Windows 10 Java error: cert.pem does not exist

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://archivepahs.org

I ran this command: Start Tomcat service using https connector on port 443

It produced this output (error log snippet):

The certificate [C:/Certbot/live/archivepahs.org/cert.pem] or its private key [C:/Certbot/live/archivepahs.org/privkey.pem] could not be processed using a JSSE key manager and will be given directly to OpenSSL
25-Jul-2021 16:24:49.108 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
java.io.FileNotFoundException: Configured file [C:/Certbot/live/archivepahs.org/cert.pem] does not exist

My web server is (include version): Tomcat 8.5.63

The operating system my web server runs on is (include version): Windows 10 Pro version 10.0.19042 Build 19042

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.16.0

I've been running http for several months and would like to upgrade to https. I have successfully renewed my certificate after troubleshooting a permissions issue. I am running Tomcat as a service and I wonder if the service account might be lacking rights to the certificate. If that is not the case, perhaps there is a syntax issue with the connector. Here is the connector section from server.xml:

<!-- Define an SSL/TLS HTTP/1.1 Connector on port 443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="C:/Certbot/live/archivepahs.org/privkey.pem"
                     certificateFile="C:/Certbot/live/archivepahs.org/cert.pem"
                     certificateChainFile="C:/Certbot/live/archivepahs.org/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I'm not too familiar with the TLS options with Tomcat...
But I've seen where it requires a keystore created before it can use a cert.
Are you following recent/updated instructions?

And, as always, you can introduce a (reverse) proxy to handle the TLS connections.
My recommendation: nginx
[although nginx for Windows isn't really a great thing these days - unless you compile it yourself]

Thanks for the quick response. I'm learning as I go here. I'll look into creating a keystore. When I started researching how to set up SSL, everything I found referred to the Java keytool and creating a keystore. I went through the steps but didn't understand them or how the keystore related to a certificate from a certificate authority. I'll take another look. I hope that it will make more sense to me now. Most instructions I've seen seem to be aimed at creating a self-signed certificate and running on port 8443.

I'll look into nginx also. Your comment about nginx for Windows makes me think it may be over my head.

Steve

1 Like

You might also be able to use IIS as a reverse proxy too.
[if you have more experience/confidence with that]

And there are several good ACME clients for Windows with IIS integration.

I'm pretty green with all this web stuff. I'm a 72 year old retired network manager. I'm feeling my way through this. I've been reading docs and forums to try to educate myself. I was happy to have been able to install Tomcat on a donated Windows box and set up my Orbi firewall at home to work with NoIP and get online. Now I'm trying to get SSL enabled. I'm grateful for any help I can find. The ResCarta web page that I have running on port 80 is designed to work with Tomcat, and is working well for me. When I started investigating SSL, I looked at certificate vendors who offered to set it all up for a price. Unfortunately, that service never included stand-alone Tomcat! From what I understand so far, the simplest solution for me would be to create a keystore and use that to access the certificates that I installed with certbot.

1 Like

If you can detail the required steps to create/import/use that keystore, you might be able to script that entire process.
If so, then you can trigger that script on each certificate renewal OR say on a weekly schedule.

It may be a little overkill for what you need but the https://certifytheweb.com app I work on has a free community edition which also supports a Deployment Task for Tomcat (if it's a recent version of Tomcat)(Apache Tomcat | Certify The Web Docs).

You install the app and get your certificate, then add a "Deploy to Tomcat" task (and a service restart task), from then on when the certificate renews it also applies the cert to tomcat.

As @rg305 mentions, it's a good idea to run a web server in front of Tomcat, so that all the nasty internet attacks hit that first, then you use a reverse proxy setup to connect to the Tomcat application running on another port (so you never need to expose Tomcat directly to the internet).

Another option is to use Cloudflare (free) to host your DNS and it then works as a front-end proxy, handles https for you automatically and it absorbs some of the more nefarious hits from the internet.

1 Like

Thanks for the helpful suggestion. I was wondering how certificate renewal plays with the need to import certs to Tomcat. I have quite a bit of reading to do in order to understand this process. I'll start studying the tutorials and see what other questions pop up. Thanks for steering me in the right direction!

2 Likes

Thanks. Now on to reading tutorials.

Steve

1 Like

I appreciate the suggestions regarding using a reverse proxy, nginx, etc. Here is a quick explanation of why I'm using Tomcat standalone.
The ResCarta foundation provides software that allows organizations (I am a board member of the Pulaski Area Historical Society) to convert multimedia items to searchable web documents. Following the instructions included with the ResCarta toolkit, I installed Tomcat on a donated windows box (it's in my basement) and with the help of NoIP, got it up and running on port 80. I have posted vintage photographs and locally written history books. I've been told that I should be running SSL to enhance search engine visibility.
It appears that I'm in a bit over my head at the present, but I'm slowly working on it. The tutorial suggestions were very helpful, and I'll be installing OpenSSL to convert my .pem certificate to Java usable format. Other commitments and an upcoming family trip will slow my progress. I hope to either be online encrypted or else be posting additional questions in the near future. Thanks for the suggestions and encouragement.

1 Like

I don't see how that will be any easier than installing an nginx proxy.
But either way, if you hit a wall, feel free to come back and ask for more help.

I would also consider moving your DNS to Cloudflare, so they can act as an automatic front-end for your web service (I don't work for them even though I sound like I do!). This provides caching, protection against various basic script-kiddie attacks and means your Tomcat is not directly exposed (your version of Tomcat is old and will have various security vulnerabilities). It won't provide complete protection, but it will help.

For the price of a cloud hosted virtual machine I'd also suggest you move your service off of your home network. If the server is compromised by someone they will be on your home network. I know cost can be the main issue there, but there are some free and low cost tiers especially if you are prepared to move to linux (windows servers cost more because of the OS licensing). For instance a very basic AWS Lightsail vm costs less than $5 a month. The electricity for the windows box you are running probably costs significantly more than that per month.

1 Like

Point of clarification:

That would only use their DNS service [which isn't broken (at the moment)].
What you speak of then is their CDN service (which can be used with/without their DNS service):

Using a CDN would act as an online proxy and you would not need to handle that part locally.
And there we are agreed; If the management/installation of a local reverse proxy is too complicated, then using Cloudflare CDN instead might fit the bill nicely.

Thanks, I've never used their service without moving DNS there. The free proxying works by toggling the feature off and on at the DNS control panel level; I've no idea how it would work without them hosting the nameservers (you'd probably have to use CNAME records to point to something they host). The caching alone is worth moving if you have a service with lots of media or other static content.

1 Like

Yes, I've hit a wall again. Tutorials I read suggested that I needed to use OpenSSL to convert to PKCS format and then use keytool to import the PKCS cert to the keystore. After following the instructions in a tutorial entitled "Converting Standard certbot artifacts to a JKS", I had a .p12 in my certbot\live folder in addition to the .pem files. I copied that file to a folder within my Tomcat installation and tried starting Tomcat with the following connector:



I was hoping that the error log would give me some clues as to how to properly configure the connector. Instead I got the following:

Error at (110, 42) : No enum constant org.apache.tomcat.util.net.SSLHostConfigCertificate.Type.PKCS12
03-Aug-2021 16:50:30.282 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server. Server instance is not configured.

The PKCS file has a password (not supplied in the connector). Am I way out in left field here? With zero experience in Linux or Nginx, it seems that sticking with Tomcat is the path of least resistance. However Webprofusion's comments about getting hacked do give me pause. I'd love to get to a cloud platform and reduce my risk.

Steve

1 Like

Sorry about the missing connector. Here it is:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateFile="C:/Program Files/Apache Software Foundation/keystore/archivepahs.org.p12"
                     type="PKCS12" />
    </SSLHostConfig>
</Connector>

Steve

1 Like

I've never seen any examples of TLS/SSL connectors working with Tomcat.
[Even adding a proxy would be simpler and easier to automate - Déjà vu! Am I repeating myself?]

I second the notion of understanding and mitigating the risks introduced when serving content.
If you haven't done so, or don't know the first thing about doing so, you should probably be using a dedicated host somewhere far from your internal (home) network.

Note: There are some relatively inexpensive ways to secure a complicated home network, but this isn't the time nor place to discuss home networking security best practices.

A .p12 file (which you presumably made earlier and is not the standard output of certbot) is a format known as a keystore and it's identical to a PFX file (commonly used on windows). It contains all the stuff for your certificate including the main certificate and the private key. So for your version of Tomcat it looks like you need to specify the file as a keystore and specify the keystore password: Apache Tomcat 8 (8.5.69) - SSL/TLS Configuration How-To

I'm not a Tomcat expert but I believe your config will be something along the lines of:

<!-- Define an SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/Program Files/Apache Software Foundation/keystore/archivepahs.org.p12" keystorePass="whatever_your_keystore_password_was"
           clientAuth="false" sslProtocol="TLS"/>
1 Like
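The thread so far has hit three distinct connector failures: a PEM path Tomcat could not open (the FileNotFoundException at the top), a `.p12` given as `type="PKCS12"` (the "No enum constant" error), and the keystore-style fix above. As an added example, not code from the thread or from the Tomcat project, here is a stdlib-only Python check that reads one `<Connector>` and flags each of those mistakes before a restart; the `example.org` paths and the set of files present are constructed, the valid type names are those of Tomcat 8.5's `SSLHostConfigCertificate.Type`, and the `exists` parameter lets the check run without the real files.

```python
"""Lint a Tomcat 8.5 TLS <Connector> for the failure modes seen in this thread."""
import os
import xml.etree.ElementTree as ET

# Values of org.apache.tomcat.util.net.SSLHostConfigCertificate.Type in Tomcat 8.5
VALID_CERT_TYPES = ("UNDEFINED", "RSA", "DSA", "EC")
PEM_ATTRS = ("certificateFile", "certificateKeyFile", "certificateChainFile")

def lint_connector(connector_xml, exists=os.path.exists):
    """Return a list of findings for one <Connector> (empty list: nothing flagged).
    `exists` is injectable so the checks run against a constructed file set."""
    findings = []
    conn = ET.fromstring(connector_xml)
    if conn.get("SSLEnabled", "false").lower() != "true":
        return ["SSLEnabled is not true: this connector serves plaintext HTTP"]
    # Legacy JSSE attributes placed directly on <Connector> (still honoured by 8.5)
    keystore = conn.get("keystoreFile")
    if keystore:
        if not exists(keystore):
            findings.append(f"keystoreFile not found: {keystore}")
        if not conn.get("keystoreType"):
            findings.append('keystoreType unset (defaults to JKS); set keystoreType="PKCS12" for a .p12/.pfx')
        if conn.get("keystorePass"):
            findings.append("keystorePass is stored in clear text: restrict read access to server.xml")
    # SSLHostConfig style: PEM files or a keystore per <Certificate>
    for cert in conn.iter("Certificate"):
        ctype = cert.get("type", "UNDEFINED")
        if ctype not in VALID_CERT_TYPES:
            findings.append(f'type="{ctype}" is not a Certificate type {VALID_CERT_TYPES}; '
                            "a .p12 belongs in certificateKeystoreFile, not certificateFile")
        for attr in PEM_ATTRS + ("certificateKeystoreFile",):
            path = cert.get(attr)
            if path and not exists(path):
                findings.append(f"{attr} not found: {path}")
    return findings

# Constructed sample: the connector posted at the top of the thread, with cert.pem absent
MISSING_CERT_PEM = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeyFile="C:/Certbot/live/example.org/privkey.pem"
                 certificateFile="C:/Certbot/live/example.org/cert.pem"
                 certificateChainFile="C:/Certbot/live/example.org/chain.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>"""
PRESENT = {"C:/Certbot/live/example.org/privkey.pem", "C:/Certbot/live/example.org/chain.pem"}
if __name__ == "__main__":
    for finding in lint_connector(MISSING_CERT_PEM, exists=PRESENT.__contains__):
        print("FINDING:", finding)
```

Run it with the default `exists` against the `<Connector>` copied out of your own server.xml and, because the Tomcat service runs under its own account, run it from a shell opened as that account so a "not found" finding also covers a file the service is simply not allowed to read.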

Thanks for the feedback. I've been thinking lately about my need to get the server out of my basement. Not just for security reasons, but this project for the local historical society should be structured to survive my involvement. I'm thinking that the high school tech-ed department would be a good entity to manage it. My initial thoughts were to host it in the cloud, but the ResCarta developer suggested putting it on a local server. I'll check into nginx as a proxy. At this time, I'm pretty ignorant of how it would work. Would I install it on the same box and then configure SSL on the nginx proxy or would I need a separate box?

I took a quick look at AWS pricing. $10 per month would be fine. But I'm unsure about how large my content database will eventually grow. The State Historical Society has a microfilm newspaper archive of our local paper and putting that online was the original goal of this project. They will create tiff images of each frame for a fee. There will be about 24,000 images altogether. I don't know how large those images will be. So far I have about 2,000 image files and the archive takes up about 12 gigs. My pre-retirement experience with document imaging in the banking industry tells me that it is possible to represent textual data in small tiff files.

The ResCarta package comes as a WebApp that drops into Tomcat and is therefore very easy to get up and running. Lots to investigate! Thank you Webprofusion for the connector suggestion and tutorial link.