Issue
This is the server.xml file:
<Connector port="8443" maxhttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
           keystoreFile="/etc/apache2/sites-available/ssl/sample.jks" keystorePass="*****"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/etc/apache2/sites-available/ssl/sample.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
And this is the Tomcat config file in apache/sites-enabled:
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
But my domain on the HTTPS protocol shows nothing, and on port 80 the server returns 503 Service Unavailable.
Solution
The only connector that you show for your server.xml is for port 8443, but your Apache httpd connects to 8080 - if there's nothing listening on 8080, a 503 answer is reasonable.
The 443 VirtualHost configuration is the shortest that I've ever seen for a VirtualHost that's supposed to serve TLS: You're not using any of the encryption-related directives, e.g. key/certificate location, allowed algorithms etc. That's a good reason to show nothing - as no TLS connection can be established, not even an error message can be shown.
Recommendation: Start proxying to Tomcat via http, and only when that is running for every aspect, attempt to proxy to tomcat's https. It will involve:
- On the tomcat side you'll need a key/certificate for localhost. As no established CA will provide that, you'll have to go self signed
- On the httpd side, you'll need to explicitly trust the self-signed certificate
On top of that: I'd just use the port-80 VirtualHost to unconditionally redirect to https and not even worry about serving any content there.
Answered By - Olaf Kock
Answer Checked By - Katrina (JavaFixing Volunteer)
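The recommendation above written out as an httpd configuration. This is an added example, not part of the original answer. It assumes mod_ssl, mod_proxy and mod_proxy_http are enabled and that a Tomcat HTTP connector on port 8080 has been added to server.xml; example.com and all /path/to/ file names are placeholders.

```apache
# Added example. example.com and the /path/to/ files are placeholders.
# The server.xml in the question defines only the 8443 connector, so an
# HTTP connector on 8080 has to exist in Tomcat before step 1 can work.

<VirtualHost *:80>
    ServerName example.com
    # Serve no content over plain HTTP: redirect everything to HTTPS.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # httpd terminates TLS for the browser. Without these directives
    # no handshake can complete on port 443.
    SSLEngine on
    SSLCertificateFile    /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Step 1: proxy to Tomcat over plain HTTP on the loopback interface.
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Step 2 (only once step 1 works in every respect): replace the two
    # Proxy* lines above with the block below to reach Tomcat over HTTPS.
    # The PEM file is Tomcat's self-signed certificate exported from the
    # keystore, which httpd must be told to trust explicitly.
    # SSLProxyEngine on
    # SSLProxyCACertificateFile /path/to/tomcat-selfsigned.pem
    # SSLProxyVerify require
    # ProxyPass        / https://localhost:8443/
    # ProxyPassReverse / https://localhost:8443/
</VirtualHost>
```

Running `apachectl configtest` after each change catches syntax errors before a reload.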