James,

On 1/2/20 19:45, James H. H. Lampert wrote:
>>>>> Am I to understand that Tomcat 8.5.40 can use the ".cer,"
>>>>> ".ca.crt" and ".key" files directly, instead of the Java
>>>>> Keystore file?
> 
> On 12/30/19 1:41 PM, Peter Kreuser wrote:
>> Correct!
> 
> Great. Then if I can figure out how to get this thing
> 
> I'm studying the server under discussion, and I can't figure out
> what I did, some six months ago, to make Tomcat look like 443 to
> the outside world.
> 
> Here is what I do know:
> 
> * It's an AWS EC2 instance.
> 
> * There is no load balancer involved.
> 
> * The only active connector in server.xml has it listening on 8443,
> with a proxyPort clause specifying 443.
> 
> * If I do a netstat, I find that something is indeed listening on
> 8443, but nothing is listening on 443.
> 
> * If I look at the AWS console, if there is something translating
> 443 to 8443, I can't find it.
> 
> * If I do an "iptables -L," I get only column headings.
> 
> * There are evidently two copies of Apache httpd on the box, one
> of which evidently came with the OS, and the other of which
> evidently came with the Bitnami SVN/Trac stack. Only the latter
> copy is active. It is listening on ports 81 (unsecured, but blocked
> by the firewall) and 8000 (secured).
> 
> * If I open port 81 up to my own IP (in the AWS firewall), I can
> reach the same SVN/Trac landing page on unsecured port 81 that I
> can on secured port 8000.

Is perhaps the AWS firewall (which is a Load Balancer, right?)
redirecting the port?

Easy test (from the server):

$ telnet localhost 443

If it connects, you have something on the host making this work. If it
fails to connect, the 443 -> 8443 magic is outside the host itself.

Note that if you are using AWS load-balancer, AWS provides free
certificates that auto-renew; just configure them and you are done
forever.

Also, AWS will happily connect to an EC2 server with a self-signed
certificate, so there is no need to use Let's Encrypt for your
host-specific certificates. Just generate a long-lived self-signed
certificate and you are done for a while. You are still welcome to
rotate your certs as often as you'd like. The only reason to use Let's
Encrypt is if you want OTHER clients to trust your own certificate.

> * Tomcat is running completely independently of the active httpd:
> if I shut down the active httpd, Tomcat still responds.
> 
> * I was able to find the apache VirtualHost configurations (in a
> file called bitnami.conf, naturally), and by replacing the one for
> port 81 with (and once again, domain names have been changed to
> protect the innocent):
>> <VirtualHost _default_:81>
>>     ServerName foo.bar.net
>>     Redirect permanent / https://foo.bar.net:8000/
>> </VirtualHost>
> the unsecured Port 81 now redirects to 80. Conversely, if I leave
> out the :8000 it redirects to the Tomcat server.
> 
> * Like a complete and utter idiot, I left no notes whatsoever about
> how I set this thing up in the first place. Probably because I
> didn't fully understand what I'd done, or how.
> 
> * Just as it was when I *was* setting this thing up in the first
> place, httpd configuration files (that can be all over the place)
> make me long for the simplicity of Tomcat configuration files.
> 
> I *think* I can *probably* get Apache (and a cron job running
> certbot) on Let's Encrypt, and Tomcat using its certs (and a cron
> job reloading them), without understanding what I'd done to get
> Tomcat showing up on 443 to the outside world, but it would be nice
> if I *did* understand what I'd done.

Let me know about the Load-Balancer. That's probably the piece of the
puzzle you aren't looking at quite yet.

-chris

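Added example, not part of the thread above: a small POSIX shell script that automates the "is the 443 -> 8443 magic on the host or outside it" question Chris poses. It checks two things `netstat` and a plain `iptables -L` do not tell you: whether anything listens on 443 at all, and whether the nat table (which `iptables -L` never shows, because it lists only the filter table) carries a REDIRECT rule from 443 to 8443. The `ss -ltn` listing and the `iptables -t nat -S PREROUTING` rules embedded below are constructed sample data, and the function names are mine; the script also accepts `--live` to run against the real commands on a box.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide where a 443 -> 8443
# translation lives. Three possible answers:
#   local-listener  - something on the host really binds 443
#   nat-redirect    - an iptables REDIRECT/DNAT in the nat table rewrites 443 -> 8443
#   outside-host    - neither; look at an AWS load balancer or other external hop

# Constructed sample of `ss -ltn` output (nothing on 443, Tomcat on 8443).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100          0.0.0.0:8443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:81         0.0.0.0:*
LISTEN 0      128          0.0.0.0:8000       0.0.0.0:*'

# Constructed sample of `iptables -t nat -S PREROUTING` output. `iptables -L`
# prints only the filter table, so a rule like this is invisible to it.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

# listening_on PORT LISTING: exit 0 if LISTING (ss -ltn format) shows a
# LISTEN socket on PORT. Handles IPv4 "0.0.0.0:443" and IPv6 "[::]:443".
listening_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# list_redirects RULES: print "from:to" for every REDIRECT rule in RULES
# (iptables -S format).
list_redirects() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ {
            from = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")    from = $(i + 1)
                if ($i == "--to-ports") to   = $(i + 1)
            }
            if (from != "" && to != "") print from ":" to
        }'
}

# where_is_port PORT LISTING RULES: print one of the three answers above.
where_is_port() {
    port="$1"
    if listening_on "$port" "$2"; then
        echo "local-listener:$port"
        return 0
    fi
    redir=$(list_redirects "$3" | awk -F: -v p="$port" '$1 == p { print $2; exit }')
    if [ -n "$redir" ]; then
        echo "nat-redirect:$port:$redir"
    else
        echo "outside-host:$port"
    fi
}

# Stand-alone run: `sh check443.sh --live` uses the real commands (needs root
# for the nat table); anything else uses the constructed samples.
if [ "${1:-}" = "--live" ]; then
    where_is_port 443 "$(ss -ltn 2>/dev/null)" "$(iptables -t nat -S PREROUTING 2>/dev/null)"
else
    where_is_port 443 "$SAMPLE_SS" "$SAMPLE_NAT_RULES"
fi
```

With the sample data the answer is `nat-redirect:443:8443`, which is exactly the configuration that matches James's symptoms (8443 listening, nothing on 443, an empty `iptables -L`). If the live run reports `outside-host:443`, also check `nft list ruleset` on newer distributions before concluding the translation is on the AWS side; a security group can only allow or deny a port, it cannot rewrite one, so an external 443 -> 8443 mapping implies a load balancer or similar hop in front of the instance.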