Andre, I saw where you asked Mark Thomas, on another thread, if the issue on
that thread might be causing the SSL issue that I am having. On the server
that I have been using for the testing of Tomcat 9, version 8 was already
installed. It's just that my boss said to download, install and work with
version 9. I wonder if it might work with version 8?

John Ellis

405.285.2500 office

http://biz-e.io


-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 4:40 PM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

Hi.

I just downloaded tomcat 9 myself (the windows zip version, but it should be
the same), to look at the standard server.xml.

There is something which does not quite fit in all of this.
I can also not see, in the snippets of server.xml that you pasted, any
obvious XML errors or imbricated comments.
Yet the logfile points to these lines.
Somehow the logfile which you uploaded to Dropbox does not seem to match
the server.xml lines that you pasted here.

Ooooh, wait.
I know why it did not fit.

After looking again, more carefully, at the logfile that you posted, I see
what was confusing: that logfile shows several starts and stops of tomcat.
It just accumulates. I was looking just at the beginning, at the first error
that I found.
You have for example this:

08-Sep-2017 11:10:32.131 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 18916 ms

Just before the error message that I was mentioning, which was:
08-Sep-2017 11:31:21.952 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError
Parse Fatal Error at line 87 column 6: The content of elements must consist
of well-formed character data or markup.
  org.xml.sax.SAXParseException; systemId:
file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87;
columnNumber: 6; The content of elements must consist of well-formed
character data or markup.

But that was like 21 minutes later, after tomcat had been running for 21
minutes.

Then after that there are a few more starts and stops, and at the latest
attempt, the problem is different:

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-8443]]
  org.apache.catalina.LifecycleException: Protocol handler initialization
failed ...
Caused by: java.lang.IllegalArgumentException:
java.security.KeyStoreException: Cannot store non-PrivateKeys
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)


So, here is what happened:

- when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it
started fine, ending in the line
08-Sep-2017 10:05:03.371 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 482 ms

but then, you did not have the connector for port 8443 enabled yet.

- then you stopped tomcat, and you started it again at
08-Sep-2017 11:10:13.141 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log 
Server version:        Apache Tomcat/9.0.0.M26

- and then you had this:
08-Sep-2017 11:31:21.952 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError
Parse Fatal Error at line 87 column 6: The content of elements must consist
of well-formed character data or markup.

so my guess is that you modified the server.xml, while tomcat was still
running, and then you did a "shutdown.sh", to prepare to restart tomcat.

- And then there was that parse error.

And the reason is that the shutdown command, in fact starts another (small)
instance of tomcat, to issue the shutdown command to the running instance.
But that shutdown instance also reads server.xml, and at that time you /did/
have a syntax error in it. So that is where this syntax error came from.

Later you apparently corrected the syntax, and restarted tomcat:

08-Sep-2017 15:24:34.889 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log 
Server version:        Apache Tomcat/9.0.0.M26

and this time, there was no syntax error anymore in server.xml, but then
there is this other problem:

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-8443]]
  org.apache.catalina.LifecycleException: Protocol handler initialization
failed ...
Caused by: java.lang.IllegalArgumentException:
java.security.KeyStoreException: Cannot store non-PrivateKeys
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)

but that seems only to prevent the SSL connector from starting, and the
logfile shows that tomcat continues to initialise anyway, with only the
other connectors.

So that's why you can connect normally to port 8080.

I did not know that tomcat starts anyway, even if it encounters a severe
problem with one of its connectors.

(And I must say that, as a sysadmin myself, I find this behaviour a bit
questionable, unless it is optional.)

So anyway, your problem now is not the syntax of server.xml anymore, it is
something to do with your SSL keystore.
And for that I am not competent to help, and I'll have to ask someone else
to follow up.


And now I've been top-posting myself all of this, contrary to the rules.
Apologies.

But John, for the rest, I suggest that before you restart tomcat, you delete
or rename that old logfile, so that when you restart it will be "fresh" and
contain only the result of the last attempt. It will be clearer for everyone.
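A pre-flight check for the sequence André reconstructs above (server.xml edited while Tomcat is still running, then parsed by the shutdown instance). This is an added example, not code from the thread or from Tomcat: the server.xml snippets inside it are constructed to mirror the two log errors, and the check uses Python's stdlib expat parser, which enforces the same XML comment rules as Tomcat's SAX parser.

```python
"""Well-formedness pre-check for Tomcat's conf/server.xml.

Added example, not code from the thread or from Tomcat. The XML rules that
Tomcat's parser enforced in the log are the same ones Python's stdlib expat
enforces: no comment opened inside a comment (the inner "<!--" already
contains "--") and no "--" anywhere inside a comment.
"""
import sys
from xml.parsers import expat


def check_server_xml(xml_text):
    """Parse the whole document; return (ok, line, column, message).

    line and column are 1-based, like lineNumber/columnNumber in Tomcat's
    SAXParseException; on success they are None.
    """
    parser = expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)   # True: this is the final (only) chunk
        return True, None, None, "well-formed"
    except expat.ExpatError as err:
        return False, err.lineno, err.offset + 1, expat.ErrorString(err.code)


# Constructed snippets modelled on the two log errors; not the poster's file.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- HTTPS connector, enabled on port 8443 -->
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" />
  </Service>
</Server>
"""
COMMENT = "<!-- HTTPS connector, enabled on port 8443 -->"

# A comment pair wrapped around an existing comment: fails at the inner "<!--".
NESTED_COMMENT = GOOD.replace(
    COMMENT, "<!-- HTTPS connector\n  <!-- enabled on port 8443 -->\n  -->")

# A stray "--" left inside a comment, like the line 114 error in the log.
DOUBLE_DASH = GOOD.replace(
    COMMENT, "<!-- HTTPS connector -- enabled on port 8443 -->")


def main(path):
    """Check one file, e.g. before running ./shutdown.sh; exit 1 if broken."""
    with open(path, "rb") as fh:
        ok, line, col, msg = check_server_xml(fh.read())
    if ok:
        print("%s: %s, safe to restart" % (path, msg))
        return 0
    print("%s: line %d column %d: %s" % (path, line, col, msg))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "conf/server.xml"))
```

Run it against conf/server.xml before ./shutdown.sh; a non-zero exit means the file the shutdown instance would read is the broken one.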


On 21.09.2017 21:47, John Ellis wrote:
> One more thing Andre. I don't know if it matters or not but when I try to
> access Tomcat 9 on the secure port of 8443
>   I see it saying down in the bottom left hand corner of my browser-
> "Performing a TLS handshake to 10.22.8.70..." but it never
> gives the webpage. However once I change the IP address to 10.22.8.70:8080
> it immediately goes to the Tomcat 9 webpage.
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 11:34 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 21.09.2017 17:17, John Ellis wrote:
>> OK. As I said there is nothing on line 87 but here is line 114-
>>
>> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"
>
> I think you need to provide a bit more context then.
>
> Can you paste here, say, that same line, but with 10 lines before and 10
> lines after, and tell at which line number this starts in server.xml (so
> that we can compare with the log)?
>
> The error messages in the log were apparently about comments (between <!--
> and -->), so if these lines are (or contain) comments, copy them anyway.
>
>
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Thursday, September 21, 2017 10:15 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>>
>>
>> On 21.09.2017 16:43, John Ellis wrote:
>>> Thanks so much for the quick reply Andre. There doesn't appear to be
>>> anything on line 87 but there is on line 114. See the screenshot I
>>> took of the server.xml file below-
>>>
>>
>> Unfortunately, this list strips most attachments, and in fact asks for
>> text-only messages.
>> (and to avoid top-posting)
>>
>> See: http://tomcat.apache.org/lists.html#tomcat-users  --> Important
>>
>> Please paste the corresponding lines directly, as text, in your next
>> message.
>>
>>
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>> Sent: Wednesday, September 20, 2017 10:41 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: tomcat ssl setup
>>>
>>> On 20.09.2017 17:07, John Ellis wrote:
>>>
>>>    > All of what I have done so far has been in Tomcat version 9, which I
>>>    > downloaded from the Apache Tomcat website. The way I start tomcat is
>>>    > by running the command ./startup.sh from within the
>>>    > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>>    > command ./shutdown.sh from the same directory.
>>>    >
>>>
>>> Ok, perfect. So there is only one tomcat9 we can be talking about, and
>>> one server.xml file. And since this is a "standard tomcat", that
>>> server.xml must be in... (let me look at the logfile again)...
>>>
>>> 08-Sep-2017 10:05:02.911 INFO [main]
>>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
>>> application directory
>>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>>
>>> so here: /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>>
>>> and considering this:
>>>
>>> 08-Sep-2017 11:31:21.952 SEVERE [main]
>>> org.apache.tomcat.util.digester.Digester.fatalError
>>> Parse Fatal Error at line 87 column 6: The content of elements must
>>> consist of well-formed character data or markup.
>>>      org.xml.sax.SAXParseException; systemId:
>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
>>> 87; columnNumber: 6; The content of elements must consist of well-formed
>>> character data or markup.
>>>
>>> there is something on line 87, position 6, that it does not like.
>>>
>>> And further down also:
>>>
>>> 08-Sep-2017 13:17:36.947 SEVERE [main]
>>> org.apache.tomcat.util.digester.Digester.fatalError
>>> Parse Fatal Error at line 114 column 6: The string "--" is not permitted
>>> within comments.
>>>      org.xml.sax.SAXParseException; systemId:
>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
>>> 114; columnNumber: 6; The string "--" is not permitted within comments.
>>>
>>> but maybe this is not in the server.xml file itself, but in something
>>> else that the server.xml references there (like an external "XML entity"
>>> or something).
>>>
>>> Why don't you get those 2 lines from your server.xml and paste them here:
>>>
>>> ...
>>>
>>>    > -----Original Message-----
>>>    > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>>    > Sent: Wednesday, September 20, 2017 10:02 AM
>>>    > To: users@tomcat.apache.org
>>>    > Subject: Re: tomcat ssl setup
>>>    >
>>>    > On 20.09.2017 15:20, John Ellis wrote:
>>>
>>>    >> Andre can you tell me which log file you are saying tells where the
>>>    >> problem is?
>>>
>>>    >
>>>
>>>    > That's the one you uploaded to the dropbox:
>>>    > https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>    >
>>>    > I have of course no idea at this point, which tomcat or which
>>>    > server.xml this was related to, but I suppose you do.
>>>
>>>    >
>>>
>>>    >> I am not seeing it but I may not be even looking for the right
>>>    >> thing. I did open the server.xml file up in an XML file editor
>>>    >> program and it didn't give any errors.
>>>
>>>    >
>>>
>>>    > Then it must be that this tomcat that wrote the logfile is not
>>>    > looking at the same server.xml file as the one you're looking at.
>>>    > (Or else your XML file editor is not really good)
>>>    >
>>>    > How do you start this tomcat, on your server?
>>>    > And where did you get this tomcat from? Is it the one from the
>>>    > tomcat website?
>>>
>>>    >>
>>>    >> -----Original Message-----
>>>    >> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>>    >> Sent: Tuesday, September 19, 2017 3:47 PM
>>>    >> To: users@tomcat.apache.org
>>>    >> Subject: Re: tomcat ssl setup
>>>    >>
>>>    >> On 19.09.2017 20:17, John Ellis wrote:
>>>
>>>    >>> Here are the tomcat 9 log file DropBox links-
>>>    >>>
>>>    >>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>    >>
>>>
>>>    >> Well, there you go. It tells you explicitly where you made the
>>>    >> mistakes, up to the file and line numbers.
>>>    >> I can't see your server.xml, but I would bet that you have modified
>>>    >> it, by surrounding some XML comment sections by another comment pair
>>>    >> <!-- ... -->. That crashes because XML does not allow that.
>>>    >> You cannot have this kind of thing:
>>>    >>
>>>    >> <!-- ... <!-- ... -->  -->
>>>    >>
>>>
>>>    >>>
>>>    >>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0
>>>    >>>
>>>    >>> Thanks,
>>>    >>>
>>>    >>> John Ellis
>>>    >>>
>>>    >>> From: Alejandro Vargas M. [mailto:alejandro.var...@kymsolutions.com]
>>>    >>> Sent: Tuesday, September 19, 2017 11:10 AM
>>>    >>> To: users@tomcat.apache.org
>>>    >>> Subject: Re: tomcat ssl setup
>>>    >>>
>>>    >>> Do you see what's on the log files? They can tell you what the
>>>    >>> problem is. Maybe you can share those files too.
>>>    >>>
>>>    >>> I also saw on line 117 this "|  -->|". Looks like there's a leftover.
>>>    >>>
>>>    >>> On 09/19/2017 09:31 AM, John Ellis wrote:
>>>    >>>
>>>    >>>       I have been trying to set up SSL for tomcat 9.00.M26 on a RHEL
>>>    >>>       (version 6.4) server for testing purposes. I downloaded &
>>>    >>>       installed Tomcat9 fine and I get a proper webpage on port 8080
>>>    >>>       but when I used the keytool commands and created a certificate
>>>    >>>       from cacert.org and then edited the server.xml file to set up
>>>    >>>       the ssl configuration to run on port 8443 I cannot get a webpage
>>>    >>>       on that port; it defaults back to port 8080. If I am not
>>>    >>>       providing all the needed info or asking a wrong question please
>>>    >>>       forgive me. I am not a programmer. My background is in computer
>>>    >>>       hardware. I have just been forced to learn this to support two
>>>    >>>       products that we use here in our office; Jira and Confluence.
>>>    >>>       I have actually been working on setting them up for an SSL
>>>    >>>       connection on a different server. I got Confluence working on
>>>    >>>       a secure port but not Jira so my boss suggested troubleshooting
>>>    >>>       the issue by trying to first get SSL set up for Tomcat on this
>>>    >>>       other server.
>>>    >>>
>>>    >>>       I am providing a copy of the Tomcat9 server.xml file here on a
>>>    >>>       DropBox link-
>>>    >>>       https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0
>>>    >>>
>>>    >>>       Thanks in advance!
>>>    >>>
>>>    >>>       John Ellis
>>>    >>>
>>>    >>> --
>>>    >>> Alejandro Vargas Mayorga
>>>    >>> Development Manager, C.A. & C.
>>>    >>> Tel. 506- 7232-3366
>>>    >>> Email: alejandro.var...@kymsolutions.com
>>>    >>> www.kymsolutions.com  Visit our virtual classroom!
>>>    >>
>>>    >> ---------------------------------------------------------------------
>>>    >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>    >> For additional commands, e-mail: users-h...@tomcat.apache.org