https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264145#M217275 <HTML><HEAD></HEAD><BODY><SPAN>Hi all,</SPAN><BR /><BR /><SPAN>This week we received our digicert certificates and made the move to installing them. Yesterday, when I left work, the certificates were working great. All I had done was to follow the steps in </SPAN><A href="http://wiki.alfresco.com/wiki/Deploying_To_Server" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Deploying_To_Server</A><SPAN>, half of which seemed to have been done already by the binary installer. To run through, I checked the ajp connector on :8009 in server.xml (already done), checked the workers.properties file in /etc/apache2/ (already done), checked the mod_jk config (already done in conf.d) and checked the virtualhost config (mostly done already, I just put in the path for the certs).</SPAN><BR /><BR /><SPAN>The one and only thing I have changed since the point yesterday when I logged in and was verified by the correct certificate is to up the permissions on the folder holding the certs. Once I thought I was done working with them I did: </SPAN><BR /><PRE class="language-none line-numbers"><CODE>sudo chown -R root:root digicert/<BR />sudo chmod -R 755 digicert/<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>Today, my boss informed me that the certificates are not working. I checked and, lo and behold, I get a message about an untrusted certificate. I assumed this would be our self signed certificate still showing up, but it is a new one: Alfresco CA. The error as shown to me in Firefox is:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>The certificate is not trusted because the issuer certificate is not trusted.<BR />The certificate is only valid for Alfresco Repository<BR /><BR />(Error code: sec_error_untrusted_issuer)<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>I know this sounds just like something I hear from end users all day, but I did not touch it in between. I finally got it working yesterday arvo just before finish time and left almost immediately. Tomcat would have been restarted automatically during the night but I don't see that affecting things (I was restarting the server to check the results of my changes anyway). Does anyone know what would be causing this?</SPAN><BR /><BR /><SPAN>My setup is: alfresco community 4.0.d on Ubuntu 10.04. Alfresco.log and Catalina.out have nothing but INFO logging in them, so I won't include them, however my server.xml (/opt/alfresco-4.0.d/tomcat/conf/server.xml) is:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;?xml version='1.0' encoding='utf-8'?&gt;<BR />&lt;!–<BR />&nbsp; Licensed to the Apache Software Foundation (ASF) under one or more<BR />&nbsp; contributor license agreements.&nbsp; See the NOTICE file distributed with<BR />&nbsp; this work for additional information regarding copyright ownership.<BR />&nbsp; The ASF licenses this file to You under the Apache License, Version 2.0<BR />&nbsp; (the "License"); you may not use this file except in compliance with<BR />&nbsp; the License.&nbsp; You may obtain a copy of the License at<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.apache.org/licenses/LICENSE-2.0" rel="nofollow noopener noreferrer">http://www.apache.org/licenses/LICENSE-2.0</A><BR /><BR />&nbsp; Unless required by applicable law or agreed to in writing, software<BR />&nbsp; distributed under the License is distributed on an "AS IS" BASIS,<BR />&nbsp; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.<BR />&nbsp; See the License for the specific language governing permissions and<BR />&nbsp; limitations under the License.<BR />–&gt;<BR />&lt;!– Note:&nbsp; A "Server" is not itself a "Container", so you may not<BR />&nbsp;&nbsp;&nbsp;&nbsp; define subcomponents such as "Valves" at this level.<BR />&nbsp;&nbsp;&nbsp;&nbsp; Documentation at /docs/config/server.html<BR /> –&gt;<BR />&lt;Server port="8005" shutdown="SHUTDOWN"&gt;<BR /><BR />&nbsp; &lt;!–APR library loader. Documentation at /docs/apr.html –&gt;<BR />&nbsp; &lt;Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /&gt;<BR />&nbsp; &lt;!–Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html –&gt;<BR />&nbsp; &lt;Listener className="org.apache.catalina.core.JasperListener" /&gt;<BR />&nbsp; &lt;!– Prevent memory leaks due to use of particular java/javax APIs–&gt;<BR />&nbsp; &lt;Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /&gt;<BR />&nbsp; &lt;!– JMX Support for the Tomcat server. Documentation at /docs/non-existent.html –&gt;<BR />&nbsp; &lt;Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /&gt;<BR />&nbsp; &lt;Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /&gt;<BR /><BR />&nbsp; &lt;!