On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the issue
> on that thread might be causing the SSL issue that I am having. On the
> server that I have been using for the testing of Tomcat 9, version 8 was
> already installed on it. It's just that my boss said to download, install
> and work with version 9. I wonder if it might work with version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download
page and then up a directory to find it. (It has been released but
CVE-2017-12617 happened and we decided not to announce it as the next 9.0.x
release will be following shortly.) Note there is still a regression in the
keystore handling but it affects fewer configurations (just FIPS as far as I
know).

Mark

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it should
> be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to
> match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I
> see what was confusing : that logfile shows several starts and stops of
> tomcat. It just accumulates. I was looking just at the beginning, the
> first error that I found.
>
> You have for example this :
>
> 08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was :
>
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for 21
> minutes.
>
> Then after that there are a few more starts and stops, and at the latest
> attempt, the problem is different :
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> ...
> Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> So, here is what happened :
>
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it
> started fine, ending in the line
>
> 08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms
>
> but then, you did not have the connector for port 8443 enabled yet.
>
> - then you stopped tomcat, and you started it again at
>
> 08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
>
> - and then you had this :
>
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>
> so my guess is that you modified the server.xml, while tomcat was still
> running, and then you did a "shutdown.sh", to prepare to restart tomcat.
>
> - And then there was that parse error.
>
> And the reason is that the shutdown command, in fact starts another
> (small) instance of tomcat, to issue the shutdown command to the running
> instance. But that shutdown instance also reads server.xml, and at that
> time you /did/ have a syntax error in it. So that is where this syntax
> error came from.
>
> Later you apparently corrected the syntax, and restarted tomcat :
>
> 08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
>
> and this time, there was no syntax error anymore in server.xml, but then
> there is this other problem :
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> ...
> Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> but that seems to only prevent the SSL connector from starting, and the
> logfile shows that tomcat continues to initialise anyway, with only the
> other connectors.
>
> So that's why you can connect normally to port 8080.
>
> I did not know that tomcat starts anyway, even if it encounters a severe
> problem with one of its connectors.
>
> (And I must say that, as a sysadmin myself, I find this behaviour a bit
> questionable) (unless it is optional)
>
> So anyway, your problem now is not the syntax of server.xml anymore, it
> is something to do with your SSL keystore.
> And for that I am not competent to help, and I'll have to ask someone
> else to follow up.
>
> And now I've been top-posting myself all of this, contrary to the rules.
> Apologies.
>
> But John, for the rest, I suggest that before you restart tomcat, delete
> or rename that old logfile, so that when you restart it will be "fresh"
> and contain only the result of the last attempt. It will be clearer for
> everyone.
>
> On 21.09.2017 21:47, John Ellis wrote:
>> One more thing Andre. I don't know if it matters or not but when I try
>> to access Tomcat 9 on the secure port of 8443 I see it saying down in
>> the bottom left hand corner of my browser- "Performing a TLS handshake
>> to 10.22.8.70..." but it never gives the webpage. However once I change
>> the IP address to 10.22.8.70:8080 it immediately goes to the Tomcat 9
>> webpage.
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Thursday, September 21, 2017 11:34 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 21.09.2017 17:17, John Ellis wrote:
>>> OK. As I said there is nothing on line 87 but here is line 114-
>>>
>>> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"
>>
>> I think you need to provide a bit more context then.
>>
>> Can you paste here, say, that same line, but with 10 lines before and
>> 10 lines after, and tell at which line number this starts in server.xml
>> (so that we can compare with the log) ?
>>
>> The error messages in the log were apparently about comments (between
>> <!-- and -->), so if these lines are (or contain) comments, copy them
>> anyway.
>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>> Sent: Thursday, September 21, 2017 10:15 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: tomcat ssl setup
>>>
>>> On 21.09.2017 16:43, John Ellis wrote:
>>>> Thanks so much for the quick reply Andre. There doesn't appear to be
>>>> anything on line 87 but there is on line 114. See the screenshot I
>>>> took of the server.xml file below-
>>>
>>> Unfortunately, this list strips most attachments, and in fact asks for
>>> text-only messages. (and to avoid top-posting)
>>>
>>> See : http://tomcat.apache.org/lists.html#tomcat-users --> Important
>>>
>>> Please paste the corresponding lines directly, as text, in your next
>>> message.
>>>
>>>> -----Original Message-----
>>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>>> Sent: Wednesday, September 20, 2017 10:41 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: tomcat ssl setup
>>>>
>>>> On 20.09.2017 17:07, John Ellis wrote:
>>>>> All of what I have done so far has been in Tomcat version 9, which I
>>>>> downloaded from the Apache Tomcat website. The way I start tomcat is
>>>>> by running the command ./startup.sh from within the
>>>>> apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>>>> command ./shutdown.sh from the same directory.
>>>>
>>>> Ok, perfect. So there is only one tomcat9 we can be talking about, and
>>>> one server.xml file. And since this is a "standard tomcat", that
>>>> server.xml must be in .. (let me look at the logfile again) ..
>>>>
>>>> 08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>>>
>>>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>>>
>>>> and considering this :
>>>>
>>>> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>>>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>>>>
>>>> there is something on line 87, position 6, that he does not like.
>>>>
>>>> And further down also :
>>>>
>>>> 08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
>>>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.
>>>>
>>>> but maybe this is not in the server.xml file itself, but in something
>>>> else that the server.xml references there (like an external "XML
>>>> entity" or something).
>>>>
>>>> Why don't you get those 2 lines from your server.xml and paste them
>>>> here :
>>>>
>>>> ...
>>>>
>>>>> -----Original Message-----
>>>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>>>> Sent: Wednesday, September 20, 2017 10:02 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: tomcat ssl setup
>>>>>
>>>>> On 20.09.2017 15:20, John Ellis wrote:
>>>>>> Andre can you tell me which log file you are saying tells where the
>>>>>> problem is?
>>>>>
>>>>> That's the one you uploaded to the dropbox :
>>>>>
>>>>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>>>
>>>>> I have of course no idea at this point, which tomcat or which
>>>>> server.xml this was related to, but I suppose you do.
>>>>>
>>>>>> I am not seeing it but I may not be even looking for the right
>>>>>> thing. I did open the server.xml file up in an XML file editor
>>>>>> program and it didn't give any errors.
>>>>>
>>>>> Then it must be that this tomcat who wrote the logfile, is not
>>>>> looking at the same server.xml file as the one you're looking at.
>>>>> (Or else your XML file editor is not really good)
>>>>>
>>>>> How do you start this tomcat, on your server ?
>>>>> And where did you get this tomcat from ? Is it the one from the
>>>>> tomcat website ?
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>>>>> Sent: Tuesday, September 19, 2017 3:47 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: tomcat ssl setup
>>>>>>
>>>>>> On 19.09.2017 20:17, John Ellis wrote:
>>>>>>> Here are the tomcat 9 log file DropBox links-
>>>>>>>
>>>>>>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>>>>>
>>>>>> Well, there you go. It tells you explicitly where you made the
>>>>>> mistakes, up to the file and line numbers.
>>>>>> I can't see your server.xml, but I would bet that you have modified
>>>>>> it, by surrounding some XML comment sections by another comment pair
>>>>>> <!-- ... -->  That crashes because XML does not allow that.
>>>>>> You cannot have this kind of thing :
>>>>>>
>>>>>> <!-- ... <!-- ... --> -->
>>>>>>
>>>>>>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> From: Alejandro Vargas M. [mailto:alejandro.var...@kymsolutions.com]
>>>>>>> Sent: Tuesday, September 19, 2017 11:10 AM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: tomcat ssl setup
>>>>>>>
>>>>>>> Do you see what's on the log files, they can tell you what the
>>>>>>> problem is. Maybe you can share those files too.
>>>>>>>
>>>>>>> I also saw on line 117 this "| -->|" Looks like there's a leftover.
>>>>>>>
>>>>>>> On 09/19/2017 09:31 AM, John Ellis wrote:
>>>>>>>
>>>>>>> I have been trying to set up SSL for tomcat 9.00.M26 on a RHEL
>>>>>>> (version 6.4) server for testing purposes. I downloaded & installed
>>>>>>> Tomcat9 fine and I get a proper webpage on port 8080 but when I used
>>>>>>> the keytool commands and created a certificate from cacert.org and
>>>>>>> then edited the server.xml file to set up the ssl configuration to
>>>>>>> run on port 8443 I cannot get a webpage on that port; it defaults
>>>>>>> back to port 8080. If I am not providing all the needed info or
>>>>>>> asking a wrong question please forgive me. I am not a programmer.
>>>>>>> My background is in computer hardware. I have just been forced to
>>>>>>> learn this to support two products that we use here in our office;
>>>>>>> Jira and Confluence. I have actually been working on setting them up
>>>>>>> for an SSL connection on a different server. I got Confluence
>>>>>>> working on a secure port but not Jira so my boss suggested
>>>>>>> troubleshooting the issue by trying to first get SSL set up for
>>>>>>> Tomcat on this other server.
>>>>>>>
>>>>>>> I am providing a copy of the Tomcat9 server.xml file here on a
>>>>>>> DropBox link-
>>>>>>> https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> --
>>>>>>> Alejandro Vargas Mayorga
>>>>>>> Development Manager C.A. & C.
>>>>>>> Tel. 506- 7232-3366
>>>>>>> Email: alejandro.var...@kymsolutions.com
>>>>>>> www.kymsolutions.com  Visit our virtual classroom!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
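As André explains above, shutdown.sh starts a second small Tomcat that also parses server.xml, so a malformed file only surfaces when you try to stop the running server; a quick well-formedness check before that avoids the surprise. The script below is an added example, not from the thread or from Tomcat: it runs a server.xml through Python's bundled expat parser and reports the first error with line and column, exercised on two constructed samples, one clean and one with the nested-comment pattern behind the 'The string "--" is not permitted within comments' error on line 114.

```python
"""Check a Tomcat server.xml for well-formedness before (re)starting Tomcat.
Added example, not from the thread. Python's bundled expat parser words its
errors differently from Tomcat's Xerces, but line/column point at the same spot."""
import sys
import xml.parsers.expat

def check_xml(data):
    """Return None if data is well-formed XML, else (line, column, message)."""
    if isinstance(data, str):
        data = data.encode("utf-8")   # bytes let expat honour the declared encoding
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(data, True)      # True: this is the whole document
    except xml.parsers.expat.ExpatError as err:
        # lineno is 1-based, offset is a 0-based column
        return (err.lineno, err.offset, xml.parsers.expat.ErrorString(err.code))
    return None

# Constructed: a minimal server.xml with one ordinary comment.
GOOD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  </Service>
</Server>
"""

# Constructed: the pattern Andre warns about. The stock server.xml ships the 8443
# connector inside a comment; wrapping that block in a second comment puts "<!--"
# (and so "--") inside a comment, which XML forbids. Xerces reports 'The string
# "--" is not permitted within comments', expat "invalid token"; both say line 6.
NESTED_COMMENT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- disabled while testing:
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" keystoreFile="conf/keystore.jks" />
    -->
  </Service>
</Server>
"""

def main(argv):
    """Usage: check_server_xml.py [conf/server.xml]; exit status 1 on an error."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            inputs = [(argv[1], fh.read())]
    else:
        inputs = [("good sample", GOOD_SERVER_XML),
                  ("nested-comment sample", NESTED_COMMENT_SERVER_XML)]
    status = 0
    for name, data in inputs:
        problem = check_xml(data)
        if problem is None:
            print(f"{name}: well-formed")
        else:
            print("%s: parse error at line %d column %d: %s" % ((name,) + problem))
            status = 1
    return status

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, check_server_xml.py (a name chosen here), it checks the two embedded samples when run without arguments and a real file when given its path.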