Josh,

On 8/11/2009 4:47 PM, Josh Gooding wrote:
> ok back to the topic at hand here. I have removed httpd from my server,
> installed APR, and have gotten my cert file from my hosting company. it is
> in pfx format. Now I found some information on the net:
>
> http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html
>
> It was saying that I can just use the pfx file with tomcat 5.5, so I put the
> file in my $CATALINA_HOME directory just as a test, modified my server.xml
> file to accept SSL:
>
> <Connector protocol="HTTP/1.1"
>            port="443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="C:/Program Files/[*****]/apache-tomcat-6.0.18/[*****].com.pfx"
>            keystorePass="[*************]" keystoreType="pkcs12"
>            clientAuth="false" sslProtocol="TLS" />
>
> and.... blamo I get these exceptions:

Not surprising. Read the documentation for the APR connector:

http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Specifically, search for the term "certificate".

First of all, your SSL configuration is completely wrong for use with APR.
You don't use keystoreFile, keystorePass, and keystoreType. Even if you did,
telling Java that the keystore is actually a PKCS12 keystore while providing
it a PFX-encoded SSL certificate should have tipped you off that something
was amiss.

If you were previously following the standard SSL documentation
(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html), you should have
seen this note at the top of the file:

"
IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR, Tomcat
will use OpenSSL, which uses a different configuration.
"

What you want is SSLCertificateFile and friends. SSLCertificateFile is
documented to only accept certificates in PEM format.

Check out this page for some tricks for converting your certificate files
using openssl:

http://eoc.eu-eela.eu/doku.php?id=manipulate_your_certificate

There is also a Java tool that can do things like this called Portecle
(http://portecle.sourceforge.net/) if you don't have openssl handy.

> and these to boot.... says it cannot bind to port 443 (or 8443 either)
>
> Aug 11, 2009 4:13:51 PM org.apache.coyote.http11.Http11AprProtocol start
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> socket address (protocol/network address/port) is normally permitted.

Do you have multiple <Connector> elements specified? If so, check all the
port numbers. If not, make sure that Tomcat isn't already running. If it's
not, make sure Apache httpd isn't running :) Finally, make sure IIS isn't
running or using those ports.

> So it looks like I cannot use a pfx file with tomcat 6.0.18.

You should be able to, just not with the APR connector because openssl
doesn't grok PKCS12/PFX.

> Am I able to use the pfx file with tomcat 6?

Yes, just not with the APR connector.

> The socket bind issue I have no clue, it
> looks like something is already running on port 443, but that is
> impossible.

Really? Try running 'netstat' to find out who is bound to port 443 (or 8443).

> I only have the tomcat server running, IIS is disabled and
> httpd has been removed from the system completely. I also tried port 8443
> but I am getting the same error message.
netstat -a -b -n -o | find "443"

(make sure you're an administrator or you'll get no output)

Hope that helps,
-chris
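The conversion Chris points at, worked through as an added example that is not part of the original thread: a PFX/PKCS12 bundle is split with openssl into the PEM certificate, key and chain files that the APR connector's SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile attributes take (the latter two attribute names come from the Tomcat APR connector documentation, not from the thread). It assumes the openssl command-line tool is installed; the PFX it converts is a constructed throwaway self-signed bundle standing in for the one from the hosting company, and the password "changeit" is likewise made up for the demo.

```shell
#!/bin/sh
# Added example (not from the Tomcat thread): turn a PFX/PKCS12 bundle into
# the PEM files the APR/OpenSSL connector expects. Assumes the openssl CLI.
set -e

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"   # constructed password for the demo bundle

# Build a throwaway PFX from a self-signed cert so the script runs offline.
# In practice you would use the bundle your hosting company sent you.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/site.pfx"
    echo "$WORK/site.pfx"
}

# pfx_to_pem <bundle.pfx> <password> <outdir>
# Writes cert.pem (the server certificate only), chain.pem (any CA certs in
# the bundle; empty for a self-signed cert) and key.pem (the private key,
# unencrypted, so it is created with owner-only permissions).
pfx_to_pem() {
    pfx="$1"; pass="$2"; out="$3"
    mkdir -p "$out"
    umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/cert.pem" 2>/dev/null
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
        -out "$out/chain.pem" 2>/dev/null
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/key.pem" 2>/dev/null
}

# Sanity check before touching server.xml: the certificate's RSA modulus must
# equal the key's, otherwise the connector will fail to start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Demo driver: convert the constructed bundle and print the matching
# <Connector> fragment (attribute names per the APR connector docs).
pfx_to_pem "$(make_demo_pfx)" "$PFX_PASS" "$WORK/pem"
cert_matches_key "$WORK/pem/cert.pem" "$WORK/pem/key.pem" \
    && echo "certificate and key match"
cat <<EOF
<Connector protocol="HTTP/1.1" port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="$WORK/pem/cert.pem"
           SSLCertificateKeyFile="$WORK/pem/key.pem"
           SSLCertificateChainFile="$WORK/pem/chain.pem" />
EOF
```

Because key.pem leaves the bundle unencrypted, the umask keeps it readable only by the account that runs the conversion; the Tomcat service account needs read access to it and nothing else does.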