– Global JNDI resources<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at /docs/jndi-resources-howto.html<BR />&nbsp; –&gt;<BR />&nbsp; &lt;GlobalNamingResources&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!– Editable user database that can also be used by<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UserDatabaseRealm to authenticate users<BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;Resource name="UserDatabase" auth="Container"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type="org.apache.catalina.UserDatabase"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description="User database that can be updated and saved"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; factory="org.apache.catalina.users.MemoryUserDatabaseFactory"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pathname="conf/tomcat-users.xml" /&gt;<BR />&nbsp; &lt;/GlobalNamingResources&gt;<BR /><BR />&nbsp; &lt;!– A "Service" is a collection of one or more "Connectors" that share<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; a single "Container" Note:&nbsp; A "Service" is not itself a "Container",<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; so you may not define subcomponents such as "Valves" at this level.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at /docs/config/service.html<BR />&nbsp;&nbsp; –&gt;<BR />&nbsp; &lt;Service name="Catalina"&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; &lt;!–The connectors can use a shared executor, you can define one or more named thread pools–&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp; &lt;Executor name="tomcatThreadPool" namePrefix="catalina-exec-"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; maxThreads="150" minSpareThreads="4"/&gt;<BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!– A "Connector" represents an endpoint by which requests are received<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and responses are returned. Documentation at :<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Java HTTP Connector: /docs/config/http.html (blocking &amp; non-blocking)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Java AJP&nbsp; Connector: /docs/config/ajp.html<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; APR (HTTP/AJP) Connector: /docs/apr.html<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Define a non-SSL HTTP/1.1 Connector on port 8080<BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;Connector port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; connectionTimeout="20000"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; redirectPort="8443" /&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!– A "Connector" using the shared thread pool–&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp; &lt;Connector executor="tomcatThreadPool"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port="8080" protocol="HTTP/1.1"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; connectionTimeout="20000"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; redirectPort="8443" /&gt;<BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!– Define a SSL HTTP/1.1 Connector on port 8443<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This connector uses the JSSE configuration, when using APR, the<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; connector should be using the OpenSSL style configuration<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; described in the APR documentation –&gt;<BR />&lt;!–<BR />&nbsp;&nbsp;&nbsp; &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; maxThreads="150" scheme="https" secure="true"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clientAuth="false" sslProtocol="TLS" /&gt;<BR />–&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;!– Define an AJP 1.3 Connector on port 8009 –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; &lt;Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; maxThreads="150" scheme="https" keystoreFile="/opt/alfresco-4.0.d/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"<BR /> secure="true" connectionTimeout="240000" truststoreFile="/opt/alfresco-4.0.d/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" /&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; &lt;!– An Engine represents the entry point (within Catalina) that processes<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; every request.&nbsp; The Engine implementation for Tomcat stand alone<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; analyzes the HTTP headers included with the request, and passes them<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; on to the appropriate Host (virtual host).