
I had my Tomcat8 running fine on port 8080, but now I'm trying to enable HTTPS on 8443 and, even though the logs look fine, it doesn't work (not even on 8080 without HTTPS right now).

My system is Ubuntu 17.10 and I'm using Tomcat 8.5.21.

What I did:

  1. Got a Let's Encrypt certificate (it's working fine in my Apache) and created a JKS keystore.

  2. Updated my server.xml connectors with:

    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000"
               redirectPort="8443" />
    
    <Connector port="8443" 
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" 
               clientAuth="false" sslProtocol="TLSv1.2" 
               keyAlias="tomcat"
               keystoreType="JKS" keystoreFile="/etc/letsencrypt/live/sydomain/MyDSKeyStore.jks"
               keystorePass="mypassword" />
    
  3. Installed APR and made sure that `<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />` was present in my server.xml (the warning about APR in the logs disappeared).

  4. Fixed an error saying `Cannot recover key` by making my keystore and key passwords the same.

  5. Restarted the tomcat8 service (also tried rebooting the server).

My catalina.out for a startup shows:

    22-Jan-2018 10:32:53.795 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.21 (Ubuntu)
    22-Jan-2018 10:32:53.801 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Oct 13 2017 11:06:51 UTC
    22-Jan-2018 10:32:53.802 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.21.0
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.13.0-25-generic
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_151-8u151-b12-0ubuntu0.17.10.2-b12
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
    22-Jan-2018 10:32:53.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /var/lib/tomcat8
    22-Jan-2018 10:32:53.808 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/share/tomcat8
    22-Jan-2018 10:32:53.810 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties
    22-Jan-2018 10:32:53.810 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    22-Jan-2018 10:32:53.810 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.awt.headless=true
    22-Jan-2018 10:32:53.811 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseConcMarkSweepGC
    22-Jan-2018 10:32:53.812 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
    22-Jan-2018 10:32:53.812 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
    22-Jan-2018 10:32:53.812 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/var/lib/tomcat8
    22-Jan-2018 10:32:53.812 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/share/tomcat8
    22-Jan-2018 10:32:53.813 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp
    22-Jan-2018 10:32:53.814 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.14] using APR version [1.6.2].
    22-Jan-2018 10:32:53.814 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    22-Jan-2018 10:32:53.815 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
    22-Jan-2018 10:32:53.824 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2g 1 Mar 2016]
    22-Jan-2018 10:32:54.087 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
    22-Jan-2018 10:32:54.133 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
    22-Jan-2018 10:32:54.148 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]

I've also tried enabling SSL debug info with `-Djavax.net.debug=ssl` in JAVA_OPTS, and it shows a lot of information but nothing that looks like an error or warning.

Apparently my server is running. If I do `netstat -plntu` I see:

    tcp6   0    0 :::8080       :::*        LISTEN      2843/java
    tcp6   0    0 :::8443       :::*        LISTEN      2843/java

But it doesn't respond in either

Firewall ports are open (8080 was working previously and I've just opened 8443 the same way).

Any clue what else I could check? I've been searching for hours and trying everything I found, without success...

Jordi Nebot
    Anything in your access logs? If you disable the redirection from 8080 to 8443, does the http connection work? Is the alias the same in the keystore? – Lenniey Jan 22 '18 at 11:11
  • 1
    Wow. I've just removed `redirectPort="8443"` from my 8080 connector and it worked! Not only in 8080 but also in 8443 with https! – Jordi Nebot Jan 22 '18 at 11:30
  • Hm. The redirect should work, especially as no errors are shown in your startup log. I'd check the access logs of Tomcat to see if the redirect happens or not, etc. – Lenniey Jan 22 '18 at 12:20
  • Thanks @Lenniey. Access logs were empty before removing the redirection. It was like the requests never really reached the server. But just removing the redirection and restarting tomcat and everything works fine now... It's strange. If I figure out the reason(s) I will post an update/answer on my own question. – Jordi Nebot Jan 22 '18 at 15:06
  • @JordiNebot I had a very similar issue (request hanging on SSL connector only), and your idea of removing the redirection worked. Have you ever figured out the reason why it solved the problem? – Giulio Piancastelli Mar 05 '20 at 10:18
  • Not really, @GiulioPiancastelli, I'm sorry! But I'm glad it worked. – Jordi Nebot Mar 06 '20 at 08:34
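The thread's diagnosis hinges on how the two connectors are wired together: the plain HTTP connector's `redirectPort` must point at a connector that exists and is SSL-enabled. The following lint, added here as an example and not part of the question or of Tomcat, parses a constructed server.xml fragment mirroring the posted connectors and reports such cross-wiring and attribute mistakes; `lint_connectors` and the sample are assumptions of this example.

```python
"""Lint the Connector elements of a Tomcat server.xml for the cross-wiring
discussed in the thread: every redirectPort must name an existing,
SSL-enabled connector, and the TLS connector must carry the attributes an
https listener needs."""
import xml.etree.ElementTree as ET

# Constructed sample, mirroring the two connectors posted in the question.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLSv1.2" keyAlias="tomcat" keystoreType="JKS"
             keystoreFile="/etc/letsencrypt/live/sydomain/MyDSKeyStore.jks"
             keystorePass="mypassword" />
</Service></Server>"""


def lint_connectors(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    # Index every Connector by its port so redirectPort can be cross-checked.
    by_port = {c.get("port"): c for c in root.iter("Connector")}
    findings = []
    for port, c in by_port.items():
        ssl = c.get("SSLEnabled", "false").lower() == "true"
        if ssl:
            # An https listener should advertise itself as such to webapps.
            for attr, want in (("scheme", "https"), ("secure", "true")):
                if c.get(attr) != want:
                    findings.append(f"{port}: {attr} should be {want}")
            if not c.get("keystoreFile"):
                findings.append(f"{port}: SSL connector without keystoreFile")
            # SSLv2/SSLv3 are obsolete; only TLS versions are acceptable.
            if c.get("sslProtocol", "").upper().startswith("SSL"):
                proto = c.get("sslProtocol")
                findings.append(f"{port}: sslProtocol {proto} is obsolete")
        target = c.get("redirectPort")
        if target is None:
            continue
        if target not in by_port:
            findings.append(f"{port}: redirectPort {target} has no connector")
        elif by_port[target].get("SSLEnabled", "false").lower() != "true":
            findings.append(f"{port}: redirectPort {target} is not SSL-enabled")
    return findings


if __name__ == "__main__":
    for line in lint_connectors(SERVER_XML) or ["no findings"]:
        print(line)
```

The posted configuration passes every check, which matches the thread: the wiring was syntactically sound and the hang had to be diagnosed at runtime (access logs, removing the redirect) rather than from server.xml alone.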

0 Answers