Thanks Maxim, I got it to work, and you are correct: I needed the SpecialSSLHostConfig in the server.xml.

On Thu, Oct 17, 2019 at 2:29 AM Maxim Solodovnik <[email protected]> wrote:

> Actually there is no need to specify *AprProtocol to use Let's Encrypt
> certificates without conversions.
> Here is a simple step-by-step guide:
> https://community.letsencrypt.org/t/using-letsencrypt-certificates-on-tomcat-8-x-on-windows/28548/7
> All you need is "Special SSLHostConfig".
> Documentation is here:
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>
> On Thu, 17 Oct 2019 at 13:16, René Scholz <[email protected]> wrote:
>
>> Hello,
>>
>> hm, that looks complicated. In my configuration it was not necessary to
>> define a protocol like you have done.
>> The error message shows that the chosen protocol requires a library. It's
>> possible that this is the error, but I don't know
>> if your certificate matches this protocol.
>>
>> I am afraid without deeper knowledge of your certificates and (maybe very
>> complicated and highly secured) network configuration I have no further
>> idea what goes wrong.
>>
>> I have only rudimentary knowledge about certificates; in my
>> configuration "behind a NAT" the https certificate was the lesser evil.
>>
>> Best regards,
>>
>> René
>>
>> On 16.10.2019 at 15:25, Yah's Global Kingdom wrote:
>>
>> Rene, I apologize and thanks for your help! I did use the lines you sent
>> me and changed the necessary information.
>> The private key is using Http11NioProtocol; the format you provided goes
>> into the Http11AprProtocol section.
>>
>> I got this error:
>>
>> 16-Oct-2019 05:58:47.266 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-5443]]
>> org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>>
>> When I use the Http11NioProtocol I get this error. My keystore only has
>> one key in it, the private key.
>>
>> 16-Oct-2019 06:05:35.065 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-5080"]
>> 16-Oct-2019 06:05:35.107 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-5443"]
>> 16-Oct-2019 06:05:35.352 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-5443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:621)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:344)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>> Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>>     ... 13 more
>> Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
>>     at java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:262)
>>     at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
>>     at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
>>     at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:324)
>>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>>     ... 20 more
>>
>> Here is the relevant part of my server.xml that includes the original
>> configuration plus the two configurations I have tried to use to get this
>> to work commented out. <fqdn> is my servername.domainname.org; perhaps
>> you can look and see what I have done wrong.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!--
>>   Licensed to the Apache Software Foundation (ASF) under one or more
>>   contributor license agreements.  See the NOTICE file distributed with
>>   this work for additional information regarding copyright ownership.
>>   The ASF licenses this file to You under the Apache License, Version 2.0
>>   (the "License"); you may not use this file except in compliance with
>>   the License.  You may obtain a copy of the License at
>>
>>       http://www.apache.org/licenses/LICENSE-2.0
>>
>>   Unless required by applicable law or agreed to in writing, software
>>   distributed under the License is distributed on an "AS IS" BASIS,
>>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>   See the License for the specific language governing permissions and
>>   limitations under the License.
>> -->
>> <!-- Note:  A "Server" is not itself a "Container", so you may not
>>      define subcomponents such as "Valves" at this level.
>>      Documentation at /docs/config/server.html
>>  -->
>> <Server port="8005" shutdown="SHUTDOWN">
>>   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
>>   <!-- Security listener. Documentation at /docs/config/listeners.html
>>   <Listener className="org.apache.catalina.security.SecurityListener" />
>>   -->
>>   <!--APR library loader. Documentation at /docs/apr.html -->
>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>>   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
>>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>>
>>   <!-- A "Service" is a collection of one or more "Connectors" that share
>>        a single "Container" Note:  A "Service" is not itself a "Container",
>>        so you may not define subcomponents such as "Valves" at this level.
