No valid SSL certificate shown on browser for download attachment response type
I have deployed a Spring boot web application with REST API endpoint like /download/{pathparam1}/{pathparam2} in tomcat with server.xml configuration as this -
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/production/app/tomcat/ssl/someorgname.pfx"
keystoreType="PKCS12"
keystorePass="someencryptedpassword"/>
The application is working fine but I cannot see a valid certificate for it in the browser for the entire API endpoint https://hostname.com:8443/download/{pathparam1}/{pathparam2}.
The browser, however, shows a valid certificate up to https://hostname.com:8443/download/{pathparam1}, and as soon as I append the second path parameter in the URL, no valid certificate can be seen.
If I try to hit https://hostname.com:8443/downloadxyz/{pathparam1}/{pathparam2}, the browser shows a valid certificate for it.
Do I need to make some changes at application configuration or tomcat server settings to fix this?
The .pfx file is shared by my organization for a trusted certificate signed by Entrust.
Edit:
Changed the connector port to 8443 in tomcat
Update:
After some trial and error I have found that this isn't an issue with tomcat or any SSL configuration. But it has something to do with the API itself.
Through my REST API, I am trying to download a .cab file saved in my local server path. I believe this is what is causing the issue.
When I try to download a .txt file, the SSL cert shows as valid, but when I try downloading a .cab/.zip/.csv/.xls file, the SSL cert appears to be invalid in the browser.
Final Observation:
I could conclude that for any endpoint which serves a response that the browser can present inline, the browser shows a valid SSL certificate. But when an endpoint returns a downloadable attachment, the SSL certificate is shown as invalid.
Content-Disposition played no role in it. In both cases, my API's Content-Disposition was set as attachment.
However, apparently this hasn't caused an issue with the application. I can access the endpoint via API gateway and clients are able to consume it without any issues.
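The browser padlock describes the document currently displayed, not a file that was saved to disk, so it is a poor instrument for judging the certificate on a download endpoint. The certificate is negotiated during the TLS handshake, before the HTTP request line (and therefore the URL path) is ever sent, so it cannot differ between /download/{a}/{b} and /downloadxyz/{a}/{b}. The script below is an added example, not code from the original post: it performs a verified handshake against the Tomcat connector, records the leaf certificate, then issues one GET per path over that same connection and reports the headers that decide whether a browser renders or saves the body. HOST, PORT and PATHS are placeholders to replace; cafile is only needed if the Entrust chain is not in the system trust store.

```python
import hashlib
import ssl
import sys
from http.client import HTTPSConnection

# Assumed values (placeholders): replace with the real host, connector port
# and the endpoints under test.
HOST = "hostname.com"
PORT = 8443
PATHS = ["/download/param1/param2", "/downloadxyz/param1/param2"]


def summarize_cert(cert, der):
    """Reduce a parsed peer certificate (the dict SSLSocket.getpeercert()
    returns) plus its DER bytes to the fields worth comparing across
    connections: subject/issuer CN, DNS SANs, expiry and a SHA-256 fingerprint."""
    subject = {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": dns_names,
        "not_after": cert.get("notAfter"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def probe(host, port, path, cafile=None):
    """Verified TLS handshake first, then one GET over the same connection.
    Returns the certificate summary together with the status and the two
    headers that decide whether a browser renders the body or saves it."""
    # create_default_context() verifies the chain and checks the hostname;
    # the connector has clientAuth="false", so no client certificate is needed.
    ctx = ssl.create_default_context(cafile=cafile)
    conn = HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()  # handshake happens here, before any request line is sent
    summary = summarize_cert(
        conn.sock.getpeercert(), conn.sock.getpeercert(binary_form=True)
    )
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()  # do not read the body; a .cab download can be large
    return {
        "path": path,
        "status": resp.status,
        "cert": summary,
        "content_type": headers.get("content-type"),
        "content_disposition": headers.get("content-disposition"),
    }


def same_certificate(observations):
    """True when every probe saw the same leaf certificate (by fingerprint),
    which is what the transport guarantees regardless of response type."""
    fingerprints = {o["cert"]["sha256"] for o in observations}
    return len(fingerprints) == 1


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    observations = [probe(host, PORT, p) for p in PATHS]
    for o in observations:
        print(f"{o['path']}: HTTP {o['status']}, type={o['content_type']}, "
              f"disposition={o['content_disposition']}, "
              f"cert CN={o['cert']['subject_cn']} sha256={o['cert']['sha256'][:16]}...")
    print("same certificate for all paths:", same_certificate(observations))
```

If probe() raises ssl.SSLCertVerificationError the certificate really is untrusted or does not match the hostname, which is a server-side problem worth fixing; if it succeeds with the same fingerprint for every path, the connector is fine and the browser display is simply not describing the download.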
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow