
I am currently running an instance of Tomcat8 on an Ubuntu server that I installed using apt-get install tomcat8. I hosted an application and it was running fine without an SSL certificate.

Recently I bought an SSL certificate from sslcertificate.com and followed https://support.comodo.com/index.php?/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool to install it. I was able to package it together and configure the server.xml file.

Here is what the server.xml file looks like:

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443"
           useIPVHosts="true"/>

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="myfile.jks" keystorePass="my_pass"/>

Nothing else was changed and the server suddenly stopped working. When I try to go to my site it says that the server refused to connect. I tried to remove the changes I made to the server.xml but it's still refusing to connect.

I tried `sudo lsof -i -P -n | grep LISTEN` and this was the output:

sshd     1018    root    3u  IPv4  13571      0t0  TCP *:22 (LISTEN)
sshd     1018    root    4u  IPv6  13573      0t0  TCP *:22 (LISTEN)
mysqld   1083   mysql   19u  IPv4  16958      0t0  TCP 127.0.0.1:3306 (LISTEN)
sshd     1351  ubuntu    9u  IPv6  13938      0t0  TCP [::1]:6010 (LISTEN)
sshd     1351  ubuntu   10u  IPv4  13939      0t0  TCP 127.0.0.1:6010 (LISTEN)
sshd     2623  ubuntu    9u  IPv6  22382      0t0  TCP [::1]:6011 (LISTEN)
sshd     2623  ubuntu   10u  IPv4  22383      0t0  TCP 127.0.0.1:6011 (LISTEN)
java     2721 tomcat8   62u  IPv4  21439      0t0  TCP 127.0.0.1:8005 (LISTEN)

I'm not sure what is wrong. Any help is appreciated!

Pang
Henry La
  • What are the errors in the log files ? Based on the lsof output it does not seem to be listening on 8080 or 80. If you were running it on port 80 you will need to run it as user root. – souser Jan 09 '18 at 22:21
  • 1
    I would ask this in https://serverfault.com – jeprubio Jan 09 '18 at 22:22
  • it used to be listening to 8080 but I changed to 80 and it was working fine. The error log says: `09-Jan-2018 14:22:45.095 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-80"] java.net.SocketException: Permission denied ` – Henry La Jan 09 '18 at 22:25
  • Are you running it as user root or as user tomcat or some other user ? You need to run it as user root. – souser Jan 09 '18 at 23:06

2 Answers


Issue SOLVED.

I searched around and was able to find a solution; it was at: https://wolfpaulus.com/java/tomcat-ssl/

The server issue was fixed by the following command:

sudo setcap cap_net_bind_service+ep /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Restarted the server and everything worked!

Henry La
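The setcap command in the accepted answer fixes the symptom, but a practitioner will want to verify that the capability actually stuck and know what it implies. The script below is an added example and is not part of the answer or of Tomcat; it assumes the java binary path quoted in the answer (override JAVA_BIN if `readlink -f "$(command -v java)"` or JAVA_HOME in /etc/default/tomcat8 points elsewhere) and must be run as root to call setcap.

```shell
#!/bin/sh
# Added example (not from the answer above): grant CAP_NET_BIND_SERVICE to the
# JVM that runs Tomcat and verify it stuck, instead of running Tomcat as root.
# Assumption: JAVA_BIN is the java binary named in the answer.
set -eu

JAVA_BIN="${JAVA_BIN:-/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java}"

# On Linux, binding a TCP/UDP port below 1024 needs CAP_NET_BIND_SERVICE
# (root has it implicitly). That is why "http-nio-80" failed with
# "Permission denied" while the shutdown listener on 127.0.0.1:8005 still
# shows up in lsof: the only unprivileged port could still be bound.
is_privileged_port() {
  [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Inspect one line of `getcap` output and succeed only if
# cap_net_bind_service is present and effective ("e" in the flag set).
# Both output styles are accepted:
#   older libcap: /path/java = cap_net_bind_service+ep
#   newer libcap: /path/java cap_net_bind_service=ep
has_bind_capability() {
  printf '%s' "$1" | grep -Eq 'cap_net_bind_service[,a-z_]*[+=][a-z]*e'
}

grant_bind_capability() {
  if [ ! -x "$JAVA_BIN" ]; then
    echo "not an executable: $JAVA_BIN" >&2
    return 1
  fi
  # Caveat 1: this is a file capability stored on the inode. Every process
  # started from this binary (not only Tomcat) may now bind low ports, and an
  # OpenJDK package upgrade replaces the file and silently drops the
  # capability, so re-run this after upgrades.
  setcap cap_net_bind_service+ep "$JAVA_BIN"
  if ! has_bind_capability "$(getcap "$JAVA_BIN")"; then
    echo "setcap did not take effect on $JAVA_BIN" >&2
    return 1
  fi
  # Caveat 2: a binary carrying file capabilities is started in
  # secure-execution mode, where the dynamic loader can refuse the
  # $ORIGIN-relative search path the java launcher uses for libjli.so.
  # If the next command fails with "libjli.so: cannot open shared object
  # file", add the directory containing libjli.so to /etc/ld.so.conf.d/
  # and run ldconfig.
  "$JAVA_BIN" -version
}

# Only act when explicitly asked, so sourcing this file for the checks is safe.
if [ "${1:-}" = "--apply" ]; then
  grant_bind_capability
fi
```

Run it as `sudo sh grant-bind-cap.sh --apply` (hypothetical file name), then restart tomcat8 and confirm with `sudo lsof -i -P -n | grep LISTEN` that java now shows `*:80` and `*:443` next to the 8005 shutdown port.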

Your configuration of the Connectors is using ports 80 and 443, which are both privileged ports. You need to run Tomcat as root to make this work. Otherwise, switch to non-privileged ports like 8080 and 8443, which are popular choices.

Achille
  • Do **not** run Tomcat as `root`. There are ways to use port 80 without running as `root`. – Christopher Schultz Jan 09 '18 at 22:28
  • I see, does that mean I have to run it at either 80 or 443, but not both? – Henry La Jan 09 '18 at 22:33
  • Ideally, you should run it on a non-privileged port. Say 8080 and then 8443. That way you don't need to make the changes you described earlier to run it as user tomcat. And then have say a load balancer in front that allows you to access the application over http and https. – souser Jan 09 '18 at 23:34
  • Christopher, he is telling us this was working previously. So, it seems he already did run Tomcat as root. So, either his problem is that this time he tried to run it with the wrong user, or he should switch to non-privileged ports. – Achille Jan 10 '18 at 21:07
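The comments above settle on keeping Tomcat on 8080/8443 as the tomcat8 user with something in front of it. Short of a full reverse proxy or load balancer, the kernel can do that forwarding: a NAT REDIRECT from 80 to 8080 and from 443 to 8443 means no process ever needs root or a capability. The script below is an added example, not code from the question, the answers or Tomcat; it first finds which Connector ports in a server.xml are privileged (the check that explains the original "Permission denied"), then prints the iptables rules for them and applies them only with `--apply`. The sample server.xml is constructed from the question's Connector lines, and the /etc/tomcat8/server.xml path and the 8080/8443 targets are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers or comments above): keep Tomcat on
# unprivileged ports and let the kernel redirect 80/443 to them, so nothing
# runs as root and no capability is granted to the JVM.
# Assumptions: Tomcat's Connectors will listen on 8080 and 8443; the
# default config path is /etc/tomcat8/server.xml.
set -eu

# Write the question's Connector configuration (constructed sample) to a
# temp file and print its path.
write_sample_server_xml() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443"
           useIPVHosts="true"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="myfile.jks" keystorePass="my_pass"/>
</Server>
EOF
  echo "$f"
}

# Print the listen port of every <Connector ...> line, one per line.
# Requiring whitespace before port= skips redirectPort=, and filtering on
# <Connector skips the <Server port="8005"> shutdown port. That 8005 is
# exactly what lsof in the question still shows: the only socket Tomcat
# managed to bind. Assumes port= sits on the same line as <Connector.
connector_ports() {
  grep '<Connector' "$1" | grep -oE '[[:space:]]port="[0-9]+"' | tr -dc '0-9\n'
}

# Of those, the ones that need root or CAP_NET_BIND_SERVICE to bind.
privileged_connector_ports() {
  for p in $(connector_ports "$1"); do
    if [ "$p" -lt 1024 ]; then
      echo "$p"
    fi
  done
}

# iptables rules that transparently forward a privileged port to the
# unprivileged one Tomcat actually listens on. PREROUTING handles traffic
# arriving from the network; the OUTPUT rule covers connections made from
# the host itself (e.g. curl http://localhost/), which never hit PREROUTING.
redirect_rules() {
  from=$1
  to=$2
  echo "iptables -t nat -A PREROUTING -p tcp --dport $from -j REDIRECT --to-ports $to"
  echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to"
}

# Map each privileged Connector port in the given server.xml to its rules.
plan() {
  xml=$1
  for p in $(privileged_connector_ports "$xml"); do
    case $p in
      80)  redirect_rules 80 8080 ;;
      443) redirect_rules 443 8443 ;;
      *)   echo "# no mapping for privileged port $p; move it to a port >= 1024" ;;
    esac
  done
}

# Print the plan for the sample config by default; apply for real only
# when asked (needs root).
if [ "${1:-}" = "--apply" ]; then
  plan "${2:-/etc/tomcat8/server.xml}" | sh
else
  plan "$(write_sample_server_xml)"
fi
```

With the redirect in place, change the Connectors to `port="8080" redirectPort="443" proxyPort="80"` and `port="8443" proxyPort="443"`: Tomcat still sees the connection on 8080/8443, and `proxyPort` is what makes the URLs it builds (redirects, `request.getServerPort()`) show the external ports. Two caveats: iptables rules are lost on reboot unless saved (for example with the iptables-persistent package), and IPv6 listeners need the same rules added with ip6tables.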