I have a Tomcat application which is front-ended by an Apache web server - end users connect to the Apache web server (never directly to Tomcat) and Apache has a valid, externally issued SSL etc.
The Apache web server forces HTTPS, so I have to connect to Tomcat over HTTPS; otherwise it causes mixed mode messages etc. and stops functionality, as some JS files don't load etc., so I need to implement SSL on the Tomcat.
Rather than buying a domain and SSL for Tomcat, I was thinking of using a self-signed certificate, but I have gotten confused about the definition of "client" in the above scenario.
I have read that "clients" will get a message that the server certificate is not trusted (What are the risks of self signing a certificate for SSL) but, in this example, is the client the user connecting via their browser, or is the client actually Apache, in which case I can add the certificate to Apache to stop this message? Ultimately I don't want the end user to see anything which makes them lose any trust, but I also don't want to buy a domain and an SSL if I don't need to.