Debian 9 Tomcat 9 Let's Encrypt SSL config

Tags: ssl, pem, tomcat

It drives me nuts now.

I have created symlinks to the PEM files. I made the PEM files readable for the tomcat user. I set server.xml to use SSL. And the connector fails to start.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               clientAuth="false"
               sslProtocol="TLS"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               defaultSSLHostConfigName="mydomain.com">
        <SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
            <Certificate
                certificateKeyFile="conf/privkey.pem"
                certificateFile="conf/cert.pem"
                certificateChainFile="conf/chain.pem"
                type="UNDEFINED"
            />
        </SSLHostConfig>
    </Connector>

I did try to change the type to RSA, to no avail. All I see in the log is:

02-Jan-2021 17:40:54.398 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
02-Jan-2021 17:40:54.466 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
                ... some lines removed
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
        Caused by: java.lang.IllegalArgumentException
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
                ... some lines are removed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
                ... 13 more
        Caused by: java.io.IOException
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
                at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                ... 20 more

I've checked the SSLUtilBase.java code (tomcat 9.0.33):

            if (certificate.getCertificateFile() == null) {
                throw new IOException(sm.getString("jsse.noCertFile"));
            }

I did try to copy the files instead of using symlinks, to no avail. I removed the comments from the cert files, to no avail. It seems Tomcat cannot find the files I've specified in server.xml.

What am I missing?

Asked by Ivan Ketler, Jan 30 '26 05:01

1 Answer

Whenever you use one of the deprecated properties on a connector, Tomcat creates an <SSLHostConfig> element with hostName="_default_" and a <Connector> element inside it. The error is caused by the lack of the certificateFile on this particular element.

Remove the deprecated attributes (clientAuth, sslProtocol) from the <Connector> element and everything should work.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               defaultSSLHostConfigName="mydomain.com">
        <SSLHostConfig hostName="mydomain.com" protocols="TLSv1+TLSv1.1+TLSv1.2">
            <Certificate
                certificateKeyFile="conf/privkey.pem"
                certificateFile="conf/cert.pem"
                certificateChainFile="conf/chain.pem"
                type="UNDEFINED"
            />
        </SSLHostConfig>
    </Connector>

Remark: the sslProtocol attribute is a characteristic of JSSE and should always be left at the default value (TLS).

Answered by Piotr P. Karwasz, Feb 01 '26 23:02
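As an added example (not code from the question, the answer, or Tomcat itself), the following Python script lints the SSL connectors of a server.xml for the two conditions discussed above: deprecated SSL attributes left on the `<Connector>` (which Tomcat applies to the default `SSLHostConfig`, so with only a named host config declared an extra, certificate-less `_default_` one is created), and an `SSLHostConfig` whose `<Certificate>` has neither `certificateFile` nor `certificateKeystoreFile`, the `jsse.noCertFile` path the question's stack trace hit. It also warns about `protocols` lists that still enable TLSv1 and TLSv1.1, which both connector snippets on this page do and which RFC 8996 deprecates. Assumptions: Tomcat 9 semantics as described, a partial list of deprecated attribute names, relative certificate paths resolved against `$CATALINA_BASE`, and a hypothetical hardened variant of the answer's connector (`HARDENED_XML`) constructed here for comparison.

```python
"""Lint the SSL connectors in a Tomcat 9 server.xml (added example, not from the page).

Checks every <Connector SSLEnabled="true"> for:
  * deprecated Connector-level SSL attributes (clientAuth, sslProtocol, keystoreFile, ...),
    which Tomcat applies to the default SSLHostConfig; with only named host configs
    declared, that yields an implicit, certificate-less "_default_" config;
  * an SSLHostConfig whose <Certificate> has neither certificateFile nor
    certificateKeystoreFile (the jsse.noCertFile path quoted in the question);
  * a defaultSSLHostConfigName that names no SSLHostConfig;
  * protocol lists that still enable TLSv1 / TLSv1.1 (deprecated by RFC 8996).
Tomcat resolves relative certificate paths against $CATALINA_BASE.
"""
import re
import xml.etree.ElementTree as ET

# Partial list (assumption) of Connector attributes Tomcat 8.5/9 still accept
# but route to the default SSLHostConfig instead of the connector itself.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "sslProtocol", "clientAuth", "ciphers", "sslEnabledProtocols", "keystoreFile",
    "keystorePass", "keystoreType", "keyAlias", "keyPass", "truststoreFile",
    "truststorePass", "truststoreType", "SSLCertificateFile", "SSLCertificateKeyFile",
    "SSLCertificateChainFile", "SSLVerifyClient", "SSLProtocol", "SSLCipherSuite",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_protocols(value):
    """Expand a `protocols` attribute ("+TLSv1,+TLSv1.2", "TLSv1.2+TLSv1.3", ...)
    into the set of enabled names; a "-" prefix excludes. "all" is kept verbatim
    because its expansion depends on the Tomcat version."""
    enabled, excluded = set(), set()
    for token in re.split(r"[,+\s]+", value.strip()):
        if token.startswith("-"):
            excluded.add(token[1:])
        elif token:
            enabled.add(token)
    return enabled - excluded


def lint_connectors(server_xml):
    """Return [(severity, message), ...] for a full server.xml or a bare <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        host_configs = conn.findall("SSLHostConfig")
        names = {hc.get("hostName", "_default_") for hc in host_configs}
        default_name = conn.get("defaultSSLHostConfigName", "_default_")

        deprecated = sorted(a for a in conn.attrib if a in DEPRECATED_CONNECTOR_SSL_ATTRS)
        if deprecated:
            # Which host config receives them depends on attribute order in the XML;
            # with named configs declared and no "_default_", Tomcat ends up with an
            # extra "_default_" config that has no certificate and fails to initialize.
            sev = "ERROR" if host_configs and "_default_" not in names else "WARN"
            findings.append((sev, f"port {port}: deprecated Connector attributes "
                             f"{deprecated} belong in <SSLHostConfig>/<Certificate>"))
        effective = names | ({"_default_"} if deprecated else set())
        if default_name not in effective:
            findings.append(("ERROR", f"port {port}: defaultSSLHostConfigName "
                             f"'{default_name}' matches no SSLHostConfig"))

        for hc in host_configs:
            name = hc.get("hostName", "_default_")
            certs = hc.findall("Certificate")
            if not any(c.get("certificateFile") or c.get("certificateKeystoreFile")
                       for c in certs):
                findings.append(("ERROR", f"port {port}: SSLHostConfig '{name}' has no "
                                 "<Certificate> with certificateFile/certificateKeystoreFile"))
            legacy = sorted(parse_protocols(hc.get("protocols", "all")) & LEGACY_PROTOCOLS)
            if legacy:
                findings.append(("WARN", f"port {port}: SSLHostConfig '{name}' enables "
                                 f"legacy protocols {legacy}"))
    return findings


# The connector from the question (deprecated attributes still on <Connector>).
QUESTION_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
    defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
    <Certificate certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem"
                 certificateChainFile="conf/chain.pem" type="UNDEFINED"/>
  </SSLHostConfig>
</Connector>"""

# Hypothetical hardened variant of the answer's connector (constructed here):
# deprecated attributes removed and the protocol list limited to TLS 1.2/1.3.
HARDENED_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
    defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem"
                 certificateChainFile="conf/chain.pem"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for label, xml in (("question", QUESTION_XML), ("hardened", HARDENED_XML)):
        for sev, msg in lint_connectors(xml):
            print(f"[{label}] {sev}: {msg}")
```

Run against the question's connector it reports the `clientAuth`/`sslProtocol` attributes as the error and the TLSv1/TLSv1.1 list as a warning; the hardened variant produces no findings. Point it at a full `$CATALINA_BASE/conf/server.xml` with `lint_connectors(open(path).read())` before restarting Tomcat, since the startup log only shows the generic `IllegalArgumentException` seen above.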