<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at /docs/config/engine.html –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; &lt;!– You should set jvmRoute to support load-balancing via AJP ie :<BR />&nbsp;&nbsp;&nbsp; &lt;Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"&gt;<BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;Engine name="Catalina" defaultHost="localhost"&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–For clustering, please take a look at documentation at:<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /docs/cluster-howto.html&nbsp; (simple how to)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /docs/config/cluster.html (reference documentation) –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– The request dumper valve dumps useful debugging information about<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the request and response data received and sent by Tomcat.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at: /docs/config/valve.html –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Valve className="org.apache.catalina.valves.RequestDumperValve"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– This Realm uses the UserDatabase configured in the global JNDI<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; resources under the key "UserDatabase".&nbsp; Any edits<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; that are performed against this UserDatabase are immediately<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; available for use by the Realm.&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Realm className="org.apache.catalina.realm.UserDatabaseRealm"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; resourceName="UserDatabase"/&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Define the default virtual host<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Note: XML Schema validation will not work with Xerces 2.2.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Host name="localhost"&nbsp; appBase="webapps"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unpackWARs="true" autoDeploy="true"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xmlValidation="false" xmlNamespaceAware="false"&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– SingleSignOn valve, share authentication between web applications<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at: /docs/config/valve.html –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Valve className="org.apache.catalina.authenticator.SingleSignOn" /&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Access log processes all example.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Documentation at: /docs/config/valve.html –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Host&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;/Engine&gt;<BR />&nbsp; &lt;/Service&gt;<BR />&lt;/Server&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>My apache2.conf:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>#<BR /># Based upon the NCSA server configuration files originally by Rob McCool.<BR />#<BR /># This is the main Apache server configuration file.&nbsp; It contains the<BR /># configuration directives that give the server its instructions.<BR /># See <A href="http://httpd.apache.org/docs/2.2/" rel="nofollow noopener noreferrer">http://httpd.apache.org/docs/2.2/</A> for detailed information about<BR /># the directives.<BR />#<BR /># Do NOT simply read the instructions in here without understanding<BR /># what they do.&nbsp; They're here only as hints or reminders.&nbsp; If you are unsure<BR /># consult the online docs. You have been warned.<BR />#<BR /># The configuration directives are grouped into three basic sections:<BR />#&nbsp; 1. Directives that control the operation of the Apache server process as a<BR />#&nbsp;&nbsp;&nbsp;&nbsp; whole (the 'global environment').<BR />#&nbsp; 2. Directives that define the parameters of the 'main' or 'default' server,<BR />#&nbsp;&nbsp;&nbsp;&nbsp; which responds to requests that aren't handled by a virtual host.<BR />#&nbsp;&nbsp;&nbsp;&nbsp; These directives also provide default values for the settings<BR />#&nbsp;&nbsp;&nbsp;&nbsp; of all virtual hosts.<BR />#&nbsp; 3. Settings for virtual hosts, which allow Web requests to be sent to<BR />#&nbsp;&nbsp;&nbsp;&nbsp; different IP addresses or hostnames and have them handled by the<BR />#&nbsp;&nbsp;&nbsp;&nbsp; same Apache server process.<BR />#<BR /># Configuration and logfile names: If the filenames you specify for many<BR /># of the server's control files begin with "/" (or "drive:/" for Win32), the<BR /># server will use that explicit path.