Can you please double check if you did these three steps: From doc: 1. Push latest SSL httpd key and cert in /etc/certs. 2. Rename them to httpd.key and httpd.crt respectively. 4. Restart your Gluu-server from outside the chroot container.

Push latest SSL httpd key and cert in /etc/certs. **I used the httpd.key and httpd.csr that was created when I installed Gluu to obtain a signed certificate from the CA. Should I have just made new ones?** Rename them to httpd.key and httpd.crt respectively. **I copied and pasted the new crt directly into httpd.crt** Restart your Gluu-server from outside the chroot container. **I rebooted the server** My MD5 sum match on the crt and key. I am not sure what I did wrong. I don't see erros in Apche log, it is in the tomcat logs. GLUU.root@wyo-sm:/etc/certs# openssl x509 -noout -modulus -in httpd.crt | openssl md5 (stdin)= 2ccfdbfa01d6958007d4eabbaf81bf38 GLUU.root@wyo-sm:/etc/certs# openssl rsa -noout -modulus -in httpd.key | openssl md5 (stdin)= 2ccfdbfa01d6958007d4eabbaf81bf38 GLUU.root@wyo-sm:/etc/certs# ls -ltr total 88 -r-------- 1 tomcat tomcat 1743 Sep 28 21:17 httpd.key.orig -r-------- 1 tomcat tomcat 1675 Sep 28 21:17 httpd.key -r-------- 1 tomcat tomcat 985 Sep 28 21:17 httpd.csr -r-------- 1 tomcat tomcat 1743 Sep 28 21:17 shibIDP.key.orig -r-------- 1 tomcat tomcat 1675 Sep 28 21:17 shibIDP.key -r-------- 1 tomcat tomcat 985 Sep 28 21:17 shibIDP.csr -r-------- 1 tomcat tomcat 1159 Sep 28 21:17 shibIDP.crt -r-------- 1 tomcat tomcat 1743 Sep 28 21:17 asimba.key.orig -r-------- 1 tomcat tomcat 1675 Sep 28 21:17 asimba.key -r-------- 1 tomcat tomcat 985 Sep 28 21:17 asimba.csr -r-------- 1 tomcat tomcat 1159 Sep 28 21:17 asimba.crt -r-------- 1 tomcat tomcat 2522 Sep 28 21:17 shibIDP.pkcs12 -r-------- 1 tomcat tomcat 2180 Sep 28 21:17 shibIDP.jks -r-------- 1 tomcat tomcat 2522 Sep 28 21:17 asimba.pkcs12 -r-------- 1 tomcat tomcat 2180 Sep 28 21:17 asimbaIDP.jks -r-------- 1 tomcat tomcat 11934 Sep 28 21:18 oxauth-web-keys.json -r-------- 1 tomcat tomcat 731 Sep 28 21:21 opendj.crt -r-------- 1 tomcat tomcat 311 Sep 28 21:21 gplus_client_secrets.json -r-------- 1 tomcat tomcat 67 Sep 28 21:21 duo_creds.json -r-------- 1 tomcat tomcat 1840 Sep 28 21:59 httpd.crt

>> I used the httpd.key and httpd.csr that was created when I installed Gluu to obtain a signed certificate from the CA. Should I have just made new ones? Personally I never used / touched the CSR which comes with default installation. I did have brand new / different key, CSR and generated Cert from that different CSR.

