Cyclos Docker SSL Implementation for tomcat

#1

I have configured tomcat inside a docker container as follows

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="my.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I restarted the docker container, but it is not accessible via https.

my.jks is stored inside the tomcat/conf directory.

I configured the docker container as follows:

docker run -d \
    --name=nameofcontainer \
    -p 80:8080 \
    -p 443:8443 \
    --net=cyclos-net \
    --cap-add=NET_ADMIN \
    -e DB_HOST=cyclos-db \
    -e DB_NAME=cyclos \
    -e DB_USER=cyclos \
    -e DB_PASSWORD=cyclos \
    image-id

#2

Hi muazzamazaz, welcome to the community.

Can you show me the output of curl -viL ${DOCKER_IP_ADDR} against the container on ports 80 and 443?

Your configuration looks very similar to this blog post; I assume this is what you followed? https://mvysny.github.io/Lets-Encrypt-with-Docker-Tomcat/

Another possible config to look at would be https://github.com/AtomGraph/letsencrypt-tomcat

#3

root@4b0535d06a77:/usr/local/cyclos# curl -viL ${DOCKER_IP_ADDR}
curl: no URL specified!

#4

I just installed certbot and set the paths of the .pem files in server.xml. After that I restarted the docker container. As far as I can see, tomcat is installed in the docker cyclos container, but I am not able to access it as a service.

#5

I have tried to connect via telnet on ports 80 and 8443, but only port 80 works.

https://members.kentuckianatrade.com:8443/

#6

Hi @muazzamazaz,

Inside the container the example ${DOCKER_IP_ADDR} variable should be 127.0.0.1. Outside the container it should be something like

$ sudo docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' sdf1234
172.17.0.2

What do your catalina logs say about the TLS configuration, or when you try to access port 8443? Inside the container, do you see a process bound to port 8443 (netstat -plunt)?

Can you try configuring tomcat per the document at https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html? The doc states you should include at least scheme="https" in your connector options.

#7

After commenting out this connector it works, as two different SSL protocols were configured on the same port.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="my.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

SSL Implementation - Server Fault Post

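The thread ends with the cause found by hand: two connectors bound to port 8443. The following is an added example, not code from Cyclos, Tomcat or any post above, that checks a server.xml for exactly that, plus the scheme="https" caveat from post #6 and certificate paths that do not exist. Tomcat resolves relative certificateKeystoreFile paths against $CATALINA_BASE, so a keystore kept in conf/ must be written as conf/my.jks rather than my.jks. The two server.xml fragments, the CATALINA_BASE of /usr/local/tomcat and the set of "present" files are constructed so the check runs offline; only the lint function itself is meant for reuse against a real file.

```python
"""Lint a Tomcat server.xml for the misconfigurations discussed in this thread.

Added example, not Cyclos or Tomcat code. Findings it raises:
  * two <Connector> elements bound to the same port (the cause in post #7)
  * an SSLEnabled connector without scheme="https" (the caveat in post #6)
  * certificate/keystore paths that do not exist; relative paths are resolved
    against CATALINA_BASE, as Tomcat does.
"""
import os
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed fragment mirroring the first post: two connectors on 8443 and a
# keystore referenced by bare file name.
BROKEN_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="my.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed corrected fragment: a single TLS connector with absolute PEM paths.
FIXED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Assumed CATALINA_BASE and a constructed view of which files exist in the
# container, so the check runs without a filesystem. my.jks sits in conf/.
CATALINA_BASE = "/usr/local/tomcat"
PRESENT_FILES = {
    "/usr/local/tomcat/conf/my.jks",
    "/etc/letsencrypt/live/example.com/privkey.pem",
    "/etc/letsencrypt/live/example.com/cert.pem",
    "/etc/letsencrypt/live/example.com/chain.pem",
}

CERT_ATTRS = ("certificateKeystoreFile", "certificateKeyFile",
              "certificateFile", "certificateChainFile")


def lint_server_xml(xml_text, catalina_base, path_exists=os.path.exists):
    """Return a list of (severity, message) findings for a server.xml string."""
    findings = []
    by_port = defaultdict(list)          # port -> protocols of connectors bound to it
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        by_port[port].append(conn.get("protocol", "HTTP/1.1"))
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        if conn.get("scheme") != "https":
            findings.append(("warn", f'port {port}: SSLEnabled connector without scheme="https"'))
        for cert in conn.iter("Certificate"):
            for attr in CERT_ATTRS:
                value = cert.get(attr)
                if value is None:
                    continue
                # Tomcat resolves relative paths against CATALINA_BASE, not conf/.
                resolved = value if os.path.isabs(value) else os.path.join(catalina_base, value)
                if not path_exists(resolved):
                    findings.append(("error", f"port {port}: {attr}={value} resolves to {resolved}, which does not exist"))
    for port, protocols in by_port.items():
        if len(protocols) > 1:
            findings.append(("error", f"port {port} bound by {len(protocols)} connectors: {', '.join(protocols)}"))
    return findings


def lint_sample(xml_text=BROKEN_SERVER_XML):
    """Run the lint against a constructed fragment with the constructed file view."""
    return lint_server_xml(xml_text, CATALINA_BASE, PRESENT_FILES.__contains__)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"== {label} ==")
        for severity, message in lint_sample(text) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

Against a real container, call lint_server_xml with the file contents and the container's CATALINA_BASE (for the official tomcat image that is /usr/local/tomcat) and the default os.path.exists. The duplicate-port finding is the one that explains this thread: Tomcat logs a bind failure for the second connector and the port never answers, which is what the telnet test in post #5 showed.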