&nbsp; If the filenames do *not* begin<BR /># with "/", the value of ServerRoot is prepended – so "/var/log/apache2/foo.log"<BR /># with ServerRoot set to "" will be interpreted by the<BR /># server as "//var/log/apache2/foo.log".<BR />#<BR /><BR />### Section 1: Global Environment<BR />#<BR /># The directives in this section affect the overall operation of Apache,<BR /># such as the number of concurrent requests it can handle or where it<BR /># can find its configuration files.<BR />#<BR /><BR />#<BR /># ServerRoot: The top of the directory tree under which the server's<BR /># configuration, error, and log files are kept.<BR />#<BR /># NOTE!&nbsp; If you intend to place this on an NFS (or otherwise network)<BR /># mounted filesystem then please read the LockFile documentation (available<BR /># at &lt;URL:<A href="http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile" rel="nofollow noopener noreferrer">http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile</A>&gt;);<BR /># you will save yourself a lot of trouble.<BR />#<BR /># Do NOT add a slash at the end of the directory path.<BR />#<BR />ServerRoot "/etc/apache2"<BR /><BR />#<BR /># The accept serialization lock file MUST BE STORED ON A LOCAL DISK.<BR />#<BR />#&lt;IfModule !mpm_winnt.c&gt;<BR />#&lt;IfModule !mpm_netware.c&gt;<BR />LockFile /var/lock/apache2/accept.lock<BR />#&lt;/IfModule&gt;<BR />#&lt;/IfModule&gt;<BR /><BR />#<BR /># PidFile: The file in which the server should record its process<BR /># identification number when it starts.<BR /># This needs to be set in /etc/apache2/envvars<BR />#<BR />PidFile ${APACHE_PID_FILE}<BR /><BR />#<BR /># Timeout: The number of seconds before receives and sends time out.<BR />#<BR />Timeout 300<BR /><BR />#<BR /># KeepAlive: Whether or not to allow persistent connections (more than<BR /># one request per connection). Set to "Off" to deactivate.<BR />#<BR />KeepAlive On<BR /><BR />#<BR /># MaxKeepAliveRequests: The maximum number of requests to allow<BR /># during a persistent connection. Set to 0 to allow an unlimited amount.<BR /># We recommend you leave this number high, for maximum performance.<BR />#<BR />MaxKeepAliveRequests 100<BR /><BR />#<BR /># KeepAliveTimeout: Number of seconds to wait for the next request from the<BR /># same client on the same connection.<BR />#<BR />KeepAliveTimeout 15<BR /><BR />##<BR />## Server-Pool Size Regulation (MPM specific)<BR />##<BR /><BR /># prefork MPM<BR /># StartServers: number of server processes to start<BR /># MinSpareServers: minimum number of server processes which are kept spare<BR /># MaxSpareServers: maximum number of server processes which are kept spare<BR /># MaxClients: maximum number of server processes allowed to start<BR /># MaxRequestsPerChild: maximum number of requests a server process serves<BR />&lt;IfModule mpm_prefork_module&gt;<BR />&nbsp;&nbsp;&nbsp; StartServers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5<BR />&nbsp;&nbsp;&nbsp; MinSpareServers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5<BR />&nbsp;&nbsp;&nbsp; MaxSpareServers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10<BR />&nbsp;&nbsp;&nbsp; MaxClients&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 150<BR />&nbsp;&nbsp;&nbsp; MaxRequestsPerChild&nbsp;&nbsp; 0<BR />&lt;/IfModule&gt;<BR /><BR /># worker MPM<BR /># StartServers: initial number of server processes to start<BR /># MaxClients: maximum number of simultaneous client connections<BR /># MinSpareThreads: minimum number of worker threads which are kept spare<BR /># MaxSpareThreads: maximum number of worker threads which are kept spare<BR /># ThreadsPerChild: constant number of worker threads in each server process<BR /># MaxRequestsPerChild: maximum number of requests a server process serves<BR />&lt;IfModule mpm_worker_module&gt;<BR />&nbsp;&nbsp;&nbsp; StartServers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />&nbsp;&nbsp;&nbsp; MinSpareThreads&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 25<BR />&nbsp;&nbsp;&nbsp; MaxSpareThreads&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 75<BR />&nbsp;&nbsp;&nbsp; ThreadLimit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 64<BR />&nbsp;&nbsp;&nbsp; ThreadsPerChild&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 25<BR />&nbsp;&nbsp;&nbsp; MaxClients&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 150<BR />&nbsp;&nbsp;&nbsp; MaxRequestsPerChild&nbsp;&nbsp; 0<BR />&lt;/IfModule&gt;<BR /># event MPM<BR /># StartServers: initial number of server processes to start<BR /># MaxClients: maximum number of simultaneous client connections<BR /># MinSpareThreads: minimum number of worker threads which are kept spare<BR /># MaxSpareThreads: maximum number of worker threads which are kept spare<BR /># ThreadsPerChild: constant number of worker threads in each server process<BR /># MaxRequestsPerChild: maximum number of requests a server process serves<BR />&lt;IfModule mpm_event_module&gt;<BR />&nbsp;&nbsp;&nbsp; StartServers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2<BR />&nbsp;&nbsp;&nbsp; MaxClients&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 150<BR />&nbsp;&nbsp;&nbsp; MinSpareThreads&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 25<BR />&nbsp;&nbsp;&nbsp; MaxSpareThreads&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 75<BR />&nbsp;&nbsp;&nbsp; ThreadLimit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 64<BR />&nbsp;&nbsp;&nbsp; ThreadsPerChild&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 25<BR />&nbsp;&nbsp;&nbsp; MaxRequestsPerChild&nbsp;&nbsp; 0<BR />&lt;/IfModule&gt;<BR /><BR /># These need to be set in /etc/apache2/envvars<BR />User ${APACHE_RUN_USER}<BR />Group ${APACHE_RUN_GROUP}<BR /><BR />#<BR /># AccessFileName: The name of the file to look for in each directory<BR /># for additional configuration directives.&nbsp; See also the AllowOverride<BR /># directive.<BR />#<BR /><BR />AccessFileName .htaccess<BR /><BR />#<BR /># The following lines prevent .htaccess and .htpasswd files from being<BR /># viewed by Web clients.<BR />#<BR />&lt;Files ~ "^\.ht"&gt;<BR />&nbsp;&nbsp;&nbsp; Order allow,deny<BR />&nbsp;&nbsp;&nbsp; Deny from all<BR />&nbsp;&nbsp;&nbsp; Satisfy all<BR />&lt;/Files&gt;<BR /><BR />#<BR /># DefaultType is the default MIME type the server will use for a document<BR /># if it cannot otherwise determine one, such as from filename extensions.<BR /># If your server contains mostly text or HTML documents, "text/plain" is<BR /># a good value.&nbsp; If most of your content is binary, such as applications<BR /># or images, you may want to use "application/octet-stream" instead to<BR /># keep browsers from trying to display binary files as though they are<BR /># text.<BR />#<BR />DefaultType text/plain<BR /><BR /><BR />#<BR /># HostnameLookups: Log the names of clients or just their IP addresses<BR /># e.g., <A href="http://www.apache.org" rel="nofollow noopener noreferrer">www.apache.org</A> (on) or 204.62.129.132 (off).<BR /># The default is off because it'd be overall better for the net if people<BR /># had to knowingly turn this feature on, since enabling it means that<BR /># each client request will result in AT LEAST one lookup request to the<BR /># nameserver.<BR />#<BR />HostnameLookups Off<BR /># ErrorLog: The location of the error log file.<BR /># If you do not specify an ErrorLog directive within a &lt;VirtualHost&gt;<BR /># container, error messages relating to that virtual host will be<BR /># logged here.&nbsp; If you *do* define an error logfile for a &lt;VirtualHost&gt;<BR /># container, that host's errors will be logged there and not here.<BR />#<BR />ErrorLog /var/log/apache2/error.log<BR /><BR />#<BR /># LogLevel: Control the number of messages logged to the error_log.<BR /># Possible values include: debug, info, notice, warn, error, crit,<BR /># alert, emerg.<BR />#<BR />LogLevel warn<BR /><BR /># Include module configuration:<BR />Include /etc/apache2/mods-enabled/*.load<BR />Include /etc/apache2/mods-enabled/*.conf<BR /><BR /># Include all the user configurations:<BR />Include /etc/apache2/httpd.conf<BR /><BR /># Include ports listing<BR />Include /etc/apache2/ports.conf<BR /><BR />#<BR /># The following directives define some format nicknames for use with<BR /># a CustomLog directive (see below).<BR /># If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i<BR />#<BR />LogFormat "%v:%p %h %l %u %t \"%r\" %&gt;s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined<BR />LogFormat "%h %l %u %t \"%r\" %&gt;s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined<BR />LogFormat "%h %l %u %t \"%r\" %&gt;s %O" common<BR />LogFormat "%{Referer}i -&gt; %U" referer<BR />LogFormat "%{User-agent}i" agent<BR /><BR />#<BR /># Define an access log for VirtualHosts that don't define their own logfile<BR />CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined<BR /><BR /><BR /># Include of directories ignores editors' and dpkg's backup files,<BR /># see README.Debian for details.