________________________________
From: Pid <p...@pidster.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Friday, December 16, 2011 12:35:24 PM
Subject: Re: Change Default SSL port on Tomcat
On 16/12/2011 08:47, Blaxton wrote:
>
> ________________________________
> From: Pid * <p...@pidster.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Friday, December 16, 2011 10:59:02 AM
> Subject: Re: Change Default SSL port on Tomcat
>
> On 16 Dec 2011, at 03:28, Blaxton <blaxx...@yahoo.com> wrote:
>
>> Hi
>>
>> Apache 2.2 is connected to Tomcat 6.0.29 through mod_jk and all works fine.
>>
>> I uncommented the Connector on port 8443 and, by adding the required fields in web.xml,
>> accessing secured pages is forwarded to https on port 8443,
>> but when I change the port from 8443 to 443, the same URL that was
>> working with 8443 gives "Secure Connection Failed".
>>
>> Is there anything else I need to do to change the default SSL port?
>>
>>
>> I did the following steps to change the SSL port from the Tomcat default to 443 but got
>>
>>
>> 1- Generated /root/.keystore with following command:
>> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
>>
>>
>> 2- then uncommented following lines in server.xml
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLS" />
>
> Did you add the keystore to the connector?
>
>
> p
>
>>
>> 3- <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
>>
>>
>> 4- Restarted Tomcat
>
>
> Yes, I did add the keystore to the connector as well and it didn't work either.
> As a matter of fact I followed the following link step by step:
>
> http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
>
> With the keystore placed in the Connector, I get the following error in the browser:
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)
>
> and nothing shows up in mod_jk.log
>
> With no keystore and the default port 8443 in all Connectors, either AJP
> or SSL, everything works fine: I get the certificate
> from the secured page and am forwarded to https. But as soon as I change
> the AJP Connector redirectPort to 443, I get the following error
> in the mod_jk.log file:
>
> Secure Connection Failed
> An error occurred during a connection to mydomain.com.
> Peer's certificate has an invalid signature.
>
> With the following config:
> Connector port="8443" and
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
> the following error shows up in the mod_jk.log file:
> connecting to back end failed. Tomcat is probably not started or is listening
> on the wrong port (errno=61)
>
> Again and finally, with
> Connector port="8443" and
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> everything works fine and I am forwarded to secure http with no problem.
>
> I think this has to do with mod_jk; it is mod_jk that cannot connect
> to port 443 when the default port is changed to 443.
>
> To make sure, I added the required JkMount /* to vhost1_httpd.conf for port
> 443 as well.
>
> One question: according to the following URL:
>
> To define a Java (JSSE) connector, regardless of whether the APR library
> is loaded or not do:
> I need to have one of the following in the server.xml file:
>
>
> <!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> port="8443" .../>
>
> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="8443" .../>
>
> I added the following lines to server.xml:
>
> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" />
>
> but this time the browser shows:
> The connection was interrupted
>
> and nothing shows up in mod_jk.log.
Sorry, I read this on my phone and missed the first bit.
If you're using mod_jk/AJP then you do the SSL decoding before sending
traffic to Tomcat.
HTTPD:80  -->
              Tomcat:8009
HTTPD:443 -->
You should configure SSL on HTTPD instead.
p
Thank you pid,
I looked in catalina.out and found a "port 443 already in use" error,
and I had Listen 443 in Apache, so I removed it and now Tomcat
comes up and all is good.
I am not sure if it is better to serve SSL and https through Tomcat or Apache?
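Pid's recommended layout (httpd terminates SSL on 443 and forwards over AJP to Tomcat:8009) and the collision Blaxton found in catalina.out (port 443 already in use, because both httpd's `Listen 443` and a Tomcat connector claimed it) can both be checked from the configuration files before either server is restarted. The script below is an added example; it is not code from this thread, from the Tomcat project or from Apache httpd. The httpd.conf and server.xml contents it writes are constructed samples, every path in it is hypothetical, and the function names (`httpd_ports`, `tomcat_ports`, `port_conflicts`, `redirect_served_by_httpd`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the TCP ports that httpd's
# "Listen" directives and Tomcat's <Connector port="..."> elements would bind,
# so a "port 443 already in use" collision is caught before either server
# starts. All file contents below are constructed samples; paths are hypothetical.

# Ports httpd binds: "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443 https"
httpd_ports() {
    grep -Ei '^[[:space:]]*Listen[[:space:]]' "$1" | awk '{print $2}' \
      | sed -E 's/.*:([0-9]+)$/\1/' | sort -un
}

# One <Connector> per line with XML comments removed, so a commented-out
# connector is not counted and attributes split over lines stay together.
connector_tags() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g' \
      | tr '<' '\n' | grep -E '^Connector[[:space:]]'
}

# Ports Tomcat binds: the port="..." attribute of every live <Connector>.
# redirectPort="..." is deliberately not matched; Tomcat never binds it.
tomcat_ports() {
    connector_tags "$1" | grep -Eo '[[:space:]]port="[0-9]+"' \
      | grep -Eo '[0-9]+' | sort -un
}

# Where the AJP connector sends a client that hits a CONFIDENTIAL constraint
ajp_redirect_port() {
    connector_tags "$1" | grep -E 'AJP/1\.3' \
      | grep -Eo 'redirectPort="[0-9]+"' | grep -Eo '[0-9]+' | head -n 1
}

# Exit 0 if no port is claimed by both servers; otherwise list each clash
port_conflicts() {
    httpd_list=$(httpd_ports "$1")
    clashes=0
    for p in $(tomcat_ports "$2"); do
        if printf '%s\n' "$httpd_list" | grep -qx "$p"; then
            echo "conflict: both httpd and Tomcat would bind port $p"
            clashes=$((clashes + 1))
        fi
    done
    [ "$clashes" -eq 0 ]
}

# With SSL terminated at httpd, Tomcat's redirectPort must be a port httpd
# listens on, or the https redirect lands on nothing (and mod_jk.log stays empty).
redirect_served_by_httpd() {
    rp=$(ajp_redirect_port "$2")
    [ -n "$rp" ] && httpd_ports "$1" | grep -qx "$rp"
}

TMP=${TMPDIR:-/tmp}/ssl-port-check.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed sample 1: httpd "Listen 443" plus a Tomcat SSL connector on 443
cat > "$TMP/httpd-conflict.conf" <<'EOF'
Listen 80
Listen 443
<VirtualHost *:443>
    SSLEngine on
    JkMount /* ajp13
</VirtualHost>
EOF
cat > "$TMP/server-conflict.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
</Service>
EOF

# Constructed sample 2: httpd terminates SSL and fronts Tomcat over AJP only;
# the Tomcat SSL connector stays commented out and redirectPort names httpd's 443
cat > "$TMP/httpd-ok.conf" <<'EOF'
Listen 80
Listen 0.0.0.0:443
<VirtualHost *:443>
    SSLEngine on
    JkMount /* ajp13
</VirtualHost>
EOF
cat > "$TMP/server-ok.xml" <<'EOF'
<Service name="Catalina">
  <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                  scheme="https" secure="true" sslProtocol="TLS" /> -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
</Service>
EOF

echo "== sample 1 (both servers claim 443) =="
port_conflicts "$TMP/httpd-conflict.conf" "$TMP/server-conflict.xml" || true
echo "== sample 2 (SSL on httpd, AJP to Tomcat) =="
port_conflicts "$TMP/httpd-ok.conf" "$TMP/server-ok.xml" && echo "no port conflicts"
redirect_served_by_httpd "$TMP/httpd-ok.conf" "$TMP/server-ok.xml" \
  && echo "redirectPort $(ajp_redirect_port "$TMP/server-ok.xml") is served by httpd"
```

Run it as-is to see both samples; to check a live installation, point `port_conflicts` and `redirect_served_by_httpd` at the real httpd.conf and server.xml. The checks are purely textual: `Listen` directives pulled in through `Include` files, or connector ports set through Tomcat property substitution, are not seen, so treat a clean result as a first pass rather than proof that the bind will succeed.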