How to configure Let's Encrypt with Tomcat

Hi everyone, I would like to configure Let's Encrypt with Tomcat.
Tomcat runs in a Docker container and nginx is on the host; before installing and running certbot, when I typed www.example.com in the browser the reverse proxy worked correctly and gave me the Tomcat screen as the default page.

After launching and executing certbot, the latter sees the directive with the server_name in the configuration file and gives me an OK result, generating the two certificates.

The problem is that when I go to the browser again, this message appears: "The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."

In my opinion it could be that we also need to configure Let's Encrypt in the Tomcat Docker container, and also configure the latter to communicate with the outside.

At this point a question arises: in this case, should I configure Let's Encrypt in the Tomcat Docker container, on nginx, or both?

I hope for an answer

Hello everybody

Hi @Erica95, and welcome to the LE community forum :slight_smile:

You need to review the reverse proxy settings.

3 Likes

Hello, thanks for the intervention. The reverse proxy worked before installing Let's Encrypt; the problem arose after installing Let's Encrypt.

1 Like

You have not explained how you obtained the cert. If you used the --nginx plug-in it will modify your nginx config. If that's the case you should review your nginx reverse proxy settings for that server block.

It sounds like there might be a faulty redirect. Maybe a redirect in your https server block that redirects to itself?

It is difficult to give advice when you have not answered many of the questions on the form you were shown.

No, you should not need a cert in tomcat if you are using nginx to proxy.

===========================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

I will explain in detail what I did, step by step:

  1. I installed nginx and configured the following simple directive (only this one, because I wanted to see if everything worked):

```
server {
    location / {
        proxy_pass http://x.x.x.x:8080;
    }
}
```

So far everything worked: it redirected me to the default Tomcat page.

  2. I mapped the IP x.x.x.x to the DNS name "example.com" on Aruba and everything worked, but we are still on HTTP.

  3. I installed certbot and, before running it, I added the server_name directive and a redirect to the previous block:

```
server {
    server_name example.com;
    return 301 https://$server_name$request_uri;
    location / {
        proxy_pass http://x.x.x.x:8080;
    }
}
```

(I also tried `https://$host$request_uri;`; it always gives me the error.)

  4. I ran sudo certbot --nginx, which obviously modifies the block by adding other directives and Let's Encrypt information.

  5. I tried to open the URL from the browser and it gives me the error:

"The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."

I'm sure I've got something wrong here, but these 5 steps are what I did.

That is not correct. You should remove the redirect (return 301 ...). It can't work until you have a cert and the https server block (port 443) configured. Certbot will setup this https server block for you as you are using the --nginx plug-in.

You are also missing a listen statement in that server block. This should be in that http server block:

```
listen 80;
```
3 Likes
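As an added illustration (not code from this thread), here is the check a browser performs before showing "The page isn't redirecting properly": follow the Location headers and stop as soon as a URL repeats or the hop budget runs out. The two server tables are constructed: one mimics the case the reply above suspects, where the https block still carries the hand-written `return 301` and so redirects to itself, the other the corrected setup where https is proxied.

```python
"""Walk an HTTP redirect chain and classify how it ends."""
from urllib.parse import urljoin

MAX_HOPS = 10  # browsers give up after a similar number of hops
REDIRECTS = (301, 302, 303, 307, 308)


def follow_redirects(fetch, url, max_hops=MAX_HOPS):
    """Return (outcome, chain); outcome is 'ok', 'loop' or 'too_many'.

    `fetch(url)` must return (status_code, location_header_or_None).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS:
            return "ok", chain
        nxt = urljoin(url, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:               # same URL again: redirect loop
            return "loop", chain
        seen.add(nxt)
        url = nxt
    return "too_many", chain


# Constructed stand-ins for the server: URL -> (status, Location header).
# Broken: the port-80 block redirects to https, and the https block still
# has `return 301 https://$server_name$request_uri;`, which nginx expands
# to the very URL being requested.
BROKEN = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "https://example.com/"),
}

# Fixed: the redirect lives only in the port-80 block; https proxies to Tomcat.
FIXED = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
}


def fake_fetch(table):
    """Build a fetch() that answers from a table; unknown URLs get a 404."""
    return lambda url: table.get(url, (404, None))


if __name__ == "__main__":
    print(follow_redirects(fake_fetch(BROKEN), "http://example.com/"))
    print(follow_redirects(fake_fetch(FIXED), "http://example.com/"))
```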

Hello, sorry for the delay. I tried to delete the line and it doesn't work; of course, when I deleted the line I ran the command "sudo certbot --nginx" again and reinstalled the certificate. The procedure does not give me any errors; it tells me that it was successful.

Do I need to add something to the nginx.conf file? At the moment I have this situation in the http block:

```
http {
    include /etc/nginx/mime.types;
    include /etc/nginx/sites-enabled/*;
    default_type application/octet-stream;
}
```

While, as a reminder, in the .conf file block in sites-available and sites-enabled I have this situation:

```
server {
    server_name example.com;
    location / {
        proxy_pass http://x.x.x.x:8080;
    }
}
```

The directive `listen 80;` is present in the code block below, generated by certbot after running it, because before running certbot I only had the previous code block; after running certbot, it creates the following blocks for me:

```
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name example.com;
}
```

Anyway, I also added the directive "listen 80;" in the initial server block; however the problem was not solved.

One last detail: before installing certbot, if I typed the IP address:80 in the browser, the redirect to Tomcat worked for me.

After installing certbot, as already mentioned above, if I type the DNS name it gives me a timeout;

Again after installing certbot, if I type http://ip-address/80 it gives me: "404 Not Found
nginx/1.23.2"

At this point I wonder if I have to set the proxy again in the block generated by certbot to make the DNS name work correctly, redirecting me to the Tomcat container?

I hope for other solutions

It sounds like you have some problems with the nginx server blocks. If you want help we need more info. Can you please upload the result of this command?

```
sudo nginx -T >config.txt
```

That is a capital T. Please do not change the domain names in the output. I think some important info is being lost when you try to describe just parts of your config but changing the names.

3 Likes

```
nginx: [warn] conflicting server name "example.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Yes, as I suspected there is a problem with your nginx config.

If you would please upload the config.txt file resulting from the command I showed we can help fix that.

If you cannot upload that txt file you can copy / paste the contents of that file here. In this case please put 3 backticks before and after the output like this:
```
contents of config.txt
```

4 Likes

"""

ubuntu@vpn:~$ sudo nginx -T >config.txt
nginx: [warn] conflicting server name "example.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

"""

In the meantime, thank you for your availability; however the command sudo nginx -T >config.txt prints its output on the command prompt in clear text, and the only lines that appear are the ones posted above.

That's because all the relevant lines are put into config.txt. See Mike's instructions above.

3 Likes
```
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    include      /etc/nginx/sites-enabled/*;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;
}
```
That is not output of the nginx -T command. You are only showing parts of your config and those do not show the problem.

And, you are using double-quotes instead of a backtick. On my keyboard the backtick is one key to the left of the number 1 key.

The below command should create a config.txt file. Please upload it. Or copy/paste the entire contents of that file with 3 backticks before and after. It will be a lot of output and uploading might be easier.

```
sudo nginx -T >config.txt
```
5 Likes

@Erica95 during a reply you can use the UP Arrow from computer Icon tool to upload a file.


4 Likes

config.txt (7.8 KB)

2 Likes

Other side note observations:
Using https://crt.sh/, here is the list of issued certificates (crt.sh | fantacalcalciomania.ns0.it), the most recent being 2022-11-17.

```
$ nmap 129.152.1.32
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-19 18:57 UTC
Nmap scan report for 129.152.1.32
Host is up (0.17s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
```

And again using https://crt.sh/ with ns0.it as the input, the list of issued certificates is at https://crt.sh/?q=ns0.it
Kind of looks like ns0.it should be on the Public Suffix List.

2 Likes

A minor problem is that you have two identical server blocks. You should remove one of them to avoid the error about "conflicting server name".

So, remove one of the below server blocks from /etc/nginx/sites-enabled/custom_server.conf file.

```
server {
    if ($host = fantacalcalciomania.ns0.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name fantacalcalciomania.ns0.it;
    return 404; # managed by Certbot
}
```

Then:

  • Run sudo nginx -t (lower case t) to see if the error went away.
  • And, run sudo systemctl reload nginx to refresh nginx config.

The main problem is you do not have port 443 open. As Bruce showed, you have ports 22, 80 and 8080 open but not 443. Port 443 is needed for HTTPS to work. Check your router or other network equipment to configure it like you did for these other ports.

Once port 443 is open, requests to your domain should work correctly. Do not use the IP address in your request. Just use your domain name in a browser.

Your nginx config will redirect HTTP requests to HTTPS. And, HTTPS requests will proxy to the IP in your proxy statement. However, you should change that IP to your local IP and not use the public IP. Then you can also block requests to port 8080 from the public internet so people cannot use HTTP to access your tomcat directly.

5 Likes
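For reference, an added example (not the poster's config and not Certbot's own output) of what the finished sites-enabled file looks like for this setup: the port 80 block only redirects, the port 443 block terminates TLS and proxies to Tomcat over the private network, and the forwarded headers tell Tomcat the original scheme. The Tomcat address 172.17.0.2 and the Docker port mapping are assumptions; the certificate paths follow Certbot's default layout for the domain in this thread.

```nginx
# /etc/nginx/sites-enabled/custom_server.conf  (added example, not the poster's file)

# Plain HTTP: only redirect to HTTPS. No proxy_pass here, so nothing is
# served over HTTP and there is no second redirect to create a loop.
server {
    listen 80;
    server_name fantacalcalciomania.ns0.it;
    return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and proxy to Tomcat. There must be no
# `return 301 https://...` in this block; that would redirect to itself.
server {
    listen 443 ssl;
    server_name fantacalcalciomania.ns0.it;

    # Paths Certbot uses by default for this domain (`certbot --nginx` writes them).
    ssl_certificate     /etc/letsencrypt/live/fantacalcalciomania.ns0.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fantacalcalciomania.ns0.it/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Assumed private address of the Tomcat container, never the public IP,
        # so traffic stays on the host and port 8080 can remain closed on the
        # cloud firewall (or publish it only locally: -p 127.0.0.1:8080:8080).
        proxy_pass http://172.17.0.2:8080;

        # Tell Tomcat who the client is and that the request arrived over HTTPS;
        # Tomcat's RemoteIpValve reads these so its own redirects and logs are right.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `sudo nginx -t` and reload with `sudo systemctl reload nginx` as described above; `sudo nginx -T` prints the whole merged config if you need to look for a second block with the same server_name and listen value.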

I had port 443 enabled on the host's linux system but not on the cloud; I thought I had it enabled. Now the link works I'm redirected to the tomcat container in https;

What I'm not clear about is why you say there are two blocks and I should delete one of them?
The following block:
```
server {
    if ($host = fantacalcalciomania.ns0.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name fantacalcalciomania.ns0.it;
    return 404; # managed by Certbot
}
```

certbot created it for me when I ran it.

2 Likes

I don't know how you got two identical server blocks. Something unusual happened as I have never seen Certbot do that.

It does create server blocks for https (port 443) based on your http server block (port 80). And, it can add redirects to your http server block as it did in your case.

If you look at the config.txt file you uploaded in post #16 you will see there are two identical server blocks. nginx only allows one server block for each domain name and port (listen value) combination. That is why you get the warning about one of them being ignored.

If you remove one of them you won't get the warning anymore. The nginx config will be cleaner. I don't think duplicates will be created again but let us know if it does.

3 Likes