Example for a Tomcat 8.5 connector definition out there?

Hello,
I have a Tomcat 8.5 server on a Windows Server 2012 R2 Standard VM.
Successfully installed Certify the Web and generated a certificate for a domain.
Also in “Deployment Tasks” I can use “Deploy to Tomcat” to create the keystore with the certificate.
But I have trouble setting up a working connector entry in my Tomcat 8.5 server.xml configuration file.

Does someone have an example configuration file of a working server.xml connector definition?

Thank you for your support in advance. Rudolf

Hi Rudolf, configuring Tomcat to use SSL is out of scope for our application but from testing on my machine with Apache Tomcat 9.0, the following configuration worked to enable the certificate in Tomcat (in this example the certificate was automatically exported to C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\certs\test.pfx using the Deploy to Tomcat Deployment Task).

See also https://docs.certifytheweb.com/docs/deployment/tasks/tomcat for tips on how to restart the Tomcat service automatically after cert renewal.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate 
           certificateKeystoreFile="conf/certs/test.pfx" 
           certificateKeystoreType="pkcs12" 
           certificateKeystorePassword="" 
           sslProtocol="TLS"
           type="RSA" />
    </SSLHostConfig>
</Connector>

Hello webprofusion - Thank you for your example - I will try it ASAP. Rudolf

Hello webprofusion, I tried your connector definition but still get no working connector.
Searching for the failures in the error log file, it seems to be very important which Tomcat version is in use when it comes to HTTPS connectors.
Searched for: “java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain”
Regarding https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 in Comment 18 specific version numbers are mentioned:
quote on:
Fixed in:

  • master for 9.0.23 onwards
  • 8.5.x for 8.5.44 onwards
quote off

So may I ask you which is the exact version number of your Tomcat 9 server?
You only mentioned 9.0.

Best Regards - Rudolf

It would have been 9.0.31.

Hello - thank you for the detailed version number. Meanwhile I have asked the web author which Tomcat version is allowed for his webapp to work. 9.x is not allowed at all but he will update to the last available 8.5.x version and then I will fire another test run for the HTTPS connector.
Best Regards - Rudolf

Note also that you can use the various Deployment Task options to do things like a custom export of the certificate to different formats (such as Deploy to Generic Server). The Tomcat deployment task is trying to export as a PFX key/certificate store file but you can probably configure Tomcat to use .crt/pem/key files instead; PFX just happens to be the easiest because it’s one self-contained file.
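
The PEM-file variant mentioned in the reply above, as an added example that is not part of the original thread or of Certify's own documentation: the same connector written with Tomcat's `certificateFile`, `certificateKeyFile` and `certificateChainFile` attributes instead of a keystore. The three file names are placeholders for whatever a custom export task writes (assumptions, not paths from the thread), and the key file is assumed to be PEM-encoded.

```xml
<!-- Added example: PEM files instead of a PKCS#12 keystore.
     File names below are placeholders, not paths from this thread. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <!-- certificateFile:      the server (leaf) certificate, PEM
             certificateKeyFile:   the matching private key, PEM
             certificateChainFile: the intermediate CA certificate(s), PEM
             Relative paths are resolved against CATALINA_BASE, as with
             certificateKeystoreFile in the keystore example above.
             Add certificateKeyPassword only if the key file is encrypted. -->
        <Certificate
            certificateFile="conf/certs/example-cert.pem"
            certificateKeyFile="conf/certs/example-key.pem"
            certificateChainFile="conf/certs/example-chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>
```

With this layout the private key sits on disk as its own file, so restrict its NTFS permissions to the account the Tomcat service runs as.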

Hello webprofusion,

After updating the Tomcat server to version 8.5.57, your connector example worked perfectly. So it is really important which Tomcat version is in use! Thank you for your support!

Best regards - Rudolf
