It's been almost 12 years since I started using Apache Tomcat. I believe my first undergraduate project was on Tomcat version 1.x; now it's already at version 8.0. I've mostly worked with Tomcat Server in my daily work life and simply can't live without it. On Crunchify we have already published almost 40 articles on Apache Tomcat.
To install and configure SSL support on Tomcat 5, you need to follow these simple steps. For more information, read the rest of this HOW-TO. Create a keystore file to store the server's private key and self-signed certificate by executing the following command: Windows.
Use Java's Keytool to create a CSR and install your SSL/TLS certificate on your Tomcat (or other Java-based) server
Mar 30, 2021
Using name-based virtual hosts on a secured connection requires careful configuration of the names specified in a single certificate, or Tomcat 8.5 onwards, where Server Name Indication (SNI) support is available. SNI allows multiple certificates with different names to be associated with a single TLS connector.
Purpose: SSL/TLS Certificate Installation Guide for Tomcat Version 8.5+. Skip to Installation.
Need Certificate Signing Request (CSR) help? Tomcat uses Keytool to create a CSR. You can use our Keytool CSR command Builder here to help you get started. For help using the Keytool CSR command Builder, read this article here. After you have obtained the command to use to create the CSR from the command.
This allows Tomcat 8.5 to use the newer Checkstyle releases while still building with Java 7. (markt) 63285: Add an option to service.bat so that when installing a Windows service, the name of the executables used by the Windows service may be changed to match the service name.
Use these instructions to generate your certificate signing request (CSR) and install your SSL/TLS certificate on your Tomcat server using Java's Keytool.
Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.
To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with Java Keytool.
To install your SSL certificate, see Tomcat Server: Install and Configure Your SSL/TLS Certificate.
To view these instructions in Spanish, see CSR para Tomcat and Tomcat Instalar Certificado SSL.
If you are looking for a simpler way to create CSRs, and install and manage your SSL/TLS certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and prepare your SSL/TLS certificate file for installation on your Tomcat server. See Tomcat: Create CSR & Install SSL/TLS Certificate with the DigiCert Utility.
I. Tomcat Server: Create Your CSR with Java's Keytool
Use the instructions in this section to create a new keystore (.jks) file and to generate your CSR.
Recommended Method: Use the DigiCert Java Keytool CSR Wizard
Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR.
Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.
The Java keytool utility creates both your private key and your certificate signing request, and saves them to two files: your_common_name.jks, and your_common_name.csr.
You can then copy the contents of the CSR file and paste it into the CSR text box in our order form.
Skip to Step 2, part 3: Save and Back-up Your Keystore File.
Do you prefer a more manual approach to generating your Tomcat keystore and CSR? Follow the instructions below.
Step 1: Use Keytool to Create a New Keystore
Important: We recommend you generate a new keystore following the process outlined in this section. Installing a new certificate into an old keystore often ends in installation errors or the SSL/TLS certificate not working properly. Before you begin this process, back up and remove any old keystores.
Run Command
Navigate to the directory where you plan to manage your keystore and SSL/TLS certificate.
Enter the command below.
In the command above, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate. When ordering a Wildcard certificate, do not include the asterisk (*) in the filename (e.g., your_site_name). The asterisk is not a valid keytool character.
Create a Password
When prompted, create a password for your Keystore.
Note: You will specify this password in your Tomcat configuration file and then use it to generate your CSR and to import your certificate.
Store this password somewhere safe, such as a trusted and secured password manager.
Enter your SSL/TLS certificate information.
Important: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com). Are you ordering a Wildcard Certificate? Then your FQDN must begin with an asterisk (*) (e.g., *.yourdomain.com).
Enter your Organization information.
When prompted to verify your information, type y or yes to confirm.
When asked for a 'key password for ', press enter to use the password you just created for the keystore file.
Your keystore file, your_site_name.jks, is now created and in your current working directory.
Step 2: Generate a Certificate Signing Request (CSR) from your New Keystore
Run Command
In Keytool, type the following command:
In the command above, your_site_name should be the name of the keystore file you created in Step 1: Use Keytool to Create a New Keystore or when using the DigiCert Java Keytool CSR Wizard.
When prompted, enter the password you created earlier (when you created your new keystore).
In your current directory, csr.txt (e.g., your_site_domain.txt) now contains your CSR.
Save and Back-up Your Keystore File
Take note of the path to your keystore file (your_site_domain.jks) as your SSL/TLS certificate will be installed to it later.
We recommend that you create a back-up copy of your Keystore file (your_site_domain.jks) before continuing. Having a back-up of the Keystore file can help resolve issues that may occur during SSL/TLS certificate installation.
Order Your SSL/TLS Certificate
Open the .csr file you created with a text editor.
Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
Make sure that when you Select Server Software, you select Tomcat.
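As an added example (not DigiCert's wizard and not Tomcat code), the Python below builds the keytool command lines for Step 1 and Step 2 following the naming rules stated above, and checks a saved CSR file for the BEGIN/END tags and a decodable body before it is pasted into the order form. The alias name "server", the 2048-bit RSA key size and the helper names are assumptions, and the sample CSR body is constructed.

```python
"""Build the keytool commands for the keystore + CSR procedure above and
sanity-check the resulting CSR file. Added example; alias, key size and
helper names are assumptions, the sample CSR is constructed."""
import base64
import binascii
import shlex

ALIAS = "server"  # assumed alias; if you set keyAlias on the Connector it must match

CSR_BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
CSR_END = "-----END NEW CERTIFICATE REQUEST-----"


def keystore_filename(site_name):
    """Keystore filename for a site. A wildcard's leading '*.' is dropped
    because the asterisk is not a valid keytool filename character (Step 1)."""
    base = site_name[2:] if site_name.startswith("*.") else site_name
    if "*" in base:
        raise ValueError("an asterisk is only allowed as the leading '*.' of a wildcard")
    return base + ".jks"


def _rdn_escape(value):
    """Escape the characters that would otherwise split or terminate an RDN
    in the -dname string (RFC 4514), e.g. the comma in 'Acme, Inc.'."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)


def genkeypair_cmd(fqdn, org, city, state, country, keysize=2048):
    """Step 1: keytool -genkeypair creates the private key and a self-signed
    certificate in a NEW keystore. CN is the FQDN (with '*.' for a wildcard),
    never a person's name. The store password is deliberately not passed as
    -storepass so keytool prompts for it instead of leaving it in shell history."""
    if len(country) != 2:
        raise ValueError("C= must be a two-letter country code")
    dname = ", ".join([f"CN={_rdn_escape(fqdn)}", f"O={_rdn_escape(org)}",
                       f"L={_rdn_escape(city)}", f"ST={_rdn_escape(state)}",
                       f"C={country}"])
    return ["keytool", "-genkeypair", "-alias", ALIAS, "-keyalg", "RSA",
            "-keysize", str(keysize), "-keystore", keystore_filename(fqdn),
            "-dname", dname]


def certreq_cmd(fqdn, out_file="csr.txt"):
    """Step 2: keytool -certreq writes the PEM CSR for the key stored under ALIAS."""
    return ["keytool", "-certreq", "-alias", ALIAS, "-file", out_file,
            "-keystore", keystore_filename(fqdn)]


def shell_line(argv):
    """Render an argv list as a safely quoted line for copy-and-paste."""
    return " ".join(shlex.quote(a) for a in argv)


def check_csr_pem(text):
    """Validate a CSR file before it is pasted into an order form: both tags
    present and the body decodes from base64 to a DER SEQUENCE (0x30).
    Returns the DER bytes; raises ValueError on a truncated or mangled copy."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != CSR_BEGIN or lines[-1] != CSR_END:
        raise ValueError("missing BEGIN/END NEW CERTIFICATE REQUEST tags")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"CSR body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded CSR is not a DER SEQUENCE")
    return der


# Constructed sample CSR: the body is a tiny hand-made DER SEQUENCE, not a real request.
SAMPLE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MAMCAQU=
-----END NEW CERTIFICATE REQUEST-----
"""

if __name__ == "__main__":
    print(shell_line(genkeypair_cmd("*.example.com", "Acme, Inc.", "Springfield", "IL", "US")))
    print(shell_line(certreq_cmd("*.example.com")))
    print(len(check_csr_pem(SAMPLE_CSR)), "DER bytes in sample CSR")
```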
Tomcat SSL/TLS Certificates, Guides, & Tutorials
After you've received your SSL/TLS certificate from DigiCert, you can install it on your Tomcat server.
Tomcat works and our application works etc. with the basic server.xml config, but when I add in the SSL info the Tomcat service stops and throws an error. Is SSL configured differently in 8.5?
This is what I had in the Tomcat 7 server.xml and was working prior to upgrade. I am trying it in the tomcat 8.5 server.xml and tomcat will not start.
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS. Either JSSE or OpenSSL style configuration may be used.
     OpenSSL style configuration is used below. -->
<Connector port='8443' protocol='org.apache.coyote.http11.Http11AprProtocol'
           maxThreads='200' scheme='https' secure='true' SSLEnabled='true'
           keystoreFile='C:PATHname_keystore' keystorePass='changeit!'
           clientAuth='false' sslProtocol='TLS'>
    <UpgradeProtocol className='org.apache.coyote.http2.Http2Protocol' />
I have tried with this section both commented and un-commented:
    <!--
    <SSLHostConfig>
        <Certificate certificateKeyFile='C:PATHname_keystore.jks'
                     certificateFile='C:PATHname_keystore.jks'
                     certificateChainFile='C:PATHname_keystore.jks'
                     type='RSA' />
    </SSLHostConfig>
    -->
</Connector>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port='8009' protocol='AJP/1.3' redirectPort='8443'/>
Error:
2017-06-14 09:57:13 Commons Daemon procrun stdout initialized
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback.groovy]
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
09:57:14,280 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/E:/opt/Tomcat%208.5/bin/logback-config/logback.xml]
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.ContextNameAction - Setting logger context name as [TC]
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.LoggerContextListenerAction - Adding LoggerContextListener of type [ch.qos.logback.classic.jul.LevelChangePropagator] to the object stack
09:57:14,358 |-INFO in ch.qos.logback.classic.jul.LevelChangePropagator@7cbd213e - Propagating DEBUG level on Logger[ROOT] onto the JUL framework
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.LoggerContextListenerAction - Starting LoggerContextListener
09:57:14,358 |-INFO in ch.qos.logback.classic.joran.action.JMXConfiguratorAction - begin
09:57:14,374 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]
09:57:14,374 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - Naming appender as [STDOUT]
09:57:14,389 |-INFO in ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type [ch.qos.logback.classic.encoder.PatternLayoutEncoder] for [encoder] property
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.action.RootLoggerAction - Setting level of ROOT logger to INFO
09:57:14,421 |-INFO in ch.qos.logback.classic.jul.LevelChangePropagator@7cbd213e - Propagating INFO level on Logger[ROOT] onto the JUL framework
09:57:14,421 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction - Attaching appender named [STDOUT] to Logger[ROOT]
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.action.ConfigurationAction - End of configuration.
09:57:14,421 |-INFO in ch.qos.logback.classic.joran.JoranConfigurator@1ee807c6 - Registering current configuration as safe fallback point
2017-06-14 09:57:14,421 TC WARN [main] org.apache.tomcat.util.net.SSLHostConfig - The property [Certificate.certificateKeystoreFile] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC WARN [main] org.apache.tomcat.util.net.SSLHostConfig - The property [Certificate.certificateKeystorePassword] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC WARN [main] org.apache.tomcat.util.net.SSLHostConfig - The property [sslProtocol] was set on the SSLHostConfig named [_default_] and is for connectors of type [JSSE] but the SSLHostConfig is being used with a connector of type [OPENSSL]
2017-06-14 09:57:14,436 TC ERROR [main] org.apache.tomcat.util.digester.Digester - End event threw exception
java.lang.reflect.InvocationTargetException: null
Do I need to configure the SSLHostConfig section? And can I put in the full path to the .jks file or does it need to be in the conf dir? (E:keystorekey.jks)
<Connector port='8443' protocol='org.apache.coyote.http11.Http11NioProtocol'
           maxThreads='200' scheme='https' secure='true' SSLEnabled='true'
           keystoreFile='E:keystorekey.jks' keystorePass='changeit!'
           clientAuth='false' sslProtocol='TLS'>
</Connector>
<!--
<SSLHostConfig>
    <Certificate certificateKeystoreFile='conf/localhost-rsa.jks' type='RSA' />
</SSLHostConfig>
</Connector>
-->
16-Jun-2017 16:56:05.309 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.2.12 using APR version 1.5.2.
16-Jun-2017 16:56:05.309 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
16-Jun-2017 16:56:05.309 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
16-Jun-2017 16:56:05.965 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.2k 26 Jan 2017)
16-Jun-2017 16:56:06.121 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ['http-nio-8443']
16-Jun-2017 16:56:06.246 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
16-Jun-2017 16:56:06.246 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ['https-openssl-nio-8443'] connector has been configured to support negotiation to [h2] via ALPN
16-Jun-2017 16:56:06.246 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ['https-openssl-nio-8443']
16-Jun-2017 16:56:06.246 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ['https-openssl-nio-8443']
 java.net.BindException: Address already in use: bind
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Unknown Source)
    at sun.nio.ch.Net.bind(Unknown Source)
    at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
    at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:972)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:968)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
16-Jun-2017 16:56:06.246 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:970)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.net.BindException: Address already in use: bind
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Unknown Source)
    at sun.nio.ch.Net.bind(Unknown Source)
    at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
    at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:972)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:968)
    ... 13 more
Quincy Schmidt wrote: From the log file:
16-Jun-2017 16:56:06.246 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ['https-openssl-nio-8443'] java.net.BindException: Address already in use: bind
That means that something is already running on the same port (8443). Did you shutdown any previous instance of Tomcat?
To find out what's running on that port you can run netstat -ban as Administrator (on Linux it's netstat -plan), then search for the port.
Rob Spoor wrote:
Quincy Schmidt wrote: From the log file:
16-Jun-2017 16:56:06.246 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ['https-openssl-nio-8443'] java.net.BindException: Address already in use: bind
That means that something is already running on the same port (8443). Did you shutdown any previous instance of Tomcat?
To find out what's running on that port you can run netstat -ban as Administrator (on Linux it's netstat -plan), then search for the port.
Thank you for the reply! I changed port 8080 to 8443 as a test. Having changed it back the bind error no longer comes up.
<Connector port='8080' protocol='HTTP/1.1' connectionTimeout='20000' redirectPort='8443'/>
Finally got it figured out!
Tomcat7:
<Connector port='8443' protocol='org.apache.coyote.http11.Http11Protocol' maxThreads='200' scheme='https' secure='true' SSLEnabled='true' keystoreFile='E:keystorekeystore_12292016' keystorePass='changeit!' clientAuth='false' sslProtocol='TLS' />
Tomcat8:
Not sure if this is needed or not, but after reading another forum post I commented out line 28:
SSL Config:
<Connector port='8443' protocol='org.apache.coyote.http11.Http11NioProtocol'
           maxThreads='200' scheme='https' secure='true' SSLEnabled='true'
           keystoreFile='E:keystorekeystore_TC8.jks'    <-- needed .jks
           keystorePass='changeit!' clientAuth='false' sslProtocol='TLS'>
    <UpgradeProtocol className='org.apache.coyote.http2.Http2Protocol' />    <-- Added this line
</Connector>
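As an added example (not Tomcat's own validation and not code from anyone in this thread), the Python below lints the Connector elements of a server.xml for the three problems the thread ran into: JSSE-style keystore attributes on an APR/OpenSSL connector (the "is for connectors of type [JSSE]" warnings), two connectors bound to the same port (the BindException), and the well-known default keystore password. The attribute list and both sample configurations are constructed here.

```python
"""Lint Tomcat 8.5 <Connector> elements for the failures seen in the thread
above. Added example, not Tomcat's own checks; attribute list and sample
server.xml fragments are constructed."""
import xml.etree.ElementTree as ET
from typing import List

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# Connector attributes that Tomcat 8.5 maps onto the JSSE SSLHostConfig/Certificate
# properties; on an APR (OpenSSL) connector they are ignored with a warning and
# the connector then fails to initialise, exactly as in the first log above.
JSSE_ONLY = ("keystoreFile", "keystorePass", "keystoreType", "keyAlias",
             "keyPass", "sslProtocol", "truststoreFile", "truststorePass")
KNOWN_DEFAULT_PASSWORDS = ("changeit",)  # JDK cacerts default, copied into many examples


def lint_connectors(server_xml: str) -> List[str]:
    """Return one finding per problem, in document order; empty list = clean."""
    root = ET.fromstring(server_xml)
    findings, ports = [], {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")
        label = f"Connector port={port} protocol={proto}"
        # Two connectors on one port: the second one dies with BindException.
        if port in ports:
            findings.append(f"{label}: port {port} already used by the {ports[port]} "
                            "connector; Tomcat will fail with 'Address already in use'")
        else:
            ports[port] = proto
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # JSSE attributes on the APR connector: the Tomcat 7 config that broke on 8.5.
        if proto == APR_PROTOCOL:
            bad = [a for a in JSSE_ONLY if a in conn.attrib]
            if bad:
                findings.append(f"{label}: JSSE-only attribute(s) {bad} on an APR/OpenSSL "
                                "connector; switch to Http11NioProtocol or use OpenSSL-style "
                                "SSLHostConfig/Certificate attributes")
        # A default password on the keystore protects nothing; also keep server.xml
        # readable only by the service account, since the password sits in clear text.
        pw = conn.get("keystorePass", "")
        if any(pw.lower().startswith(k) for k in KNOWN_DEFAULT_PASSWORDS):
            findings.append(f"{label}: keystorePass is a well-known default; set a unique "
                            "password and restrict read access to server.xml")
    return findings


# Constructed sample mirroring the thread: plain connector moved to 8443 plus the
# Tomcat 7 style APR connector. Path and password are placeholders.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="C:/PATH/name_keystore.jks" keystorePass="changeit!"
             clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed corrected sample: distinct ports, NIO connector, placeholder password.
FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="E:/keystore/keystore_TC8.jks" keystorePass="REPLACE-WITH-UNIQUE-PASSWORD"
             clientAuth="false" sslProtocol="TLS">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for finding in lint_connectors(SAMPLE_SERVER_XML):
        print("BROKEN:", finding)
    print("FIXED findings:", lint_connectors(FIXED_SERVER_XML))
```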
To get the certificate working, did you need to follow all these steps?
https://cas.hgtc.edu/docs/ssl-howto.html
Any of these particularly problematic?
I'm going to tackle SSL in Tomcat issue this coming week once I figure out which cert to get.
Thanks,
- mike
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
Knute Snortum wrote: That URL seems to be an out-of-date version of this:
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
Thanks, will update my link, thank you. If I get my certificate files for Apache, it looks like I skip to:
1. Modify the Tomcat config files, and
2. The Step: 'Installing a Certificate from a Certificate Authority'
Thanks,
- Mike