org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun

2019-08-06 Thread Jason Wee
Hi,

we are using tomcat version 8.5.20 and we encounter the following exceptions

24-Jul-2019 23:24:45.398 SEVERE [https-jsse-nio-8443-exec-104] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
 java.lang.IllegalArgumentException
	at java.nio.Buffer.position(Buffer.java:244)
	at org.apache.tomcat.util.net.TLSClientHelloExtractor.skipBytes(TLSClientHelloExtractor.java:221)
	at org.apache.tomcat.util.net.TLSClientHelloExtractor.<init>(TLSClientHelloExtractor.java:118)
	at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:276)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:174)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

and it happened many times a day, every day. However, after upgrading
Tomcat to version 8.5.43 (the current latest), the exception no
longer happened.

We would like to understand better which patch fixed the problem
above. Can anyone give links to the fixes?

Thank you and apache tomcat is a great product!

Jason

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Cluster: Secondary Server's Farm War Deployer fails to move war to deploy directory on

2019-08-06 Thread Motilewa, Musomi


Chris-

Thanks for your help. The different file systems were the issue. I moved both the 
tempDir and watchDir under /opt and all wars were deployed successfully. 
Thanks again for your quick response and help in this matter. 

- Musomi 

- Original Message -
From: "Christopher Schultz" 
To: users@tomcat.apache.org
Sent: Tuesday, August 6, 2019 3:49:08 PM
Subject: Re: Cluster: Secondary Server's Farm War Deployer fails to move war to 
deploy directory on


Re: Cluster: Secondary Server's Farm War Deployer fails to move war to deploy directory on

2019-08-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Musomi,

> What do you get when you run these commands on the "secondary
> node"?
> 
> $ id tomcat
> 
> $ ps aux | grep catalina.base
> 
> $ mount
> 
> My guess is that your server is running as "tomcat" and your file 
> permissions are correct. I'm guessing that /var/tmp and
> /opt/tomcat are on different filesystems and that File.rename
> doesn't work across filesystems in your environment.

Confirmed on Linux with ext4 and tmpfs, Java 1.8 File.renameTo will
return false and perform no action across those two filesystems.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
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=4t+l
-END PGP SIGNATURE-




Re: Cluster: Secondary Server's Farm War Deployer fails to move war to deploy directory on

2019-08-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Musomi,

On 8/6/19 11:04, Musomi Motilewa wrote:
> Hi-
> 
> I'm currently running a two node cluster of Tomcat servers. I'm
> trying to implement Farm War Deployer
> (org.apache.catalina.ha.deploy.FarmWarDeployer) to deploy my war
> files to the cluster. The deployer is successfully deploying wars
> on the primary node when placed in the watch directory. On the
> secondary node the war file makes it to the tmp directory but is
> not deployed. The secondary node returns the following error:
> 
> 06-Aug-2019 09:56:31.082 SEVERE
> [Tribes-Task-Receiver[localhost-Channel]-3]
> org.apache.catalina.ha.deploy.FarmWarDeployer.messageReceived
> Failed to rename [/var/tmp/war-tmp/ServerHealth.war] to
> [/opt/tomcat/latest/webapps/ServerHealth.war]
> 
> Server Configuration
> 
> - Apache Tomcat/9.0.22, - openjdk 12.0.2 2019-07-16 OpenJDK Runtime
> Environment 19.3 (build 12.0.2+9) OpenJDK 64-Bit Server VM 19.3
> (build 12.0.2+9, mixed mode, sharing)
> 
> The  tag is placed in the  tag on both machines. The
> deployer tag is setup as follows with watchEnabled set to true on
> the primary server and false on the secondary. "{{
> tomcat_McastAddress }}" is replaced by Ansible.
> 
> channelSendOptions="8">
> 
> expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>
> 
> className="org.apache.catalina.tribes.group.GroupChannel">
> className="org.apache.catalina.tribes.membership.McastService"
> address="{{ tomcat_McastAddress }}" port="45564" frequency="500" dropTime="3000"/>
> 
> className="org.apache.catalina.tribes.transport.nio.NioReceiver"
> address="auto" port="4000" autoBind="100" selectorTimeout="5000" maxThreads="6"/>
> 
> className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
> className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
> 
> className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
> className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
> 
> filter=".*\.gif|.*\.js|.*\.jpg|.*\.jpeg|.*\.png|.*\.htm|.*\.html|.*\.css|.*\.txt"/>
> className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
> 
> className="org.apache.catalina.ha.deploy.FarmWarDeployer"
> tempDir="/var/tmp/war-tmp/" deployDir="/opt/tomcat/latest/webapps/"
> watchDir="/var/tmp/war-watch/"
> watchEnabled="{{ tomcat_deployerWatchEnabled|default('false', true) }}"
> processDeployFrequency="2" />
> 
> className="org.apache.catalina.ha.session.ClusterSessionListener"/>
> 
> The tempDir, deployDir and watchDir have the following owner and
> group permissions set.
> 
> /var/tmp/
> drwxrwxr-x. 2 tomcat tomcat 30 Aug  6 09:56 war-tmp
> drwxrwxr-x. 2 tomcat tomcat  6 Aug  6 08:18 war-watch
> 
> /opt/tomcat/lastest/
> drwxr-x---. 7 tomcat tomcat 81 Aug  6 09:45 webapps
> 
> A checksum of the war file on both servers match so the file is
> being transferred to the secondary server's tempDir correctly. It
> just doesn't seem to be getting transferred from the tempDir to the
> deployDir successfully.
> 
> Any help in this matter would be greatly appreciated. Thanks.

What do you get when you run these commands on the "secondary node"?

$ id tomcat

$ ps aux | grep catalina.base

$ mount

My guess is that your server is running as "tomcat" and your file
permissions are correct. I'm guessing that /var/tmp and /opt/tomcat
are on different filesystems and that File.rename doesn't work across
filesystems in your environment.

The only ways around this problem would be to either change the watch
directory to be on the same filesystem or to patch the Tomcat code.
IMHO Tomcat should try harder to re-name the file by copying/removing
if the File.renameTo doesn't work. But you'd have to either patch it
locally and re-build or wait for another release of Tomcat in order to
get that running.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
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=GNUy
-END PGP SIGNATURE-
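As an added example (not Tomcat's own code and not from this thread), the Java below reproduces the check Chris is describing and the fallback he suggests: it first asks whether the two directories share a filesystem, then tries File.renameTo() exactly as the deployer does and, when that returns false, copies the archive to a temporary sibling on the target filesystem and renames it into place from there. The WAR paths are the ones from the thread; the class name, the .part suffix and the copy-then-rename strategy are assumptions for the illustration.

```java
// Added example, not FarmWarDeployer's code: a cross-filesystem aware move.
import java.io.IOException;
import java.nio.file.FileStore;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

public class WarMove {

    /** True when the source file and the destination directory sit on the same mounted filesystem. */
    static boolean sameFileStore(Path src, Path dstDir) throws IOException {
        FileStore a = Files.getFileStore(src);
        FileStore b = Files.getFileStore(dstDir);
        return a.equals(b);          // on Linux this compares the device the path is mounted from
    }

    /**
     * Move src to dst. File.renameTo() is tried first, as the deployer does. It
     * reports failure only as "false" (no exception), which on Linux is what a
     * cross-device rename(2) returning EXDEV looks like. In that case the WAR is
     * copied to a staging name beside dst and then renamed within the target
     * filesystem, so the webapps directory never contains a half-written archive.
     */
    static boolean moveWar(Path src, Path dst) throws IOException {
        if (src.toFile().renameTo(dst.toFile())) {
            return true;                               // same filesystem: one atomic rename
        }
        Path part = dst.resolveSibling(dst.getFileName() + ".part");   // assumed staging suffix
        try {
            Files.copy(src, part, StandardCopyOption.REPLACE_EXISTING);
            Files.move(part, dst, StandardCopyOption.ATOMIC_MOVE);     // same device as dst now
        } catch (IOException e) {
            Files.deleteIfExists(part);                // never leave a .part file in webapps
            throw e;
        }
        Files.delete(src);                             // complete the "move" by removing the original
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path src = Paths.get(args.length > 0 ? args[0] : "/var/tmp/war-tmp/ServerHealth.war");
        Path dst = Paths.get(args.length > 1 ? args[1] : "/opt/tomcat/latest/webapps/ServerHealth.war");
        System.out.println("same filesystem: " + sameFileStore(src, dst.getParent()));
        System.out.println("moved: " + moveWar(src, dst));
    }
}
```

Run it as `java WarMove /var/tmp/war-tmp/ServerHealth.war /opt/tomcat/latest/webapps/ServerHealth.war`. The shell equivalent of the first check is `stat -c %d` on the two directories: different device numbers mean the rename would cross filesystems. The staging name matters because deployDir is the Host's webapps directory, so a WAR that appears there can be picked up by auto-deployment as soon as it exists; a plain copy to the final name can get a truncated archive deployed. Moving tempDir and watchDir under the Tomcat-owned tree, as Musomi did, avoids the cross-device rename entirely and also keeps the staging directory out of the world-writable /var/tmp.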




Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-06 Thread Munzer Khatib
Hi Peter
I don't have the private key file. That is created when I create the keystore. I 
don't know if it can be extracted.
Munzer
On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser 
 wrote:  
 

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread George Stanchev
So it seems to work. For whoever is interested to try, the openjsse comes 
prebundled with Azul's distro, all you need to do is run with -XX:+UseOpenJSSE 
command line option. On TC side, I added "TLSv1.3" to "sslEnabledProtocols":

sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"

Also not sure if I had to but also added the 1.3 ciphers under ciphers 
attribute:

ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, 
TLS_CHACHA20_POLY1305_SHA256,"

I am getting some socket warnings though [1]. Anyone knows if those are benign?

George


[1]

ERROR 2019-08-02 13:25:31,425 [SYSERR] -- [] 
javax.net.ssl|DEBUG|01|main|2019-08-02 13:24:51.000 
MDT|SSLCipher.java:436|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 
2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.228 
MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Socket.java:1553)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
at java.lang.System$2.invokeFinalize(System.java:1270)
at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}

)
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Socket.java:1553)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
at java.lang.System$2.invokeFinalize(System.java:1270)
at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}

)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (13,172)": {

}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (22)": {

}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (49)": {

}
)
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 
MDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by 
the underlying providers
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 
MDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by 
the underlying providers





Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-06 Thread Peter Kreuser
Hi,


> On 06.08.2019 at 02:42, Munzer Khatib wrote:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran
> the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed
> other than moving the virtual machine from the old server to new hardware this
> year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated a certificate using GoDaddy
> for an Apache server and imported it to the server. I keep getting SSL handshake
> errors and I think it is because the certificate entry type is
> "trustedCertEntry" and not "PrivateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 
> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
> 4) Install root, intermediate and user certificates
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> 
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
> 

I've not found a keytool command for that. I use openssl to convert the PEM to 
pkcs12/keystore format.

Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile 
fullchain.pem -passout pass:changeit -out jssekeystore

Peter

> I am not sure why but it seems the new one is not linking all certificates
> into the private key.
> I tried many different imports and it would never import the server
> certificate as a "PrivateKeyEntry" like the one running now.
> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
> 
> I also tried creating a PEM text file for all certificates and importing that
> into the private key alias tomcat but it only imported the domain certificate as
> "trustedCertEntry"
> My server.xml connector config is like this:
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443"
> compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> keystorePass="password" keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> 
> 
> Tried many different options for the keytool command.
> Followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
> When I try to access using a browser I get this error:
> This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in
> Advanced settings and try connecting to https://psscr.xyz.c
> When I use openssl I get a handshake failure:
> $ openssl s_client -connect 10.60.xx.xx:443
> CONNECTED(0003)
> 140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1564789174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> Thanks,
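An added example, not from the thread and not part of Tomcat, that checks a keystore for the condition Munzer is hitting: JSSE can only terminate TLS with a PrivateKeyEntry whose chain carries the server certificate, and a keystore that holds nothing but trustedCertEntry entries leaves the server with no usable cipher suite, which is the "no peer certificate available" handshake failure in his openssl output. File name, store type, password and alias default to the values in his configuration and are command-line arguments; Tomcat itself uses the keyAlias connector attribute, or the first key entry it finds when none is set.

```java
// Added example, not Tomcat code: report what each keystore alias actually holds.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {

    /** One report per alias: entry type and, for key entries, the chain stored with the key. */
    static String describe(KeyStore ks, String alias) throws GeneralSecurityException {
        if (ks.isKeyEntry(alias)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            StringBuilder sb = new StringBuilder();
            sb.append(alias).append(": PrivateKeyEntry, chain length ").append(chain.length);
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    sb.append("\n    ").append(x.getSubjectX500Principal())
                      .append(" (issued by ").append(x.getIssuerX500Principal()).append(')');
                }
            }
            return sb.toString();
        }
        if (ks.isCertificateEntry(alias)) {
            return alias + ": trustedCertEntry (certificate only, no private key)";
        }
        return alias + ": other entry type";
    }

    /** True when the alias the connector will use can actually complete a TLS handshake. */
    static boolean canServe(KeyStore ks, String alias) throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            return false;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain != null && chain.length > 0;
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        // Defaults mirror the thread's connector; all four are assumptions for the example.
        String file = args.length > 0 ? args[0] : "tomcat10.keystore";
        String type = args.length > 1 ? args[1] : "JKS";            // "PKCS12" for a file made by openssl
        char[] password = (args.length > 2 ? args[2] : "password").toCharArray();
        String alias = args.length > 3 ? args[3] : "tomcat";        // the alias used with -genkey

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(describe(ks, a));
        }
        if (canServe(ks, alias)) {
            System.out.println("OK: alias '" + alias + "' holds a private key with its certificate chain");
        } else {
            System.out.println("PROBLEM: alias '" + alias + "' has no PrivateKeyEntry; the connector "
                    + "cannot complete a TLS handshake with this keystore");
        }
    }
}
```

Why the listing shows three trustedCertEntry entries: keytool -import installs a certificate reply only when the alias already holds the key pair created by -genkey and the issuing chain can be found (in the same keystore, or via -trustcacerts); into any other alias it creates a trustedCertEntry. As quoted, the root and intermediate are imported into tomcat14.keystore while the key pair and the server certificate go to tomcat10.keystore, so the check above is worth running against both files. For Peter's openssl route the key first has to leave the JKS file: keytool cannot export a private key directly, but `keytool -importkeystore -srckeystore tomcat10.keystore -destkeystore tomcat.p12 -deststoretype PKCS12` converts the whole store, and `openssl pkcs12 -in tomcat.p12 -nocerts -out privkey.pem` then writes the key as PEM, provided a PrivateKeyEntry still exists in one of the keystores.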


Cluster: Secondary Server's Farm War Deployer fails to move war to deploy directory on

2019-08-06 Thread Musomi Motilewa
Hi-

I'm currently running a two node cluster of Tomcat servers. I'm trying to 
implement Farm War Deployer (org.apache.catalina.ha.deploy.FarmWarDeployer) to 
deploy my war files to the cluster. The deployer is successfully deploying wars 
on the primary node when placed in the watch directory. On the secondary node 
the war file makes it to the tmp directory but is not deployed. The secondary 
node returns the following error:

06-Aug-2019 09:56:31.082 SEVERE [Tribes-Task-Receiver[localhost-Channel]-3] 
org.apache.catalina.ha.deploy.FarmWarDeployer.messageReceived Failed to rename 
[/var/tmp/war-tmp/ServerHealth.war] to 
[/opt/tomcat/latest/webapps/ServerHealth.war]

Server Configuration

  - Apache Tomcat/9.0.22, 
  - openjdk 12.0.2 2019-07-16
OpenJDK Runtime Environment 19.3 (build 12.0.2+9)
OpenJDK 64-Bit Server VM 19.3 (build 12.0.2+9, mixed mode, sharing)

The  tag is placed in the  tag on both machines. The deployer 
tag is setup as follows with watchEnabled set to true on the primary server and 
false on the secondary. "{{ tomcat_McastAddress }}" is replaced by Ansible.

  [Cluster configuration not preserved in the archive; its attributes survive in the copy quoted in Christopher Schultz's reply above]

The tempDir, deployDir and watchDir have the following owner and group 
permissions set.

  /var/tmp/
  drwxrwxr-x. 2 tomcat tomcat 30 Aug  6 09:56 war-tmp
  drwxrwxr-x. 2 tomcat tomcat  6 Aug  6 08:18 war-watch

  /opt/tomcat/lastest/
  drwxr-x---. 7 tomcat tomcat 81 Aug  6 09:45 webapps

A checksum of the war file on both servers match so the file is being 
transferred to the secondary server's tempDir correctly. It just doesn't seem to 
be getting transferred from the tempDir to the deployDir successfully.

Any help in this matter would be greatly appreciated. Thanks.

-Musomi





RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread Berneburg, Cris J. - US
-Original Message-
From: Christopher Schultz  

> "things to look into when I retire and my house is totally clean and
> my kids are finally out of the house" so of course, I'll never get around to 
> it.

+1  :-)

--
Cris Berneburg
CACI Lead Software Engineer





Re: Redirecting a naked domain to sub domain

2019-08-06 Thread John Larsen
I usually handle the redirect on the webserver side and set the alias in
server.xml to the subdomain.

John Larsen



On Tue, Aug 6, 2019 at 7:11 AM Simon Funnell  wrote:

> Hi,
>
> I was going to do a redirect at my dns provider from the naked domain to
> the www subdomain. Unfortunately this doesn't really work if it is over
> https so I am going to have to do the redirect at the host level. My
> question is, is this what the rewrite valve is for? I was going to set up
> two hosts, one for the naked domain and one for the subdomain with a set up
> like the following:
>
>   unpackWARs="true" autoDeploy="true">
>  
>   
>
>  unpackWARs="true" autoDeploy="true">
>
> 
>  directory="logs"
>prefix="localhost_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
>
>   
>
> If this is what the rewrite valve is for, how do I configure it to redirect
> to the subdomain apart from when it accesses the .well-known folder (which
> is needed to get a letsencrypt certificate).
>
> If the rewrite valve is not the correct way to do this do I just deploy a
> catch all servlet or a filter to do the redirect instead?
>
> Thanks,
>
> Simon
>


Redirecting a naked domain to sub domain

2019-08-06 Thread Simon Funnell
Hi,

I was going to do a redirect at my dns provider from the naked domain to
the www subdomain. Unfortunately this doesn't really work if it is over
https so I am going to have to do the redirect at the host level. My
question is, is this what the rewrite valve is for? I was going to set up
two hosts, one for the naked domain and one for the subdomain with a setup
like the following:

 
 
  






  

If this is what the rewrite valve is for, how do I configure it to redirect
to the subdomain apart from when it accesses the .well-known folder (which
is needed to get a letsencrypt certificate).

If the rewrite valve is not the correct way to do this do I just deploy a
catch all servlet or a filter to do the redirect instead?

Thanks,

Simon
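
An added example, not taken from Simon's or John's posts and not Tomcat project code: a rewrite.config for the naked-domain Host that sends every request except ACME challenge paths to the www host. It assumes the domain is example.com (a placeholder), that the naked-domain <Host> in server.xml carries `<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />` so Tomcat reads conf/Catalina/example.com/rewrite.config, and that the certificate on the HTTPS connector covers the naked name as well as www (the 301 is served over TLS, which is why a DNS-level redirect cannot do this job).

```apache
# conf/Catalina/example.com/rewrite.config   (example.com is a placeholder)
# Read by the RewriteValve declared inside <Host name="example.com">.

# Let's Encrypt HTTP-01 challenges must be answered by the naked domain
# itself, otherwise it can never obtain or renew its own certificate.
# "-" means "no substitution"; L stops processing so the redirect below
# is never reached for these paths.
RewriteRule ^/\.well-known/acme-challenge/ - [L]

# Everything else: permanent redirect to the www host. The original query
# string is appended automatically because the target contains no "?".
# The target host is hard-coded on purpose: deriving it from %{HTTP_HOST}
# would let a client steer the redirect with an attacker-chosen Host header.
RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
```

Check it from outside with `curl -sI https://example.com/some/path?x=1`, which should return a 301 with `Location: https://www.example.com/some/path?x=1`, and with `curl -sI https://example.com/.well-known/acme-challenge/test`, which should be answered by the application on the naked host (a 404 until a real challenge file exists) rather than redirected. Keep the www host free of this valve, or the two hosts will redirect to each other.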


Re: HTTP2 Connection Timeout

2019-08-06 Thread Mark Thomas
On 05/08/2019 21:49, Chen Levy wrote:
> Hello Experts
> 
> Several of my production servers were recently upgraded from Tomcat 9.0.14 to 
> 9.0.21; immediately after the upgrade the servers started accumulating memory 
> and open-files (on Linux) in a steady trend that was not observed before.
> After a couple of days (without reaching the memory or open-files limit and 
> without throwing "OutOfMemoryError: Java heap space" or "IOException: Too 
> many open files") the servers became unresponsive: any HTTPS request 
> timed-out while HTTP requests continued to work correctly.
> Restarting the servers resolved the symptoms but the behavior persists and a 
> restart is necessary every couple of days.
> I loaded a heap dump from an unresponsive server into MAT and received the 
> following Leak Suspect:
> 
> 105,871 instances of "org.apache.coyote.http2.Stream", loaded by 
> "java.net.URLClassLoader..." occupy 7,581,549,904 (80.68%) bytes.
> These instances are referenced from one instance of 
> "java.util.concurrent.ConcurrentHashMap$Node[]", loaded by " loader>"
> 
> The HashMap referenced in the report is "connections" inside 
> ConnectionHandler.
> I suspect that these objects accumulate as clients may not close their 
> connections correctly; regardless, I'd expect Tomcat to close the connections 
> upon timeout.
> With keepAliveTimeout="2" defined on UpgradeProtocol, I tested one simple 
> HTTP2 connection's persistence on Chrome's net-internals.
> With 9.0.14 I can see the following at 20 seconds (as expected):
> ...
> t=7065701 [st=   64]HTTP2_SESSION_UPDATE_RECV_WINDOW
> --> delta = 6894
> --> window_size = 15728640
> t=7085708 [st=20071]HTTP2_SESSION_PING
> --> is_ack = false
> --> type = "received"
> --> unique_id = 2
> t=7085708 [st=20071]HTTP2_SESSION_PING
> --> is_ack = true
> --> type = "sent"
> --> unique_id = 2
> t=7085708 [st=20071]HTTP2_SESSION_CLOSE
> --> description = "Connection closed"
> --> net_error = -100 (ERR_CONNECTION_CLOSED)
> t=7085708 [st=20071]HTTP2_SESSION_POOL_REMOVE_SESSION
> t=7085708 [st=20071] -HTTP2_SESSION
> 
> With 9.0.21 the connection does not close, even after several minutes.
> I believe the change in behavior stems from the following commit: 
> https://github.com/apache/tomcat/commit/c16d9d810a1f64cd768ff33058936cf8907e3117
>  and so I may be doing something wrong.
> 
> Please let me know whether I have misconfigured, misunderstood, misdiagnosed, 
> misbehaved or mis-something-else, and whether I should provide additional 
> information

You haven't done anything wrong. This is a Tomcat bug. The bug is
related to the change you identified above. Based on my understanding at
this point, that change made an existing bug more obvious / more likely
to occur.

I am working on a fix which should be included in the next round of
releases which I expect to start in the next day or so.

Mark


> 
> Current setup of the production servers:
> AdoptOpenJDK (build 11.0.3+7) 
> Amazon Linux 2
> 
> maxHttpHeaderSize="16384"
>maxThreads="500" minSpareThreads="25"
>enableLookups="false" disableUploadTimeout="true"
>connectionTimeout="1"
>compression="on"
>SSLEnabled="true" scheme="https" secure="true">
>   keepAliveTimeout="2"/>
> 
>   certificateKeyAlias="tomcat"
>  certificateKeystorePassword=""
>  certificateKeystoreType="PKCS12"/>
> 
> 
> 
> Thanks
> Chen
> 
> 

