Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" and ".key" 
files directly, instead of the Java Keystore file?

On 12/30/19 1:41 PM, Peter Kreuser wrote:
Correct!

Great. Then if I can figure out how to get this thing

I'm studying the server under discussion, and I can't figure out what I did, some six months ago, to make Tomcat look like 443 to the outside world.

Here is what I do know:
* It's an AWS EC2 instance.

* There is no load balancer involved.

* The only active connector in server.xml has it listening on 8443, with a proxyPort clause specifying 443.

* If I do a netstat, I find that something is indeed listening on 8443, but nothing is listening on 443.

* If I look at the AWS console, if there is something translating 443 to 8443, I can't find it.

* If I do an "iptables -L," I get only column headings.

* There are evidently two copies of Apache httpd on the box, one of which evidently came with the OS, and the other of which evidently came with the Bitnami SVN/Trac stack. Only the latter copy is active. It is listening on ports 81 (unsecured, but blocked by the firewall) and 8000 (secured).

* If I open port 81 up to my own IP (in the AWS firewall), I can reach the same SVN/Trac landing page on unsecured port 81 that I can on secured port 8000.

* Tomcat is running completely independently of the active httpd: if I shut down the active httpd, Tomcat still responds.

* I was able to find the apache VirtualHost configurations (in a file called bitnami.conf, naturally), and by replacing the one for port 81 with (and once again, domain names have been changed to protect the innocent):
<VirtualHost _default_:81>
 ServerName foo.bar.net
 Redirect permanent / https://foo.bar.net:8000/
</VirtualHost>
the unsecured Port 81 now redirects to 80. Conversely, if I leave out the :8000 it redirects to the Tomcat server.

* Like a complete and utter idiot, I left no notes whatsoever about how I set this thing up in the first place. Probably because I didn't fully understand what I'd done, or how.

* Just as it was when I *was* setting this thing up in the first place, httpd configuration files (that can be all over the place) make me long for the simplicity of Tomcat configuration files.

I *think* I can *probably* get Apache (and a cron job running certbot) on Let's Encrypt, and Tomcat using its certs (and a cron job reloading them), without understanding what I'd done to get Tomcat showing up on 443 to the outside world, but it would be nice if I *did* understand what I'd done.

--
James H. H. Lampert

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
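A worked server.xml connector for the arrangement Peter confirmed above (PEM files instead of a JKS keystore, listening on 8443 while reporting 443), added here as an editorial example rather than anything taken from either poster's server. The mapping of the thread's ".cer", ".ca.crt" and ".key" files onto Let's Encrypt's cert.pem, chain.pem and privkey.pem, the file paths, the hostname and the 8443/443 pair are assumptions chosen to match the discussion:

```xml
<!-- Editorial example, not the original poster's server.xml.
     Tomcat 8.5 reads PEM-encoded cert/key files directly through
     SSLHostConfig/Certificate; the files must be PEM (Base64 with
     -----BEGIN ... ----- markers), not DER. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           proxyPort="443"
           maxThreads="150" connectionTimeout="20000">
  <!-- TLS policy: no TLSv1/TLSv1.1, server picks the cipher order -->
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
    <!-- Assumed Let's Encrypt layout; substitute the real paths.
         privkey.pem is the ".key", cert.pem the ".cer",
         chain.pem the ".ca.crt" from the thread. -->
    <Certificate certificateKeyFile="/etc/letsencrypt/live/foo.bar.net/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/foo.bar.net/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/foo.bar.net/chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Two caveats a practitioner would want here. First, proxyPort="443" only changes what Tomcat reports to applications and puts into redirect URLs (request.getServerPort(), Location headers); it does not make anything listen on 443. Something outside Tomcat still has to deliver 443 traffic to 8443, and a plain "iptables -L" inspects only the filter table, so a PREROUTING REDIRECT in the nat table would not show up there; "iptables -t nat -L -n" (or "iptables-save") is the place to look for such a rule. Second, the private key file should be readable only by the account Tomcat runs as, and because Tomcat reads these files at startup, a certbot renewal needs a Tomcat restart (or, on 8.5 releases that expose it, the reloadSslHostConfigs operation on the connector's protocol handler over JMX) before the new certificate is served.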
