I've been trying to configure SSL for Tomcat 8.5 server on the school I work to use HTTPS protocol. Since we haven't buy a certificate with a CA, I used certbot to get a free one. I did some configuration and my Tomcat is serving on HTTP but not yet on HTTPS, and there are no errors on the logs. Here is what I did.
-The Tomcat 8.5 is installed on Windows server 2012. It has worked perfectly for 2 years serving applications on regular HTTP.
-Certbot does not support Windows, therefore, I had to install Ubuntu 16.04 on a VM.
-I installed certboot successfully on Ubuntu.
-I used the folowing command to get my certbot certificates:
sudo certbot certonly --preferred-challenges http --manual -d theDomainOfMySchool.com
-After succeeding the ACME challenge, I got these 4 .pem files: cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem.
-All 4 files are clear text in base64 like this extract I’m pasting here:
-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgISAwyxKh7NQWpNnH6w2enPbOlxMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-After fighting a while with permissions to copy the 4 files from /etc/letsencrypt/archive, I placed them in the folder of my Tomcat server in Windows.
-I configured Tomcat with the following nodes on server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/cert/certbot_gallery/privkey1.pem"
certificateFile="conf/cert/certbot_gallery/cert1.pem"
certificateChainFile="conf/cert/certbot_gallery/chain1.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-When I start my Tomcat, there are no errors on the logs.
-The server starts fine and serves on HTTP with no problem.
-When I try to access the applications through HTTPS I get ERR_CONNECTION_RESET on the browser.
What am I doing wrong. Are this kind of certificates not suitable for this Tomcat connector? Am I missing any configuration?
Thank you all.
Solved! As it turns out, I'm an as$. The configuration on my server.xml is wrong. The connector for Http11NioProtocol should use the port 443 (which is the default for HTTPS), instead of 8443.
The rest of the configuration and the request of the certs on certboot is OK.
I think the use of 8443 is in case that your Tomcat is behind Apache or something else. Since I'm using directly, and only, Tomcat, the connector port should be 443.
Also, make sure that your firewall allows 443 port.
Related
I am trying to verify if the client certificate (self-signed) which I generated with openssl is valid. I have created client certificate, client private key, client keystore, and server certificate, server private key, server keystore and server truststore.
I am trying to use the generated server key and certificate in Tomcat by putting the following in server.xml:
<Connector port="8443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
truststoreFile="C:\New keys\Server\truststore.jks"
truststorePass="......"
keystoreFile="C:\New keys\Server\keystore_server"
keystorePass="......."
clientAuth="true"
keyAlias="......."
sslProtocol="TLS"/>
I have also added client certificate in Google Chrome.
But when I try to visit http://localhost:8443/ I get the error localhost refused to connect.
I added an inbound rule windows firewall to allow port 8443, yet, after doing this, when I test whether the port is open or closed with online tools, it shows that port 8443 is closed.
How do I open this port? Or is there anything else I can do to solve this?
I have a tomcat server with microservice wars, one WAR that connects with another system, another system requires client authentication, and i have the certificate how to load the certificate with the communication with that system, i tried to use this certificate in the HTTPS encription but failed,
kindly advice i want to load a certififcate if the tomcat will connect with a certain URL,
i mean that the tomcat will be the client not the server,
i know how to make tomcat require client authentication as a server but if there is another system and the tomcat here is the client, how to insert the certificate in tomcat,
the application is java, and the os is linus redhat 7
i tried to inst the certificate to OS level and cacert but same
I'm at a loss since I'm not a Tomcat person. I use tomcat as a webserver for our Java application and now we are trying to integrate with one of our customers and they require Client Authentication via SSL, so they generated and issued me an SSL certificate to use it in tomcat during the communicating with their system. Unfortunately, this is as far as they support it and cannot give me any direction on how to actually use it.
So what I have is a Java application, a Tomcat app server running 8 on rehat 7, and the .p12 cert from the local CA from customer side.
now i have 2 certificates one for SSL and another as client authentication, how to define the client authentication and attache it with my communication dealing with another system, I tried to use SSLCACertificateFile attribute but no luck,
Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8446" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="fileto.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreType="PKCS12" SSLCACertificateFile="CAfileto_T.p12" SSLCACertificatePass="changeit"
Realm className="org.apache.catalina.realm.LockOutRealm"
Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"
I have followed some guides on the internet but I am stuck now as none of what they told me to do works from this point on.
I have Ubuntu 16.04 with a Tomcat8. I have deployed an application in Tomcat's webapps and it works fine on http. Then I used letsencrypt to get a certificate and after validating my Tomcat's settings, it gave me 4 .pem files.
chain.pem
fullchain.pem
cert.pem
privkey.pem
Now I don't understand how to link/use them in my Tomcat/conf/server.xml in order to be able to access the application on port 443/8443. I have already put in a portforwarding for 443 to 8443 as I installed the Tomcat-service with a non-root user. I put the .pem files into the conf-folder of my Tomcat, so server.xml is right next to them.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/privkey.pem"
certificateFile="conf/cert.pem"
certificateChainFile="conf/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
This is my current setting in my server.xml file but it is not working. The presetting had no place for the "fullchain.pem" either and I don't know whether I need to change the lines with "org.apache" in them as I got no clue what those actually do.
Thanks in advance. I managed to do a self-signed certificate on Windows and Ubuntu, but you always get this insecure-warning then. I was told this doesn't happen with letsencrypt.
I will write how I managed to install it:
Download certbot:
$ wget https://dl.eff.org/certbot-auto<br/>
$ chmod a+x certbot-auto
Fetch the certificates:
$ sudo /path/to/certbot-auto certonly --webroot -w /path/to/apache-tomcat-8.5/webapps/ROOT -d example.com
Your certificates will be downloaded into this folder: "/etc/letsencrypt/live/YOUR_WEBSITE_HERE/"
Edit the HTTPS connector in the server.xml like this
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate
certificateKeyFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem"
certificateFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem" certificateChainFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
Let’s Encrypt certificates are usually valid for 90 days, hence you need to renew them periodically. Add the following line to crontab to do so:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew
I've also written a blog post about it which you can find here: https://www.gasimof.com/blog/enable-https-for-free-for-tomcat/
I want to hide server information "Apache-Coyote/1.1" when I execute curl -i ip:port command in my tomcat 5.0.28.
I tried to add <Connector port="8080" protocol="HTTP/1.1" server="Apache"> to server.xml file. but it doesn't work.
I tested it on tomcat 5.5, 6 and 7. in this case, It's works all find. But it doesn't work my tomcat(5.0.28 ver).
How can I hide this in my tomcat 5.0.28.
Thanks.
I thinsk it's not possible below 5.0. It's possible above 5.5.
I have developed a Rest service and deployed it in tomcat 8 server. It is working fine with http URL. I have a requirement to install SSL certificate for the server.
But there is already a service running on this server which has SSL certificate.
Now my questions are
1) do I need to install another SSL certificate for the same server ?
2) How do i find that previously installed certificate belongs to server or service ?
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
Kindly help me techies.
1) do I need to install another SSL certificate for the same server ?
Probably not, depending of the kind of the SSL service running. You need to stablish a connector from the SSL service to Tomcat to forward SSL requests in a path. Usually in Tomcat is done using the AJP connector and is not needed extra configuration. Check the documentation of the SSL Service
2) How do i find that previously installed certificate belongs to server or service ?
An SSL certificate is issued to a host name (Or infrequently to an IP), so it will be valid for the entire server
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
If the previous SSL service is running in the standard port 443, you will need a new port. Configure a new connector in server.xml with the port, ssl activated and the keystore with the certificate chain. See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>