ewong (Most Valued Members), posted September 19, 2023

Hi,

I have followed https://support.eset.com/en/kb7857-set-up-an-https-ssl-connection-for-eset-protect-linux but I'm finding it confusing because the server.xml changes for an Existing Certificate vs. a New certificate are different. I am creating a new certificate and have changed the server.xml to include the following:

    <Connector server="OtherWebServer" port="8445"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/tomcat/tomcat.keystore" keystorePass="yourpassword"/>

After saving and restarting tomcat, I still can't use https. I used iptables to open port 8445:

    iptables -A INPUT -p tcp -m tcp --dport 8445 -j ACCEPT

That didn't work, so I changed SELinux to Permissive. No go. I took a look at netstat, and 8445 is certainly open. Going to https://<ip>:8445/era/webconsole gives me a timeout error. At this point, I'm somewhat stumped.
So I took a look at the tomcat logs and came across:

    org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1042)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:450)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:922)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
        at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:271)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1039)
        ... 12 more

which, after searching, gave me the result of changing the following:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8448" secretRequired="false" />

I added the secretRequired="false" and that "fixed" the issue (from my search it wasn't a good idea, but at this point I just want it to work).

    19-Sep-2023 13:34:01.992 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
    19-Sep-2023 13:34:02.266 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
    19-Sep-2023 13:34:02.298 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8448"]
    19-Sep-2023 13:34:02.608 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8448], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/etc/tomcat/tomcat.keystore] using alias [tomcat] with trust store [null]
    19-Sep-2023 13:34:02.611 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
    19-Sep-2023 13:34:02.612 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [806] milliseconds
    19-Sep-2023 13:34:02.638 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
    19-Sep-2023 13:34:02.639 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.80]
    19-Sep-2023 13:34:02.663 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/era.war]
    19-Sep-2023 13:34:07.690 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
    19-Sep-2023 13:34:08.506 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server starting...
    19-Sep-2023 13:34:08.507 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server Version: 10.1.277.0
    19-Sep-2023 13:34:08.512 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_certificates=all
    19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_address=localhost
    19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_port=2223
    19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: remote_address_source=connection
    19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: HSTS_enable=no value loaded
    19-Sep-2023 13:34:08.521 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: file_size_limit=20
    19-Sep-2023 13:34:08.523 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server has started.

Now I have no idea what to do. I can go back to 8080 for now. Which also makes me wonder, since I thought the following line:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8448" />

wouldn't it redirect to port 8448 when I go to http://<serverIP>:8080/era/webconsole?

Any help appreciated.

Thanks,
Ed
Marcos (Administrators), posted September 19, 2023

Please raise a support ticket for help with troubleshooting the issue.
ewong (Author, Most Valued Members), posted September 19, 2023 (marked as Solution)

I was about to ping your support personnel, but I think I solved this issue. The problem was indeed the firewall. Unfortunately, not being familiar with CentOS 7, I had thought it was using iptables, but it was actually using firewalld. After running the following command:

    sudo firewall-cmd --zone=public --add-port=8445/tcp

it now works.

Ed
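The thread's three failure modes (browser timeout because firewalld dropped the SYN, a connector that never started because of the AJP secretRequired error, and a port that answers plain HTTP instead of TLS) each look different on the wire. The following probe, an added example that is not from the thread or from ESET, classifies an HTTPS endpoint by which error it gets; host and port are assumed inputs, and the two loopback helpers only exist to exercise the probe offline.

```python
"""Added diagnostic (not from the thread): say why https://host:port is failing.
Host and port are assumed inputs; nothing here changes any server or firewall."""
import socket
import ssl
import threading

HINTS = {
    "ok": "TLS handshake completed: the connector is up and reachable.",
    "timeout": "No answer to TCP connect: packets are dropped. Check firewall-cmd --list-ports (and add --permanent so the rule survives reload), SELinux, routing.",
    "refused": "Host reachable but nothing listens: the connector did not start. Look for 'Protocol handler start failed' in the tomcat log.",
    "tls_error": "Port answers but not with TLS: the plain HTTP connector (8080), or one lacking SSLEnabled=\"true\".",
    "unreachable": "No route to host: wrong address or network problem, not a tomcat issue.",
}

def probe_https(host: str, port: int, timeout: float = 5.0) -> dict:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # reachability check: a self-signed keystore cert must not fail it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    status, detail = "ok", tls.version()
            except (ssl.SSLError, ConnectionError, socket.timeout) as exc:
                status, detail = "tls_error", exc.__class__.__name__  # TCP open, TLS handshake failed
    except ConnectionRefusedError:
        status, detail = "refused", ""  # RST came back: host up, port closed
    except socket.timeout:
        status, detail = "timeout", ""  # SYN silently dropped: the thread's symptom
    except OSError as exc:
        status, detail = "unreachable", str(exc)
    return {"status": status, "detail": detail, "hint": HINTS[status]}

def closed_loopback_port() -> int:
    """Test helper: a loopback port with nothing listening (bound, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def plain_http_listener() -> int:
    """Test helper (constructed): loopback server answering any bytes with HTTP 400, as the plain 8080 connector would."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run probe_https("<serverIP>", 8445) from the client machine, not on the server itself: a loopback probe bypasses firewalld and would report "ok" even while remote clients still time out.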