https setup on tomcat on Windows 10

 
Greenhorn
Posts: 2
I have a very specific question: a self-made certificate works on my Tomcat installation, that is, the connection to port 443 is NOT refused (but of course it is not valid on any browser, Google Chrome for example says that the connection is insecure).

However, I installed a free zeroSSL certificate and then the connection is refused to port 443. Why? (I changed port 8080 to 80 and 8443 to 443 in the server.xml file)

By the way, I already had installed a free certificate from zeroSSL on another server (Windows 8), and it works fine.

Thanks for help
Tony

 
Saloon Keeper
Posts: 23751
Welcome to the Ranch, Tony!

Port numbers below 4096 are privileged ports on most OS's, and that includes Windows. You'd have to run Tomcat under an administrative user account, and I don't recommend that as it's a major security exposure.

In most cases what I recommend is actually not to have Tomcat handle SSL at all, but to front Tomcat with a Reverse Proxy Server.

Basically, a Reverse Proxy acts as a webserver, but it's actually a forwarding point for one or more backend servers in addition to being easier to set up for secure communications. The Apache and Nginx webapp servers are often used for this purpose, although as far as I know, you can set up IIS to do so as well. I haven't worked with IIS since the beginning of the millennium, so I'm hazy on what it can do these days.

The regular webapp servers used for proxies start as privileged users and then downshift their identities. There's no "write once/run anywhere" way to do that in Java and Tomcat is written 100% in Java, which is why it can't run securely on the front line.

Incidentally, while the security advantages of a reverse proxy server have always been good, the fact that such a server can host multiple apps and domains is especially useful now that so many applications run in Spring Boot and/or containers.

The one thing to note, though, is that the cert format used by Java is not the same as what servers like Apache and Nginx use. So you either have to get certs in the proper format or convert the ones you've already obtained.
 
Ranch Foreman
Posts: 122
  • Likes 1
Never heard of ZeroSSL - have you tried Let's Encrypt?
My wild guess in the blue: The required root-cert isn't available for ZeroSSL. While the root certs for Let's Encrypt are part of current VMs.
 
Sheriff
Posts: 22211

Tim Holloway wrote: I haven't worked with IIS since the beginning of the millennium, so I'm hazy on what it can do these days.


I had to set up an IIS server in front of JBoss quite recently. If I recall correctly you have to install a plugin, but after that it's actually pretty easy.

Matthew Bendford wrote: Never heard of ZeroSSL - have you tried Let's Encrypt?
My wild guess in the blue: The required root-cert isn't available for ZeroSSL. While the root certs for Let's Encrypt are part of current VMs.


That would explain a browser error that Tony is already having with self-signed certificates. The server itself should just work.


Tony, I'm guessing that Tomcat is having issues with the certificate. What format is it in? I've been able to set up HTTPS in Tomcat using a PFX file, maybe your format is different and not supported by Java.
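
The format question raised above, and the earlier note that Java and Apache/Nginx expect different certificate formats, can be answered from a file's leading bytes. The following is an added example, not code from any poster in this thread; the function names and the sample byte strings are constructed for illustration.

```python
import re

# Constructed sample inputs (headers only, no real key material).
SAMPLE_JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"
SAMPLE_PFX = b"\x30\x82\x0a\x00\x02\x01\x03\x30\x82"
SAMPLE_DER_CERT = b"\x30\x82\x03\x00\x30\x82\x02\x00"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n")

def _seq_header_len(data):
    """Size of the outer ASN.1 SEQUENCE tag+length header, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    # Short form and BER indefinite form (0x80) use one length byte;
    # long form stores the number of length bytes in the low 7 bits.
    return 2 if first <= 0x80 else 2 + (first & 0x7F)

def detect_format(data):
    """Classify a certificate or keystore file from its leading bytes."""
    if data[:4] == b"\xfe\xed\xfe\xed":      # JKS magic number
        return "JKS"
    if data[:4] == b"\xce\xce\xce\xce":      # JCEKS magic number
        return "JCEKS"
    if data.lstrip().startswith(b"-----BEGIN "):
        labels = re.findall(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
        return "PEM (" + ", ".join(l.decode() for l in labels) + ")"
    hdr = _seq_header_len(data)
    if hdr is None:
        return "unknown"
    inner = data[hdr:hdr + 3]
    if inner == b"\x02\x01\x03":             # PFX ::= SEQUENCE { version INTEGER 3, ...
        return "PKCS12"
    if inner[:1] == b"\x30":                 # heuristic: nested SEQUENCE, as in X.509
        return "DER certificate"
    return "DER (other)"

def consumer(fmt):
    """Which kind of server reads this container as-is."""
    if fmt in ("JKS", "JCEKS", "PKCS12"):
        return "Java keystore (Tomcat)"
    if fmt.startswith("PEM"):
        return "PEM (Apache httpd, Nginx)"
    return "needs conversion or inspection"
```

To check a real file, pass its contents as `detect_format(open(path, "rb").read())`; a PFX file reports as `PKCS12`.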
 
Tony Hürlimann
Greenhorn
Posts: 2
  • Likes 1
Problem solved!

I am not a newbie in computer science, but really, it took me many hours to resolve the problem of adding https to a Tomcat 9 server (I'm a newbie in that domain, yeah!). The problem is not that it is particularly difficult, but finding the right track. There are so many offers in the Internet for (semi)-free certificates.

The previous post here led me on the right track: "have you tried Let's Encrypt?" by Matthew Bendford. I then found a great page that explains the whole process clearly:

https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2 (With a page title: "How to install Let’s Encrypt with Tomcat" from Björn Raupach, 2018)

(see also: https://docs.incorta.com/5.0/references-security-https-for-apache-tomcat-with-openssl/)

Tony

 