I hope someone can help. I have exhausted all my troubleshooting skills and all of my newbie Linux knowledge, and I am at the end of my rope.
All documentation from around the web always seems to tell me to try everything I have already tried. I am sure that there must be a caveat that I am missing. I have an AWS Linux instance with Tomcat 7.0.73 and cannot for the life of me get the SSL working. I set up the AWS instance with nothing else on the server, using a fresh installation of Tomcat with basic config settings. I am able to connect to http://mysite.com:8080 but cannot connect with https://mysite.com:8443. I am able to SSH, as that is the only way I communicate with the server. I only have forwarders for port 80 and 443 in the iptables and nothing else, and have security groups in AWS set up to allow all traffic from everywhere for ports 80, 8080, 443, and 8443. I have ensured the ports needed are open and listening using netstat. I have checked to ensure connectivity to the ports from other machines using netcat. I checked that the certs were installed properly and that the Tomcat connectors were pointed at the proper location. I am attaching my configuration from start to where I hit the wall. Thanks in advance for any assistance.

--
George Chanady
Systems Engineer
Cloud Solutions Architect
Webhouse Inc
[ec2-user@ip-172-31-25-103 ~]$ sudo yum update
[ec2-user@ip-172-31-25-103 ~]$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)
[ec2-user@ip-172-31-25-103 ~]$ cd /tmp
[ec2-user@ip-172-31-25-103 tmp]$ sudo wget http://download.nextag.com/apache/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.tar.gz
[ec2-user@ip-172-31-25-103 tmp]$ tar xzf apache-tomcat-7.0.73.tar.gz
[ec2-user@ip-172-31-25-103 tmp]$ sudo mv apache-tomcat-7.0.73 /usr/share/tomcat7
[ec2-user@ip-172-31-25-103 tmp]$ cd /usr/share/tomcat7
[ec2-user@ip-172-31-25-103 tomcat7]$ ls
bin  conf  lib  LICENSE  logs  NOTICE  RELEASE-NOTES  RUNNING.txt  temp  webapps  work
[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/startup.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.
[ec2-user@ip-172-31-25-103 conf]$ cd conf
[ec2-user@ip-172-31-25-103 conf]$ sudo nano tomcat-users.xml

and add the following roles before the closing argument:

<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="admin" roles="admin-gui,manager-gui"/>

[ec2-user@ip-172-31-25-103 conf]$ cd ..
[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/startup.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.
[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
[ec2-user@ip-172-31-25-103 tomcat7]$ cd /home
[ec2-user@ip-172-31-25-103 home]$ sudo keytool -keysize 2048 -genkey -alias bageoconsultants -keyalg RSA -keystore bageoconsultants.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  bageoconsultants.com
What is the name of your organizational unit?
  [Unknown]:  bageoconsultants.com
What is the name of your organization?
  [Unknown]:  bageoconsultants.com
What is the name of your City or Locality?
  [Unknown]:  Centereach
What is the name of your State or Province?
  [Unknown]:  New York
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=bageoconsultants.com, OU=bageoconsultants.com, O=bageoconsultants.com, L=Centereach, ST=New York, C=US correct?
  [no]:  y
[ec2-user@ip-172-31-25-103 home]$ sudo keytool -certreq -alias bageoconsultants -file csr.txt -keystore bageoconsultants.keystore
[ec2-user@ip-172-31-25-103 home]$ cat csr.txt

### Copy and paste text for new SSL certificate ###
### Transfer the Root, Intermediate, and Domain cert to the new server and place them in the same directory as the keystore ###
### Import new certs ###

[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias root -keystore bageoconsultants.keystore -trustcacerts -file gdroot-g2.crt
Enter keystore password:

### You may encounter the following error if you had to redo a certificate on a server -- select yes to install it to this keystore ###

Certificate already exists in system-wide CA keystore under alias <godaddyrootcertificateauthority-g2>
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore
[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias intermed -keystore bageoconsultants.keystore -trustcacerts -file gdig2.crt
Enter keystore password:
Certificate was added to keystore
[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias bageoconsultants -keystore bageoconsultants.keystore -trustcacerts -file 65e782bfa45f4e83.crt
Enter keystore password:
Certificate reply was installed in keystore

### Check to ensure all certs are present ### use -v switch also if you want to see entire cert ###

[ec2-user@ip-172-31-52-159 home]$ sudo keytool -list -keystore bageoconsultants.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Nov 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
bageoconsultants, Nov 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AB:84:7F:89:25:0F:22:6E:6A:FD:0D:80:3C:67:5E:DB:0B:75:04:E4
intermed, Nov 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8

### Navigate to your tomcat7/conf directory to alter the server.xml file ###

[ec2-user@ip-172-31-52-159 home]$ cd /usr/share/tomcat7
[ec2-user@ip-172-31-52-159 tomcat7]$ cd conf
[ec2-user@ip-172-31-52-159 conf]$ sudo nano server.xml

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

### Uncomment this section and edit according to cert provider ###

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

TO

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/your/domain.keystore" keystorePass="your_passwd"
           clientAuth="false" sslProtocol="TLS" />

### Save changes ###
### Restart Tomcat ###
### Navigate to tomcat/bin folder ###

[ec2-user@ip-172-31-52-159 ~]$ cd /usr/share/tomcat7/bin
[ec2-user@ip-172-31-52-159 bin]$ sudo ./shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
[ec2-user@ip-172-31-52-159 bin]$ sudo ./startup.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.

### Test connectivity ###

[ec2-user@ip-172-31-52-159 bin]$ sudo nc -v 52.54.85.95 8080
Connection to 52.54.85.95 8080 port [tcp/webcache] succeeded!
[ec2-user@ip-172-31-52-159 bin]$ sudo nc -v 52.54.85.95 8443
Connection to 52.54.85.95 8443 port [tcp/pcsync-https] succeeded!
[ec2-user@ip-172-31-52-159 bin]$ curl -vk http://bageoconsultants.com:8080
* Rebuilt URL to: http://bageoconsultants.com:8080/
*   Trying 52.54.85.95...
* Connected to bageoconsultants.com (52.54.85.95) port 8080 (#0)
> GET / HTTP/1.1
> Host: bageoconsultants.com:8080
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=ISO-8859-1
< Transfer-Encoding: chunked
< Date: Wed, 16 Nov 2016 04:10:39 GMT
< Transfer Encoding - chunked
<!DOCTYPE html>
</html>
* Connection #0 to host bageoconsultants.com left intact
[ec2-user@ip-172-31-52-159 bin]$ curl -vk https://bageoconsultants.com:8443
* Rebuilt URL to: https://bageoconsultants.com:8443/
*   Trying 52.54.85.95...
* Connected to bageoconsultants.com (52.54.85.95) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
[ec2-user@ip-172-31-52-159 bin]$ sudo wget http://bageoconsultants.com:8080
--2016-11-16 04:36:56--  http://bageoconsultants.com:8080/
Resolving bageoconsultants.com (bageoconsultants.com)... 52.54.85.95
Connecting to bageoconsultants.com (bageoconsultants.com)|52.54.85.95|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]  10.93K  --.-KB/s    in 0s

2016-11-16 04:36:56 (182 MB/s) - ‘index.html’ saved [11197]

[ec2-user@ip-172-31-52-159 bin]$ sudo wget https://bageoconsultants.com:8443
--2016-11-16 04:37:05--  https://bageoconsultants.com:8443/
Resolving bageoconsultants.com (bageoconsultants.com)... 52.54.85.95
Connecting to bageoconsultants.com (bageoconsultants.com)|52.54.85.95|:8443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables-save
# Generated by iptables-save v1.4.18 on Wed Nov 16 05:51:47 2016
*nat
:PREROUTING ACCEPT [2:104]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Nov 16 05:51:47 2016
[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables-save
# Generated by iptables-save v1.4.18 on Wed Nov 16 05:56:39 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Nov 16 05:56:39 2016
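A consistency check on the 8443 Connector, added here as an example (not part of the original post and not Tomcat project code): it parses a constructed server.xml modelled on the connector edited above and reports the keystoreFile/keystorePass settings that must be right before the TLS handshake can succeed. The keystore path is the one used in the post; the password is a placeholder.

```python
# Added example (not from the original post): lint the SSL connector in a
# Tomcat 7 server.xml for the settings a failing handshake usually traces
# back to. SAMPLE_SERVER_XML is constructed from the Connector in the post;
# the keystore path is the post's, the password is a placeholder.
import os
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/bageoconsultants.keystore"
               keystorePass="PLACEHOLDER_PASSWORD"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""


def check_https_connectors(server_xml, path_exists=os.path.isfile):
    """Return {port: [problems]} for every Connector with SSLEnabled="true".

    path_exists is injectable so the check can run against a constructed
    config without touching the real filesystem.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        problems = []
        ks = conn.get("keystoreFile")
        if ks is None:
            # Tomcat then looks for .keystore in the Tomcat user's home dir.
            problems.append("keystoreFile not set")
        else:
            if not os.path.isabs(ks):
                problems.append("keystoreFile is relative (resolved against CATALINA_BASE)")
            if not path_exists(ks):
                problems.append("keystoreFile %s not found" % ks)
        if not conn.get("keystorePass"):
            problems.append("keystorePass not set (Tomcat defaults to 'changeit')")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append("scheme/secure not set for an HTTPS connector")
        findings[conn.get("port", "?")] = problems
    return findings


if __name__ == "__main__":
    for port, problems in check_https_connectors(SAMPLE_SERVER_XML).items():
        print("connector %s: %s" % (port, problems or ["looks consistent"]))
```

Run it against the real /usr/share/tomcat7/conf/server.xml by passing the file contents; the 8080 connector is skipped because it is not SSLEnabled.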
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org