Let's encrypt SSL config

Let's encrypt SSL config

ivan
Hi,

It drives me nuts now.

I have created sym links to the PEM files. I made the PEM files readable for
the tomcat user. I set the server.xml to use SSL. And the connector fails to
start.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               clientAuth="false"
               sslProtocol="TLS"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               defaultSSLHostConfigName="mydomain.com"
    >
        <SSLHostConfig hostName="mydomain.com"
                       protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
            <Certificate
                certificateKeyFile="conf/privkey.pem"
                certificateFile="conf/cert.pem"
                certificateChainFile="conf/chain.pem"
                type="UNDEFINED"
            />
        </SSLHostConfig>
    </Connector>

 

I did try to change the type to RSA, to no avail. All I see in the log is:

02-Jan-2021 17:40:54.398 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]

02-Jan-2021 17:40:54.466 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
                ... some lines removed
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
        Caused by: java.lang.IllegalArgumentException
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
                ... some lines are removed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
                ... 13 more
        Caused by: java.io.IOException
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
                at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                ... 20 more

 

I've checked the SSLUtilBase.java code (tomcat 9.0.33):

            if (certificate.getCertificateFile() == null) {
                throw new IOException(sm.getString("jsse.noCertFile"));
            }

 

I did try to copy the files instead of using sym links. No avail. Removed
the comments from the cert files. No avail. It seems tomcat cannot find the
files I've specified in the server.xml.

What do I miss?

 

Best Regards,

Ivan

Re: Let's encrypt SSL config

Hi Ivan,



> On 07.01.2021 at 20:42, [hidden email] wrote:
>
> Hi,
>
> It drives me nuts now.
>
> I have created sym links to the PEM files. I made the PEM files readable for
> the tomcat user. I set the server.xml to use SSL. And the connector fails to
> start.
>
>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="200"
>                scheme="https"
>                secure="true"
>                SSLEnabled="true"
>                clientAuth="false"
>                sslProtocol="TLS"
>                sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>                defaultSSLHostConfigName="mydomain.com"
>     >
>         <SSLHostConfig hostName="mydomain.com"
>                        protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
>             <Certificate
>                 certificateKeyFile="conf/privkey.pem"
>                 certificateFile="conf/cert.pem"
>                 certificateChainFile="conf/chain.pem"
>                 type="UNDEFINED"
>             />
>         </SSLHostConfig>
>     </Connector>
>
>

Maybe want to try an absolute path like so: ${catalina.base}/conf/ or ${catalina.home}/conf/ ?

Peter

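A pre-flight check for the kind of connector discussed in this thread, added here as example code (it is neither poster's code nor part of Tomcat): it parses the SSLHostConfig/Certificate block, resolves the relative PEM paths against catalina.base the way Tomcat does, reports files that are missing, dangling symlinks, unreadable or not PEM-shaped, and additionally flags the TLSv1/TLSv1.1 entries the quoted protocols list enables. The server.xml snippet and the PEM-shaped files it writes are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample mirroring the connector in the thread (not the poster's real server.xml).
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
    <Certificate certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem"
                 certificateChainFile="conf/chain.pem" type="UNDEFINED"/>
  </SSLHostConfig>
</Connector></Service></Server>"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FILE_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")

def lint_ssl_config(server_xml: str, catalina_base: str) -> list:
    """Return findings (empty = all checks passed); relative paths resolve against catalina_base."""
    findings = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        for tok in (t.strip() for t in host.get("protocols", "").split(",")):
            if tok.lstrip("+") in LEGACY_PROTOCOLS:  # "-TLSv1" (explicitly disabled) is not flagged
                findings.append(f"protocol {tok.lstrip('+')} enabled; disable it")
        for cert in host.iter("Certificate"):
            for attr in FILE_ATTRS:
                value = cert.get(attr)
                if value is None:  # attribute is optional in Tomcat, nothing to check
                    continue
                path = value if os.path.isabs(value) else os.path.join(catalina_base, value)
                if os.path.islink(path) and not os.path.exists(path):
                    findings.append(f"{attr}: {path} is a dangling symlink")
                elif not os.path.isfile(path):
                    findings.append(f"{attr}: {path} not found")
                elif not os.access(path, os.R_OK):
                    findings.append(f"{attr}: {path} not readable by this user")
                elif not open(path, "rb").read(10).startswith(b"-----BEGIN"):
                    findings.append(f"{attr}: {path} does not look like PEM")
    return findings

def demo() -> tuple:
    """Lint a throwaway catalina.base with constructed PEM-shaped files, then again after chain.pem becomes a dangling symlink."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "conf"))
    for name in ("privkey.pem", "cert.pem", "chain.pem"):
        with open(os.path.join(base, "conf", name), "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\nnot a real key\n-----END PLACEHOLDER-----\n")
    complete = lint_ssl_config(SAMPLE_SERVER_XML, base)
    chain = os.path.join(base, "conf", "chain.pem")
    os.remove(chain)
    os.symlink(os.path.join(base, "no-such-target.pem"), chain)
    return complete, lint_ssl_config(SAMPLE_SERVER_XML, base)
```

Run it as the tomcat user against the real catalina.base, since the readability check reflects the permissions of whoever invokes it (root sees everything as readable).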