OK I will try to find, download and try that version.
Thanks!
John Ellis
405.285.2500 office
http://biz-e.io
-----Original Message-----
From: Mark Thomas [mailto:[email protected]]
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List <[email protected]>
Subject: Re: tomcat ssl setup
On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the
> issue on that thread might be causing the SSL issue that I am having.
> On the server that I have been using for the testing of Tomcat 9,
> version 8 was already installed. It's just that my boss said to
> download, install and work with version 9. I wonder if it might work
> with version 8?
Try with 9.0.0.M27. You'll need to follow the browse link on the download page
and then up a directory to find it. (It has been released but CVE-2017-12617
happened and we decided not to announce it as the next 9.0.x release will be
following shortly.)
Note there is still a regression in the keystore handling but it affects fewer
configurations (just FIPS as far as I know).
Mark
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:[email protected]]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: [email protected]
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it
> should be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to
> match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I
> see what was confusing : that logfile shows several starts and stops of
> tomcat.
> It just accumulates. I was looking just at the beginning, the first
> error that I found.
> You have for example this :
>
> 08-Sep-2017 11:10:32.131 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
> ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
> ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was :
> 08-Sep-2017 11:31:21.952 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must
> consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId:
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml;
> lineNumber: 87; columnNumber: 6; The content of elements must consist
> of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for
> 21 minutes.
>
> Then after that there are a few more starts and stops, and at the
> latest attempt, the problem is different :
>
> 08-Sep-2017 15:24:35.920 INFO [main]
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
>
> So, here is what happened :
>
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807),
> it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 482 ms
>
> but then, you did not have the connector for port 8443 enabled yet.
>
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log
> Server version: Apache Tomcat/9.0.0.M26
>
> - and then you had this :
> 08-Sep-2017 11:31:21.952 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must
> consist of well-formed character data or markup.
>
> so my guess is that you modified the server.xml, while tomcat was
> still running, and then you did a "shutdown.sh", to prepare to restart tomcat.
>
> - And then there was that parse error.
>
> And the reason is that the shutdown command, in fact starts another
> (small) instance of tomcat, to issue the shutdown command to the running
> instance.
> But that shutdown instance also reads server.xml, and at that time you
> /did/ have a syntax error in it. So that is where this syntax error came from.
>
> Later you apparently corrected the syntax, and restarted tomcat :
>
> 08-Sep-2017 15:24:34.889 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log
> Server version: Apache Tomcat/9.0.0.M26
>
> and this time, there was no syntax error anymore in server.xml, but
> then there is this other problem :
>
> 08-Sep-2017 15:24:35.920 INFO [main]
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> but that seems to only prevent the SSL connector from starting, and the
> logfile shows that tomcat continues to initialise anyway, with only
> the other connectors.
>
> So that's why you can connect normally to port 8080.
>
> I did not know that tomcat starts anyway, even if it encounters a
> severe problem with one of its connectors.
>
> (And I must say that, as a sysadmin myself, I find this behaviour a
> bit questionable)(unless it is optional)
>
> So anyway, your problem now is not the syntax of server.xml anymore,
> it is something to do with your SSL keystore.
> And for that I am not competent to help, and I'll have to ask someone
> else to follow-up.
>
>
> And now I've been top-posting myself all of this, contrary to the rules.
> Apologies.
>
> But John, for the rest, I suggest that before you restart tomcat,
> delete or rename that old logfile, so that when you restart it will be
> "fresh" and contain only the result of the last attempt. It will be
> clearer for everyone.
>
>
> On 21.09.2017 21:47, John Ellis wrote:
>> One more thing Andre. I don't know if it matters or not but when I
>> try to access Tomcat 9 on the secure port of 8443
>> I see it saying down in the bottom left hand corner of my browser-
>> "Performing a TLS handshake to 10.22.8.70..." but it never gives the
>> webpage. However once I change the IP address to 10.22.8.70:8080 it
>> immediately goes to the Tomcat 9 webpage.
>>
>> John Ellis
>> 405.285.2500 office
>> http://biz-e.io
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:[email protected]]
>> Sent: Thursday, September 21, 2017 11:34 AM
>> To: [email protected]
>> Subject: Re: tomcat ssl setup
>>
>> On 21.09.2017 17:17, John Ellis wrote:
>>> OK. As I said there is nothing on line 87 but here is line 114-
>>>
>>> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"
>>
>> I think you need to provide a bit more context then.
>>
>> Can you paste here, say, that same line, but with 10 lines before and
>> 10 lines after, and tell at which line number this starts in
>> server.xml (so that we can compare with the log) ?
>>
>> The error messages in the log were apparently about comments (between
>> <!-- and -->), so if these lines are (or contain) comments, copy them anyway.
>>
>>
>>>
>>> John Ellis
>>> 405.285.2500 office
>>> http://biz-e.io
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat) [mailto:[email protected]]
>>> Sent: Thursday, September 21, 2017 10:15 AM
>>> To: [email protected]
>>> Subject: Re: tomcat ssl setup
>>>
>>>
>>>
>>> On 21.09.2017 16:43, John Ellis wrote:
>>>> Thanks so much for the quick reply Andre. There doesn't appear to
>>>> be anything on line 87 but there is on line 114. See the screenshot
>>>> I took of the server.xml file below-
>>>>
>>>
>>> Unfortunately, this list strips most attachments, and in fact asks
>>> for text-only messages.
>>> (and to avoid top-posting)
>>>
>>> See : http://tomcat.apache.org/lists.html#tomcat-users -->
>>> Important
>>>
>>> Please paste the corresponding lines directly, as text, in your next
>>> message.
>>>
>>>
>>>> John Ellis
>>>>
>>>> 405.285.2500 office
>>>>
>>>> http://biz-e.io
>>>>
>>>> -----Original Message-----
>>>> From: André Warnier (tomcat) [mailto:[email protected]]
>>>> Sent: Wednesday, September 20, 2017 10:41 AM
>>>> To: [email protected]
>>>> Subject: Re: tomcat ssl setup
>>>>
>>>> On 20.09.2017 17:07, John Ellis wrote:
>>>> > All of what I have done so far has been in Tomcat version 9, which I
>>>> > downloaded from the Apache Tomcat website. The way I start tomcat is
>>>> > by running the command ./startup.sh from within the
>>>> > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>>> > command ./shutdown.sh from the same directory.
>>>> >
>>>>
>>>> Ok, perfect. So there is only one tomcat9 we can be talking about,
>>>> and one server.xml file. And since this is a "standard tomcat",
>>>> that server.xml must be in .. let me look at the logfile again) ..
>>>>
>>>> 08-Sep-2017 10:05:02.911 INFO [main]
>>>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying
>>>> web application directory
>>>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>>>
>>>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>>>
>>>> and considering this :
>>>>
>>>> 08-Sep-2017 11:31:21.952 SEVERE [main]
>>>> org.apache.tomcat.util.digester.Digester.fatalError
>>>> Parse Fatal Error at line 87 column 6: The content of elements must
>>>> consist of well-formed character data or markup.
>>>> org.xml.sax.SAXParseException; systemId:
>>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml;
>>>> lineNumber: 87; columnNumber: 6; The content of elements must consist
>>>> of well-formed character data or markup.
>>>>
>>>> there is something on line 87, position 6, that he does not like.
>>>>
>>>> And further down also :
>>>>
>>>> 08-Sep-2017 13:17:36.947 SEVERE [main]
>>>> org.apache.tomcat.util.digester.Digester.fatalError
>>>> Parse Fatal Error at line 114 column 6: The string "--" is not
>>>> permitted within comments.
>>>> org.xml.sax.SAXParseException; systemId:
>>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml;
>>>> lineNumber: 114; columnNumber: 6; The string "--" is not permitted
>>>> within comments.
>>>>
>>>> but maybe this is not in the server.xml file itself, but in
>>>> something else that the server.xml references there (like an
>>>> external "XML entity" or something).
>>>>
>>>> Why don't you get those 2 lines from your server.xml and paste them
>>>> here :
>>>>
>>>> ...
>>>>
>>>> > John Ellis
>>>> > 405.285.2500 office
>>>> > http://biz-e.io
>>>> >
>>>>
>>>> > -----Original Message-----
>>>> > From: André Warnier (tomcat) [mailto:[email protected]]
>>>> > Sent: Wednesday, September 20, 2017 10:02 AM
>>>> > To: [email protected]
>>>> > Subject: Re: tomcat ssl setup
>>>> >
>>>> > On 20.09.2017 15:20, John Ellis wrote:
>>>> >> Andre can you tell me which log file you are saying tells where the
>>>> >> problem is?
>>>> >
>>>> > That's the one you uploaded to the dropbox :
>>>> > https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>> >
>>>> > I have of course no idea at this point, which tomcat or which
>>>> > server.xml this was related to, but I suppose you do.
>>>> >
>>>> > I am not seeing it but I may not be even looking for the right thing. I
>>>> >> did open the server.xml file up in an XML file editor program and it
>>>> >> didn't give any errors.
>>>> >
>>>> > Then it must be that this tomcat who wrote the logfile, is not looking
>>>> > at the same server.xml file as the one you're looking at.
>>>> > (Or else your XML file editor is not really good)
>>>> >
>>>> > How do you start this tomcat, on your server ?
>>>> > And where did you get this tomcat from ? Is it the one from the tomcat
>>>> > website ?
>>>> >
>>>> >>
>>>> >> John Ellis
>>>> >> 405.285.2500 office
>>>> >> http://biz-e.io
>>>> >>
>>>>
>>>> >> -----Original Message-----
>>>> >> From: André Warnier (tomcat) [mailto:[email protected]]
>>>> >> Sent: Tuesday, September 19, 2017 3:47 PM
>>>> >> To: [email protected]
>>>> >> Subject: Re: tomcat ssl setup
>>>> >>
>>>> >> On 19.09.2017 20:17, John Ellis wrote:
>>>> >>> Here are the tomcat 9 log file DropBox links-
>>>> >>>
>>>> >>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>> >>
>>>> >> Well, there you go. It tells you explicitly where you made the
>>>> >> mistakes, up to the file and line numbers.
>>>> >> I can't see your server.xml, but I would bet that you have modified
>>>> >> it, by surrounding some XML comment sections by another comment pair
>>>> >> <!-- ... --> That crashes because XML does not allow that.
>>>> >> You cannot have this kind of thing :
>>>> >>
>>>> >> <!-- ... <!-- ... --> -->
>>>> >>
>>>> >>>
>>>> >>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0
>>>> >>>
>>>> >>> Thanks,
>>>> >>>
>>>> >>> John Ellis
>>>> >>> 405.285.2500 office
>>>> >>> United States
>>>> >>> http://biz-e.io
>>>> >>>
>>>>
>>>> >>> *From:* Alejandro Vargas M. [mailto:[email protected]]
>>>> >>> *Sent:* Tuesday, September 19, 2017 11:10 AM
>>>> >>> *To:* [email protected]
>>>> >>> *Subject:* Re: tomcat ssl setup
>>>> >>>
>>>> >>> Do you see what's on the log files, they can tell you what's the
>>>> >>> problem in. Maybe you can share those files too.
>>>> >>>
>>>> >>> I also saw on line 117 this "| -->|" Looks like there's left over.
>>>> >>>
>>>> >>> On 09/19/2017 09:31 AM, John Ellis wrote:
>>>> >>>
>>>> >>> I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL
>>>> >>> (version 6.4) server for testing purposes. I downloaded & installed
>>>> >>> Tomcat9 fine and I get a proper webpage on port 8080 but when I used
>>>> >>> the keytool commands and created a certificate from cacert.org and
>>>> >>> then edited the server.xml file to setup the ssl configuration to
>>>> >>> run on port 8443 I cannot get a webpage on that port; it defaults
>>>> >>> back to port 8080. If I am not providing all the needed info or
>>>> >>> asking a wrong question please forgive me. I am not a programmer. My
>>>> >>> background is in computer hardware. I have just been forced to learn
>>>> >>> this to support two products that we use here in our office; Jira
>>>> >>> and Confluence. I have actually been working on setting them up for
>>>> >>> an SSL connection on a different server. I got Confluence working on
>>>> >>> a secure port but not Jira so my boss suggested troubleshooting the
>>>> >>> issue by trying to first get SSL setup for Tomcat on this other
>>>> >>> server.
>>>> >>>
>>>> >>> I am providing a copy of the Tomcat9 server.xml file here on a
>>>> >>> DropBox link-
>>>> >>> https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0
>>>> >>>
>>>> >>> Thanks in advance!
>>>> >>>
>>>> >>> John Ellis
>>>> >>> 405.285.2500 office
>>>> >>> United States
>>>> >>> http://biz-e.io
>>>> >>>
>>>> >>> --
>>>> >>> Alejandro Vargas Mayorga
>>>> >>> */Development Manager C.A. & C./*
>>>> >>> *Tel. 506- 7232-3366*
>>>> >>> *Email:* [email protected]
>>>> >>> *www.kymsolutions.com* <http://www.kymsolutions.com/>
>>>> >>> *Visit our virtual classroom!*
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
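
André's reading of the log in the thread above depends on telling the separate Tomcat starts apart inside one accumulated catalina log. The sketch below is an added example, not code from the thread or from Tomcat: it splits such a log into runs and lists the SEVERE entries of each run, so that only the last attempt needs to be read. The sample log is constructed from the excerpts quoted in the thread (its final startup line is invented), the function names are hypothetical, and treating the VersionLoggerListener "Server version" line as the start of a run is an assumption.

```python
import re

# Constructed sample, modelled on the excerpts quoted in the thread.
# The last "Server startup" line is invented for illustration.
SAMPLE_LOG = """\
08-Sep-2017 10:05:02.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
08-Sep-2017 15:24:37.100 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 2211 ms
"""

# timestamp, level, [thread], logging class.method, message
ENTRY = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \[[^\]]*\] (\S+) (.*)$")


def split_runs(text):
    """Group log entries into runs; a run begins at a 'Server version' line."""
    runs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            # Stack trace or "Caused by:" line: attach it to the previous entry.
            if runs and runs[-1]["entries"]:
                runs[-1]["entries"][-1]["detail"].append(line.strip())
            continue
        ts, level, source, msg = m.groups()
        is_start = (source.endswith("VersionLoggerListener.log")
                    and msg.startswith("Server version"))
        if is_start or not runs:  # "not runs": the log begins in mid-run
            runs.append({"started": ts, "entries": []})
        runs[-1]["entries"].append(
            {"ts": ts, "level": level, "msg": msg, "detail": []})
    return runs


def severe_by_run(text):
    """Return [(run start, [(timestamp, root cause or message), ...]), ...]."""
    report = []
    for run in split_runs(text):
        errors = []
        for e in run["entries"]:
            if e["level"] == "SEVERE":
                cause = next(
                    (d for d in e["detail"] if d.startswith("Caused by:")), None)
                errors.append((e["ts"], cause or e["msg"]))
        report.append((run["started"], errors))
    return report


def last_run_errors(text):
    """SEVERE entries of the most recent start only."""
    report = severe_by_run(text)
    return report[-1][1] if report else []


if __name__ == "__main__":
    for started, errors in severe_by_run(SAMPLE_LOG):
        print(started, errors)
```

On the sample, the parse error lands in the run that started at 11:10, and the keystore failure is the only SEVERE entry of the last run, which matches the sequence of events reconstructed in the thread.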