I have a VPS running tomcat9, and I cannot manage to install the certificate.
I got a certificate using certbot (let's encrypt entity), now I have the files:
/etc/letsencrypt/live/mydomain.org/fullchain.pem
/etc/letsencrypt/live/mydomain.org/privkey.pem
I don't know what to do with them. I followed a lot of different tutorials, blogs, documentation pages including this one https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and it never works.
Currently, I created a JKS keystore and imported my certificate
keytool -importcert -alias root -file /etc/letsencrypt/live/mydomain.org/fullchain.pem -keystore mydomain.jks
In server.xml I have
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" >
<SSLHostConfig>
<Certificate certificateKeystoreFile="/home/tomcat/files/mydomain.jks"
keystoreType="JKS"
keystorePass="mypassword"/>
</SSLHostConfig>
</Connector>
But when I restart my tomcat9 service I have the following in the logs:
SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
... 13 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
... 31 more
I changed the password and I still have the issue, so I think the error comes from somewhere else. Could anyone give me a step by step procedure to install this certificate?
Thanks
The correct key for the password is
certificateKeystorePassword
(Credits to Marquinio.)
Hello I am trying to deploy my app on a remote tomcat server (8.5.30). In order for my app to run I need to add these lines on /conf/server.xml
<Connector SSLEnabled="true"
clientAuth="false" keystoreFile="blc-example.keystore" keystorePass="xx"
keyPass="xx" maxThreads="150"
scheme="https" secure="true" sslProtocol="TLS" />
This works perfectly fine on my local machine. However on the remote server for some reason I am getting this error on the startup
02-Jan-2019 16:19:37.783 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[HTTP/1.1-auto-1]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-auto-1]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:793)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.startup.Catalina.start(Catalina.java:681)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:493)
Caused by: org.apache.catalina.LifecycleException: The connector cannot start since the specified port value of [-1] is invalid
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
... 11 more
I am pretty sure that tomcat can see the keystoreFile because otherwise I am getting a file not found error.
All the settings are the same with my local machine so it is highly confusing to me why this is happening. Any tips?
Set a port on your connector, it does say in the error it is defaulting to an invalid port with none present:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
clientAuth="false" keystoreFile="blc-example.keystore" keystorePass="xx"
keyPass="xx" maxThreads="150"
scheme="https" secure="true" sslProtocol="TLS" />
That's because of the missing port in your connector configuration.
When you don't set a port in Connector, tomcat will choose a random port from available free ports in the system.
As in your case, there might be a restriction (due to security reasons) on your remote server for the tomcat to use a random available port, that's why it's automatically defaulting to -1, which is an invalid port. And it's working locally because there are no restrictions regarding random ports on your local machine.
So, in your config, you should explicitly set the port permitted by your server platform.
Problem summary:
I am trying to run symmetric ds on tomcat with ssl. Setup details
1). MasterNode M1: running on tomcat.
2). Cleint node C1: running on tomcat.
I am able to run symmetricds on tomcat without ssl. This setup works fine all sync happens.
Now when I am trying to run tomcat with following setting for ssl, it gives bad_certificate error on client node:
connection setting on Master node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
connector setting on Client node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
Note: If I run Master node tomcat with clientAuth=false then everything works fine. On further debugging I found that client is not providing its certificate during TLS handshake. Following is error: Experts please help what config I need to do so that client provide certificate:
Error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Upgrade to SymmetricDS 3.8.31. There was an issue that was fixed that allows for client TLS authentication now:
http://www.symmetricds.org/issues/view.php?id=2886
I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.
Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.
Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.
You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.
For example:
<Connector
port="8443" maxThreads="200" address="10.0.0.1"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore1.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
<Connector
port="8443" maxThreads="200" address="10.0.0.2"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore2.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
You may also be able to use the same keystore, if you need, and use the keyAlias attribute (in Connector) to tell the connector which key/certificate to use (based on the alias name in the keystore).
I am not sure, here if "SNI" is really relevant.
But in your case, the typical solution would be so called ssloffloading or ssl Termination:
i.e. put your tomcat behinde an apache, which configured to use multiple vhosts / domain names on the same ip. You could configure for each vhost in apache to use its own SSL certificate.
There is a step by step guide for this topic here:
http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html
I am using tomcat 8.5 and now it is possible to configure tomcat with multiple SSL/ multi domain. Here is my config.
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
defaultSSLHostConfigName="localhost" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="localhost">
<Certificate certificateKeyFile="/$path/privkey.pem"
certificateFile="/$path/certificate.pem"
certificateChainFile="/$path/chain.pem"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig hostName="domainname.com">
<Certificate certificateKeyFile="/$path/privkey.pem"
certificateFile="/$path/certificate.pem"
certificateChainFile="/$path/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
I have just got this to work on a server with multiple SSL's and IP's.
Added IP's this way:
http://www.loadtestingtool.com/help/how-setup-ip.shtml
Added code to make the server use maximum possible security with the "ciphers" (when having a 2048bit key).
Tested first that this will work with self-signed keys this way:
http://community.jboss.org/wiki/GeneratingSelfSignedCertificateWithKeytool
Note that the test in this page has erroneous characters in the beginning of the "-keystore" text (on multiple places).
Here is the code:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##1" port="443" minSpareThreads="5"
enableLookups="true" acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" keystoreFile="key1.key"
keystorePass="password1" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##2" port="443" minSpareThreads="5"
enableLookups="true" acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" keystoreFile="key2.key"
keystorePass="password2" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
You could just make life easier and get an EV SAN (also know as UCC) and add each domain as an entry in the subject alternative name field. And if want to use several ip addresses, just export the certificate and reimport it onto each ip address (http://www.ssltools.com/manager is great for that if you are running windows). A good example of an EV SAN certificate is the certificate found at https://www.ssl.com, just examine it.
I've tried to setup .keystore on Jboss 4.2. due to this documentation from jboss community
http://community.jboss.org/wiki/sslsetup
but Jboss console generate this error
LifecycleException: service.getName(): "jboss.web"; Protocol handler start failed:
java.io.FileNotFoundException: C:\Documents and Settings\mebada\.keystore (The system cannot find the file specified)
even I specify location of keystore in server.xml
<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
address="${jboss.bind.address}" port = "8443" protocol="HTTP/1.1" SSLEnabled="true" scheme = "https"
secure = "true">
<Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
keystoreFile="D:/Projects/Demo/jboss-4.2.3.GA/jboss-4.2.3.GA/server/default/conf/server.keystore"
keystorePass="tc-ssl"
protocol = "TLS"></Factory>
Any Help ?
Thanks in advance
The above tag was invalid.
I used this tag:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="tc-ssl" sslProtocol="TLS"
truststorePass="tc-ssl"
acceptAnyCert="true" clientAuth="want" />