SSL installed but ERR_CONNECTION_CLOSED?

Hello geeks!

I’ve been installing an SSL certificate for the last 3 weeks and I just can’t install it with keytool, Cloudflare, or other free SSL certs… So, a friend told me about Let’s Encrypt and I’ve been trying to install it all day and I can’t install it so far.
I’ve done various searches on Google to solve some problems and now I’m stuck… I’m checking the Catalina error logs but now I don’t have any errors:

> 22-Jun-2019 01:58:42.107 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.2.21 using APR version 1.7.0.
> 22-Jun-2019 01:58:42.108 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 22-Jun-2019 01:58:42.156 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCertificateFile' to '/etc/letsencrypt/live/gamefuzion.pt-0001/cert.pem' did not find a matching property.
> 22-Jun-2019 01:58:42.157 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCertificateKeyFile' to '/etc/letsencrypt/live/gamefuzion.pt-0001/privkey.pem' did not find a matching property.
> 22-Jun-2019 01:58:42.157 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCertificateChainFile' to '/etc/letsencrypt/live/gamefuzion.pt-0001/chain.pem' did not find a matching property.
> 22-Jun-2019 01:58:42.160 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLVerifyClient' to 'optional' did not find a matching property.
> 22-Jun-2019 01:58:42.161 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLProtocol' to 'TLSv1+TLSv1.1+TLSv1.2' did not find a matching property.
> 22-Jun-2019 01:58:42.161 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystorePath' to '/root/.keystore' did not find a matching property.
> 22-Jun-2019 01:58:42.205 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.1.0j  20 Nov 2018)
> 22-Jun-2019 01:58:42.332 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-185.113.141.147-80"]
> 22-Jun-2019 01:58:42.347 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-443"]
> 22-Jun-2019 01:58:42.557 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
> 22-Jun-2019 01:58:42.563 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 707 ms
> 22-Jun-2019 01:58:42.589 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
> 22-Jun-2019 01:58:42.589 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.5
> 22-Jun-2019 01:58:42.616 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /root/apache-tomcat-8.0.5/webapps/ROOT.war
> 22-Jun-2019 01:58:44.956 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /root/apache-tomcat-8.0.5/webapps/forum
> 22-Jun-2019 01:58:46.036 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /root/apache-tomcat-8.0.5/webapps/host-manager
> 22-Jun-2019 01:58:47.160 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /root/apache-tomcat-8.0.5/webapps/manager
> 22-Jun-2019 01:58:47.945 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-apr-185.113.141.147-80"]
> 22-Jun-2019 01:58:47.949 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-443"]
> 22-Jun-2019 01:58:47.951 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 5386 ms

When I try to access my website through HTTPS it says “ERR_CONNECTION_CLOSED”

I don’t really know what to do next and my mind is just like an explosion with this SSL thing…
I’m not an expert but I’ve tried to do it correctly.

My server.xml is configured like this:

> 	<Connector  protocol="org.apache.coyote.http11.Http11NioProtocol"
> 				port="443" 
> 				maxThreads="150"
> 				scheme="https"
> 				secure="true"
> 				SSLEnabled="true"
> 				SSLCertificateFile="/etc/letsencrypt/live/gamefuzion.pt-0001/cert.pem"
> 				SSLCertificateKeyFile="/etc/letsencrypt/live/gamefuzion.pt-0001/privkey.pem"
> 				SSLCertificateChainFile="/etc/letsencrypt/live/gamefuzion.pt-0001/chain.pem"
> 				SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
> 				keystorePath="/root/.keystore"
> 				keystorePass="qwerty08" />

I’m running tomcat 8.0.5 in Debian 8.

> **Link:** gamefuzion.pt

I’m sorry if I’m posting it wrongly or I missed something but I am really desperate at the moment to make it work.

Did you try to access your site with something along the lines of

https://mytomcat:8443

@gpatel-fr Just updated the thread to another solution that gives me another type of errors, and it’s related to Tomcat 8.0. Also, updated the port as tomcat is being run as root.

Take a look at https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support_-_BIO,_NIO_and_NIO2

The SSLCertificate* attributes that you are using are not valid for the connector you are using. If you want to use those, change to the APR connector:

protocol="org.apache.coyote.http11.Http11AprProtocol"
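The mismatch described in the answer above can be caught before Tomcat starts. The following is an added example, not code from the thread or from Tomcat: `lint_connectors` and `connector_family` are hypothetical names, the attribute sets are a subset of the Tomcat 8.0 connector reference, and the sample connector is constructed from the one in the question with placeholder paths and password.

```python
import xml.etree.ElementTree as ET

# Subset of the TLS attributes listed in the Tomcat 8.0 HTTP connector reference.
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
             "SSLCACertificateFile", "SSLCipherSuite", "SSLPassword", "SSLProtocol",
             "SSLVerifyClient", "SSLVerifyDepth"}
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
              "truststoreFile", "truststorePass", "clientAuth", "ciphers",
              "sslProtocol", "sslEnabledProtocols"}
TLS_PREFIXES = ("SSL", "ssl", "keystore", "truststore")

def connector_family(protocol):
    """Map an explicit protocol class name to the TLS attribute family it reads."""
    if protocol.endswith("Http11AprProtocol"):
        return "APR"
    if protocol.endswith(("Http11NioProtocol", "Http11Nio2Protocol", "Http11Protocol")):
        return "JSSE"
    return None  # e.g. "HTTP/1.1": the implementation is chosen at startup

def lint_connectors(server_xml):
    """Return (port, attribute, reason) for TLS attributes a connector will not use."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        family = connector_family(conn.get("protocol", "HTTP/1.1"))
        if family is None or conn.get("SSLEnabled", "").lower() != "true":
            continue
        used, other = (APR_ATTRS, JSSE_ATTRS) if family == "APR" else (JSSE_ATTRS, APR_ATTRS)
        for name in conn.attrib:
            if name == "SSLEnabled" or name in used:
                continue
            if name in other:
                reason = "other family's attribute, not used by the %s connector" % family
            elif name.startswith(TLS_PREFIXES):
                reason = "not in this example's attribute lists, check the spelling"
            else:
                continue
            findings.append((conn.get("port"), name, reason))
    return findings

# Constructed from the connector in the question; paths and password are placeholders.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
             maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
             SSLCertificateFile="/path/to/cert.pem"
             SSLCertificateKeyFile="/path/to/privkey.pem"
             SSLCertificateChainFile="/path/to/chain.pem"
             SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
             keystorePath="/path/to/keystore" keystorePass="PLACEHOLDER" />
</Service></Server>"""

if __name__ == "__main__":
    for port, name, reason in lint_connectors(SERVER_XML):
        print("port %s: %s (%s)" % (port, name, reason))
```

On the sample it flags the same six attributes that the catalina log in the question reports with "did not find a matching property".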

It has been a long time since I looked at anything Tomcat related; I just checked and it confirms the classic problem plaguing most ‘inexpensive’ Tomcat installs: you are connecting unsupported software running as root to the internet.
I’d suggest at the very least setting up a proxy between your server software and the Internet; it may mitigate some risks. You have even advertised publicly that you were running outdated software (it’s easy to find your domain from what you posted). And it could be easier to set up SSL on nginx and just run plain html on your Tomcat.

You are right but I need to run swf files so…

Anyway, @_az solved my problem, big up for you!
Now, could you please quickly tell me how to redirect http to https in an easy way?
Thank you!

Hi @Chinas

is gamefuzion.pt your domain? If yes, you have installed the wrong certificate ( https://check-your-website.server-daten.de/?q=gamefuzion.pt ):

You have 3 certificates created in the last 7 days:

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 979628351 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-21 22:47:06 | 2019-09-19 22:47:06 | gamefuzion.pt - 1 entries | duplicate nr. 2 | |
| 979081349 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-21 15:09:28 | 2019-09-19 15:09:28 | gamefuzion.pt - 1 entries | duplicate nr. 1 | |
| 973498196 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-18 13:58:01 | 2019-09-16 13:58:01 | gamefuzion.pt, www.gamefuzion.pt - 2 entries | duplicate nr. 1 | |

But you use the wrong certificate

CN=gamefuzion.pt, 22.06.2019 to 20.09.2019 (expires in 90 days), gamefuzion.pt - 1 entry

that has only one domain name. Use the certificate created 2019-06-18, so both versions are secure.

Then - your http + non-www doesn’t answer:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://gamefuzion.pt/ (185.113.141.147) | -2, ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 185.113.141.147:80 | | 1.186 | V |
| http://www.gamefuzion.pt/ (185.113.141.147) | 404, Not Found | | 3.970 | M |
| https://gamefuzion.pt/ (185.113.141.147) | 404, Not Found | | 0.887 | M |
| https://www.gamefuzion.pt/ (185.113.141.147) | 404, Not Found, Certificate error: RemoteCertificateNameMismatch | | 0.653 | N |

So a redirect http + non-www -> https + non-www would be invisible.

There

https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

is something about a redirectPort - configuration.

If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here. The default value is 443.

When you tried to access my website I was probably trying to configure the redirection… Could you please help me do this?
Thank you!

I don’t know how that tomcat works. Check the documentation if a redirect is possible.

https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

Sounds like you only have to add a configuration element.

But first you should change your certificate, so both connections are secure.

Ok, now it’s done!
I’ve just edited web.xml and pasted the following content:

> <!-- Force HTTPS, required for HTTP redirect! --> 
> <security-constraint> 
> <web-resource-collection> 
> <web-resource-name>Protected Context</web-resource-name> 
> <url-pattern>/*</url-pattern> 
> </web-resource-collection> 
>   
> <!-- auth-constraint goes here if you require authentication --> 
> <user-data-constraint> 
> <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
> </user-data-constraint> 
> </security-constraint> 

I hope it helps other people get their SSL working and forced! Closed!

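A consistency check for the redirect set up in the post above, as an added example that is not part of the thread: the `CONFIDENTIAL` constraint only redirects correctly if the plain-HTTP connector's `redirectPort` points at a connector with `SSLEnabled="true"`. The function names and the sample connector layouts are constructed for illustration; the default of 443 is the one quoted from the Tomcat documentation earlier in the thread.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace so web.xml matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def forces_https(web_xml):
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        vals = [(local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        if ("url-pattern", "/*") in vals and ("transport-guarantee", "CONFIDENTIAL") in vals:
            return True
    return False

def redirect_problems(server_xml, web_xml):
    """List reasons why plain-HTTP requests would not be redirected to a TLS connector."""
    problems = []
    if not forces_https(web_xml):
        problems.append("web.xml: no CONFIDENTIAL constraint on /*")
    conns = list(ET.fromstring(server_xml).iter("Connector"))
    tls_ports = {c.get("port") for c in conns if c.get("SSLEnabled", "").lower() == "true"}
    for c in conns:
        if c.get("port") in tls_ports or c.get("protocol", "").startswith("AJP"):
            continue
        target = c.get("redirectPort", "443")  # default quoted in the thread
        if target not in tls_ports:
            problems.append("connector %s: redirectPort %s is not a TLS connector"
                            % (c.get("port"), target))
    return problems

# Constructed inputs: the constraint from the post and two connector layouts.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""
TLS = '<Connector port="443" SSLEnabled="true" scheme="https" secure="true"/>'
MISMATCHED = '<Server><Connector port="80" redirectPort="8443"/>%s</Server>' % TLS
MATCHED = '<Server><Connector port="80" redirectPort="443"/>%s</Server>' % TLS
```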
