Hello I am trying to deploy my app on a remote tomcat server (8.5.30). In order for my app to run I need to add these lines on /conf/server.xml
<Connector SSLEnabled="true"
clientAuth="false" keystoreFile="blc-example.keystore" keystorePass="xx"
keyPass="xx" maxThreads="150"
scheme="https" secure="true" sslProtocol="TLS" />
This works perfectly fine on my local machine. However on the remote server for some reason I am getting this error on the startup
02-Jan-2019 16:19:37.783 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[HTTP/1.1-auto-1]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-auto-1]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:793)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.startup.Catalina.start(Catalina.java:681)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:493)
Caused by: org.apache.catalina.LifecycleException: The connector cannot start since the specified port value of [-1] is invalid
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1011)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
... 11 more
I am pretty sure that tomcat can see the keystoreFile because otherwise I am getting a file not found error.
All the settings are the same with my local machine so it is highly confusing to me why this is happening. Any tips?
Set a port on your connector, it does say in the error it is defaulting to an invalid port with none present:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
clientAuth="false" keystoreFile="blc-example.keystore" keystorePass="xx"
keyPass="xx" maxThreads="150"
scheme="https" secure="true" sslProtocol="TLS" />
That's because of the missing port in your connector configuration.
When you don't set a port in Connector, tomcat will choose a random port from available free ports in the system.
As in your case, there might be a restriction (due to security reasons) on your remote server for the tomcat to use a random available port, that's why it's automatically defaulting to -1, which is an invalid port. And it's working locally because there are no restrictions regarding random ports on your local machine.
So, in your config, you should explicitly set the port permitted by your server platform.
Related
I am trying to configure ssl into my web app. Generated the .jks file from .cer file using java keytool and configured it in server.xml
But Tomcat refuses to start in port 443 or port 8443 after this configuration.
server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
and
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
URL used in browser:
https://10.111.77.66/MY-APP
and https://10.111.77.66:8443/MY-APP
Both URL not working.
Error message in Browser:
This site can’t provide a secure connection
10.111.77.66 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Before SSL configuration, Application was running fine in port 8082. ( http://10.111.77.66:8082/MY-APP )
What is wrong here? Stuck up badly. Please help.
Server is Linux.
Tomcat Logs:
java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
I have a VPS running tomcat9, and I cannot manage to install the certificate.
I got a certificate using certbot (let's encrypt entity), now I have the files:
/etc/letsencrypt/live/mydomain.org/fullchain.pem
/etc/letsencrypt/live/mydomain.org/privkey.pem
I don't know what to do with them. I followed a lot of different tutorials, blogs, documentation pages including this one https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and it never works.
Currently, I created a JKS keystore and imported my certificate
keytool -importcert -alias root -file /etc/letsencrypt/live/mydomain.org/fullchain.pem -keystore mydomain.jks
In server.xml I have
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" >
<SSLHostConfig>
<Certificate certificateKeystoreFile="/home/tomcat/files/mydomain.jks"
keystoreType="JKS"
keystorePass="mypassword"/>
</SSLHostConfig>
</Connector>
But when I restart my tomcat9 service I have the following in the logs:
SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
... 13 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
... 31 more
I changed the password and I still have the issue, so I think the error comes from somewhere else. Could anyone give me a step by step procedure to install this certificate?
Thanks
The correct key for the password is
certificateKeystorePassword
(Credits to Marquinio.)
I am trying to get HTTPS/TLS enabled for Tomacat (8.x) preferring the OpenSSL alternative because the cert/key configuration is simpler (compared to the usual JSSE with keystore).
Followed the offical documentation and enabled the connector section like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="TLSv1.2">
<Certificate
certificateKeyFile="conf/MyKey.key"
certificateFile="conf/MyCertificate.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
NOTE that I am still using Http11NioProtocol and not APR Http11AprProtocol connector.
However, startup fails with this configuration as this combination of configuration seems to require Tomcat native libraries to be built and configured:
14-Jun-2019 10:38:46.363 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
at org.apache.tomcat.jni.Pool.create(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:70)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:53)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:104)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1082)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:267)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
I did build and install Tomcat native + APR library and configured in Tomcat env class path which fixed the issue, but that is besides the point. Point is, shouldn't APR/native libraries be only required if I am using Http11AprProtocol which I am not using? What am I missing? Any pointers/help will be much appreciated. Thanks!
The mistake I made was that I had explicitly configured sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" in the Connector configuration. This is what causes dependency on native libraries and the error on startup.
Not specifying sslImplementationName leaves it to default which is org.apache.tomcat.util.net.jsse.JSSEImplementation and works fine with OpenSSL style certificate and key configuration. Final config:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="TLSv1.2">
<Certificate
certificateKeyFile="conf/MyKey.key"
certificateFile="conf/MyCertificate.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
So the answer to the main question: yes it is possible to use pure Java/JSSE style configuration with OpenSSL style SSLHostConfig.
(APR/OpenSSL impl with native libraries are relatively more perform ant, however.)
Problem summary:
I am trying to run symmetric ds on tomcat with ssl. Setup details
1). MasterNode M1: running on tomcat.
2). Cleint node C1: running on tomcat.
I am able to run symmetricds on tomcat without ssl. This setup works fine all sync happens.
Now when I am trying to run tomcat with following setting for ssl, it gives bad_certificate error on client node:
connection setting on Master node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
connector setting on Client node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
Note: If I run Master node tomcat with clientAuth=false then everything works fine. On further debugging I found that client is not providing its certificate during TLS handshake. Following is error: Experts please help what config I need to do so that client provide certificate:
Error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Upgrade to SymmetricDS 3.8.31. There was an issue that was fixed that allows for client TLS authentication now:
http://www.symmetricds.org/issues/view.php?id=2886
I recently got a ssl certificate from godaddy. I created the keystore properly and put the following into my server.xml:
<Connector port="8443" protocol="org.apache.coyote.Http11Protocol" SSLEnabled="true"
maxThreads="200" scheme="https" secure="true" keystoreFile="C:\SSLCerts\mykeystore.keystore" keystorePass="password"
clientAuth="false" sslProtocol="TLS" />
I originally had protocol="HTTP/1.1" but I was receiving an error stating that the keystoreFile and the keystorePass didn't have a matching value. Which caused a binding error on port 8443. I ran netstat and made sure nothing is running on 8443; did some googling and found to fix that issue to change the protocol as it is above.
After adding that change I'm receiving the following error:
SEVERE: Failed to start connector [Connector[org.apache.coyote.Http11Protocol-84
43]]
LifecycleException: service.getName(): "Catalina"; Protocol handler start fail
ed: java.lang.NullPointerException
at org.apache.catalina.connector.Connector.start(Connector.java:1102)
at org.apache.catalina.core.StandardService.start(StandardService.java:5
40)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754
)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Jun 21, 2012 1:23:57 PM org.apache.coyote.ajp.AjpAprProtocol start
Does anyone have any idea what needs to be done in order to fix this?
protocol="org.apache.coyote.Http11Protocol" is not a valid protocol. You want protocol="org.apache.coyote.http11.Http11Protocol". Note the extra http11 package you are missing.
That will probably bring you back to the problem with your key store.