Setting up https


ewong

Hi,

I have followed https://support.eset.com/en/kb7857-set-up-an-https-ssl-connection-for-eset-protect-linux but I'm finding it confusing because the server.xml changes for an Existing Certificate vs. a New certificate are different.

I am creating a new certificate and have changed the server.xml to include the following:

Quote

<Connector server="OtherWebServer" port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat/tomcat.keystore" keystorePass="yourpassword"/>

After saving and restarting tomcat, I still can't use https. I used iptables to open port 8445.

Quote

iptables -A INPUT -p tcp -m tcp --dport 8445 -j ACCEPT

That didn't work. So I changed SELinux to Permissive.

No go. I took a look at netstat, and 8445 is certainly open.

Going to https://<ip>:8445/era/webconsole gives me a timeout error.

At this point, I'm somewhat stumped. So I took a look at the tomcat logs and came across:

Quote

      org.apache.catalina.LifecycleException: Protocol handler start failed
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1042)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:450)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:922)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
        Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:271)
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1039)
                ... 12 more


Which, after searching, gave me the result of changing the following:

Quote

<Connector port="8009" protocol="AJP/1.3" redirectPort="8448" secretRequired="false" />


I added the secretRequired="false" and that "fixed" the issue (but from my search, it wasn't a good idea... at this point, I just want it to work).

19-Sep-2023 13:34:01.992 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
19-Sep-2023 13:34:02.266 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
19-Sep-2023 13:34:02.298 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8448"]
19-Sep-2023 13:34:02.608 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8448], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/etc/tomcat/tomcat.keystore] using alias [tomcat] with trust store [null]
19-Sep-2023 13:34:02.611 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
19-Sep-2023 13:34:02.612 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [806] milliseconds
19-Sep-2023 13:34:02.638 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
19-Sep-2023 13:34:02.639 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.80]
19-Sep-2023 13:34:02.663 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/opt/tomcat/webapps/era.war]
19-Sep-2023 13:34:07.690 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
19-Sep-2023 13:34:08.506 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server starting...
19-Sep-2023 13:34:08.507 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server Version: 10.1.277.0
19-Sep-2023 13:34:08.512 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_certificates=all
19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_address=localhost
19-Sep-2023 13:34:08.513 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: server_port=2223
19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: remote_address_source=connection
19-Sep-2023 13:34:08.520 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: HSTS_enable=no value loaded
19-Sep-2023 13:34:08.521 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] Loaded config value: file_size_limit=20
19-Sep-2023 13:34:08.523 INFO [main] sk.eset.era.g2webconsole.server.modules.logger.LoggerWithPrefix.info [] ERA Web Server has started.


Now I have no idea what to do. I can go back to 8080 for now.

Which also makes me wonder, since I thought that with the following lines:

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8448" />

Wouldn't it redirect to port 8448 when I go to http://<serverIP>:8080/era/webconsole?


Any help appreciated

Thanks


Ed
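The post above touches two server.xml problems that are easy to miss by eye: an AJP connector that no longer requires a secret, and an HTTP connector whose redirectPort (8448) points at a port where no SSLEnabled connector is listening (the HTTPS connector was put on 8445). The following audit script is an added example, not part of the original post or of ESET's or Tomcat's tooling; the sample server.xml is constructed from the three Connector lines quoted above, the finding names are my own, and treating an unset AJP address as loopback is an assumption based on the Tomcat 9.0.31+ default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three Connector lines quoted in the post, placed in
# one minimal server.xml skeleton. It is not the poster's real file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8448" />
    <Connector server="OtherWebServer" port="8445"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/tomcat/tomcat.keystore" keystorePass="yourpassword"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8448" secretRequired="false" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(xml_text):
    """Return [(port, finding)] for every Connector in a server.xml string."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    # Ports on which an SSLEnabled connector actually listens.
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        # AJP: secretRequired="false" (or no secret) means anything that can
        # reach the port may send AJP requests without a shared secret.
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            no_secret = (c.get("secretRequired", "true").lower() == "false"
                         or not c.get("secret"))
            # Assumption: an unset address means loopback (Tomcat 9.0.31+ default).
            exposed = c.get("address", "127.0.0.1") not in LOOPBACK
            if no_secret:
                findings.append((port, "ajp-exposed-no-secret" if exposed
                                 else "ajp-no-secret"))
        # redirectPort only works if an SSLEnabled connector listens there.
        rp = c.get("redirectPort")
        if rp and rp not in tls_ports:
            findings.append((port, "redirectPort-has-no-tls-connector"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector port {port}: {finding}")
```

On the sample it reports the 8009 AJP connector for the missing secret and both 8080 and 8009 for a redirectPort with no matching HTTPS connector; aligning redirectPort with 8445 and restoring a secret clears all findings.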


Solution

I was about to ping your support personnel; but I think I solved this issue.

The problem was indeed the firewall. Unfortunately, not being familiar with CentOS7, I had thought it was using iptables; but it was actually using firewalld.

After doing the following command:

sudo firewall-cmd --zone=public --add-port=8445/tcp

It now works.


Ed
