I have a Tomcat 7 installation on CentOS 6.7 that should only allow connections on port 443. The /etc/tomcat/server.xml file is configured as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
               SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
               SSLVerifyClient="optional" SSLProtocol="TLS"
         />

Furthermore, /usr/share/tomcat/conf/server.xml is configured as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
               SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
               SSLVerifyClient="optional" SSLProtocol="TLS"
         />

iptables is configured as follows:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP

Tomcat is running:

sudo service tomcat status
tomcat (pid 2687) is running...                            [  OK  ]

But when I try to browse to my web application, I get the following:

This webpage is not available

ERR_CONNECTION_REFUSED

I believe that I have followed Apache's instructions on the matter, but it's obvious something is wrong.

What do I need to do to resolve this?

Roy Hinkley
  • Possible duplicate of [What causes the 'Connection Refused' message?](http://serverfault.com/questions/725262/what-causes-the-connection-refused-message) – user9517 Feb 20 '16 at 15:14
  • I've just read through some of your recent questions. It's clear that you don't have the faintest clue about the technologies you are working with. You are stumbling from one problem to another and you are not attempting to learn about the issue and help yourself. This makes you a help vampire - that doesn't go down well here. You have jumped in at the deep end; that takes real skills that you don't have. Please take some time to actually learn about the stuff you are using. – user9517 Feb 20 '16 at 15:29
  • @Iain I am not convinced that this should be closed as a duplicate. It is however not a great question. I see no attempts at even the most rudimentary troubleshooting. At least the question could have mentioned if there is anything listening on the port. – kasperd Feb 20 '16 at 19:02
  • @kasperd When I v-t-c to that duplicate I am in effect giving the OP diagnostics to follow, as it contains information that will help them. At the time I cast my vote that was the best I could do, and hope that they returned educated. Unfortunately, as you say, we don't know if anything was listening or not because the OP is not interested in education. It would have been good to know because it may have led to us improving the dupe target if there is some other reason for the connection refused message. I think I will let my vote stand as I think this needs to be closed one way or another. – user9517 Feb 20 '16 at 19:34
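
Before touching server.xml it is worth confirming what ERR_CONNECTION_REFUSED actually tells you. The following is an added example, not code from the question or its answers: a small Python probe that distinguishes a refused connection (the host answered with a TCP RST because nothing is listening on that port, or because an iptables REJECT rule answered for it) from a filtered one (no answer at all until the timeout, which is what the DROP rule on port 80 above produces) and from a completed handshake. The throwaway loopback listener, the kernel-chosen port and the 2-second timeout are assumptions made for the demonstration; on the CentOS box itself the equivalent check is `ss -ltnp` (or `netstat -ltnp`) to see whether the java process is bound to port 443 at all.

```python
"""Added example (not from the original question or answers): reproduce, at the
socket level, what a browser's ERR_CONNECTION_REFUSED means.

A TCP connect can fail in ways that look alike in a browser:
  * "refused"   - the host sent a RST: the packet arrived, but no socket is
                  listening on that port (or an iptables REJECT rule answered).
  * "filtered"  - no answer until the timeout: what an iptables DROP rule does.
  * "listening" - the three-way handshake completed.
Only "refused" and "listening" are reproduced here, with a local listener;
the "filtered" branch only triggers against a real firewall or a black hole.
"""
import errno
import socket
import threading


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single TCP connect attempt to host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # assumption: 2 s is long enough for loopback/LAN
    try:
        s.connect((host, port))
        return "listening"
    except ConnectionRefusedError:
        return "refused"          # RST came back: nothing bound to the port
    except socket.timeout:
        return "filtered"         # silent drop: firewall DROP or no route back
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # local routing refused to even send it
        raise
    finally:
        s.close()


def free_port() -> int:
    """Ask the kernel for a currently unused loopback port and release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_with_listener(port: int) -> str:
    """Bind a minimal listener on 127.0.0.1:port, probe it, then tear it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before anything connected

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        srv.close()
        t.join(timeout=2)


if __name__ == "__main__":
    p = free_port()
    # Same port, with and without a listener: "refused" vs "listening".
    print(f"port {p}, nothing listening: {probe('127.0.0.1', p)}")
    print(f"port {p}, listener running:  {probe_with_listener(p)}")
```

A refused connection on 443 while `service tomcat status` reports a running pid means the Java process is up but the HTTPS connector never bound the port, which is why catalina.out is the next place to look. Keep in mind as well that ports below 1024 can only be bound by root or by a process holding CAP_NET_BIND_SERVICE, so a Tomcat started as an unprivileged service user cannot bind 443 no matter how the connector is configured.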

2 Answers

First of all, you should check the log file /var/log/tomcat/catalina.out.

You can't use the SSLCertificateKeyFile option with JSSE (BIO/NIO) connectors, only with APR. If you want to use APR you must compile and install Tomcat Native. When you start Tomcat you should see the following lines in the log:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=384m; support was removed in 8.0
Jul 03, 2015 6:43:47 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.34 using APR version 1.3.9.
ALex_hha
  • Actually, the issue was an extra `SSLProtocol="TLS"` declaration. Thank you so much for your help - despite what others might say or think!!! :^) – Roy Hinkley Feb 20 '16 at 15:41

If you want to use an existing SSL certificate in Tomcat, you need to create a keystore and then import the certificates into it. Here is a post explaining how to do it step by step.

Ajeet Khan
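
The two answers and the asker's follow-up comment together describe three distinct configuration mistakes: APR/OpenSSL attributes such as SSLCertificateKeyFile on a JSSE connector (first answer), an SSLEnabled JSSE connector with no keystore (second answer), and the same setting spelled twice with different case, sslProtocol and SSLProtocol (the comment). The following is an added example, not code from either answer or from Tomcat: a small lint that parses the <Connector> elements of a Tomcat 7 server.xml and reports each of the three. The sample XML is constructed from the question's connector; the keystore path and password in the corrected form are placeholders. Note also that with `protocol="org.apache.coyote.http11.Http11Protocol"` set explicitly, installing Tomcat Native is not enough on its own: the connector stays JSSE unless the protocol is changed to Http11AprProtocol (or left as HTTP/1.1, which auto-selects APR when the native library loads).

```python
"""Added example, not code from the original answers or from Tomcat: a lint for
<Connector> elements in a Tomcat 7 server.xml that flags the three problems
the answers and the asker's follow-up point at:
  1. APR/OpenSSL-only attributes (SSLCertificateFile, SSLCertificateKeyFile, ...)
     on a JSSE connector (Http11Protocol / Http11NioProtocol); Tomcat reports
     them as properties it could not set and ignores them.
  2. An SSLEnabled JSSE connector with no keystoreFile: Tomcat falls back to
     ~/.keystore with password "changeit" and the connector fails to start.
  3. One setting spelled twice with different case (sslProtocol / SSLProtocol).
The sample XML is constructed from the question's connector; the attribute
lists follow the Tomcat 7 HTTP Connector reference.
"""
import xml.etree.ElementTree as ET
from typing import List

JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # BIO
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO
}
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Attributes only the APR/native connector understands.
APR_ONLY = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
            "SSLCACertificateFile", "SSLPassword", "SSLProtocol", "SSLCipherSuite",
            "SSLVerifyClient"}
# Attributes only the JSSE connectors understand.
JSSE_ONLY = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
             "truststoreFile", "truststorePass", "sslProtocol", "clientAuth", "ciphers"}

# The question's connector, wrapped in a minimal server.xml skeleton (constructed).
BROKEN = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
             SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
             SSLVerifyClient="optional" SSLProtocol="TLS" />
</Service></Server>"""

# The same connector in JSSE form: certificate and key imported into a keystore
# first (the path and password here are placeholders).
FIXED = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/etc/tomcat/tomcat.p12" keystoreType="PKCS12"
             keystorePass="changeit" />
</Service></Server>"""


def lint_connector(conn: ET.Element) -> List[str]:
    """Return human-readable findings for one <Connector> element."""
    findings = []
    attrs = conn.attrib
    port = attrs.get("port", "?")
    protocol = attrs.get("protocol", "HTTP/1.1")

    # 3. Same name in two spellings: one of them is silently an unknown property.
    seen = {}
    for name in attrs:
        key = name.lower()
        if key in seen:
            findings.append(f"port {port}: attributes '{seen[key]}' and '{name}' differ "
                            "only in case; keep the one the connector type actually uses")
        seen.setdefault(key, name)

    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings

    if protocol in JSSE_PROTOCOLS:
        # 1. APR attributes on a JSSE connector.
        bad = sorted(APR_ONLY.intersection(attrs))
        if bad:
            findings.append(f"port {port}: {protocol} is a JSSE connector; APR-only "
                            f"attributes {bad} are ignored. Use keystoreFile/keystorePass, "
                            f"or switch to {APR_PROTOCOL} with Tomcat Native installed")
        # 2. No keystore at all.
        if "keystoreFile" not in attrs:
            findings.append(f"port {port}: SSLEnabled JSSE connector has no keystoreFile; "
                            "Tomcat will try ~/.keystore (password 'changeit') and the "
                            "connector will fail to start if that is missing")
    elif protocol == APR_PROTOCOL:
        bad = sorted(JSSE_ONLY.intersection(attrs))
        if bad:
            findings.append(f"port {port}: APR connector ignores JSSE attributes {bad}")
        if "SSLCertificateFile" not in attrs:
            findings.append(f"port {port}: APR connector needs SSLCertificateFile")
    return findings


def lint_server_xml(xml_text: str) -> List[str]:
    """Lint every <Connector> in a server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(lint_connector(conn))
    return findings


if __name__ == "__main__":
    for label, doc in (("question's connector", BROKEN), ("JSSE form", FIXED)):
        print(f"== {label}")
        for f in lint_server_xml(doc) or ["no findings"]:
            print(" -", f)
```

Run against the question's connector the lint reports all three findings; the JSSE form reports none. Whichever form you settle on, restart Tomcat and read catalina.out: a connector that fails to initialise is logged there, and Tomcat carries on without it, which is exactly the "process running, port refusing" state in the question.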