I hope someone can help. I have exhausted all my troubleshooting skills and
all of my newbie Linux knowledge and I am at the end of my rope.

All documentation from around the web always seems to tell me to try
everything I have already tried. I am sure that there must be a caveat that
I am missing.

I have an AWS Linux instance with Tomcat 7.0.73 and cannot for the life of
me get the SSL working.

I set up the AWS instance with nothing else on the server and using a fresh
installation of Tomcat with basic config settings. I am able to connect to
http://mysite.com:8080 but cannot connect to https://mysite.com:8443.
I am able to SSH as that is the only way I communicate with the server.

I only have forwarders for ports 80 and 443 in the iptables and nothing else
and have security groups in AWS set up to allow all traffic from everywhere
for ports 80, 8080, 443, and 8443.

I have ensured the ports needed are open and listening using netstat.
I have checked to ensure connectivity to the ports from other machines
using netcat.
I checked that the certs were installed properly and that the Tomcat
connectors were pointed to the proper location.

I am attaching my configuration from start to where I hit the wall.

Thanks in advance for any assistance.

-- 
George Chanady
Systems Engineer
Cloud Solutions Architect
Webhouse Inc
[ec2-user@ip-172-31-25-103 ~]$ sudo yum update


[ec2-user@ip-172-31-25-103 ~]$ java -version
        java version "1.7.0_111"
        OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-x86_64 u111-b01)
        OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)


[ec2-user@ip-172-31-25-103 ~]$ cd /tmp

[ec2-user@ip-172-31-25-103 tmp]$ sudo wget http://download.nextag.com/apache/tomcat/tomcat-7/v7.0.73/bin/apache-tomcat-7.0.73.tar.gz

[ec2-user@ip-172-31-25-103 tmp]$ tar xzf apache-tomcat-7.0.73.tar.gz

[ec2-user@ip-172-31-25-103 tmp]$ sudo mv apache-tomcat-7.0.73 /usr/share/tomcat7

[ec2-user@ip-172-31-25-103 tmp]$ cd /usr/share/tomcat7

[ec2-user@ip-172-31-25-103 tomcat7]$ ls
        bin  conf  lib  LICENSE  logs  NOTICE  RELEASE-NOTES  RUNNING.txt  temp  webapps  work

[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/startup.sh   
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.

[ec2-user@ip-172-31-25-103 conf]$ cd conf

[ec2-user@ip-172-31-25-103 conf]$ sudo nano tomcat-users.xml

and add the following roles before the closing argument
        <role rolename="manager-gui"/>
        <user username="admin" password="admin" roles="manager-gui"/>
        <role rolename="admin-gui"/>
        <user username="admin" password="admin" roles="admin-gui,manager-gui"/>

[ec2-user@ip-172-31-25-103 conf]$ cd ..

[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar

[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/startup.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.


[ec2-user@ip-172-31-25-103 tomcat7]$ ./bin/shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar

[ec2-user@ip-172-31-25-103 tomcat7]$ cd /home

[ec2-user@ip-172-31-25-103 home]$ sudo keytool -keysize 2048 -genkey -alias bageoconsultants -keyalg RSA -keystore bageoconsultants.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  bageoconsultants.com
What is the name of your organizational unit?
  [Unknown]:  bageoconsultants.com
What is the name of your organization?
  [Unknown]:  bageoconsultants.com
What is the name of your City or Locality?
  [Unknown]:  Centereach
What is the name of your State or Province?
  [Unknown]:  New York
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=bageoconsultants.com, OU=bageoconsultants.com, O=bageoconsultants.com, L=Centereach, ST=New York, C=US correct?
  [no]:  y

[ec2-user@ip-172-31-25-103 home]$ sudo keytool -certreq -alias bageoconsultants -file csr.txt -keystore bageoconsultants.keystore

[ec2-user@ip-172-31-25-103 home]$ cat csr.txt

        ### Copy and Paste text for new SSL certificate ###

### Transfer the Root, Intermediate, and Domain cert to the new server and
place them in the same directory as the keystore ###

### Import new certs; ###

[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias root -keystore bageoconsultants.keystore -trustcacerts -file gdroot-g2.crt
Enter keystore password:

### You may encounter the following error if you had to redo a certificate on a
server -- select yes to install it to this keystore ###
        Certificate already exists in system-wide CA keystore under alias <godaddyrootcertificateauthority-g2>
        Do you still want to add it to your own keystore? [no]:  y

