SSL Let's Encrypt + Tomcat 7 - ssl

I have installed an Open Source application called Mifos, but when I try to install the LS certificate in tomcat 7 for some reason the browser doesn't recognize it.
Here is the response from the browser:
Browser
The certificates are located in this directory: /usr/share/tomcat7/conf
root#ubuntu-s-1vcpu-2gb-nyc1-01:~# ls -l /usr/share/tomcat7/conf/
total 236
drwxr-xr-x 3 root root 4096 Feb 11 02:16 Catalina
-rw------- 1 root root 2259 Feb 11 09:30 OrgServ.xml
-rw------- 1 root root 13186 Feb 8 2018 catalina.policy
-rw------- 1 root root 6496 Feb 8 2018 catalina.properties
-rwxrwxrwx 1 root root 1846 Feb 11 21:44 cert.pem
-rwxrwxrwx 1 root root 3749 Feb 11 21:44 chain.pem
-rw------- 1 root root 1394 Feb 8 2018 context.xml
-rwxrwxrwx 1 root root 5595 Feb 11 21:44 fullchain.pem
-rw------- 1 root root 3288 Feb 8 2018 logging.properties
-rwxrwxrwx 1 root root 1704 Feb 11 21:44 privkey.pem
-rw------- 1 root root 2773 Feb 11 23:11 server.xml
-rw------- 1 root root 1950 Feb 8 2018 tomcat-users.xml
-rw------- 1 root root 168844 Feb 8 2018 web.xml
I am using the following configuration file for tomcat 7:
XML Tomcat 7
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
<Resource type="javax.sql.DataSource"
name="jdbc/mifosplatform-tenants"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
driverClassName="org.drizzle.jdbc.DrizzleDriver"
url="jdbc:mysql:thin://localhost:3306/mifosplatform-tenants"
username="us"
password="ps"
initialSize="3"
maxActive="10"
maxIdle="6"
minIdle="3"
validationQuery="SELECT 1"
testOnBorrow="true"
testOnReturn="true"
testWhileIdle="true"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
logAbandoned="true"
suspectTimeout="60"
/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="443" maxThreads="150" scheme="https"
secure="true" SSLEnabled="true"
keystoreFile="/usr/share/tomcat.keystore"
keystorePass=""
clientAuth="false" sslProtocol="TLS"
URIEncoding="UTF-8"
compression="force"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css">
<SSLHostConfig>
<Certificate certificateFile="/usr/share/tomcat7/conf/cert.pem" certificateKeyFile="/usr/share/tomcat7/conf/privkey.pem" certificateChainFile="/usr/share/tomcat7/conf/chain.pem" />
</SSLHostConfig>
<!-- <SSLHostConfig>
<certificate certificateKeyFile="/etc/letsencrypt/live/mifosx.initone.io/privkey.pem" certificateFile="/etc/letsencrypt/live/mifosx.initone.io/cert.pem" certificateChainFile="/etc/letsencrypt/live/mifosx.initone.io/chain.pem" type="RSA" />
</SSLHostConfig> -->
</Connector>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
Can you help me and tell me what mistake I am making?

Related

Apache can't reach Tomcat: AH00957, AH00959 & AH00896

I have Tomcat 7.0.105 installed with ords.war deployed in it.
In my browser, I use the URL http://rtp, where rtp is the name of my server as defined in /etc/hosts. This uses port 80 and reaches Apache on the server. There I have a conf file in my /etc/httpd/conf.d folder with these contents:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName rtp
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://localhost:8009/ords
ProxyPassReverse / ajp://localhost:8009/ords
</VirtualHost>
But the browser says "Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
And /etc/httpd/logs/error_log shows this:
[Tue Aug 18 13:13:55.799950 2020] [proxy:error] [pid 8508] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
[Tue Aug 18 13:13:55.800133 2020] [proxy:error] [pid 8508] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Tue Aug 18 13:13:55.800220 2020] [proxy_ajp:error] [pid 8508] [client 1.2.3.4:50900] AH00896: failed to make connection to backend: localhost
The Tomcat7 server.xml file is left default like this:
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
What could be the reason for "AJP: attempt to connect to localhost failed". All suggestions are welcome.
[Tue Aug 18 13:13:55.799950 2020] [proxy:error] [pid 8508] (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
You are using localhost in ProxyPass. Is your Apache and tomcat on same server?
Check AJP port running or not using netstat -tunlp | grep 127.0.0.1:8009 command. Also please change ProxyPass configuration.
From:
ProxyPass / ajp://localhost:8009/ords
ProxyPassReverse / ajp://localhost:8009/ords
To:
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
Update address value to accept connections from hosts.
Remove 1 from address="::1" in AJP connection section.
Below works:
address="::"

