Letsencrypt/SSL Tomcat8 Ubuntu 16.04 - ssl-certificate

I have followed some guides on the internet but I am stuck now as none of what they told me to do works from this point on.
I have Ubuntu 16.04 with a Tomcat8. I have deployed an application in Tomcat's webapps and it works fine on http. Then I used letsencrypt to get a certificate and after validating my Tomcat's settings, it gave me 4 .pem files.
chain.pem
fullchain.pem
cert.pem
privkey.pem
Now I don't understand how to link/use them in my Tomcat/conf/server.xml in order to be able to access the application on port 443/8443. I have already put in port forwarding from 443 to 8443 as I installed the Tomcat service with a non-root user. I put the .pem files into the conf folder of my Tomcat, so server.xml is right next to them.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/privkey.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
This is my current setting in my server.xml file, but it is not working. The preset had no place for the "fullchain.pem" either, and I don't know whether I need to change the lines with "org.apache" in them, as I have no clue what those actually do.
Thanks in advance. I managed to set up a self-signed certificate on Windows and Ubuntu, but you always get the insecure warning then. I was told this doesn't happen with letsencrypt.

I will write how I managed to install it:
Download certbot:
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
Fetch the certificates:
$ sudo /path/to/certbot-auto certonly --webroot -w /path/to/apache-tomcat-8.5/webapps/ROOT -d example.com
Your certificates will be downloaded into this folder: "/etc/letsencrypt/live/YOUR_WEBSITE_HERE/"
Edit the HTTPS connector in server.xml like this:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Let’s Encrypt certificates are usually valid for 90 days, hence you need to renew them periodically. Add the following line to crontab to do so:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew
I've also written a blog post about it which you can find here: https://www.gasimof.com/blog/enable-https-for-free-for-tomcat/
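The question asked where fullchain.pem goes: certbot writes fullchain.pem as cert.pem followed by chain.pem, so the Certificate element above, which takes the leaf and the chain separately, needs no slot for it. The following check is an added example (not code from the post or the linked blog) that verifies the four files are consistent before they are wired into server.xml; the PEM bodies are constructed placeholders, and check_live_dir assumes the certbot live-directory layout.

```python
import os
import re

# Matches one PEM block: the BEGIN/END labels must agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK.finditer(text)]


def check_bundle(cert, chain, fullchain, privkey):
    """Return a list of problems; an empty list means the four files fit together."""
    problems = []
    certs = pem_blocks(cert)
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        problems.append("cert.pem must hold exactly one CERTIFICATE block")
    chain_certs = pem_blocks(chain)
    if not chain_certs or any(label != "CERTIFICATE" for label, _ in chain_certs):
        problems.append("chain.pem must hold one or more CERTIFICATE blocks")
    # certbot writes fullchain.pem as the leaf certificate followed by the chain
    if pem_blocks(fullchain) != certs + chain_certs:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    keys = pem_blocks(privkey)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("privkey.pem must hold exactly one PRIVATE KEY block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY":
        # Tomcat would additionally need certificateKeyPassword on <Certificate>
        problems.append("privkey.pem is encrypted; certificateKeyPassword is required")
    return problems


def check_live_dir(live_dir):
    """Run check_bundle on a certbot live directory, e.g. /etc/letsencrypt/live/example.com."""
    def read(name):
        with open(os.path.join(live_dir, name), encoding="ascii") as f:
            return f.read()
    return check_bundle(read("cert.pem"), read("chain.pem"),
                        read("fullchain.pem"), read("privkey.pem"))


# Constructed stand-ins: the bodies are placeholders, not real DER/base64 data.
LEAF = "-----BEGIN CERTIFICATE-----\nLEAFDATA\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nR3DATA\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nKEYDATA\n-----END PRIVATE KEY-----\n"
```

Run check_live_dir against the live directory as the Tomcat user: a permission error there is the same error Tomcat will hit at startup.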

Can't open port 8443 in Windows 10

I am trying to verify whether the client certificate (self-signed) which I generated with openssl is valid. I have created a client certificate, client private key and client keystore, and a server certificate, server private key, server keystore and server truststore.
I am trying to use the generated server key and certificate in Tomcat by putting the following in server.xml:
<Connector port="8443"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           truststoreFile="C:\New keys\Server\truststore.jks"
           truststorePass="......"
           keystoreFile="C:\New keys\Server\keystore_server"
           keystorePass="......."
           clientAuth="true"
           keyAlias="......."
           sslProtocol="TLS"/>
I have also added client certificate in Google Chrome.
But when I try to visit http://localhost:8443/ I get the error localhost refused to connect.
I added an inbound rule to the Windows firewall to allow port 8443, yet, after doing this, when I test whether the port is open or closed with online tools, it shows that port 8443 is closed.
How do I open this port? Or is there anything else I can do to solve this?

Tomcat 8 doesn't enforce SSL mutual auth

For some reason on one of my servers, SSL with mutual auth is not enforced.
The same server.xml config on another server does end up enforcing it.
So I am reaching out to you guys, do you know why this server.xml configuration allows the user to access the page WITHOUT asking for an SSL client certificate?
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
           clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore" truststorePass="hidden"/>
My truststore contains only one certificate (I ensured that to make sure my testing was valid), and my HTML client is NOT configured with this certificate.
When I go to https://URL:8444/webappname/foo.html, it works!
As you can see in the wireshark trace below, the server is not asking for the client certificate.
On the other servers, I see the server asking for a Client certificate, as shown here:
At the moment I am simply trying to ensure the mutual auth is enforced so I am expecting to see an SSL error.
Any input would be welcome, thanks in advance.
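Tomcat does not reject a Connector attribute it does not recognise; it logs a startup warning and carries on, so a misspelled attribute name (the connector above has clientAut, not clientAuth) leaves the setting at its default and client-certificate authentication stays off. The audit below is an added example (not code from the question or from Tomcat) that parses a server.xml, flags attributes outside a list it knows, and reports every SSLEnabled connector that never requests a client certificate, in both the Tomcat 8.0 keystore style and the 8.5 SSLHostConfig style. KNOWN_TLS_ATTRS is an assumed subset of the real attribute set, and SAMPLE_SERVER_XML is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Attributes this audit recognises on an SSLEnabled Connector (assumed subset of what
# Tomcat accepts; extend it for attributes your own server.xml legitimately uses).
KNOWN_TLS_ATTRS = {
    "port", "protocol", "maxThreads", "SSLEnabled", "scheme", "secure", "server",
    "sslImplementationName", "sslProtocol", "keystoreFile", "keystorePass",
    "keyAlias", "truststoreFile", "truststorePass", "clientAuth", "redirectPort",
}


def audit_connectors(server_xml):
    """Return {port: [issues]} for every Connector with SSLEnabled="true"."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        for name in conn.keys():
            if name not in KNOWN_TLS_ATTRS:
                # Tomcat only logs a warning for an attribute it does not know
                issues.append(f"attribute {name!r} is not recognised (typo?)")
        host_cfg = conn.find("SSLHostConfig")
        if host_cfg is not None:
            # Tomcat 8.5 style: client-cert policy is certificateVerification (default "none")
            cert = host_cfg.find("Certificate")
            if cert is None or cert.get("certificateKeyFile") is None:
                issues.append("SSLHostConfig has no Certificate/certificateKeyFile")
            client_auth = host_cfg.get("certificateVerification", "none")
        else:
            # Tomcat 8.0 style: keystore and clientAuth sit directly on the Connector
            if conn.get("keystoreFile") is None:
                issues.append("neither keystoreFile nor SSLHostConfig: nothing to serve")
            client_auth = conn.get("clientAuth", "false")
        if client_auth.lower() not in ("true", "want", "required", "optional"):
            issues.append("client certificate never requested (no mutual auth)")
        findings[conn.get("port", "?")] = issues
    return findings


# Constructed sample: the first connector repeats the misspelled attribute from the
# question; the second is a PEM-based 8.5 connector that requires a client certificate.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" keystoreFile="conf/server.jks" keystorePass="hidden"
             clientAut="true" truststoreFile="conf/trust.jks" truststorePass="hidden"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig certificateVerification="required">
      <Certificate certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem"
                   certificateChainFile="conf/chain.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
</Service></Server>"""
```

Call audit_connectors(open("conf/server.xml").read()) on each server and compare the findings; a difference in the 8444 entry between the two servers is what to look for first.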

How do I configure certbot certificates on Tomcat for HTTPS?

I've been trying to configure SSL for a Tomcat 8.5 server at the school where I work so that it uses the HTTPS protocol. Since we haven't bought a certificate from a CA, I used certbot to get a free one. I did some configuration and my Tomcat is serving on HTTP but not yet on HTTPS, and there are no errors in the logs. Here is what I did.
-The Tomcat 8.5 is installed on Windows server 2012. It has worked perfectly for 2 years serving applications on regular HTTP.
-Certbot does not support Windows, therefore, I had to install Ubuntu 16.04 on a VM.
-I installed certbot successfully on Ubuntu.
-I used the following command to get my certbot certificates:
sudo certbot certonly --preferred-challenges http --manual -d theDomainOfMySchool.com
-After succeeding the ACME challenge, I got these 4 .pem files: cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem.
-All 4 files are clear text in base64 like this extract I’m pasting here:
-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgISAwyxKh7NQWpNnH6w2enPbOlxMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-After fighting a while with permissions to copy the 4 files from /etc/letsencrypt/archive, I placed them in the folder of my Tomcat server in Windows.
-I configured Tomcat with the following nodes on server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/cert/certbot_gallery/privkey1.pem"
                     certificateFile="conf/cert/certbot_gallery/cert1.pem"
                     certificateChainFile="conf/cert/certbot_gallery/chain1.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-When I start my Tomcat, there are no errors on the logs.
-The server starts fine and serves on HTTP with no problem.
-When I try to access the applications through HTTPS I get ERR_CONNECTION_RESET on the browser.
What am I doing wrong? Is this kind of certificate not suitable for this Tomcat connector? Am I missing any configuration?
Thank you all.
Solved! As it turns out, I'm an as$. The configuration on my server.xml is wrong. The connector for Http11NioProtocol should use the port 443 (which is the default for HTTPS), instead of 8443.
The rest of the configuration and the request of the certs in certbot is OK.
I think the use of 8443 is in case that your Tomcat is behind Apache or something else. Since I'm using directly, and only, Tomcat, the connector port should be 443.
Also, make sure that your firewall allows 443 port.

how to hide "Apache-Coyote/1.1" on tomcat 5.0.28

I want to hide the server information "Apache-Coyote/1.1" shown when I execute the curl -i ip:port command against my Tomcat 5.0.28.
I tried adding <Connector port="8080" protocol="HTTP/1.1" server="Apache"> to the server.xml file, but it doesn't work.
I tested it on Tomcat 5.5, 6 and 7; in those cases it works fine. But it doesn't work on my Tomcat (version 5.0.28).
How can I hide this in my Tomcat 5.0.28?
Thanks.
I think it's not possible below 5.0. It's possible above 5.5.

SSL certificates in tomcat server

I have developed a Rest service and deployed it in tomcat 8 server. It is working fine with http URL. I have a requirement to install SSL certificate for the server.
But there is already a service running on this server which has SSL certificate.
Now my questions are
1) do I need to install another SSL certificate for the same server ?
2) How do i find that previously installed certificate belongs to server or service ?
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
Kindly help me techies.
1) do I need to install another SSL certificate for the same server ?
Probably not, depending on the kind of SSL service running. You need to establish a connector from the SSL service to Tomcat to forward SSL requests on a path. Usually in Tomcat this is done using the AJP connector and no extra configuration is needed. Check the documentation of the SSL service.
2) How do i find that previously installed certificate belongs to server or service ?
An SSL certificate is issued to a host name (Or infrequently to an IP), so it will be valid for the entire server
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
If the previous SSL service is running in the standard port 443, you will need a new port. Configure a new connector in server.xml with the port, ssl activated and the keystore with the certificate chain. See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>