I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used as-is Connector configuration on server.xml with only keystore and password added
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp |grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java shows my tomcat is listening at 8443
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.
Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console->Compute Engine->Networks->the network's
name the instance is associated with->Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https
Related
I have a single AWS ec2 instance without a load balancer. I have apache tomcat server running on the same. How should i install a ssl certificate on the server for the website that i am hosting on the server? I am running a java struts 2 application running on the server.
All the options online are about using ACM with load balancer.
For Tomcat8 I would do the following:
Copy your .p12 to /usr/java/latest/
Add the following to your server.xml file, ensuring the keystoreFile matches the above step and keystorePass corresponds to the cert
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2"
keystoreFile="/usr/java/latest/<your.p12>"
keystorePass="<add passwd here>" keystoreType="PKCS12"
connectionTimeout="20000" redirectPort="8443"
proxyPort="443" server="NunYa"
proxyName="<fqdn>" />
If you want to prevent unencrypted traffic, comment out block in server.xml starting with <Connector port="8080" protocol="HTTP/1.1"
For more details see the references below.
References
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
You can use ngnix server to route the default 443 port to your tomcat 8080 or 8443 port Amazon instance.
For that you need to buy ssl or get free ssl for 3 month duration via "https://letsencrypt.org" websites.
you can even configure ngnix by using openssl certificate if your going work as a demo purpose.
I currently have Tomcat 7 server running a web service.
I've enabled 2-way SSL in server.xml
<Connector port="8443"
maxThreads="500"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="tomcat_keystore.jks"
keystorePass="*******"
truststoreFile="tomcat_truststore.jks"
truststorePass="*****"
clientAuth="true"
keyAlias="tomcat"
redirectPort="8080"
sslProtocol="TLS"/>
The direct connection to HTTPS web service works fine.
But when I call it through the Load Balancer, it is failing because current health check fails (so it thinks that web service is down).
If this health check passes, the Load balancer will simply forward the request to Tomcat server.
Current health check is just calling HTTPS GET method and expects a 200 OK.
I know I can get this resolved by installing the certs on the Load balancer but I don't want to do that because I just need to verify:
1) If the box is up and running
2) if the tomcat server is up and running
Is it possible to have another web service running at the same time on the same tomcat server which can be called by HTTP GET (no SSL)? which I can add it in the Load Balancer health check?
Yes, it is possible. But not on same port.
You have to configure another connector.
I am configuring ssl self signed certificate on tomcat server using centos on amazon ec2 platform and facing some issues. I step by step follow the following tutorial.
http://tecadmin.net/configure-ssl-certificate-in-tomcat/#
but when open my url https://ec2-52-57-105-24.eu-central-1.compute.amazonaws.com:8443/ it says "The site cannot be reached" where as the https://ec2-52-57-105-24.eu-central-1.compute.amazonaws.com/ without 8443 port works fine. Can anybody please tell me what is basically the issue with the tomcat 8443 port. In my server.xml I am using the following configuration.
<Connector port="8443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
SSLEnabled="true"
scheme="https"
secure="true"
sslProtocol="TLS"
keystoreFile="/etc/pki/keystore"
keystorePass="_password_" />
Any help would be highly appreciated. Thanks.
Ideally its perfect to access without port (443) for HTTPS.
But still if you want access the URL with port number, you can make your URL re-direct from 443 to 8443, you can make use of IPTABLES and make it work it.
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
sudo /sbin/iptables save
1/
Install the latest version of tomcat (8.0.28) and run it on java 8 (I'm using the 1.8.0_45 / 64-Bit version).
I'm running the Tomcat on a Windows 7 64-Bit
2/ Enable SSL on Tomcat:
Activate SSL by creating a keystore and uncommenting the https connector in the server.xml file, add
keystoreFile="" keystorePass=""
to the connector.
FYI: here is my connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="password"
keystoreFile="/path/to/my/keystore" />
3/ Install Fiddler (www.telerik.com/fiddler) or any other tool to sniff the traffic between your host and the server, the fiddler should run on your host. I did my screen shots with Fiddler.
4/
Go to tools/options/https and check "enable decrypt".
5/
Using Internet explorer 11 (chrome also works but as it compresses the websocket traffic it makes it harder to reach 8KB of data), access your tomcat remotely using https and open the example app at https://server:8443/examples/websocket/echo.xhtml
choose "Programmatic API", hit "Connect", then send a small test message
on fiddler, double click on the websocket session and look at the result in the websocket tab.
Now, try to send a large text of say 20KB, you'll see that the reply is split in frames of 8KB marked "Continuation". There should be a frame marked "Final" which is missing at this point.
Send another small message so that the missing frame is flushed.
Important:
If I connect to a Tomcat running locally on my host I do not reproduce this issue.
If I do not use SSL, I do not reproduce this issue.
Questions:
- why such behavior, did anyone experience the same thing ?
- how to properly troubleshoot this issue ?
- I tried to enable the Tomcat logging but nothing interesting in the logging: org.apache.tomcat.websocket.level = FINE
The issue is apparently OS related:
When Tomcat is on Windows 7 it does not work
When Tomcat is on Windows 10 it works
When Tomcat is on Windows Server 2012 R2 it works
In short this issue a combination of OS (some versions of windows) / SSL and WebSockets.
The "dirty" workaround I found for now is to send a last message to flush the buffer since I have access to the code of the server side.
please let me knwo if you faced such issue as this could be something related to the SSL handshake for some specific windows versions and I don't knwo how to trouble shoot that.
I am using tomcat 5.5 and configured keystore and added this connector inside server.xml file
<Connector port="443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true";
clientAuth="false" sslProtocol="TLS"/>
But I am not sure why when I type in https://locahost the browser tells me "This program cannot display the webpage".
Did you check Tomcat's logs?
Perhaps the connector could not start up.
Perhaps Tomcat could not read or find the .keystore you configured.
Perhaps the .keystore has a password which Tomcat does not know about.
Perhaps another process is already bound to that port.
The logs will probably tell you exactly which of these is going on.
Possibly you have your browser configured to use a web proxy. In this case, make sure that localhost and 127.0.0.1 are exceptions to using this proxy under the browser's preferences or options. ALSO make sure that localhost is mapped to 127.0.0.1 in your /etc/hosts file. Which in windows is under \WINDOWS\system32\drivers\etc\hosts.
Try to add the port
localhost :443