I am trying to set up SSL for my website and configure its HTTPS settings. I installed Tomcat 8.0.3 on Ubuntu 22.04. The Java version is:
openjdk version "1.8.0_382"
OpenJDK Runtime Environment (build 1.8.0_382-8u382-ga-1~22.04.1-b05)
OpenJDK 64-Bit Server VM (build 25.382-b05, mixed mode)
I got a Let's Encrypt certificate using acme.sh:
acme.sh --issue --dns dns_namesilo -d example.com -d www.example.com --dnssleep 2000
root@server:/# acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
example.com "ec-256" www.example.com LetsEncrypt.org 2023-11-02T19:40:54Z 2023-12-31T19:40:54Z
acme.sh created these certificate files:
SSLCertificateFile="/root/.acme.sh/example.com_ecc/fullchain.cer"
SSLCACertificateFile="/root/.acme.sh/example.com_ecc/ca.cer"
SSLCertificateKeyFile="/root/.acme.sh/example.com_ecc/example.com.key"
Then I had to import the certificate and the key as a PrivateKeyEntry:
openssl pkcs12 -export -in /root/.acme.sh/example.com_ecc/example.com.cer -inkey /root/.acme.sh/example.com_ecc/example.com.key -name example.com -out example.com.p12
keytool -importkeystore -deststorepass changeit -destkeystore /root/.keystore -srckeystore example.com.p12 -srcstoretype PKCS12
Now I have two files: example.com.jks and example.com.p12. But the first one is a trustedCertEntry:
root@server:/# keytool -list -keystore /example.com.jks
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
example.com, Nov 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256)
The .p12 one is the PrivateKeyEntry:
root@server:/# keytool -list -keystore /example.com.p12
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
example.com, Nov 5, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256)
So I changed the server.xml like this:
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
keystoreAlias="example.com"
keystoreFile="/example.com.p12"
keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
...
But it didn't work.
The error message I encounter is as follows:
root@server:/# openssl s_client -connect example.com:443
4047E1C40B7F0000:error:8000006F:system library:BIO_connect:Connection refused:../crypto/bio/bio_sock2.c:125:calling connect()
4047E1C40B7F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:connect:errno=111
Then I noticed that port 443 is closed:
root@server:/# nmap -p 443 example.com --reason
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-06 23:36 +03
Nmap scan report for example.com
Host is up, received localhost-response (0.00012s latency).
PORT STATE SERVICE REASON
443/tcp closed https reset ttl 64
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
root@server:/# netstat -anltp | grep LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 229/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 336/sshd: /usr/sbin
tcp6 0 0 :::8080 :::* LISTEN 254540/java
tcp6 0 0 :::22 :::* LISTEN 336/sshd: /usr/sbin
tcp6 101 0 :::8443 :::* LISTEN 254540/java
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 254540/java
tcp6 0 0 :::8009 :::* LISTEN 254540/java
The ports appear in the ufw list:
root@server:/# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 22 ALLOW IN Anywhere
[ 3] 80 ALLOW IN Anywhere
[ 4] 443 ALLOW IN Anywhere
[ 5] 8080 ALLOW IN Anywhere
[ 6] 8443 ALLOW IN Anywhere
[ 7] OpenSSH ALLOW IN Anywhere
The detailed status of other ports is as follows:
root@server:/# lsof -i:8080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 254540 tomcat 57u IPv6 2619532819 0t0 TCP *:http-alt (LISTEN)
root@server:/# lsof -i:8443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 254540 tomcat 58u IPv6 2619532820 0t0 TCP *:8443 (LISTEN)
root@server:/# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhpcd 431 root 10u IPv4 2625048130 0t0 TCP server.example.com:36174->ns31430745.ip-141-94-96.eu:http (ESTABLISHED)
I've read that acme.sh doesn't use IPv6, but I'm not sure if that has anything to do with it.
I have to set up my website again using old versions of Tomcat and Java, and this is causing too many problems. Frankly, I have no clear idea what I should do at this stage. I will be grateful if you could help me.
EDIT:
root@server:/# openssl s_client -connect example.com:8443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
SOLUTION:
The problem was due to iptables redirection. There are two points to consider here. First, to delete PREROUTING records, you need to use a command like this: iptables -t nat -D PREROUTING... Second, the commands needed to save the change permanently. What worked for me were the following:
# /sbin/iptables-save > /etc/iptables/rules.v4
# /sbin/ip6tables-save > /etc/iptables/rules.v6
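Added example (not part of the original post): a POSIX shell helper that takes an `iptables-save -t nat` dump and emits the exact `iptables -t nat -D PREROUTING ...` commands for the port-rewriting rules, so the delete spec matches the live rule character for character. The nat dump embedded below is constructed for illustration; the persistence paths assume the iptables-persistent layout used in the solution above.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not taken from a real host).
# Two rules rewrite inbound 443, one rewrites inbound 80.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
COMMIT'

# Keep only nat PREROUTING rules that change where a packet is delivered
# (REDIRECT to a local port, or DNAT to another address). Reads stdin.
list_prerouting_redirects() {
    grep -E '^-A PREROUTING .* -j (REDIRECT|DNAT)( |$)'
}

# Rewrite each "-A PREROUTING <spec>" into "iptables -t nat -D PREROUTING <spec>".
# Delete-by-spec only succeeds when <spec> reproduces the rule exactly, which is
# why the spec is copied from iptables-save rather than retyped by hand.
redirect_delete_cmds() {
    list_prerouting_redirects | sed 's/^-A PREROUTING /iptables -t nat -D PREROUTING /'
}

# Restrict the delete commands to rules that match a given external port.
redirect_delete_cmds_for_port() {
    port="$1"
    redirect_delete_cmds | grep -E -- "--dport ${port}( |$)"
}

# The commands that make the cleaned rule set survive a reboot
# (iptables-persistent reads these two files). Both need root.
persist_cmds() {
    printf '%s\n' \
        '/sbin/iptables-save > /etc/iptables/rules.v4' \
        '/sbin/ip6tables-save > /etc/iptables/rules.v6'
}

# Demo: show what would be deleted for port 443, then how to persist.
# On a live host, replace the sample with: iptables-save -t nat | redirect_delete_cmds_for_port 443
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NAT_RULES" | redirect_delete_cmds_for_port 443
    persist_cmds
fi
```

Review the printed commands before running them; a DNAT rule on 443 that points at another host may be intentional even when a REDIRECT to 8443 is not.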