I'm trying to get HTTPS working with Tomcat. I'm using Tomcat 8.5.55 on a CentOS 7.7.1098. I don't have a registered domain to send a CSR to... rather just want to run this on my local host.
I've read multiple sources on the subject and they say to create my own CA. I did that like so:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Then load it on the server:
cp myCA.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
Then import it into a keystore:
keytool -genkey -alias tomcat -keyalg RSA
keytool -importcert -alias tomcat -keystore ~/.keystore -file ~/tempcert/myCA.pem
Here's what the server.xml looks like:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="~/.keystore"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
But when I try to connect to https://localhost:8443, it just times out (e.g., in Firefox, "The connection has timed out. The server at localhost is taking too long to respond.").
There aren't any errors in the logs directory either.
Where have I gone wrong?
The server.xml file should contain the keystore password. Could you please change server.xml as below:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="yourKeystorefilePath" keystorePass="yourKeystorepassword"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />
Your keystore file should be imported into the keystore with the same password.
If there is still an issue, please send me the output of the below Unix command and the catalina.out log file from the Tomcat location so I can debug further.
One more check: please install the KeyStore Explorer tool from this link (https://keystore-explorer.org/) on your machine and import the keystore file into it. Once imported, it will ask for a password (enter the correct password). If it opens, the keystore file and password are correct.
Hope it will resolve your issue.
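As an added example (not code from the question or the answer above), the script below does two things a person debugging this setup would want before reaching for KeyStore Explorer. First, it parses a server.xml and reports the keystore settings of every SSLEnabled connector, in both the legacy keystoreFile/keystorePass form used in the answer and the SSLHostConfig/Certificate form used in the question, and warns about two things visible in the question's configuration: a keystore path beginning with "~" (the JVM performs no shell expansion, so an absolute path or ${user.home}/.keystore is needed) and a missing keystore password (Tomcat then assumes "changeit", which only works if that is what keytool was given). Second, it tries a TLS handshake against the port so that "connection timed out" (nothing bound to the port or a firewall in the way) can be told apart from "listening but the handshake fails" (keystore or certificate problem). The embedded server.xml is a constructed sample modelled on the question, and the port probe is only meaningful when run on the Tomcat host.

```python
"""Sanity-check a Tomcat TLS connector before chasing a connection timeout.

Added example; not from the question, the answer, or the Tomcat project.
"""
import os
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's connector (not the real file).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="~/.keystore" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

DEFAULT_KEYSTORE_PASSWORD = "changeit"  # Tomcat's default when none is configured


def inspect_tls_connectors(xml_text):
    """Return one dict per SSLEnabled <Connector> with its keystore settings and warnings."""
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Legacy style: keystore attributes directly on <Connector>.
        ks_file = conn.get("keystoreFile")
        ks_pass = conn.get("keystorePass")
        # Newer style: <SSLHostConfig><Certificate .../></SSLHostConfig> overrides legacy.
        for cert in conn.iter("Certificate"):
            ks_file = cert.get("certificateKeystoreFile", ks_file)
            ks_pass = cert.get("certificateKeystorePassword", ks_pass)
        warnings = []
        if ks_file is None:
            warnings.append("no keystore file configured")
        elif ks_file.startswith("~"):
            warnings.append('keystore path starts with "~": the JVM does not expand it; '
                            "use an absolute path or ${user.home}/.keystore")
        elif not os.path.isabs(ks_file):
            warnings.append("relative keystore path is resolved against CATALINA_BASE")
        if ks_pass is None:
            warnings.append('no keystore password configured; Tomcat will use "%s"'
                            % DEFAULT_KEYSTORE_PASSWORD)
        results.append({
            "port": int(conn.get("port", "0")),
            "keystore_file": ks_file,
            "keystore_password_set": ks_pass is not None,
            "warnings": warnings,
        })
    return results


def probe_tls_port(host, port, timeout=3.0):
    """Classify a TLS handshake attempt: "ok", "timeout", "refused" or "tls-error".

    A timeout with nothing in the Tomcat logs usually means a firewall or no
    listener on the port, not a certificate problem.
    """
    ctx = ssl.create_default_context()
    # Self-signed test certificate: we only want to know whether a handshake completes.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert(binary_form=True)
                return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError:
        return "tls-error"


if __name__ == "__main__":
    for entry in inspect_tls_connectors(SAMPLE_SERVER_XML):
        print("port %d keystore=%s password_set=%s"
              % (entry["port"], entry["keystore_file"], entry["keystore_password_set"]))
        for w in entry["warnings"]:
            print("  warning:", w)
    print("handshake on localhost:8443 ->", probe_tls_port("localhost", 8443))
```

Run it on the Tomcat host after pointing SAMPLE_SERVER_XML at the real file contents: a "timeout" or "refused" result means the connector never came up or the port is blocked (check that the 8443 listener exists and that firewalld allows it), while "tls-error" means the listener is up and the keystore or certificate is the thing to inspect.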