How to configure Tomcat SSLHostConfig correctly?
11

I was following this tutorial to enable ssl in tomcat: https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2

Although Tomcat is running at the end, I cannot access HTTPS; it says unable to connect. So I checked the logs and I got:

Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector

but my certificateFile is defined, as you can see:

<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="100"
    compression="on"
    scheme="https"
    SSLEnabled="true"
    secure="true"
    SSLVerifyClient="none"
    SSLProtocol="TLSv1.2"
    defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem" certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>

these files are present in conf/

tomcat 9 docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html section SSLHostConfig and Certificate

Dillingham answered 25/4, 2021 at 20:35 Comment(0)
13

You use a mix of new (since Tomcat 8.5) and deprecated attributes (cf. Tomcat documentation). The effect of setting, e.g. SSLProtocol is the creation of a second <SSLHostConfig> with hostname _default_. That is the element that the error message is referring to.

You should replace the obsolete tags (SSLVerifyClient and SSLProtocol) with their current counterparts (or omit them if you want the default value):

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="100"
           compression="on"
           scheme="https"
           SSLEnabled="true"
           secure="true"
           defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test"
                   protocols="TLSv1.2">
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>

Remark: The attributes you used were specific to the APR connector. If that choice was intentional, you should change the protocol to org.apache.coyote.http11.Http11AprProtocol.

Historiography answered 25/4, 2021 at 22:25 Comment(2)
What would this look like if you were configuring in Java? - AlaBromo
startup.sh has a -generateCode <path_to_a_directory> command line argument. You can use it to convert any configuration into code. - Historiography
0

To manually manage ciphers you can add ciphers as below:

<SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
               protocols="TLSv1.2">
    <!-- Certificate element goes here -->
</SSLHostConfig>
Contented answered 30/1 at 12:26 Comment(0)
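The accepted answer's point (a deprecated Connector-level attribute such as SSLProtocol silently creates a second, certificate-less SSLHostConfig named _default_) and the last answer's ciphers/protocols attributes can both be checked mechanically before restarting Tomcat. The following lint is an added example, not code from the thread or from Apache Tomcat; the deprecated-attribute table is a subset transcribed from the Tomcat 9 HTTP connector documentation and should be re-checked against your version, and the three sample connectors are constructed from the configurations posted above.

```python
"""Lint a Tomcat <Connector> for the SSLHostConfig mistakes discussed in the thread."""
import re
import xml.etree.ElementTree as ET

# Connector-level SSL attributes deprecated since Tomcat 8.5, mapped to the
# SSLHostConfig/Certificate attribute that replaces them (subset, assumption:
# transcribed from the Tomcat 9 docs; verify against your Tomcat version).
DEPRECATED = {
    "SSLProtocol": "SSLHostConfig protocols",
    "sslEnabledProtocols": "SSLHostConfig protocols",
    "SSLVerifyClient": "SSLHostConfig certificateVerification",
    "clientAuth": "SSLHostConfig certificateVerification",
    "SSLCipherSuite": "SSLHostConfig ciphers",
    "ciphers": "SSLHostConfig ciphers",
    "SSLCertificateFile": "Certificate certificateFile",
    "SSLCertificateKeyFile": "Certificate certificateKeyFile",
    "SSLCertificateChainFile": "Certificate certificateChainFile",
    "keystoreFile": "Certificate certificateKeystoreFile",
    "keystorePass": "Certificate certificateKeystorePassword",
}
# Deprecated attributes that would at least give the implicit _default_ host a certificate.
CERT_BEARING = {"SSLCertificateFile", "keystoreFile"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "anon", "ADH", "AECDH")


def split_list(value):
    """Split a protocols/ciphers attribute on commas, colons and whitespace
    (the ciphers value in the last answer spans several lines)."""
    return [t for t in re.split(r"[,:\s]+", value.strip()) if t]


def lint_connector(conn):
    """Return a list of human-readable findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings
    used = [a for a in conn.attrib if a in DEPRECATED]
    for a in used:
        findings.append(f"deprecated Connector attribute {a}; use {DEPRECATED[a]}")
    hosts = {h.get("hostName", "_default_"): h for h in conn.findall("SSLHostConfig")}
    # Any deprecated attribute makes Tomcat build an implicit '_default_' host
    # config; without a certificate it fails exactly as in the question.
    if used and "_default_" not in hosts and not (CERT_BEARING & set(used)):
        findings.append("deprecated attributes create an implicit SSLHostConfig "
                        "'_default_' with no Certificate: Tomcat will fail with "
                        "'certificateFile must be defined'")
    default_name = conn.get("defaultSSLHostConfigName")
    if default_name and default_name not in hosts:
        findings.append(f"defaultSSLHostConfigName={default_name!r} matches no SSLHostConfig")
    for name, host in hosts.items():
        certs = host.findall("Certificate")
        if not any(c.get("certificateFile") or c.get("certificateKeystoreFile") for c in certs):
            findings.append(f"SSLHostConfig {name!r} has no Certificate with "
                            "certificateFile or certificateKeystoreFile")
        for p in split_list(host.get("protocols", "")):
            if p.lstrip("+") in LEGACY_PROTOCOLS:  # '-TLSv1.1' disables, so it is fine
                findings.append(f"SSLHostConfig {name!r} enables legacy protocol {p}")
        for c in split_list(host.get("ciphers", "")):
            if any(m in c for m in WEAK_CIPHER_MARKERS):
                findings.append(f"SSLHostConfig {name!r} lists weak cipher {c}")
            elif "_CBC_" in c or "-CBC" in c:
                findings.append(f"SSLHostConfig {name!r} lists non-AEAD cipher {c}")
    return findings


def lint_server_xml(xml_text):
    """Lint every <Connector> in a server.xml (or a bare <Connector> fragment)."""
    root = ET.fromstring(xml_text)
    conns = [root] if root.tag == "Connector" else list(root.iter("Connector"))
    out = []
    for c in conns:
        out.extend(lint_connector(c))
    return out


# Constructed samples: the question's connector, the accepted answer's fix,
# and the last answer's cipher list placed in a complete connector.
BROKEN = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    SSLVerifyClient="none" SSLProtocol="TLSv1.2" defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>"""
FIXED = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test" protocols="TLSv1.2">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>"""
CIPHERS = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test" protocols="TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_DHE_RSA_WITH_AES_256_CBC_SHA">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem" />
    </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for label, sample in (("question", BROKEN), ("answer", FIXED), ("ciphers", CIPHERS)):
        print(label, lint_server_xml(sample) or ["ok"])
```

Running it on the question's connector reports the two deprecated attributes and the implicit, certificate-less _default_ host that produced the startup error; the accepted answer's connector is clean; the cipher example passes except for an informational note that the CBC suite is not an AEAD cipher.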