Tomcat 8 Session replication - problems

need help in figuring out what`s missing with the configuration that have setup - clustering seems to be work fine,
3 node tomcat cluster on 3 machines
machine A - apache webserver A + Tomcat A
machine B - apache webserver B + Tomcat B
machine C - apache webserver C + Tomcat C
all the tomcat instances are aware of other tomcat nodes and during restart, i see tomcat instances are getting added into cluster and each cluster is being aware of presence of other instances.
but up on accessing a web application (where have enabled ) , session is not being replicated across tomcat instances.
Here is my server.xml configuration
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
channelSendOptions="8">
<Channel className="org.apache.catalina.tribes.group.GroupChannel">
<Membership className="org.apache.catalina.tribes.membership.McastService"
address="228.0.0.8"
bind="machineA ip"
port="45564"
frequency="500"
dropTime="3000" />
<Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
address="machineA ip"
port="4200"
autoBind="100"
selectorTimeout="5000"
maxThreads="6" />
<Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
<Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
</Sender>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
<Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
</Channel>
<Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;" />
<Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
tempDir="D:/cluster/temp/war-temp/"
deployDir="D:/cluster/temp/war-deploy/"
watchDir="D:/cluster/temp/war-listen/"
watchEnabled="false" />
<ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
<ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
and after going through some online blogs and posts i have moved the contents to global context.xml file
'$catalina_base/conf/context.xml'
<Manager className="org.apache.catalina.ha.session.DeltaManager"
expireSessionsOnShutdown="false"
notifyListenersOnReplication="true" />
but still the session is not being replicated across the cluster
please provide your inputs/suggestions

Can not access tomcat via port 8443 in AWS Singapore when using Singapore IP

I follow this tutorial to install Mifosx with tomcat7 in a debian EC3 in Singapore region.
Then I follow this to isntall a free startSSL for my server.
Everything is ok for me in Vietnam (already tried to change IP, change PC... still ok)
But other countries (even my friend in Singapore and a Sing windows VPS) can not access to the VPS through both
https://xxx.xxx.xxx.xxx:8443
and
https://mifos.domain.com:8443.
It just stuck at loading.
I've check all the log file under /var/log/* and /var/log/tomcat7/*, everything ok when I access from Vietnam, but nothing even error happen when I try from other countries
Also checked and allow port 8443 in iptables
admin#ip-172-31-1-14:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
this is a server setting:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml"
/>
<Resource type="javax.sql.DataSource"
name="jdbc/mifosplatform-tenants"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/mifosplatform-tenants"
username="root"
password="zxcasdqwe123"
initialSize="3"
maxActive="10"
maxIdle="6"
minIdle="3"
validationQuery="SELECT 1"
testOnBorrow="true"
testOnReturn="true"
testWhileIdle="true"
timeBetweenEvictionRunsMillis="30000"
minEvictableIdleTimeMillis="60000"
logAbandoned="true"
suspectTimeout="60"
/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true"
SSLEnabled="true" sslProtocol="TLS"
keystoreFile="/usr/share/mifosx/checkthecrowd.jks"
keystorePass="zxcasdqwe123"
clientAuth="false"
URIEncoding="UTF-8"
compression="force"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"/>
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".log"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
some extra stuffs I've tried without luck:
change to the default self signed certification
reboot vps
change Elastic IP
change hostname and domain
PS: I've an old server which had an mifos and tomcat installed worked well for all country.
8443 is not a standard HTTPS port. There might be an issue of Singapore ISP blocking outgoing connections to non-standard ports. This is my suggestion. Use the standard HTTPS port. 443 and see if there are still issues.

Wildfly many domains with many ssl certificate

I've got test server and I would like to run many applications on that instance, but there's a problem with SSL certificates. If I'm using single certificate, everything is ok, but if when I add another, there is a problem.
This is my ssl realm configuration :
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="cert_one.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
<keystore path="cert_two.jks" relative-to="jboss.server.config.dir" keystore-password="1234" key-password="1234"/>
</ssl>
</server-identities>
</security-realm>
And this is my undertow server configuration:
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<https-listener name="defaultHttps" socket-binding="https" security-realm="ssl-realm" max-post-size="31457280"/>
<host name="one_app" alias="firstapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
<host name="two_app" alias="secondapp.com">
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
As you can see I have two different certificate keystores, one for firstapp.com and another for secondapp.com.
But only certificate for secondapp.com is working. If I delete one of those keystores everything is OK. How to configure two or more certificates for different domains in Wildfly configuration?

gzip Cannot enable in Wildfly 8?

I want to enable gzip compression in wildfly server. I used the following tutorial. Tutorial
This is the gzip enabling code I included in the standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:1.0">
<buffer-caches>
<buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10"/>
</buffer-caches>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" />
**<filter-ref name="gzipFilter" predicate="path-suffix['.css'] or path-suffix['.js']" />**
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only">
<jsp-config/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
<gzip name="gzipFilter"/>
</filters>
</subsystem>
But When I used this code in the Ubuntu 14.04.1 LTS, It works perfectly. But when I installed the application in CentOS Linux release 7.0.1406. It doesn't work. I used the same settings. But I could not figure out the problem so far. I'm very grateful someone can provide your valuable idea.
I recommend you to test upgrade to wildfly 8.2
I has the new undertow 1.1.0 interated which has solved a couple of issues around filters.
I assume your issue is also this:
UNDERTOW-331