<BR /><BR /># Include generic snippets of statements<BR />Include /etc/apache2/conf.d/<BR /><BR /># Include the virtual host configurations:<BR />Include /etc/apache2/sites-enabled/<BR /><BR /># Load the mod_auth_ntlm_winbind module to allow for moodle SSO - Chris<BR />&lt;IfModule !mod_auth_ntlm_winbind.c&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp; LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so<BR />&lt;/IfModule&gt;<BR /><BR /># Enable NTLM SSO login for Moodle - Chris<BR /> &lt;Directory "/var/www/mtp/auth/ldap/"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp; &lt;Files ntlmsso_magic.php&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMAuth on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AuthType NTLM<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AuthName "Moodle NTLM Authentication"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMAuthHelper "/usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMBasicAuthoritative on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; require valid-user<BR />&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Files&gt;<BR /> &lt;/Directory&gt;<BR /> &lt;Directory "/var/www/mtp/auth/ldap2/"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp; &lt;Files ntlmsso_magic.php&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMAuth on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AuthType NTLM<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AuthName "Moodle NTLM Authentication"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMAuthHelper "/usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTLMBasicAuthoritative on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; require valid-user<BR />&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Files&gt;<BR /> &lt;/Directory&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>in /etc/apache2/conf.d, jk.conf:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;ifmodule mod_jk.c&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; JkWorkersFile /etc/apache2/workers.properties<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; JkLogFile /var/log/apache2/mod_jk.log<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; JkLogLevel info<BR />&lt;/ifmodule&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>in /etc/apache2, workers.properties:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>worker.list=default<BR />worker.default.port=8009<BR />worker.default.host=localhost<BR />worker.default.type=ajp13<BR />worker.default.lbfactor=1<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>And finally, in sites-enabled, 000-default:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;VirtualHost *:80&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ServerName docs.company.com<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RewriteEngine on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReWriteCond %{HTTPS} !=on<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReWriteRule ^/(.*) <A href="https://docs.company.com/$1" rel="nofollow noopener noreferrer">https://docs.company.com/$1</A> [R=301,L]<BR />&lt;/VirtualHost&gt;<BR />&lt;VirtualHost *:443&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ServerName docs.company.com<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DocumentRoot /var/www<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLEngine On<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLCertificateFile /etc/ssl/certs/digicert/certs/star_company_com.crt<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLCertificateKeyFile /etc/ssl/certs/digicert/star_company_com.key<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLCertificateChainFile /etc/ssl/certs/digicert/certs/DigiCertCA2.crt<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLCACertificateFile /etc/ssl/certs/digicert/certs/DigiCertCA2.crt<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Directory /&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Options FollowSymLinks<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AllowOverride None<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Directory&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Directory /var/www/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Options Indexes FollowSymLinks MultiViews<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AllowOverride None<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Order allow,deny<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow from all<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Directory&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Directory "/usr/lib/cgi-bin"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AllowOverride None<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Order allow,deny<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow from all<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/Directory&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ErrorLog /var/log/apache2/error.log<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # Possible values include: debug, info, notice, warn, error, crit,<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # alert, emerg.