Not able to install SSL for my domain

Hi @schoen, @chandrub2004,

Here the problem is that @chandrub2004 is using the Nio protocol in the connector, and this protocol needs a keystore (as far as I know, the Nio2 and APR protocols support openssl but Nio doesn't). As @chandrub2004 didn't define it in the connector, tomcat is trying to find it in the default path /usr/share/tomcat8/.keystore, and since there is none, it fails.

@chandrub2004, if you want to use the Nio protocol, you should convert the certificates and key and add them to your own keystore (keep in mind that this conversion should be performed every time the certificates are renewed), and also use the right connector, something like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" URIEncoding="UTF-8"
keystoreFile="/etc/tomcat8/keystore/hereyour.keystore"
keystorePass="HERETHEPASSWORD"
clientAuth="false" sslProtocol="TLS" />

I wrote a post some time ago with the steps to convert the certificates and key to a keystore.

The other option is to use the APR protocol. To use it, you should install the package libtcnative-1 on your ubuntu server, uncomment the conf line that enables it in your server.xml, and create the right connector for the APR protocol with the right directives pointing to your certificates and key.

1.- Install libtcnative-1 and its dependencies.

apt install libtcnative-1

2.- Uncomment APR conf in server.xml:

Before:

 <!--
 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
 -->

After:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

3.- Configure the connector (something like this)

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/cert.pem"
           SSLCertificateKeyFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/privkey.pem"
           SSLCertificateChainFile="/etc/letsencrypt/live/www.enterpriseindia.co.in/chain.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.1+TLSv1.2"/>

Keep in mind that in the examples I used port 443 instead of 8443 because in the server.xml example you posted above you used port 443. tomcat is started with the unprivileged user tomcat8, so it can't bind the server to ports below 1024. To be able to start tomcat as user tomcat8 on port 443, you need to activate the directive AUTHBIND in the conf file /etc/default/tomcat8:

AUTHBIND=yes

I think it is installed by default but if not, you need to install the package authbind too:

apt install authbind

I can't remember whether ubuntu configures it by default once you activate authbind in the conf file /etc/default/tomcat8; if it doesn't, you would also need to authorize user tomcat8 to use authbind:

touch /etc/authbind/byuid/$(id -u tomcat8)
chmod 700 /etc/authbind/byuid/$(id -u tomcat8)
chown tomcat8:tomcat8 /etc/authbind/byuid/$(id -u tomcat8)

One more thing, in the server.xml you provided, you are trying to use http2 and as far as I know, it was added to tomcat 8.5 and you can't use it on tomcat 8.0.

Disclaimer: I don't use ubuntu nor tomcat :wink:

Good luck,
sahsanu

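The keystore conversion the post refers to (and says must be repeated after every renewal) can be scripted as a certbot deploy hook. The script below is an added example, not code from the post or from the Tomcat project; it assumes a hypothetical keystore path /etc/tomcat8/keystore/letsencrypt.p12, alias "tomcat", the password in $KEYSTORE_PASS, and the tomcat8 service user. The resulting PKCS12 file is referenced from the NIO connector with keystoreFile, keystorePass and keystoreType="PKCS12".

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a PKCS12 keystore for
# Tomcat's NIO connector from Let's Encrypt PEM files. Run it as a certbot
# deploy hook so the conversion is repeated automatically after each renewal.
# Hypothetical assumptions: keystore path, alias "tomcat", $KEYSTORE_PASS,
# service user tomcat8.
set -eu

# build_keystore LINEAGE_DIR OUT_P12 PASSWORD
# Returns 0 and writes OUT_P12 on success; non-zero if an input file is missing.
build_keystore() {
    lineage="$1"; out="$2"; pass="$3"
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # Bundle leaf cert, private key and intermediate chain into one PKCS12 entry.
    openssl pkcs12 -export \
        -in "$lineage/cert.pem" \
        -inkey "$lineage/privkey.pem" \
        -certfile "$lineage/chain.pem" \
        -name tomcat \
        -out "$tmp" \
        -passout "pass:$pass"
    chmod 0640 "$tmp"       # private key inside: owner rw, group r, nobody else
    mv -f "$tmp" "$out"     # atomic replace so Tomcat never reads a partial file
}

# verify_keystore OUT_P12 PASSWORD: returns 0 only if the store opens with that password.
verify_keystore() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -info 2>/dev/null
}

# Deploy-hook entry point: certbot exports RENEWED_LINEAGE for the renewed cert.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    out=/etc/tomcat8/keystore/letsencrypt.p12    # hypothetical path
    build_keystore "$RENEWED_LINEAGE" "$out" "${KEYSTORE_PASS:?set KEYSTORE_PASS}"
    chown root:tomcat8 "$out"                    # tomcat8 only needs read access
    verify_keystore "$out" "$KEYSTORE_PASS"
    systemctl restart tomcat8                    # NIO reads the keystore only at start-up
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) so the keystore never goes stale after a renewal.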