Jump to content

Setting up https


Go to solution Solved by ewong,

Recommended Posts

  • Most Valued Members
Posted

Hi,

I have followed https://support.eset.com/en/kb7857-set-up-an-https-ssl-connection-for-eset-protect-linux but I'm finding it confusing because the server.xml changes for an Existing Certificate vs. a New certificate are different.

I am creating a new certificate and have changed the server.xml to include the following:

Quote

<Connector server="OtherWebServer" port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat/tomcat.keystore" keystorePass="yourpassword"/>

After saving, and restarting tomcat,  I still can't use https.  I used iptables to open the port 8445.

Quote

iptables -A INPUT -p tcp -m tcp --dport 8445 -j ACCEPT

That didn't work.  So I changed SELinux to Permissive.

No go.  I took a look at netstat, and 8445 is certainly opened.

Going to https://<ip>:8445/era/webconsole  gives me a timeout error. 

At this point, I'm somewhat stumped.  So i took a look at the tomcat logs and came across:

Quote

      org.apache.catalina.LifecycleException: Protocol handler start failed
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1042)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:450)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:922)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
        Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:271)
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1039)
                ... 12 more

 

Which after searching, gave me the result of changing the following:

Quote

<Connector port="8009" protocol="AJP/1.3" redirectPort="8448" secretRequired="false" />

 

I added the secretRequired="false"   and that "fixed" the issue (but from my search, it wasn't a good idea.. but at this point, I just want it to work.

19-Sep-2023 13:34:01.992 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
19-Sep-2023 13:34:02.266 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
19-Sep-2023 13:34:02.298 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8448"]
19-Sep-2023 13:34:02.608 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8448], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/etc/tomcat/tomcat.keystore] using alias [tomcat] with trust store [null]
19-Sep-2023 13:34:02.611 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
19-Sep-2023 13:34:02.612 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [806] milliseconds
19-Sep-2023 13:34:02.638 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
19-Sep-2023 13:34:02.639 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.80]
19-Sep-2023 13:34:02.663 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/era.war]
19-Sep-2023 13:34:07.690 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
19-Sep-2023 13:34:08.506 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server starting...
19-Sep-2023 13:34:08.507 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server Version: 10.1.277.0
19-Sep-2023 13:34:08.512 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_certificates=all
19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_address=localhost
19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_port=2223
19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: remote_address_source=connection
19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: HSTS_enable=no value loaded
19-Sep-2023 13:34:08.521 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: file_size_limit=20
19-Sep-2023 13:34:08.523 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server has started.

 

Now I have no idea what to do.  I can go back to 8080 for now. 

Which also makes me wonder since I thought the following lines:

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8448" />

Wouldn't it redirect to port 8448 when I go to http://<serverIP>:8080/era/webconsole?

 

Any help appreciated

Thanks

 

Ed

  • Marcos changed the title to Setting up https
  • Administrators
Posted

Please raise a support ticket for help with troubleshooting the issue.

  • Most Valued Members
  • Solution
Posted

I was about to ping your support personnel; but I think I solved this issue.

The problem was indeed the firewall.  Unfortunately, not being familiar with CentOS7, I had thought it was using iptables; but it was actually using firewalld.  

After doing the following command:

firewa

sudo firewall-cmd --zone=public --add-port=8445/tcp

It now works.

 

Ed

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...