It drives me nuts now.
I have created sym links to the PEM files. I made the PEM files readable for the tomcat user. I set the server.xml to use SSL. And the connector fails to start.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
defaultSSLHostConfigName="mydomain.com"
>
<SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
<Certificate
certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem"
type="UNDEFINED"
/>
</SSLHostConfig>
</Connector>
I did try to change the type to RSA, to no avail. All I see in the log is:
02-Jan-2021 17:40:54.398 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
02-Jan-2021 17:40:54.466 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
... some lines removed
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
... some lines are removed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
... 13 more
Caused by: java.io.IOException
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I've checked the SSLUtilBase.java code (tomcat 9.0.33):
if (certificate.getCertificateFile() == null) {
throw new IOException(sm.getString("jsse.noCertFile"));
}
I did try to copy the files instead of using sym links. No avail. Removed the comments from the cert files. No avail. It seems tomcat cannot find the files I've specified in the server.xml.
What do I miss?
Whenever you use one of the deprecated properties on a connector, Tomcat creates an <SSLHostConfig> element with hostName="_default_" and a <Connector> element inside it. The error is caused by the lack of the certificateFile on this particular element.
Remove the deprecated attributes (clientAuth, sslProtocol) from the <Connector> element and everything should work.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
defaultSSLHostConfigName="mydomain.com">
<SSLHostConfig hostName="mydomain.com" protocols="TLSv1+TLSv1.1+TLSv1.2">
<Certificate
certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem"
type="UNDEFINED"
/>
</SSLHostConfig>
</Connector>
Remark: the sslProtocol attribute is a characteristic of JSSE and should always be left at the default value (TLS).
I had the same issue with Ubuntu 20.04 and Tomcat 9.0.52.
Tomcat - server.xml - certificateKeyFile
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
I also tried everything that you described above and I also was not able to make the Tomcat Connector with certificateKeyFile to work.
Note, on RedHat Linux 7/8 it works fine though!!! I only got this issue in Ubuntu 20.04.
The good news is it works fine in Ubuntu 20.04 if you use a keystore instead of the certificateKeyFile.
You will need to create the keystore as the user that runs tomcat, in my case the user named "tomcat", then created the CSR using the keystore, issue the certificate, and imported the certificate into the keystore.
--Create the keystore folder and grant the proper permissions:
su - root
mkdir /rhdata/sslcert
chown -R tomcat:tomcat /rhdata/sslcert
su - tomcat
cd /rhdata/sslcert
--Create the PKCS12 keystore (must do the previous step):
su - tomcat
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keystore /rhdata/sslcert/.keystore
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -validity 3600 -keysize 2048 -keystore /rhdata/sslcert/.keystore
Enter keystore password: key$tom#2021
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool --list --keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021'
--Create the CSR:
su - tomcat
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -certreq -keyalg RSA -alias tomcat -file /rhdata/sslcert/keytool_cert/certreq.csr -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021'
--Create the new certificate from the certificate authority using the CSR
--Import the new certificate into the keystore:
su - tomcat
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021' -file /rhdata/sslcert/keytool_cert/certnew.p7b
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom#2021' -file /rhdata/sslcert/keytool_cert/certnew.cer
--This is the new Tomcat connector:
Tomcat - server.xml - keystore
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/rhdata/sslcert/.keystore" keystorePass="key$tom#2021"
clientAuth="false" sslProtocol="TLS"/>
--Verify the new Tomcat server.xml file
su - tomcat
cd /usr/local/tomcat9/conf
/usr/local/tomcat9/bin/configtest.sh
--Then, stop/start Tomcat.
su - root
systemctl stop tomcat.service
systemctl start tomcat.service
systemctl status tomcat.service
vi /usr/local/tomcat9/logs/catalina.out <-- shall not have any errors!!!
Related
I have a legacy application that I have no idea what's inside. The app is running on a windows 10 server under http protocol. I need to make it work with https using the keytool and certificates. On this server an API is running such that I dont need a domain name for it. So I want to make the ssl connection without a domain name using the ip address. I am running apache tomcat 9.0.36 with the following server.xml configuration. And ports : 12001, 12002, 8433, 433, 80, 8000, 8080 are open for testing purposes.
