
Configured SSL on Tomcat 8 and Connection Times Out

I set up a keystore and got an SSL cert from openssl.com. The exact steps I followed are here: https://drive.google.com/file/d/0B6PUGo7cBLcDTzdkc0pzT2pTMk0/view?usp=sharing

Unfortunately, even after following their instructions for Tomcat exactly and working with customer support, my HTTPS connection times out.

It seems like Tomcat is up and running, listening on port 443, but I don't know how to debug deeper. HTTP requests are served just fine, so I know Tomcat itself is working.

[ec2-user@ip- logs]$ sudo netstat -tunlp | grep 443 
tcp6       0      0 :::443                  :::*                    LISTEN      19407/java

[ec2-user@ip- logs]$ ps -ef | grep java 
root     19407     1  1 23:03 pts/0    00:00:06 /usr/java/jre1.8.0_60//bin/java
-Djava.util.logging.config.file=/usr/apache-tomcat-8.0.26//conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/apache-tomcat-8.0.26//endorsed -classpath /usr/apache-tomcat-8.0.26//bin/bootstrap.jar:/usr/apache-tomcat-8.0.26//bin/tomcat-juli.jar -Dcatalina.base=/usr/apache-tomcat-8.0.26/ -Dcatalina.home=/usr/apache-tomcat-8.0.26/ -Djava.io.tmpdir=/usr/apache-tomcat-8.0.26//temp org.apache.catalina.startup.Bootstrap start
ec2-user 19449 18021  0 23:13 pts/0    00:00:00 grep --color=auto java

My connector is configured as:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" KeystoreFile="/home/ec2-user/.keystore" KeystorePass="password" />

Please help!

When I configure Tomcat, if there's a delay before I see any response, it is almost always because the port is blocked for some reason. Are you positive port 443 is open through the firewall (assuming this is being done on an external server)?

If your standard port works fine but 443 just sits and spins for a period of time before failing, I'd put my money on a blocked port.

First ensure that 8443 is open. 443 is the port reserved for HTTPS; you can use it for Tomcat, but I prefer to use 8443 or another port different from 443 to avoid a conflict with httpd's HTTPS. For testing from outside:

telnet yourserver 8443

It must connect; if not, check the firewall. Then check the permissions of your certificates: the pem or keystore (depending on your configuration) must be readable by the user or group that runs Tomcat (on Debian it is tomcat8, on Fedora simply tomcat).

For example, this is my configuration in /etc/tomcat/server.xml:

 <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/tomcat/keystore" keystorePass="ooops"
           clientAuth="false" sslProtocol="TLS"/>

The keystore permissions:

ls -lh /etc/tomcat/keystore 
-r--r-----. 1 tomcat tomcat 2,6K 20 dic 01.06 /etc/tomcat/keystore

Port 8443 is open, and I can connect without problem.
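The two answers above point at different root causes that all look like "HTTPS hangs" from a browser: a firewall silently dropping the SYN (first answer), nothing actually listening, or the port answering but the TLS handshake never completing because of a keystore or connector problem (second answer). The probe below, an added example that is not code from either answerer or from Tomcat, separates those cases by doing what `telnet` does and then going one step further with a TLS ClientHello. The fake listeners, the `NEXT_CHECK` hints and the host/port values are constructed for illustration.

```python
"""Probe an HTTPS port and name the failure mode (blocked / refused / TLS)."""
import socket
import ssl
import sys
import threading
import time


def classify_https_endpoint(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port like a browser would and classify what happens.

    Return values:
      "blocked"     TCP connect timed out: a firewall or security group is
                    dropping packets (no SYN-ACK and no RST comes back)
      "refused"     the host answered with RST: nothing is listening there
      "tls_ok"      TCP and TLS handshake both completed
      "tls_timeout" TCP connected but nothing answered the ClientHello
      "tls_failed"  TCP connected but the handshake was rejected or the peer
                    closed (typical of a broken keystore, or of a plain-HTTP
                    connector bound to the HTTPS port)
    """
    ctx = ssl.create_default_context()
    # Diagnostic probe: we only care whether a handshake completes at all,
    # not whether the chain is trusted, so certificate checks are disabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "blocked"
    except ConnectionRefusedError:
        return "refused"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls_ok"
        except socket.timeout:
            return "tls_timeout"
        except OSError:          # ssl.SSLError, EOF, connection reset
            return "tls_failed"


# Suggested next step per outcome (hints assumed for this example).
NEXT_CHECK = {
    "blocked": "firewall / cloud security group: allow inbound TCP to the port",
    "refused": "connector is not listening: read catalina.out for startup errors",
    "tls_timeout": "something else holds the port and is not speaking TLS",
    "tls_failed": "keystore path, password, permissions, or HTTP on the HTTPS port",
    "tls_ok": "transport is fine; look at the webapp or the browser trust chain",
}


def next_check(result: str) -> str:
    """Map a probe result to the thing worth checking next."""
    return NEXT_CHECK[result]


# --- constructed stand-ins for a misbehaving server (fixtures, not Tomcat) ---

def start_fake_listener(handler):
    """Listen on 127.0.0.1:<random>, hand each accepted socket to handler.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed by stop()
                return
            with conn:
                try:
                    handler(conn)
                except OSError:   # client went away first; keep serving
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return port, srv.close


def plain_http_handler(conn):
    """Behaves like a non-SSL connector on the HTTPS port: reads the
    ClientHello as if it were a request and answers with HTTP."""
    conn.recv(4096)
    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def silent_handler(conn, hold_seconds: float = 2.0):
    """Accepts and then says nothing, like a listener that never finishes TLS."""
    time.sleep(hold_seconds)


def free_port() -> int:
    """A port on which nothing is listening (closed right after bind)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. yourserver 8443
    result = classify_https_endpoint(host, port)
    print(f"{host}:{port} -> {result}: {next_check(result)}")
```

Run it from a machine outside the server's network with the real host and port; a `blocked` result means the SYN never got an answer, which is the security group or firewall case, while `tls_failed` means the port is reachable and the problem is inside the connector (keystore path, password, file permissions for the user Tomcat runs as). The `blocked` outcome cannot be reproduced offline with the fixtures here, so it is only documented.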

Would you mind sharing how you created the keystore? I have the same timeout problem, except port 443 is open, and if I create a self-signed store it works (with the warning, but it works), meaning there is a problem in the keystore which I generate from the CRT file provided by Sectigo. I appreciate your help since I can