Ok, I regenerated httpd.key and httpd.csr, made a new httpd.crt, copied all files into /etc/certs. The UI loads fine, the cert is verified. I get to the login screen type the admin password, and this is what the UI presents, System Error. Please try again or contact a Gluu administrator for help. Welcome to your Gluu Identity Appliance! Your federation service is live! Here are some of the features this appliance provides: This is the error in the Tomcat log getting accessToken INFO | jvm 1 | 2015/09/29 16:12:56 | 2015-09-29 16:12:56,077 INFO [org.gluu.oxtrust.action.Authenticator] tokenURL : https://wyo-sm.wyoming.gov/oxauth/seam/resource/restv1/oxauth/t oken INFO | jvm 1 | 2015/09/29 16:12:56 | 2015-09-29 16:12:56,092 INFO [org.gluu.oxtrust.action.Authenticator] Sending request to token endpoint INFO | jvm 1 | 2015/09/29 16:12:56 | 2015-09-29 16:12:56,093 INFO [org.gluu.oxtrust.action.Authenticator] redirectURI : https://wyo-sm.wyoming.gov/identity/authentication/authcode INFO | jvm 1 | 2015/09/29 16:12:56 | 2015-09-29 16:12:56,300 ERROR [org.xdi.oxauth.client.TokenClient] peer not authenticated INFO | jvm 1 | 2015/09/29 16:12:56 | javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated INFO | jvm 1 | 2015/09/29 16:12:56 | at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) INFO | jvm 1 | 2015/09/29 16:12:56 | at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)

You need to import this cert in Java keystore and need to restart your Gluu Server container as well. #3 and #4 points of the doc.

What is the file name of the java keystore or do I need to create it?

Is this the command to import to the keystore, keytool -import -alias wyo -file httpd.crt -keystore cacert

I still get the errors, 2015-09-29 17:03:39,237 INFO [org.gluu.oxtrust.action.Authenticator] redirectURI : https://wyo-sm.wyoming.gov/identity/authentication/authcode INFO | jvm 1 | 2015/09/29 17:03:39 | 2015-09-29 17:03:39,247 ERROR [org.xdi.oxauth.client.TokenClient] peer not authenticated INFO | jvm 1 | 2015/09/29 17:03:39 | javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 2015-09-29 17:03:39,251 INFO [org.gluu.oxtrust.action.Authenticator] tokenResponse : null INFO | jvm 1 | 2015/09/29 17:03:39 | 2015-09-29 17:03:39,254 ERROR [org.jboss.seam.exception.Exceptions] handled and logged exception INFO | jvm 1 | 2015/09/29 17:03:39 | javax.el.ELException: java.lang.NullPointerException INFO | jvm 1 | 2015/09/29 17:03:39 | at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:339) 2015-09-29 17:03:39,251 INFO [org.gluu.oxtrust.action.Authenticator] tokenResponse : null INFO | jvm 1 | 2015/09/29 17:03:39 | 2015-09-29 17:03:39,254 ERROR [org.jboss.seam.exception.Exceptions] handled and logged exception INFO | jvm 1 | 2015/09/29 17:03:39 | javax.el.ELException: java.lang.NullPointerException INFO | jvm 1 | 2015/09/29 17:03:39 | at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:339)

I think I'll give a shot by myself in one test Gluu Server and send you all commands. You are missing something somewhere.

Ok, I figure, I did something wrong, I am on the newest version og Gluu using Ubuntu 14.04, thank you for your help.

OK, I got it working. I had to import the chain into the keystore keytool -import -alias chain -keystore cacert -trustcacerts -file chain.cer keytool -import -alias wyo1 -file httpd.crt -keystore cacert I added the intermidiate certificate The directions say to name cacert in /etc/ssl/certs/java/ but it is working with cacerts I just don't know what step made it work at this point though.

Now I can login with admin but it isn't working properly to login with Google plus and it is giving another SSL error INFO | jvm 1 | 2015/09/29 20:51:31 | Google Authenticate for step 1. Attempting to gets tokens 2015-09-29 20:41:58,687 ERROR [org.xdi.oxauth.client.TokenClient] peer not authenticated INFO | jvm 1 | 2015/09/29 20:41:58 | javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated INFO | jvm 1 | 2015/09/29 20:41:58 | at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) INFO | jvm 1 | 2015/09/29 20:41:58 | at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:109)

We will test and get back to you.

I still haven't had any luck with this. Apache seems to be working fine for the login with admin. I really need the Google Plus custom script working and that is what is failing. Any luck on your end? Here is the link to our Gluu server if that might help, https://wyo-sm.wyoming.gov

OK, I found my issue, I created a new java keystore, cacerts instead of just importing to the the one that was created. It all seems to be working now. Thanks for your help.

Yeah.. it should be a straight forward work. I was testing this in my own environment and it worked well here as well. Thanks for confirmation.