Letsencrypt certificate with Tomcat and Certbot connection refused

Tomcat doesn’t seem to be running/listening on port 80 anymore - I can’t curl it.

Tomcat needs to be running when you run that Certbot command.

I’m restarting it right now because I found out I have something like this in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Viewpoint Secure URLs</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I changed it to NONE; maybe this was stopping HTTP, but I think this connector on port 80 simply doesn’t work…

I’m getting something like this in catalina.out:

19-Dec-2017 03:59:27.040 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
19-Dec-2017 03:59:27.075 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-80]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:622)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:645)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.net.BindException: Address already in use
        at java.base/sun.nio.ch.Net.bind0(Native Method)
        at java.base/sun.nio.ch.Net.bind(Net.java:433)
        at java.base/sun.nio.ch.Net.bind(Net.java:425)
        at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:225)
        at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
        at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:227)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:202)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1042)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:70)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 13 more

19-Dec-2017 03:59:27.080 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-443"]
19-Dec-2017 03:59:27.085 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:622)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:645)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.net.BindException: Address already in use
        at java.base/sun.nio.ch.Net.bind0(Native Method)
        at java.base/sun.nio.ch.Net.bind(Net.java:433)
        at java.base/sun.nio.ch.Net.bind(Net.java:425)
        at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:225)
        at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
        at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:227)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:202)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1042)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:70)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 13 more

but Tomcat is starting and working despite this.
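The two BindExceptions in that log say that something else already held ports 80 and 443 when this Tomcat instance started; since Tomcat still answers requests, that something is most likely a second copy of Tomcat (for instance one started by the init system and another started by hand from /opt/tomcat/bin). The script below is an added example, not code from the thread: it parses the output format of `ss -ltnp` to name the process that owns a port. The `ss` lines embedded in it are constructed sample data, and the process names and PIDs in them are assumptions, not output from the poster's machine.

```shell
#!/bin/sh
# Added example: find which process already holds a TCP listening port, the
# usual cause of Tomcat's "java.net.BindException: Address already in use".
# Parses the output format of `ss -ltnp` (iproute2). SAMPLE below is
# constructed test data, not output from the poster's machine.

# listener_on_port PORT
#   Reads `ss -ltnp` output on stdin and prints "comm:pid" for the socket
#   listening on PORT (on any address), or prints nothing if PORT is free.
listener_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Field 4 is the local address, e.g. *:80, 0.0.0.0:80 or [::]:443;
            # the port is whatever follows the last colon.
            n = split($4, a, ":")
            if (a[n] != port) next
            # Field 6 looks like users:(("java",pid=1345,fd=56)); keep comm and pid.
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)
                sub(/",pid=/, ":", s)
                print s
            }
        }'
}

# port_is_free PORT : exit 0 if nothing on stdin listens on PORT, 1 otherwise.
port_is_free() {
    [ -z "$(listener_on_port "$1")" ]
}

# check_tomcat_ports [PORT...] : live check on the local host. Run as root,
# otherwise ss cannot show the pid/comm of sockets owned by other users.
check_tomcat_ports() {
    [ $# -gt 0 ] || set -- 80 443 8080 8443
    snapshot="$(ss -ltnp 2>/dev/null)" || { echo "ss not available" >&2; return 2; }
    for p in "$@"; do
        owner="$(printf '%s\n' "$snapshot" | listener_on_port "$p")"
        if [ -n "$owner" ]; then
            echo "port $p: held by $owner"
        else
            echo "port $p: free"
        fi
    done
}

# Constructed sample: a first Tomcat (pid 1345) already owns 80 and 443, so a
# second instance (pid 2210) could only bind its 8080 connector.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=712,fd=3))
LISTEN 0      100    *:80                *:*               users:(("java",pid=1345,fd=56))
LISTEN 0      100    *:443               *:*               users:(("java",pid=1345,fd=57))
LISTEN 0      100    *:8080              *:*               users:(("java",pid=2210,fd=55))'

printf '%s\n' "$SAMPLE" | listener_on_port 80      # java:1345
printf '%s\n' "$SAMPLE" | listener_on_port 8080    # java:2210
printf '%s\n' "$SAMPLE" | port_is_free 8443 && echo "8443 free"
```

On the live box, `sudo sh -c '. ./ports.sh; check_tomcat_ports'` (or simply `sudo ss -ltnp | grep java`) shows whether two java processes hold the connectors; if so, stop the extra instance (`systemctl stop tomcat` or `/opt/tomcat/bin/shutdown.sh`) before restarting, and check that only one of systemd and the manual start script is used to launch Tomcat.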

my 5 cents

leave tomcat configs alone

8080 pointing to 8443 and 8443 configured with SSL

run the standalone version of certbot which will temporarily stand up a web server to answer the challenge on port 80 or 443 (which are not in use by tomcat)

Tomcat roots are a bit harder than what patches describes, which is why I usually use the DNS challenge or standalone

Andrei

I don’t know why but it worked when I did like this:

root@vps366782:/opt/tomcat/bin# sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): nombritech.pl www.nombritech.pl
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for nombritech.pl
tls-sni-01 challenge for www.nombritech.pl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nombritech.pl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nombritech.pl/privkey.pem
   Your cert will expire on 2018-03-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

So using the certbot certonly command without arguments seems to be working… now I have to figure out how to connect this with Tomcat and check if it’s working :slight_smile:

@ahaw021 I don’t know if it had any impact, but I changed it like you said; it didn’t work any other way

when you are feeling bored, read up on this: How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates on Ubuntu 16.04 | DigitalOcean

Andrei

FINALLY WORKED :smile:

Thank you all very, very much :slight_smile: I spent the whole night trying to set this up, and I’m so happy I finally managed to do it with your help

@ahaw021 I used your tutorial to convert .pem to .keystore and added this to Tomcat :slight_smile:

I would like to give the exact solution for what was wrong with the configuration at the beginning, in case someone comes across something similar, but I don’t know myself why it worked when I called Certbot without any arguments… Maybe the problem was complex and many factors had an impact: firewall, Tomcat configuration and so on… :slight_smile:
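What the post above did by hand (convert the PEM files to a keystore and point Tomcat at it), written out as an added shell example; this is not code from the thread or from the linked tutorial. The lineage directory /etc/letsencrypt/live/example.org, the Tomcat home /opt/tomcat, the systemd unit name tomcat and the tomcat system user are assumptions. Two things worth knowing that the thread does not say: Tomcat 8.5 and later can read certbot's PEM files directly through an SSLHostConfig/Certificate element, so the PKCS#12 conversion is only needed for older Tomcat versions; and Tomcat normally runs as an unprivileged user that cannot read certbot's root-only private key, so the script copies the files into Tomcat's own conf directory and is meant to be run again from `certbot renew --deploy-hook`, which exports RENEWED_LINEAGE. Note also that the tls-sni-01 challenge shown in the certbot output above has since been retired by Let's Encrypt; standalone now answers http-01 on port 80, so that port has to be free or forwarded at renewal time.

```shell
#!/bin/sh
# Added example (not from the thread): install a Let's Encrypt certificate into
# Tomcat. Assumed paths: lineage /etc/letsencrypt/live/example.org, Tomcat in
# /opt/tomcat running as user "tomcat", systemd unit "tomcat".
set -u

# render_pem_connector CERTDIR PORT
#   Tomcat 8.5+/9: an HTTPS connector that reads the PEM files as they are,
#   no keystore conversion needed. Prints the <Connector> element for server.xml.
#   Drop TLSv1.3 from "protocols" on a JVM older than 11. Binding 443 as the
#   tomcat user needs CAP_NET_BIND_SERVICE (setcap/authbind) or a port redirect;
#   otherwise keep 8443 as suggested earlier in the thread.
render_pem_connector() {
    cat <<EOF
<Connector port="$2" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeyFile="$1/privkey.pem"
                     certificateFile="$1/cert.pem"
                     certificateChainFile="$1/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}

# render_pkcs12_connector KEYSTORE PASSWORD PORT
#   Tomcat 7/8.0 (no <SSLHostConfig>): connector backed by a PKCS#12 keystore.
render_pkcs12_connector() {
    cat <<EOF
<Connector port="$3" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="$1" keystorePass="$2" keystoreType="PKCS12"
           sslEnabledProtocols="TLSv1.2" clientAuth="false" />
EOF
}

# make_pkcs12 CERTDIR OUT PASSWORD
#   Bundle private key + full chain into a PKCS#12 file for the connector above.
#   The alias "tomcat" is arbitrary. Only needed when Tomcat is older than 8.5.
make_pkcs12() {
    ( umask 077
      openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
          -name tomcat -out "$2" -passout "pass:$3" )
}

# install_certs [CERTDIR]
#   Copy the lineage into Tomcat's conf dir, readable by the tomcat user only,
#   then restart Tomcat so the new key pair is loaded. Usable directly as
#   `certbot renew --deploy-hook "/path/to/this.sh install"`: certbot exports
#   RENEWED_LINEAGE, which is used when no CERTDIR is given.
install_certs() {
    src="${1:-${RENEWED_LINEAGE:-/etc/letsencrypt/live/example.org}}"
    dst=/opt/tomcat/conf/certs
    mkdir -p "$dst"
    for f in privkey.pem cert.pem chain.pem fullchain.pem; do
        cp "$src/$f" "$dst/$f"     # cp follows the live/ symlinks into archive/
    done
    chown -R tomcat:tomcat "$dst"
    chmod 700 "$dst"
    chmod 600 "$dst"/*.pem
    systemctl restart tomcat
}

# Print the server.xml fragment for the assumed layout. Nothing is copied or
# restarted unless the script is invoked as "install [CERTDIR]".
render_pem_connector /opt/tomcat/conf/certs 443
if [ "${1:-}" = install ]; then
    install_certs "${2:-}"
fi
```

The generated Connector element replaces the existing HTTPS connector in /opt/tomcat/conf/server.xml (and the HTTP connector's redirectPort should name the same port). After a restart, `openssl s_client -connect example.org:443 -servername example.org </dev/null | openssl x509 -noout -dates -issuer` confirms that Tomcat is serving the Let's Encrypt chain and not a stale keystore.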

read the whole chain

sounds like a mixture of many parts not working as well as they could have been

it’s always worthwhile getting this kind of feedback as it helps others help you