<Connector port="12001" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" URIEncoding="UTF-8" maxThreads="1000" acceptCount="1000" minSpareThreads="50"/>
<!-- A "Connector" using the shared thread pool -->
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="D:\apache-tomcat-9.0.36\conf\keystore.jks"
keystorePass="********"
clientAuth="false" acceptCount="100"
/>
Ran the following command to generate the SSL certificate.
keytool -genkey -keyalg RSA -alias tomcat -keystore keystore.jks -validity 365 -keysize 2048
Checked the certificate (ok)
keytool -list -v -keystore keystore.jks
When I go to the https://ip:8433, I cannot connect to the server this site cannot be reached ERR_CONNECTION_RESET
When I go to http://ip:12001, there is no redirect and ERR_CONNECTION_RESET
I'm trying to enable SSL on my wildfly 11 application server, i bought an ssl certificate in godaddy and downloaded a zip file with this inside:
1. 22c8728db3996008.crt
2. 22c8728db3996008.pem
3. gd_bundle-g2-g1.crt
I follow this steps to install, with this commands:
1. keytool -genkey -alias myalias -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file C:\path\to\cert\22c8728db3996008.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file C:\path\to\cert\gd_bundle-g2-g1.crt
Then copy the keystore.jks file on the standalone/configuration directory
And modify standalone.xml file:
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="myalias" key-password="mypassword"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
And
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
Then restart the server but booting appears this error:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SslRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SslRealm.key-manager: Failed to start service
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc//org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
... 3 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0086: The KeyStore can not be found at keystore.jks
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:114)
at org.jboss.as.domain-management//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 7 more
How can i install and use my ssl certificate?
After many tries, I was able to solve it.
First to create a keystore file (.keystore), install KeyStore Explorer and follow this steps.
Second for add the keytore file to Wildfly follow this steps.
To redirect all traffic from the server to HTTPS do with this.
And that's it, the SSL certificate works ok.
Hope this help to someone.
I'm setting up a key for HTTPS in JBoss 6 and it keeps showing me the error
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The certificate is valid.
I created the jks using this command:
keytool -import -trustcacerts -alias root -file certificate.crt -keystore JksName.jks
The server.xml file is like this:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path"
keystorePass="psswd" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
But it keeps showing that error in chrome. Already tried in other browsers and it does not work too.
Although the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error could indicate any SSL version mismatch or no common cipher suites between the browser and the server, this error probably means that the server only supports RC4.
You will need to enable support for additional cipher suites.
I want to configure https on my Tomcat Server. I got FreeSSL certificate. But I don't know steps to proceed.
1. I got an email from FreeSSL provider with the text of the SSL certificate
2. I copied this text into file with extension .p7b
3. I added this certificate to new keystore
4. In server.xml I inserted path to this keystore and the pass as in:
<Connector
SSLEnabled='true'
keystoreFile="/path/to/certificates/keystore"
keystorePass="password"
maxSpareThreads='75'
port='8443'
proxyPort='443'
algorithm='SunX509'
enableLookups='false'
secure='true'
maxThreads='150'
connectionTimeout='20000'
disableUploadTimeout='true'
scheme='https'
minSpareThreads='5'
maxHttpHeaderSize='8192'
sslProtocol='SSL'
acceptCount='200'
clientAuth='false'
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
/>
But after this steps I get next error:
Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)
on FireFox and
A secure connection cannot be established because this site uses an
unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
on Chrome
EDIT:
When I requested SSLCertificate I created cert.csr and keystore.keystore. But now I don't use them. Can this be the problem?
EDIT2:
As was written in comments I found the initial keystore and I put in it new certificate. After this I got an error on firefox:
Secure Connection Failed
The connection to domain.com:8443 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Here's how I set one way SSL for Tomcat 7
Hope it would be help
$Tomcat\bin>keytool -genkey -v -alias ***your alias***
-keyalg RSA -validity ***how many days***
-keystore ***your keystore file path*** keystore
-dname "CN=***www.yourdomain.com***,
OU=***Your Organizational Unit***, O=***Your Organization***,
L=***Your City***, ST=***Your State***, C=***Your Country correct***"
-storepass ***your keystore password*** -keypass ***your key password***
And in the server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="***your keystore file path***"
keystorePass="***your keystore password***" />
I have a downloaded a free ssl certificae and how can i make it to configure under Apache Tomcat ??
I have issued this below command to import the downloaded file
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
But how this will be associated with the tomcat server ??
You have to change your Connector description in the server.xml file to something like
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
-->
See the SSL documentation for details.