, you want to look at authorities and root CAs.

You can also see all trusted authorities that come stock in your browser:

An unsigned certificate will throw an error in the browser, most likely because the cert is not being recognized as coming from a signature authority, and thus we can't verify the identity and say it's safe.

One example of this is when you aren't using a standard cert authority that comes shipped with the browser. At this point, you should go to your provider and obtain the cert authority, then import it and trust the issuer.

Errors with signed vs. un-signed certificates won't happen when configuring, but upon connecting, which is when Java will validate a certificate.

If you require a certificate authority, there are free options such as Let's Encrypt.

The other component to consider is the server.xml connector port: make sure it's formatted properly. It can be formatted in many ways, but the Encrypting Yellowfin Traffic via HTTPS article can be used as a reference.
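A pre-start check for two of the failure modes above (a Keystore path that doesn't resolve, and an HTTPS connector that isn't formatted properly), as an added example that is not from the original article or from Yellowfin. It assumes the connector-level Tomcat attributes `keystoreFile`, `keystoreType`, `SSLEnabled`, `scheme` and `secure`, that relative Keystore paths resolve against the Tomcat base directory, and a constructed sample server.xml; your connector may be laid out differently.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not Yellowfin's shipped server.xml.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/missing.p12" keystoreType="JKS"
               keystorePass="changeit"/>
  </Service>
</Server>"""

def check_server_xml(xml_text, catalina_base="."):
    """Return a list of findings for TLS connectors in a Tomcat server.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Same kind of hint the startup log gives: where the XML breaks.
        line, col = exc.position
        return [f"XML not well-formed at line {line}, column {col}"]
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        ks = conn.get("keystoreFile")
        if not ks:
            findings.append(f"port {port}: no keystoreFile attribute")
            continue
        # Assumption: relative paths are resolved against the Tomcat base dir.
        path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
        if not os.path.isfile(path):
            findings.append(f"port {port}: keystore not found at {path}")
        # Assumption: JKS is used when keystoreType is not given.
        ks_type = conn.get("keystoreType", "JKS").upper()
        if ks.lower().endswith((".p12", ".pfx")) and ks_type != "PKCS12":
            findings.append(
                f"port {port}: {ks} looks like PKCS12 but keystoreType={ks_type}")
    return findings

if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run it with `catalina_base` set to the Tomcat directory of the install being checked; an empty list means the connector's Keystore path and type are at least self-consistent.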
