I have a Tomcat 7 installation on CentOS 6.7 that should only allow connections on port 443. The /etc/tomcat/server.xml file is configured as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
               SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
               SSLVerifyClient="optional" SSLProtocol="TLS"
         />

Furthermore, /usr/share/tomcat/conf/server.xml is configured as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
               SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
               SSLVerifyClient="optional" SSLProtocol="TLS"
         />

iptables is configured like so:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP

Tomcat is running:

sudo service tomcat status
tomcat (pid 2687) is running...                            [  OK  ]

But when I try to browse to my web application, I get the following:

This webpage is not available

ERR_CONNECTION_REFUSED

I believe that I have followed Apache's instructions on the matter, but it's obvious something is wrong.

What do I need to do to resolve this?

3 Answers

2

First of all, you should check the log file /var/log/tomcat/catalina.out.

You can't use the SSLCertificateKeyFile option with JSSE (BIO/NIO) connectors, only with APR. If you want to use APR, you must compile and install Tomcat Native. When you start Tomcat, you should see the following lines in the log:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=384m; support was removed in 8.0
Jul 03, 2015 6:43:47 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.34 using APR version 1.3.9.
ALex_hha
  • 7,415
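Added example (not part of ALex_hha's answer): a small POSIX sh diagnostic that makes the two checks in the answer repeatable. It reads the SSL-enabled Connector out of a server.xml, flags APR-only attributes (SSLCertificateFile, SSLCertificateKeyFile, SSLVerifyClient, SSLProtocol and friends) on a JSSE protocol, and greps catalina.out for the "Loaded APR based Apache Tomcat Native library" line. The sample server.xml and log lines it writes are constructed to mirror the question; paths and function names are mine.

```shell
#!/bin/sh
# Added diagnostic for this thread; it is not code from the original post.
# Two things a JSSE-vs-APR mismatch shows up as:
#   1. server.xml: the SSL-enabled <Connector> carries APR-only attributes
#      (SSLCertificateFile, SSLCertificateKeyFile, ...) but a JSSE protocol.
#   2. catalina.out: Tomcat never logged loading the APR/Tomcat Native library.
# Sample files below are constructed for the demonstration.

# Print the first SSL-enabled <Connector .../> element joined onto one line.
ssl_connector_element() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*/>' | grep 'SSLEnabled="true"' | head -n 1
}

# Print that connector's protocol attribute (empty if none is set).
ssl_connector_protocol() {
    ssl_connector_element "$1" | sed -n 's/.*[ ]protocol="\([^"]*\)".*/\1/p'
}

# Exit 0 and print "apr" or "jsse" when the attributes fit the protocol;
# exit 1 and print "mismatch: <attrs>" when APR-only attributes sit on a
# JSSE (BIO/NIO) connector, where Tomcat ignores them and finds no keystore.
check_connector() {
    elem=$(ssl_connector_element "$1")
    proto=$(ssl_connector_protocol "$1")
    case "$proto" in
        *AprProtocol*) echo "apr"; return 0 ;;
    esac
    # protocol="HTTP/1.1" only becomes APR when Tomcat Native is loaded,
    # so for that value apr_loaded below decides which family applies.
    found=""
    for a in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile \
             SSLCACertificateFile SSLVerifyClient SSLProtocol; do
        case "$elem" in *" $a="*) found="$found $a" ;; esac
    done
    if [ -n "$found" ]; then
        echo "mismatch:$found"
        return 1
    fi
    echo "jsse"
    return 0
}

# Exit 0 if catalina.out records the APR library being loaded.
apr_loaded() {
    grep -q 'Loaded APR based Apache Tomcat Native library' "$1"
}

# Write constructed sample inputs (mirroring the question) to a temp dir
# and print its path.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="./GoDaddy/Tomcat/combined.crt"
               SSLCertificateKeyFile="./GoDaddy/Tomcat/privateKey.key"
               SSLVerifyClient="optional" SSLProtocol="TLS"
         />
  </Service>
</Server>
EOF
    cat > "$d/catalina.out" <<'EOF'
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
EOF
    echo "$d"
}

# Usage: diagnose /etc/tomcat/server.xml /var/log/tomcat/catalina.out
diagnose() {
    if check_connector "$1"; then
        echo "connector attributes are consistent with its protocol"
    else
        echo "APR-only attributes on a JSSE connector: use keystoreFile/keystorePass, or install tomcat-native and switch to Http11AprProtocol"
    fi
    if apr_loaded "$2"; then
        echo "Tomcat Native (APR) was loaded"
    else
        echo "Tomcat Native (APR) was NOT loaded; SSLCertificateFile/SSLCertificateKeyFile have no effect"
    fi
}
```

Run `diagnose /etc/tomcat/server.xml /var/log/tomcat/catalina.out` on the real files; on the question's configuration it reports both a mismatch and a missing APR library, which is why the connector never binds port 443 and the browser sees ERR_CONNECTION_REFUSED.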
1

If you want to use an existing SSL certificate in Tomcat, then you need to create a keystore and then import the certificates into the keystore. Here is a post explaining how to do it step by step.

-1

Ajeet Khan's article is very helpful. There's a typo in one of the commands though, Ajeet:

openssl pkcs12 -export -name servercert -in /path/to/gd_bundle-g2-g1.crt -inkey /path/to/myorg.key -out /path/to/myp12keystore.12

SHOULD BE

openssl pkcs12 -export -name gd_bundle-g2-g1.crt -in /path/to/myorg.com.crt -inkey /path/to/myorg.key -out /path/to/myp12keystore.12
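Added example covering both the keystore advice in the second answer and the openssl command discussed in the third; it is not code from either answer or from Ajeet Khan's article. In the standard `openssl pkcs12 -export` form, `-in` takes the server certificate, `-inkey` its private key, `-certfile` the CA bundle (the intermediate chain), and `-name` sets the alias that Tomcat's `keyAlias` refers to. The resulting PKCS12 file can be used directly by a JSSE connector with `keystoreType="PKCS12"`. The demo certificate material, file names and password below are constructed for the example; the functions are mine.

```shell
#!/bin/sh
# Added example, not code from the original answers: build a PKCS12 keystore
# for a JSSE connector from an existing certificate, its private key and the
# CA bundle, then verify what the keystore contains. File names, the password
# and the demo certificate material are constructed for this demonstration.

# Create throwaway two-level material in directory $1: a "CA" standing in for
# the vendor bundle (gd_bundle.crt) and a server certificate it signed.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/gd_bundle.key" -out "$1/gd_bundle.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$1/myorg.key" -out "$1/myorg.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$1/myorg.csr" \
        -CA "$1/gd_bundle.crt" -CAkey "$1/gd_bundle.key" -CAcreateserial \
        -out "$1/myorg.com.crt" >/dev/null 2>&1
}

# Build the keystore: -in is the server cert, -inkey its key, -certfile the
# CA chain, -name the alias that keyAlias in server.xml must match.
build_keystore() {
    dir=$1; pass=$2
    openssl pkcs12 -export -name tomcat \
        -in "$dir/myorg.com.crt" -inkey "$dir/myorg.key" \
        -certfile "$dir/gd_bundle.crt" \
        -out "$dir/keystore.p12" -passout "pass:$pass"
    # OpenSSL 3 writes AES/PBKDF2 by default; a very old JDK may need the
    # -legacy option added to the command above to read the file.
}

# Print how many certificates the keystore carries (server cert + chain).
keystore_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Exit 0 if the keystore contains a private key (the part Tomcat needs most).
keystore_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Print the JSSE connector fragment that uses the keystore: keystoreFile,
# keystoreType and keystorePass replace the APR-only SSLCertificate* attributes.
connector_fragment() {
    cat <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$1" keystoreType="PKCS12" keystorePass="$2" keyAlias="tomcat" />
EOF
}
```

With the real files, only `build_keystore` and `connector_fragment` are needed: point `-in`, `-inkey` and `-certfile` at the purchased certificate, its key and the GoDaddy bundle, then check with `keystore_cert_count` that the chain made it in (the server certificate plus each intermediate) before restarting Tomcat. Keep the keystore readable only by the tomcat user, since it holds the private key.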