Mark, although I am not finding it now, I'm pretty sure that I sent out a reply 
to this last week saying I am getting the same exact result with ver. M27 as I 
was with M26; can't get a webpage login when I try the secure port of 8443. It 
just churns on the screen but never connects. However, if I plug in the 
non-secure port of 8080 it goes to the 9.0.0.M27 webpage immediately. 
Also my boss suggested that I try using "Let's Encrypt" so I tried that on 
Friday. It instructed me to run several updates first but when I tried to run 
the actual command of-
./certbot-auto --apache I got the messages below-
 DeprecationWarning: Python 2.6 is no longer supported by the Python core team, 
please upgrade your Python. A future version of cryptography will drop support 
for Python 2.6
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: 
The apache plugin is not working; there may be problems with your existing 
The error was: NoInstallationError('Cannot find Apache control command 

I went to the website and it suggested running the command 
./certbot-auto --apache certonly but it gave the same error.

John Ellis

405.285.2500 office

-----Original Message-----
From: Mark Thomas [] 
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List <>
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the 
> issue on that thread might be causing the SSL issue that I am having. 
> On the server that I have been using for the testing of Tomcat 9 
> version 8 was already installed on it. It's just that my boss said to 
> download, install and work with version 9. I wonder if it might work on with 
> version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page 
and then up a directory to find it. (It has been released but CVE-2017-12617 
happened and we decided not to announce it as the next 9.0.x release will be 
following shortly.)

Note there is still a regression in the keystore handling but it affects fewer 
configurations (just FIPS as far as I know).


> John Ellis
> 405.285.2500 office
> -----Original Message-----
> From: André Warnier (tomcat) []
> Sent: Thursday, September 21, 2017 4:40 PM
> To:
> Subject: Re: tomcat ssl setup
> Hi.
> I just downloaded tomcat 9 myself (the windows zip version, but it 
> should be the same), to look at the standard server.xml.
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any 
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to 
> match the server.xml lines that you pasted here.
> Ooooh, wait.
> I know why it did not fit.
> After looking again, more carefully, at the logfile that you posted, I 
> see what was confusing : that logfile shows several starts and stops of 
> tomcat.
> It just accumulates. I was looking just at the beginning, the first 
> error that I found.
> You have for example this :
> 08-Sep-2017 11:10:32.131 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
> Just before the error message that I was mentioning, which was :
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
>   org.xml.sax.SAXParseException; systemId: 
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; 
> lineNumber: 87;
> columnNumber: 
> 6; The content of elements must consist of well-formed character data 
> or markup.
> But that was like 21 minutes later, after tomcat had been running for 
> 21 minutes.
> Then after that there are a few more starts and stops, and at the 
> latest attempt, the problem is different :
> 08-Sep-2017 15:24:35.920 INFO [main] 
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed 
> to initialize component [Connector[HTTP/1.1-8443]]
>   org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> Cannot store non-PrivateKeys
>       at
> actJss
> So, here is what happened :
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), 
> it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 482 ms
> but then, you did not have the connector for port 8443 enabled yet.
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log 
> Server version:        Apache Tomcat/9.0.0.M26
> - and then you had this :
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
> so my guess is that you modified the server.xml, while tomcat was 
> still running, and then you did a "", to prepare to restart tomcat.
> - And then there was that parse error.
> And the reason is that the shutdown command, in fact starts another 
> (small) instance of tomcat, to issue the shutdown command to the running 
> instance.
> But that shutdown instance also reads server.xml, and at that time you 
> /did/ have a syntax error in it. So that is where this syntax error came from.
> Later you apparently corrected the syntax, and restarted tomcat :
> 08-Sep-2017 15:24:34.889 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log 
> Server version:        Apache Tomcat/9.0.0.M26
> and this time, there was no syntax error anymore in server.xml, but 
> then there is this other problem :
> 08-Sep-2017 15:24:35.920 INFO [main] 
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed 
> to initialize component [Connector[HTTP/1.1-8443]]
>   org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> Cannot store non-PrivateKeys
>       at
> actJss
> but that seems to only prevent the SSL connector to start, and the 
> logfile shows that tomcat continues to initialise anyway, with only 
> the other connectors.
> So that's why you can connect normally to port 8080.
> I did not know that tomcat starts anyway, even if it encounters a 
> severe problem with one of its connectors.
> (And I must say that, as a sysadmin myself, I find this behaviour a 
> bit questionable)(unless it is optional)
> So anyway, your problem now is not the syntax of server.xml anymore, 
> it is something to do with your SSL keystore.
> And for that I am not competent to help, and I'll have to ask someone 
> else to follow-up.
> And now I've been top-posting myself all of this, contrary to the rules.
> Apologies.
> But John, for the rest, I suggest that before you restart tomcat, 
> delete or rename that old logfile, so that when you restart it will be 
> "fresh" and contain only the result of the last attempt. It will be 
> clearer for everyone.
> On 21.09.2017 21:47, John Ellis wrote:
>> One more thing Andre. I don't know if it matters or not but when I 
>> try to access Tomcat 9 on the secure port of 8443
>>   I see it saying down in the bottom left hand corner of my browser- 
>> "Performing a TLS handshake to" but it never gives the 
>> webpage. However once I change the IP address to it 
>> immediately goes to the Tomcat 9 webpage.
>> John Ellis
>> 405.285.2500 office
>> -----Original Message-----
>> From: André Warnier (tomcat) []
>> Sent: Thursday, September 21, 2017 11:34 AM
>> To:
>> Subject: Re: tomcat ssl setup
>> On 21.09.2017 17:17, John Ellis wrote:
>>> OK. As I said there is nothing on line 87 but here is line 114-
>>> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"
>> I think you need to provide a bit more context then.
>> Can you paste here, say, that same line, but with 10 lines before and 
>> 10 lines after, and tell at which line number this starts in 
>> server.xml (so that we can compare with the log) ?
>> The error messages in the log were apparently about comments (between 
>> <!-- and -->), so if these lines are (or contain) comments, copy them anyway.
>>> John Ellis
>>> 405.285.2500 office
>>> -----Original Message-----
>>> From: André Warnier (tomcat) []
>>> Sent: Thursday, September 21, 2017 10:15 AM
>>> To:
>>> Subject: Re: tomcat ssl setup
>>> On 21.09.2017 16:43, John Ellis wrote:
>>>> Thanks so much for the quick reply Andre. There doesn't appear to 
>>>> be anything on line 87 but there is on line 114. See the screenshot 
>>>> I took of the server.xml file below-
>>> Unfortunately, this list strips most attachments, and in fact asks 
>>> for text-only messages.
>>> (and to avoid top-posting)
>>> See :  --> 
>>> Important
>>> Please paste the corresponding lines directly, as text, in your next 
>>> message.
>>>> John Ellis
>>>> 405.285.2500 office
>>>> -----Original Message-----
>>>> From: André Warnier (tomcat) []
>>>> Sent: Wednesday, September 20, 2017 10:41 AM
>>>> To:
>>>> Subject: Re: tomcat ssl setup
>>>> On 20.09.2017 17:07, John Ellis wrote:
>>>>    > All of what I have done so far has been in Tomcat version 9, which I
>>>>    > downloaded from the Apache Tomcat website. The way I start tomcat is
>>>>    > by running the command ./ from within the
>>>>    > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>>>    > command ./ from the same directory.
>>>>    >
>>>> Ok, perfect. So there is only one tomcat9 we can be talking about, 
>>>> and one server.xml file. And since this is a "standard tomcat", 
>>>> that server.xml must be in .. let me look at the logfile again) ..
>>>> 08-Sep-2017 10:05:02.911 INFO [main]
>>>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying 
>>>> web application directory 
>>>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>>> and considering this :
>>>> 08-Sep-2017 11:31:21.952 SEVERE [main] 
>>>> org.apache.tomcat.util.digester.Digester.fatalError
>>>> Parse Fatal Error at line 87 column 6: The content of elements must 
>>>> consist of well-formed character data or markup.
>>>>      org.xml.sax.SAXParseException; systemId:
>>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber:
>>>> 6; The content of elements must consist of well-formed character data or markup.
>>>> there is something on line 87, position 6, that he does not like.
>>>> And further down also :
>>>> 08-Sep-2017 13:17:36.947 SEVERE [main] 
>>>> org.apache.tomcat.util.digester.Digester.fatalError
>>>> Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
>>>>      org.xml.sax.SAXParseException; systemId:
>>>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber:
>>>> 6; The string "--" is not permitted within comments.
>>>> but maybe this is not in the server.xml file itself, but in
>>>> something else that the server.xml references there (like an external "XML
>>>> entity" or something).
>>>> Why don't you get those 2 lines from your server.xml and paste them here :
>>>> ...
>>>>    > John Ellis
>>>>    >
>>>>    > 405.285.2500 office
>>>>    >
>>>>    >
>>>>    >
>>>>    >
>>>>    >
>>>>    >
>>>>    >
>>>>    > -----Original Message-----
>>>>    > From: André Warnier (tomcat) []
>>>>    > Sent: Wednesday, September 20, 2017 10:02 AM
>>>>    > To: <>
>>>>    > Subject: Re: tomcat ssl setup
>>>>    >
>>>>    > On 20.09.2017 15:20, John Ellis wrote:
>>>>    >> Andre can you tell me which log file you are saying tells where the
>>>>    >> problem is?
>>>>    >
>>>>    > That's the one you uploaded to the dropbox :
>>>>    >
>>>>    > I have of course no idea at this point, which tomcat or which
>>>>    > server.xml this was related to, but I suppose you do.
>>>>    >
>>>>    >> I am not seeing it but I may not be even looking for the right thing. I
>>>>    >> did open the server.xml file up in an XML file editor program and it
>>>>    >> didn't give any errors.
>>>>    >
>>>>    > Then it must be that this tomcat who wrote the logfile, is not looking
>>>>    > at the same server.xml file than the one you're looking at.
>>>>    > (Or else your XML file editor is not really good)
>>>>    >
>>>>    > How do you start this tomcat, on your server ?
>>>>    > And where did you get this tomcat from ? Is it the one from the tomcat
>>>>    > website ?
>>>>    >
>>>>    >>
>>>>    >> John Ellis
>>>>    >>
>>>>    >> 405.285.2500 office
>>>>    >>
>>>>    >>
>>>>    >>
>>>>    >>
>>>>    >>
>>>>    >>
>>>>    >>
>>>>    >> -----Original Message-----
>>>>    >> From: André Warnier (tomcat) []
>>>>    >> Sent: Tuesday, September 19, 2017 3:47 PM
>>>>    >> To: <>
>>>>    >> Subject: Re: tomcat ssl setup
>>>>    >>
>>>>    >> On 19.09.2017 20:17, John Ellis wrote:
>>>>    >>> Here are the tomcat 9 log file DropBox links-
>>>>    >>>
>>>>    >>>
>>>>    >>
>>>>    >> Well, there you go. It tells you explicitly where you made the
>>>>    >> mistakes, up to the file and line numbers.
>>>>    >> I can't see your server.xml, but I would bet that you have modified
>>>>    >> it, by surrounding some XML comment sections by another comment pair
>>>>    >> <!-- ... --> That crashes because XML does not allow that.
>>>>    >> You cannot have this kind of thing :
>>>>    >>
>>>>    >> <!-- ... <!-- ... -->  -->
>>>>    >>
>>>>    >>
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>> Thanks,
>>>>    >>>
>>>>    >>> John Ellis
>>>>    >>>
>>>>    >>> 405.285.2500 office
>>>>    >>>
>>>>    >>> United States
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>> *From:*Alejandro Vargas M.
>>>>    >>> []
>>>>    >>> *Sent:* Tuesday, September 19, 2017 11:10 AM
>>>>    >>> *To:* 
>>>> <>
>>>>    >>> *Subject:* Re: tomcat ssl setup
>>>>    >>>
>>>>    >>> Do you see what's on the log files, they can tell you what's the
>>>>    >>> problem in. Maybe you can share those files too.
>>>>    >>>
>>>>    >>> I also saw on line 117 this "|  -->|"  Looks like there's left over.
>>>>    >>>
>>>>    >>> On 09/19/2017 09:31 AM, John Ellis wrote:
>>>>    >>>
>>>>    >>>       I have been trying to setup SSL for tomcat 9.00.M26 on a (version 6.4) server for
>>>>    >>>       testing purposes. I downloaded & installed Tomcat9 fine and I get a proper webpage on
>>>>    >>>       port 8080 but when I used the keytool commands and created a certificate from
>>>>    >>>       and then edited the server.xml file to setup the ssl configuration to run
>>>>    >>>       on port 8443 I cannot get a webpage on that port; it defaults back to port 8080. If I
>>>>    >>>       am not providing all the needed info or asking a wrong question please forgive me. I
>>>>    >>>       am not a programmer. My background is in computer hardware. I have just been forced to
>>>>    >>>       learn this to support two products that we use here in our office; Jira and
>>>>    >>>       Confluence. I have actually been working on setting them up for an SSL connection on a
>>>>    >>>       different server. I got Confluence working on a secure port but not Jira so my boss
>>>>    >>>       suggested troubleshooting the issue by trying to first get SSL setup for Tomcat on
>>>>    >>>       this other server.
>>>>    >>>
>>>>    >>>       I am providing a copy of the Tomcat9 server.xml file here on a DropBox link-
>>>>    >>>
>>>>    >>>
>>>>    >>>       Thanks in advance!
>>>>    >>>
>>>>    >>>       John Ellis
>>>>    >>>
>>>>    >>>       405.285.2500 office
>>>>    >>>
>>>>    >>>       United States
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>> --
>>>>    >>>
>>>>    >>>
>>>>    >>>
>>>>    >>> Alejandro Vargas Mayorga
>>>>    >>> */Development Manager, C.A. & C./*
>>>>    >>> *Tel. 506- 7232-3366*
>>>>    >>> *Visit our virtual classroom!*
>>>>    >>>
>>>>    >>
>>>>    >>
>>>>    >>

To unsubscribe, e-mail:
For additional commands, e-mail:
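
André's reading of the accumulated logfile can be automated: split the log into one record per server start, then flag any start that reported "Server startup" although a connector failed to initialise, which is the state where only plain-HTTP port 8080 answers. This Python sketch is an added example, not code from the thread or from Tomcat; the sample log is constructed from the lines quoted above (its last two lines are invented), and the function names are hypothetical.

```python
import re

# Constructed sample: log lines quoted in the thread, each rejoined onto one line.
# The last two lines are invented here to model "tomcat continues to initialise anyway".
SAMPLE_LOG = """\
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/9.0.0.M26
08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/9.0.0.M26
08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
08-Sep-2017 15:24:37.100 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Sep-2017 15:24:37.200 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 2311 ms
"""

# timestamp, level, [thread], logging source, message
LINE = re.compile(r"(\d{2}-\w{3}-\d{4} [\d:.]{12}) (\w+) \[[^\]]+\] (\S+) (.*)")


def split_runs(text):
    """Split an accumulated Tomcat log into one record per start of the server."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace and wrapped continuation lines carry no timestamp
        ts, level, source, msg = m.groups()
        if msg.startswith("Server version:") or not runs:
            runs.append({"begin": ts, "started": [], "failed": [],
                         "up": False, "parse_errors": []})
        run = runs[-1]
        if source.endswith("AbstractProtocol.start"):
            run["started"] += re.findall(r'\["([^"]+)"\]', msg)
        elif msg.startswith("Failed to initialize component"):
            run["failed"] += re.findall(r"Connector\[([^\]]+)\]", msg)
        elif msg.startswith("Server startup in"):
            run["up"] = True
        elif "Parse Fatal Error" in msg:
            # Second field True: logged after the server was already up, which the
            # thread attributes to the shutdown command re-reading server.xml.
            run["parse_errors"].append((ts, run["up"]))
    return runs


def degraded_runs(runs):
    """Runs that reported 'Server startup' although a connector failed to initialise."""
    return [r for r in runs if r["up"] and r["failed"]]


if __name__ == "__main__":
    for r in split_runs(SAMPLE_LOG):
        print(r["begin"], "started:", r["started"], "failed:", r["failed"],
              "parse errors:", r["parse_errors"])
    for r in degraded_runs(split_runs(SAMPLE_LOG)):
        print("WARNING", r["begin"], "came up without", r["failed"])
```
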

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to