I've worked on this for three days and at this point am not sure where to
begin debugging. 

I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
Tomcat Connector issue or a Tomcat import of the SSL Cert issue.

Any feedback is much appreciated.

Thank you in advance,
Ted S.

Server version: Apache Tomcat/7.0.68
Server built:   Feb 8 2016 20:25:54 UTC
Server number:  7.0.68.0
OS Name:        Linux
OS Version:     3.10.0-327.3.1.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_91-b14
JVM Vendor:     Oracle Corporation

Important Points:
1. Apache was unable to be restarted without reboot.
2. After reboot, requests to https://example.com/somecontext receive "502 Proxy Error".
3. I rekeyed SSL Certs and re-imported into Tomcat (command below).
4. Requests to https://example.com/somecontext still receive "502 Proxy Error".
5. I suspect one problem may be with contents of the <VirtualHost _default_:443> element.

After a recent reboot I encountered the following issue.

Issue: Requests via browser client to https://example.com/somecontext
return -
-- begin browser page
Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.

Reason: Error reading from remote server
-- end browser page

Unexpected Observed Behavior: Requests via browser client to
https://www.example.com/ return the default index.html for the server.
Requests via command line client curl https://www.example.com/ return "502
Proxy Error"

This server has been in production for seven months correctly responding
to requests on ports 80 & 443 (with secure content). I updated content and
wanted to change to redirecting incoming requests from port 80 to port 443.

When I attempted to restart Apache, Apache failed to kill the running
process. I issued 'kill'. Then tried to start. Apache failed to start. I
restored the <VirtualHost *:80> container to the state listed below, then
tried to start Apache. Apache failed to start. I rebooted the server, then
started Apache. 

Then any request via browser behaved as above. I then rekeyed the SSL Cert
and re-imported the cert into Tomcat with:

$ openssl pkcs12 -export -in /etc/pki/tls/certs/example.com.crt \
    -inkey /etc/pki/tls/private/example.key -out examplecert.p12 -name tomcat \
    -CAfile /etc/pki/tls/certs/ca_bundle.crt -caname root -chain

Configuration files content:

-- begin virtualhost.conf
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass         /somecontext  http://example.com:8081/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8081/somecontext
</VirtualHost>

<VirtualHost *:80>
  ServerName www.exampledefaultdomain.com
  ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
  ErrorLog "/etc/httpd/logs/examplessl_error.log"
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCertificateChainFile /path/to/certs/ca_bundle.crt
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass         /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext
</VirtualHost>
-- end virtualhost.conf

-- begin ssl.conf -
<VirtualHost _default_:443>
  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCACertificateFile /path/to/certs/ca_bundle.crt
</VirtualHost>
-- end ssl.conf -

-- begin Tomcat server.xml Connector:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           proxyName="www.example.com"
           proxyPort="443"
           keystoreFile="conf/.keystore"
           clientAuth="false"
           sslProtocol="TLS"
           xpoweredBy="false"
           server="Apache TomEE" />
-- end Tomcat server.xml Connector:


$ openssl x509 -in /etc/pki/tls/certs/example.com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=example.com

$ apachectl -S

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:35)
                 alias example.com
                 wild alias *.example.com
*:80                   is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
         port 80 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
                 alias example.com
                 wild alias *.example.com
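One thing a reader of the post can check without touching the server: in the posted <VirtualHost *:443> the ProxyPass targets are http://example.com:8443/, while the posted Tomcat Connector on port 8443 has SSLEnabled="true", so mod_proxy would be speaking plain HTTP to a TLS listener. "Error reading from remote server" is what mod_proxy_http reports when it cannot read a valid HTTP status line from the backend, so that scheme/connector mismatch is worth ruling out first. The script below is an added example, not code from the post or from the Tomcat or httpd projects: it parses ProxyPass directives and Connector elements (trimmed copies of the posted fragments, embedded as constructed input) and reports every ProxyPass whose scheme does not fit the connector it points at. The function names and finding codes are this example's own.

```python
"""Added example, not part of the original post: a static consistency check
between httpd ProxyPass targets and the Tomcat Connectors they point at.

An http:// ProxyPass target must land on a Connector without SSLEnabled;
an https:// target needs SSLEnabled="true" on the Tomcat side plus
SSLProxyEngine on in httpd.  Hostnames are the post's placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: trimmed from the posted virtualhost.conf.
HTTPD_CONF = """
<VirtualHost *:80>
  ServerName www.example.com
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLProxyEngine on
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass         /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext
</VirtualHost>
"""

# Constructed input: trimmed from the posted server.xml Connector.
SERVER_XML = """
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true" />
"""

# ProxyPass (not ProxyPassReverse) with an absolute http(s) target and explicit port.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(https?)://([^/:\s]+):(\d+)", re.M)
CONNECTOR_RE = re.compile(r"<Connector\b([^>]*)>", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_connectors(server_xml: str) -> Dict[int, bool]:
    """Map each Connector's port to whether it terminates TLS (SSLEnabled="true")."""
    ports: Dict[int, bool] = {}
    for m in CONNECTOR_RE.finditer(server_xml):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if "port" in attrs:
            ports[int(attrs["port"])] = attrs.get("SSLEnabled", "false").lower() == "true"
    return ports


def parse_proxypass(httpd_conf: str) -> List[Tuple[str, str, str, int]]:
    """Return (path, scheme, host, port) for every ProxyPass directive."""
    return [(p, s, h, int(port)) for p, s, h, port in PROXYPASS_RE.findall(httpd_conf)]


def check(httpd_conf: str, server_xml: str) -> List[Tuple[str, int, str]]:
    """Return (path, port, code) for each ProxyPass whose scheme does not fit its backend.

    codes: 'no-connector'   - no Connector on that port in server.xml
           'http-to-tls'    - plain http:// sent to a Connector with SSLEnabled="true"
           'https-to-plain' - https:// sent to a Connector without TLS
    """
    connectors = parse_connectors(server_xml)
    findings: List[Tuple[str, int, str]] = []
    for path, scheme, _host, port in parse_proxypass(httpd_conf):
        tls = connectors.get(port)
        if tls is None:
            findings.append((path, port, "no-connector"))
        elif scheme == "http" and tls:
            findings.append((path, port, "http-to-tls"))
        elif scheme == "https" and not tls:
            findings.append((path, port, "https-to-plain"))
    return findings


if __name__ == "__main__":
    for path, port, code in check(HTTPD_CONF, SERVER_XML):
        print(f"ProxyPass {path} -> port {port}: {code}")
```

Run against the posted fragments it reports the two 8443 ProxyPass lines as http-to-tls and the 8081 target as having no connector in the posted server.xml (the post shows only the 8443 Connector). Either side of the mismatch can be changed: point the *:443 vhost at https://example.com:8443/ (SSLProxyEngine on is already set, and it only takes effect for https:// backends), or proxy to a non-SSL HTTP connector and let httpd alone terminate TLS. Two caveats for the live system: confirm what port 8443 actually speaks with `openssl s_client -connect 127.0.0.1:8443` versus `curl -v http://127.0.0.1:8443/`, and note that a Tomcat 7 connector using Http11AprProtocol with the native library loaded takes its certificate from SSLCertificateFile/SSLCertificateKeyFile, not from the JSSE keystoreFile attribute, so a re-imported .p12 would not be what that connector serves.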
