Actually there is no need to specify *AprProtocol to use Let's Encrypt certificates without conversions.
Here is a simple step-by-step guide: https://community.letsencrypt.org/t/using-letsencrypt-certificates-on-tomcat-8-x-on-windows/28548/7
All you need is the "Special SSLHostConfig". Documentation is here: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
On Thu, 17 Oct 2019 at 13:16, René Scholz <rene.sch...@abakus-edv-systems.de> wrote:
> Hello,
>
> hm, that looks complicated. In my configuration it was not necessary to
> define a protocol like you have done.
> The error message shows that the chosen protocol requires a library. It's
> possible that this is the error, but I don't know
> if your certificate matches this protocol.
>
> I am afraid without deeper knowledge of your certificates and (maybe very
> complicated and high-secured) network configuration I have no further idea
> what goes wrong.
>
> I have only rudimentary knowledge about certificates - in my configuration
> "behind a NAT" the https certificate was the lesser evil.
>
> Best regards,
>
> René
>
> On 16.10.2019 at 15:25, Yah's Global Kingdom wrote:
>
> Rene, I apologize and thanks for your help! I did use the lines you sent
> me and changed the necessary information.
> The private key is using http11NioProtocol, the format you provided goes
> into the Http11AprProtocol section.
>
> I got this error:
>
> 16-Oct-2019 05:58:47.266 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-5443]]
> org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>
> When I use the Http11NioProtocol I get this error. My keystore only has
> one key in it, the private key.
>
> 16-Oct-2019 06:05:35.065 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-5080"]
> 16-Oct-2019 06:05:35.107 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-5443"]
> 16-Oct-2019 06:05:35.352 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-5443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:621)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:344)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
> Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> ... 13 more
> Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:262)
> at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
> at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:324)
> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> ... 20 more
>
> Here is the relevant part of my server.xml that includes the original
> configuration plus the two configurations I have tried to use to get this
> to work commented out. <fqdn> is my servername.domainname.org; perhaps
> you can look and see what I have done wrong.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> Licensed to the Apache Software Foundation (ASF) under one or more
> contributor license agreements. See the NOTICE file distributed with
> this work for additional information regarding copyright ownership.
> The ASF licenses this file to You under the Apache License, Version 2.0
> (the "License"); you may not use this file except in compliance with
> the License. You may obtain a copy of the License at
>
> http://www.apache.org/licenses/LICENSE-2.0
>
> Unless required by applicable law or agreed to in writing, software
> distributed under the License is distributed on an "AS IS" BASIS,
> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> See the License for the specific language governing permissions and
> limitations under the License.
> -->
> <!-- Note: A "Server" is not itself a "Container", so you may not
> define subcomponents such as "Valves" at this level.
> Documentation at /docs/config/server.html
> -->
> <Server port="8005" shutdown="SHUTDOWN">
> <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
> <!-- Security listener. Documentation at /docs/config/listeners.html
> <Listener className="org.apache.catalina.security.SecurityListener" />
> -->
> <!--APR library loader. Documentation at /docs/apr.html -->
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> <!-- Prevent memory leaks due to use of particular java/javax APIs-->
> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>
> <!-- A "Service" is a collection of one or more "Connectors" that share
> a single "Container" Note: A "Service" is not itself a "Container",
> so you may not define subcomponents such as "Valves" at this level.
> Documentation at /docs/config/service.html
> -->
> <Service name="Catalina">
>
> <!--The connectors can use a shared executor, you can define one or
> more named thread pools-->
> <!--
> <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
> maxThreads="150" minSpareThreads="4"/>
> -->
>
> <!-- A "Connector" represents an endpoint by which requests are received
> and responses are returned. Documentation at :
> Java HTTP Connector: /docs/config/http.html
> Java AJP Connector: /docs/config/ajp.html
> APR (HTTP/AJP) Connector: /docs/apr.html
> Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
> -->
> <Connector port="5080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="5443" />
> <Connector port="5443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true"
> keystoreFile="conf/keystore" keystorePass="openmeetings"
> clientAuth="false" sslProtocol="TLS"/>
>
> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
> This connector uses the APR/native implementation which always uses
> OpenSSL for TLS.
> Either JSSE or OpenSSL style configuration may be used. OpenSSL style
> configuration is used below.
> -->
> -->
> <!--Connector port="5443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLCertificateFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> URIEncoding="UTF-8"
> keystoreFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
> clientAuth="false" sslProtocol="TLS" /-->
> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
> This connector uses the APR/native implementation which always uses
> OpenSSL for TLS.
> Either JSSE or OpenSSL style configuration may be used. OpenSSL style
> configuration is used below.
> -->
>
> <!--Connector port="5443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true">
>
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> <SSLHostConfig>
> <Certificate
> certificateKeyFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
> certificateFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
> certificateChainFile="/etc/letsencrypt/live/<fqdn>/fullchain.pem"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
> -->
>
> On Wed, Oct 16, 2019 at 1:50 AM René Scholz <rene.sch...@abakus-edv-systems.de> wrote:
>
>> Hello,
>>
>> why don't you try out the config-part I sent you?
>> Make a backup of your server.xml, edit the part for your connector-port,
>> restart your OM, pray a little bit and open your browser with https and
>> your port.
>>
>> What's the result?
>>
>> When you mean that something goes wrong replace it with your backuped
>> server.xml.
>>
>> Best regards,
>>
>> René
>>
>> On 15.10.2019 at 22:30, Yah's Global Kingdom wrote:
>>
>> You're saying I don't have to use a keystore with these certs?
>>
>> On Mon, Oct 14, 2019 at 4:06 AM Maxim Solodovnik <solomax...@gmail.com> wrote:
>>
>>> With this config import is redundant
>>> you can use your keys as-is :)
>>>
>>> On Sun, 13 Oct 2019 at 21:11, Yah's Global Kingdom <yahs...@gmail.com> wrote:
>>>
>>>> Thanks for the information, if I might ask which of these keys did you
>>>> import into your keystore for openmeetings?
>>>>
>>>> On Sat, Oct 12, 2019 at 1:36 PM R. Scholz <rene.sch...@abakus-edv-systems.de> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> this is the part in my server.xml in the conf-dir of my openmeeting I
>>>>> use without problems:
>>>>>
>>>>> <Connector port="5443"
>>>>> SSLEnabled="true">
>>>>> <SSLHostConfig>
>>>>> <Certificate certificateFile="/etc/letsencrypt/live/subdomain.domain.de/cert.pem"
>>>>> certificateKeyFile="/etc/letsencrypt/live/subdomain.domain.de/privkey.pem"
>>>>> certificateChainFile="/etc/letsencrypt/live/subdomain.domain.de/fullchain.pem" />
>>>>> </SSLHostConfig>
>>>>> </Connector>
>>>>>
>>>>> With best regards,
>>>>>
>>>>> René
>>>>>
>>>>> On 12.10.2019 at 17:35, Yah's Global Kingdom wrote:
>>>>>
>>>>> Ok, understood for the VOIP implementation. Hopefully, there will be
>>>>> time for it in the near future as it was a feature that was really
>>>>> appreciated and used.
>>>>> On a different note: I am using Let's Encrypt for SSL certificates.
>>>>> The wiki at https://openmeetings.apache.org/HTTPS.html does not seem
>>>>> to apply as you can not submit a .csr file to Let's Encrypt and it only
>>>>> works on port 443. I have changed /conf/server.conf to 443 but the server
>>>>> still refuses to connect. Are there any instructions for how to make OM
>>>>> 5.0.0.M2 OR M3 work with Let's Encrypt and Certbot? Thanks for all your help
>>>>> Maxim.
>>>>>
>>>>> On Thu, Oct 10, 2019 at 12:45 PM Maxim Solodovnik <solomax...@gmail.com> wrote:
>>>>>
>>>>>> Yes, sure
>>>>>> unfortunately my time is very limited
>>>>>> not sure i can provide any estimates
>>>>>>
>>>>>> On Thu, 10 Oct 2019 at 09:16, Yah's Global Kingdom <yahs...@gmail.com> wrote:
>>>>>>
>>>>>>> Is there a plan to implement VOIP for this version of Openmeetings?
>>>>>>
>>>>>> --
>>>>>> WBR
>>>>>> Maxim aka solomax
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>

--
WBR
Maxim aka solomax
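As an added example (my code, not from this thread nor from the Tomcat or OpenMeetings projects): a small Python pre-flight check that classifies the PEM blocks in the certbot files and reports the two mistakes visible in the commented-out connectors quoted above, certificateKeyFile/certificateFile swapped and keystoreFile pointed at privkey.pem. The paths keep the thread's `<fqdn>` placeholder and the file contents are constructed stand-ins, not real keys.

```python
import re

# One PEM block; the capture group is its label, e.g. "CERTIFICATE" or "PRIVATE KEY".
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_block_kinds(text):
    """Classify every PEM block in text as 'key', 'cert' or 'other', in file order."""
    kinds = []
    for label in PEM_RE.findall(text):
        if label in PRIVATE_KEY_LABELS:
            kinds.append("key")
        elif label == "CERTIFICATE":
            kinds.append("cert")
        else:
            kinds.append("other")
    return kinds

def check_connector_files(attrs, files):
    """attrs: connector/Certificate attribute -> path as written in server.xml;
    files: path -> file text (a dict here so the check runs offline). Returns problems."""
    problems = []
    for attr, path in attrs.items():
        kinds = pem_block_kinds(files.get(path, ""))
        if attr == "certificateKeyFile" and kinds != ["key"]:
            problems.append(f"{attr}={path}: need exactly one private key, found {kinds}")
        elif attr in ("certificateFile", "certificateChainFile") and (
                not kinds or any(k != "cert" for k in kinds)):
            problems.append(f"{attr}={path}: need only certificate blocks, found {kinds}")
        elif attr == "keystoreFile" and kinds:
            problems.append(f"{attr}={path}: is a PEM file, not a JKS/PKCS12 keystore; "
                            "use certificateKeyFile/certificateFile instead")
    return problems

LIVE = "/etc/letsencrypt/live/<fqdn>/"          # <fqdn> placeholder as used in the thread
PEM = "-----BEGIN {0}-----\nQ09OU1RSVUNURUQ=\n-----END {0}-----\n"  # constructed body, not a real key
FAKE_FILES = {                                   # constructed stand-ins for the certbot output
    LIVE + "privkey.pem": PEM.format("PRIVATE KEY"),
    LIVE + "cert.pem": PEM.format("CERTIFICATE"),
    LIVE + "fullchain.pem": PEM.format("CERTIFICATE") * 2,
}
# The working mapping from the thread, and the two commented-out attempts that failed.
WORKING = {"certificateFile": LIVE + "cert.pem", "certificateKeyFile": LIVE + "privkey.pem",
           "certificateChainFile": LIVE + "fullchain.pem"}
SWAPPED = {"certificateKeyFile": LIVE + "cert.pem", "certificateFile": LIVE + "privkey.pem",
           "certificateChainFile": LIVE + "fullchain.pem"}
PEM_AS_KEYSTORE = {"keystoreFile": LIVE + "privkey.pem"}
```

Calling `check_connector_files(SWAPPED, FAKE_FILES)` lists both swapped attributes, while the working mapping returns an empty list; point `files` at real file contents to run it against a live certbot directory.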