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LogLevel warn<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CustomLog /var/log/apache2/access.log combined<BR /><BR />&nbsp;&nbsp;&nbsp; Alias /doc/ "/usr/share/doc/"<BR />&nbsp;&nbsp;&nbsp; &lt;Directory "/usr/share/doc/"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Options Indexes MultiViews FollowSymLinks<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AllowOverride None<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Order deny,allow<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Deny from all<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow from 127.0.0.0/255.0.0.0 ::1/128<BR />&nbsp;&nbsp;&nbsp; &lt;/Directory&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; JkMountCopy On<BR />&nbsp;&nbsp;&nbsp; JkMount /alfresco default<BR />&nbsp;&nbsp;&nbsp; JkMount /alfresco/* default<BR />&nbsp;&nbsp;&nbsp; JkMount /share default<BR />&nbsp;&nbsp;&nbsp; JkMount /share/* default<BR /><BR />&lt;/VirtualHost&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>So can anyone shed any light on why we are now being served the Alfresco CA certificate instead of the one configured in mod_jk?</SPAN><BR /><BR /><SPAN>Oh, final note, I set the log level for mod_jk down to info, and the only thing I see in it's mod_jk.log is </SPAN><BR /><PRE class="language-none line-numbers"><CODE>[Tue Jul 10 12:30:13.028 2012] [14770:1957041984] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR />[Tue Jul 10 12:30:13.251 2012] [14771:1957041984] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR />[Tue Jul 10 12:49:49.645 2012] [15524:3171579712] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR />[Tue Jul 10 12:49:50.561 2012] [15525:3171579712] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR />[Tue Jul 10 13:17:38.865 2012] [16777:202385216] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR />[Tue Jul 10 13:17:39.279 2012] [16778:202385216] [info] init_jk::mod_jk.c (3183): mod_jk/1.2.28 initialized<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>over and over, so I don't think it's a mod_jk problem</SPAN><BR /><BR /><SPAN>I've tried removing the keystore properties from the 8443 connector in server.xml (that was a bad idea, caused errors), tweaking about the mod_jk and apache properties a little (putting the mod_jk properties in apache2.conf, in httpd.conf, originally I had no SSLCACertificateFile&nbsp; line when it was working, just SSLCertificateChainFile pointing to the same cert, so tried adding this property) but all to no avail. I do restart both tomcat and apache for each change to test.</SPAN></BODY></HTML> Tue, 10 Jul 2012 03:45:56 GMT chrisokelly 2012-07-10T03:45:56Z https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264145#M217275 Hi all,This week we received our digicert certificates and made the move to installing them. Yesterday, when I left work, the certificates were working great. All I had done was to follow the steps in http://wiki.alfresco.com/wiki/Deploying_To_Server, half of which seemed to have been done already b Tue, 10 Jul 2012 03:45:56 GMT https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264145#M217275 chrisokelly 2012-07-10T03:45:56Z https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264146#M217276 <HTML><HEAD></HEAD><BODY><SPAN>I have the same problem, using a similar setup as you. When a user goes to the https url which is a tomcat-proxy, a security message will popup containing the Alfresco CA certificate. If I continue past this point the correct certificate will be used however I do not want this popup to show up for every user.</SPAN><BR /><BR /><SPAN>Did you solve your problem?</SPAN></BODY></HTML> Tue, 08 Jan 2013 08:05:23 GMT https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264146#M217276 marcus_svensson 2013-01-08T08:05:23Z https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264147#M217277 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote">I have the same problem, using a similar setup as you. When a user goes to the https url which is a tomcat-proxy, a security message will popup containing the Alfresco CA certificate. If I continue past this point the correct certificate will be used however I do not want this popup to show up for every user.<BR /><BR />Did you solve your problem?</BLOCKQUOTE><BR /><SPAN>My problem was solved by adding SSLCACertificateFile, I had missed to use it in my configuration. So I guess my problem was not the same as yours. Cheers</SPAN></BODY></HTML> Tue, 08 Jan 2013 10:14:03 GMT https://connect.hyland.com/t5/alfresco-archive/installed-new-ssl-cert-alfresco-ca-still-used/m-p/264147#M217277 marcus_svensson 2013-01-08T10:14:03Z