Certificate was added to keystore
[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias intermed -keystore bageoconsultants.keystore -trustcacerts -file gdig2.crt
Enter keystore password:
Certificate was added to keystore
[ec2-user@ip-172-31-52-159 home]$ sudo keytool -import -alias bageoconsultants -keystore bageoconsultants.keystore -trustcacerts -file 65e782bfa45f4e83.crt
Enter keystore password:
Certificate reply was installed in keystore

### Check to ensure all certs are present ### use -v switch also if you want to see entire cert ###

[ec2-user@ip-172-31-52-159 home]$ sudo keytool -list -keystore bageoconsultants.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Nov 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
bageoconsultants, Nov 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AB:84:7F:89:25:0F:22:6E:6A:FD:0D:80:3C:67:5E:DB:0B:75:04:E4
intermed, Nov 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8

### Navigate to your tomcat7/conf directory to alter the server.xml file ###

[ec2-user@ip-172-31-52-159 home]$ cd /usr/share/tomcat7
[ec2-user@ip-172-31-52-159 tomcat7]$ cd conf
[ec2-user@ip-172-31-52-159 conf]$ sudo nano server.xml

          <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

### Uncomment this section and edit according to cert provider ###

         <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
TO
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/your/domain.keystore" keystorePass="your_passwd"
               clientAuth="false" sslProtocol="TLS" />

### Save changes ###

### restart tomcat ###
### Navigate to tomcat/bin folder ###

[ec2-user@ip-172-31-52-159 ~]$ cd /usr/share/tomcat7/bin

[ec2-user@ip-172-31-52-159 bin]$ sudo ./shutdown.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar

[ec2-user@ip-172-31-52-159 bin]$ sudo ./startup.sh
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       
/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Tomcat started.

### Test Connectivity ###

[ec2-user@ip-172-31-52-159 bin]$ sudo nc -v 52.54.85.95 8080
Connection to 52.54.85.95 8080 port [tcp/webcache] succeeded!

[ec2-user@ip-172-31-52-159 bin]$ sudo nc -v 52.54.85.95 8443
Connection to 52.54.85.95 8443 port [tcp/pcsync-https] succeeded!

[ec2-user@ip-172-31-52-159 bin]$ curl -vk http://bageoconsultants.com:8080
        * Rebuilt URL to: http://bageoconsultants.com:8080/
        *   Trying 52.54.85.95...
        * Connected to bageoconsultants.com (52.54.85.95) port 8080 (#0)
        > GET / HTTP/1.1
        > Host: bageoconsultants.com:8080
        > User-Agent: curl/7.47.1
        > Accept: */*
        >
        < HTTP/1.1 200 OK
        < Server: Apache-Coyote/1.1
        < Content-Type: text/html;charset=ISO-8859-1
        < Transfer-Encoding: chunked
        < Date: Wed, 16 Nov 2016 04:10:39 GMT
        < Transfer Encoding - chunked

        <!DOCTYPE html>


        </html>
        * Connection #0 to host bageoconsultants.com left intact


[ec2-user@ip-172-31-52-159 bin]$ curl -vk https://bageoconsultants.com:8443
        * Rebuilt URL to: https://bageoconsultants.com:8443/
        *   Trying 52.54.85.95...
        * Connected to bageoconsultants.com (52.54.85.95) port 8443 (#0)
        * Initializing NSS with certpath: sql:/etc/pki/nssdb
        * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
        * Cannot communicate securely with peer: no common encryption algorithm(s).
        * Closing connection 0
        curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).



[ec2-user@ip-172-31-52-159 bin]$ sudo wget http://bageoconsultants.com:8080
--2016-11-16 04:36:56--  http://bageoconsultants.com:8080/
Resolving bageoconsultants.com (bageoconsultants.com)... 52.54.85.95
Connecting to bageoconsultants.com (bageoconsultants.com)|52.54.85.95|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html    [ <=> ]  10.93K  --.-KB/s    in 0s

2016-11-16 04:36:56 (182 MB/s) - ‘index.html’ saved [11197]



[ec2-user@ip-172-31-52-159 bin]$ sudo wget https://bageoconsultants.com:8443
--2016-11-16 04:37:05--  https://bageoconsultants.com:8443/
Resolving bageoconsultants.com (bageoconsultants.com)... 52.54.85.95
Connecting to bageoconsultants.com (bageoconsultants.com)|52.54.85.95|:8443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.


[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables-save
# Generated by iptables-save v1.4.18 on Wed Nov 16 05:51:47 2016
*nat
:PREROUTING ACCEPT [2:104]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Nov 16 05:51:47 2016

[ec2-user@ip-172-31-52-159 tomcat7]$ sudo iptables-save
# Generated by iptables-save v1.4.18 on Wed Nov 16 05:56:39 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Nov 16 05:56:39 2016
