Which cacerts is in use?

Hi all,

There is a cacerts file in:

/lucee/tomcat/lucee-server/context/security/cacerts

and

/lucee/jre/lib/security/cacerts

How can we tell which one is “in use”? Or are they both being loaded somehow?

Also, I’m not sure what the “install” button does on the “SSL certificates” panel. It just seemed to reload the list page when clicking?

I believe I need to install some certs for a particular hosted MySQL instance we need to connect to, so I’m curious how best to do that. keytool?

If so, which ‘cacerts’ file should I install them into?

Any advice is appreciated.

Thanks!

Dan

In Lucee 5.x, the /lucee/tomcat/lucee-server/context/security/cacerts trust store is used. When you click the install button, it downloads the certificate chain from the remote host and adds them to the Lucee trust store.

In Lucee 6.x this default has been changed and the JRE’s trust store will be used by default and the install button will do nothing.

Thanks!

Does it make sense that I would need to somehow install 3 PEM files for connecting to a remote MySQL instance?

The vendor sent:

client-key.pem
client-crt.pem
ca-cert.pem

along with the MySQL connection info.

Before installing them, I believe I’m already getting a response FROM the MySQL server:

Access denied for user 'user'@'host' (and it's obvious they entered the wrong host info in their CREATE USER statement)

So I think I’m already connecting to the MySQL instance just fine because that message IS a response from MySQL? No?

I think I would get “connection refused” if I wasn’t already successfully connecting to the MySQL instance?

I’m not sure these PEM files they sent are required?

Curious if others have had to do this for MySQL? Or if my assumptions are totally off base.

Thanks!

Dan

The only pem you’d ever put in the trust store would be the ca-cert. Now, that said, it appears you’re attempting to do some sort of client cert auth and I have no idea how that works with JDBC drivers as I’ve never done it. Client certs go into your key store, which is not the same as your trust store.

It depends. Connection refused usually means the host or port is incorrect. Authentication is a process that happens once the underlying TCP connection is established. But again I’m unclear if you’re trying to use some sort of client cert auth, and it sounds like you don’t know either.

Glancing at these docs (https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html), it appears your client cert and private key would go in the key store, which neither Lucee nor Java seems to define by default. I believe you’d need to use the Java system properties shown in the link above to point to a keystore containing your crt and key.