From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Need some SSL Config help.
Date Wed, 12 Aug 2009 02:35:53 GMT

Josh,

On 8/11/2009 4:47 PM, Josh Gooding wrote:
> ok back to the topic at hand here.  I have removed httpd from my server,
> installed APR, and have gotten my cert file from my hosting company.  it is
> in pfx format.  Now I found some information on the net:
> 
> http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html
> 
> It was saying that I can just use the pfx file with tomcat 5.5, so I put the
> file in my $CATALINA_HOME directory just as a test, modified my server.xml
> file to accept SSL:
>
> <Connector protocol="HTTP/1.1"
>            port="443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="C:/Program Files/[*****]/apache-tomcat-6.0.18/[*****].com.pfx"
>            keystorePass="[*************]" keystoreType="pkcs12"
>            clientAuth="false" sslProtocol="TLS" />
>
> and.... blamo I get these exceptions:

Not surprising. Read the documentation for the APR connector:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Specifically, search for the term "certificate".

First of all, your SSL configuration is completely wrong for use with
APR. You don't use keystoreFile, keystorePass, and keystoreType. Even if
you did, telling Java that the keystore is actually a PKCS12 keystore
while providing it is a PFX-encoded SSL certificate should have tipped
you off that something was amiss.

If you were previously following the standard SSL documentation
(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html), you should
have seen this note at the top of the file:

"
IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR,
Tomcat will use OpenSSL, which uses a different configuration.
"

What you want is SSLCertificateFile and friends. SSLCertificateFile is
documented to only accept certificates in PEM format. Check out this
page for some tricks for converting your certificate files using openssl:
http://eoc.eu-eela.eu/doku.php?id=manipulate_your_certificate

There is also a Java tool that can do things like this called Portecle
(http://portecle.sourceforge.net/) if you don't have openssl handy.

> and these to boot.... says it cannot bind to port 443 (or 8443 either)
> 
> Aug 11, 2009 4:13:51 PM org.apache.coyote.http11.Http11AprProtocol start
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> socket address (protocol/network address/port) is normally permitted.

Do you have multiple <Connector> elements specified? If so, check all
the port numbers. If not, make sure that Tomcat isn't already running.
If it's not, make sure Apache httpd isn't running :) Finally, make sure
IIS isn't running or using those ports.

> So it looks like I cannot use a pfx file with tomcat 6.0.18.

You should be able to, just not with the APR connector because openssl
doesn't grok PKCS12/PFX.

> Am I able to use the pfx file with tomcat 6?

Yes, just not with the APR connector.

> The socket bind issue I have no clue, it
> looks like something is already running on port 443, but that is
> impossible.

Really? Try running 'netstat' to find out who is bound to port 443 (or
8443).

> I only have the tomcat server running, IIS is disabled and
> httpd has been removed from the system completely.  I also tried port 8443
> but I am getting the same error message.

netstat -a -b -n -o | find "443"

(make sure you're an administrator or you'll get no output)

Hope that helps,
- -chris
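As an added example (not code from the thread or from Tomcat), the conversion Chris describes carried end to end: extract the PEM certificate and key from a PFX with openssl, check that they belong together, and emit the APR connector attributes that replace keystoreFile/keystorePass/keystoreType. It assumes openssl is on PATH; the sample PFX, file names and the password "changeit" are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: turn a PKCS12/PFX bundle into the PEM
# certificate and key files the APR/OpenSSL connector reads, then verify the
# key belongs to the certificate. Assumes openssl is on PATH; file names and
# the password "changeit" are made up here.
set -eu
WORK="${TMPDIR:-/tmp}/pfx2pem.$$"
mkdir -p "$WORK"

# Throwaway self-signed PFX standing in for the hosting company's file.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/sample.key" -out "$WORK/sample.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
    -out "$WORK/sample.pfx" -passout pass:changeit 2>/dev/null
  echo "$WORK/sample.pfx"
}

# pfx_to_pem FILE.pfx PASSWORD OUTDIR: writes OUTDIR/cert.pem and OUTDIR/key.pem
pfx_to_pem() {
  # Leaf certificate only (-clcerts), no key: this becomes SSLCertificateFile.
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.pem"
  # Private key without a passphrase (-nodes) so no SSLPassword is needed;
  # keep it readable by the Tomcat service account only.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem"
  chmod 600 "$3/key.pem"
}

# key_matches_cert CERT.pem KEY.pem: succeeds only if both carry the same public key
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# connector_xml CERT.pem KEY.pem: APR connector attributes that replace the
# keystoreFile/keystorePass/keystoreType trio from the quoted server.xml.
connector_xml() {
  cat <<EOF
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200" scheme="https" secure="true"
           SSLEnabled="true" SSLCertificateFile="$1" SSLCertificateKeyFile="$2" />
EOF
}

PFX=$(make_sample_pfx)
pfx_to_pem "$PFX" changeit "$WORK"
key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" && connector_xml "$WORK/cert.pem" "$WORK/key.pem"
```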
