Rene, I apologize and thanks for your help! I did use the lines you sent
me and changed the necessary information. .
The private key is using http11NioProtocol, the format you provided goes
into the Http11AprProtocol section.
I got this error:
16-Oct-2019 05:58:47.266 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component
[Connector[org.apache.coyote.http11.Http11AprProtocol-5443]]
org.apache.catalina.LifecycleException: The configured protocol
[org.apache.coyote.http11.Http11AprProtocol] requires the APR/native
library which is not available
When I use the Http11NioProtocol I get this error. My keystore only has
one key in it the private key.
16-Oct-2019 06:05:35.065 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["http-nio-5080"]
16-Oct-2019 06:05:35.107 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["https-jsse-nio-5443"]
16-Oct-2019 06:05:35.352 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-5443]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.start(Catalina.java:621)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:344)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at
java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:262)
at
java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:324)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
here is the relevant part of my server.xml that includes the original
configuration plus the two configurations I have tried to use to get this
to work commented out. <fqdn> is my servername.domainname.org perhaps you
can look and see what I have done wrong.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener
className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener
className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or
more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="5080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="5443" />
<Connector port="5443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
keystoreFile="conf/keystore" keystorePass="openmeetings"
clientAuth="false" sslProtocol="TLS"/>
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL
style
configuration is used below.
-->
-->
<!--Connector port="5443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLCertificateFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
URIEncoding="UTF-8"
keystoreFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
clientAuth="false" sslProtocol="TLS" /-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL
style
configuration is used below.
-->
<!--Connector port="5443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
<SSLHostConfig>
<Certificate
certificateKeyFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
certificateFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
certificateChainFile="/etc/letsencrypt/live/<fqdn>/fullchain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
On Wed, Oct 16, 2019 at 1:50 AM René Scholz <
rene.sch...@abakus-edv-systems.de> wrote:
> Hello,
>
> why don't you try out the config-part I sent you?
> Make a backup of your sever.xml, edit the part for your connector-port,
> restart your OM, pray a little bit and open your browser with https and
> your port.
>
> Whats the result?
>
> When you mean that something goes wrong replace it with your backuped
> server.xml.
>
> Best regards,
>
> René
>
> Am 15.10.2019 um 22:30 schrieb Yah's Global Kingdom:
>
> Your saying I don't have to use a keystore with these certs?
>
> On Mon, Oct 14, 2019 at 4:06 AM Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
>> With this config import is redundant
>> you can use your keys as-is :)
>>
>> On Sun, 13 Oct 2019 at 21:11, Yah's Global Kingdom <yahs...@gmail.com>
>> wrote:
>>
>>> Thanks for the information, if I might ask which of these keys did you
>>> import into your keystore for openmeetings?
>>>
>>> On Sat, Oct 12, 2019 at 1:36 PM R. Scholz <
>>> rene.sch...@abakus-edv-systems.de> wrote:
>>>
>>>> Hello,
>>>>
>>>> this is the part in my server.xml in the conf-dir of my openmeeting I
>>>> use without problems:
>>>>
>>>> <Connector port="5443"
>>>> SSLEnabled="true">
>>>> <SSLHostConfig>
>>>> <Certificate certificateFile="/etc/letsencrypt/live/
>>>> subdomain.domain.de/cert.pem"
>>>> certificateKeyFile="/etc/letsencrypt/live/
>>>> subdomain.domain.de/privkey.pem"
>>>> certificateChainFile="/etc/letsencrypt/live/
>>>> subdomain.domain.de/fullchain.pem" />
>>>> </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> With best regards,
>>>>
>>>> René
>>>>
>>>>
>>>>
>>>> Am 12.10.2019 um 17:35 schrieb Yah's Global Kingdom:
>>>>
>>>> Ok understood for the VOIP implementation. Hopefully, there will be
>>>> time for in the near future as it was feature that was really appreciated
>>>> and used.
>>>> On a different note. I am using LetsEncrypt for ssl certificates. The
>>>> wiki at https://openmeetings.apache.org/HTTPS.html does not seem to
>>>> apply as you can not submit a .csr file to lets encrypt and it only works
>>>> on port 443. I have changed /conf/server.conf to 443 but the server still
>>>> refuses to connect. Are there any instructions for how to make OM 5.0.0.M2
>>>> OR M3 work with LetEncrypt and Certbot? Thanks for all your help Maxim.
>>>>
>>>> On Thu, Oct 10, 2019 at 12:45 PM Maxim Solodovnik <solomax...@gmail.com>
>>>> wrote:
>>>>
>>>>> Yes, sure
>>>>> unfortunately my time is very limited
>>>>> not sure i can provide any estimates
>>>>>
>>>>> On Thu, 10 Oct 2019 at 09:16, Yah's Global Kingdom <yahs...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Is there a plan to implement VOIP for this version of Openmeetings?
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
>>>>>
>>>>
>>>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
