Daniel Ef

Reputation: 75

Tomcat Doesn't Serve the SSL

This is the server.xml file:

<Connector port="8443" maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" 
           acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
           keystoreFile="/etc/apache2/sites-available/ssl/sample.jks" keystorePass="*****" protocol="org.apache.coyote.http11.Http11NioProtocol"
            SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/etc/apache2/sites-available/ssl/sample.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

and this is the Tomcat config file in apache/sites-enabled:

<VirtualHost *:80>

    ProxyPreserveHost On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

</VirtualHost>

<VirtualHost *:443>

    ProxyPreserveHost On

    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

</VirtualHost>

but my domain on the HTTPS protocol shows nothing,

and on port 80 the server returns 503 Service Unavailable.

Upvotes: 0

Views: 231

Answers (1)

Olaf Kock

Reputation: 48057

The only connector that you show for your server.xml is for port 8443, but your Apache httpd connects to 8080 - if there's nothing listening on 8080, a 503 answer is reasonable.

The 443 VirtualHost configuration is the shortest that I've ever seen for a VirtualHost that's supposed to serve TLS: You're not using any of the encryption-related directives, e.g. key/certificate location, allowed algorithms etc. That's a good reason to show nothing - as no TLS connection can be established, not even an error message can be shown.

Recommendation: Start proxying to Tomcat via http, and only when that is running for every aspect, attempt to proxy to Tomcat's https. It will involve:

  • On the Tomcat side you'll need a key/certificate for localhost. As no established CA will provide that, you'll have to go self-signed
  • On the httpd side, you'll need to explicitly trust the self-signed certificate

On top of that: I'd just use the port-80 VirtualHost to unconditionally redirect to https and not even worry about serving any content there.

Upvotes: 2
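The httpd side of the recommendation above, written out as an added example (not configuration from the question or the answer). It assumes server.xml also has a plain HTTP Connector on port 8080, that the hostname is example.com, and that the certificate and key paths are placeholders to be replaced with the real files; mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be enabled.

```apache
# Port 80: unconditionally redirect to https, serve no content here.
<VirtualHost *:80>
    # placeholder hostname
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# Port 443: httpd terminates TLS itself (the directives the original
# VirtualHost was missing), then proxies to Tomcat over plain HTTP
# on 8080. Nothing listening on 8080 is what produces the 503.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    # placeholder paths: the certificate/key issued for example.com
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPreserveHost On
    ProxyRequests Off
    # Let Tomcat know the client scheme was https, so redirects and
    # secure cookies it generates are correct behind the proxy.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Second step, only once the http backend works end to end:
    # proxy to Tomcat's own TLS connector on 8443. Tomcat's cert for
    # localhost will be self-signed, so httpd must be told to trust it
    # explicitly (placeholder path). Replace the two ProxyPass lines
    # above with the ones below and uncomment the SSLProxy directives.
    #SSLProxyEngine On
    #SSLProxyCACertificateFile /etc/apache2/sites-available/ssl/tomcat-localhost.crt
    #SSLProxyCheckPeerName on
    #ProxyPass        / https://localhost:8443/
    #ProxyPassReverse / https://localhost:8443/
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading; if the SSLProxy block is enabled, the file it points to must contain the exact self-signed certificate Tomcat presents for localhost, or mod_proxy will refuse the backend handshake.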