>>        Documentation at /docs/config/service.html
>>    -->
>>   <Service name="Catalina">
>>
>>     <!--The connectors can use a shared executor, you can define one or more named thread pools-->
>>     <!--
>>     <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
>>         maxThreads="150" minSpareThreads="4"/>
>>     -->
>>
>>
>>     <!-- A "Connector" represents an endpoint by which requests are received
>>          and responses are returned. Documentation at :
>>          Java HTTP Connector: /docs/config/http.html
>>          Java AJP  Connector: /docs/config/ajp.html
>>          APR (HTTP/AJP) Connector: /docs/apr.html
>>          Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
>>     -->
>>     <Connector port="5080" protocol="HTTP/1.1"
>>                connectionTimeout="20000"
>>                redirectPort="5443" />
>>     <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>                maxThreads="150" SSLEnabled="true"
>>                keystoreFile="conf/keystore" keystorePass="openmeetings"
>>                clientAuth="false" sslProtocol="TLS"/>
>>
>>     <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>>          This connector uses the APR/native implementation which always uses
>>          OpenSSL for TLS.
>>          Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>>          configuration is used below.
>>     -->
>>     -->
>>     <!--Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>                SSLCertificateFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
>>                maxThreads="150" SSLEnabled="true" scheme="https"
>>                secure="true" URIEncoding="UTF-8"
>>                keystoreFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
>>                clientAuth="false" sslProtocol="TLS" /-->
>>     <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>>          This connector uses the APR/native implementation which always uses
>>          OpenSSL for TLS.
>>          Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>>          configuration is used below.
>>     -->
>>
>>     <!--Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                maxThreads="150" SSLEnabled="true">
>>
>>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>         <SSLHostConfig>
>>             <Certificate certificateKeyFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
>>                          certificateFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
>>                          certificateChainFile="/etc/letsencrypt/live/<fqdn>/fullchain.pem"
>>                          type="RSA" />
>>         </SSLHostConfig>
>>     </Connector>
>>     -->
>>
>> On Wed, Oct 16, 2019 at 1:50 AM René Scholz <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> why don't you try out the config part I sent you?
>>> Make a backup of your server.xml, edit the part for your connector port,
>>> restart your OM, pray a little bit and open your browser with https and
>>> your port.
>>>
>>> What's the result?
>>>
>>> When you mean that something goes wrong, replace it with your backed-up
>>> server.xml.
>>>
>>> Best regards,
>>>
>>> René
>>>
>>> On 15.10.2019 at 22:30, Yah's Global Kingdom wrote:
>>>
>>> You're saying I don't have to use a keystore with these certs?
>>>
>>> On Mon, Oct 14, 2019 at 4:06 AM Maxim Solodovnik <[email protected]> wrote:
>>>
>>>> With this config import is redundant;
>>>> you can use your keys as-is :)
>>>>
>>>> On Sun, 13 Oct 2019 at 21:11, Yah's Global Kingdom <[email protected]> wrote:
>>>>
>>>>> Thanks for the information. If I might ask, which of these keys did you
>>>>> import into your keystore for openmeetings?
>>>>>
>>>>> On Sat, Oct 12, 2019 at 1:36 PM R. Scholz <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> this is the part in my server.xml in the conf dir of my openmeeting I
>>>>>> use without problems:
>>>>>>
>>>>>> <Connector port="5443"
>>>>>>            SSLEnabled="true">
>>>>>>     <SSLHostConfig>
>>>>>>         <Certificate certificateFile="/etc/letsencrypt/live/subdomain.domain.de/cert.pem"
>>>>>>                      certificateKeyFile="/etc/letsencrypt/live/subdomain.domain.de/privkey.pem"
>>>>>>                      certificateChainFile="/etc/letsencrypt/live/subdomain.domain.de/fullchain.pem" />
>>>>>>     </SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>>>> With best regards,
>>>>>>
>>>>>> René
>>>>>>
>>>>>> On 12.10.2019 at 17:35, Yah's Global Kingdom wrote:
>>>>>>
>>>>>> Ok, understood for the VOIP implementation. Hopefully, there will be
>>>>>> time for it in the near future, as it was a feature that was really
>>>>>> appreciated and used.
>>>>>> On a different note, I am using LetsEncrypt for SSL certificates.
>>>>>> The wiki at https://openmeetings.apache.org/HTTPS.html does not seem
>>>>>> to apply, as you can not submit a .csr file to Let's Encrypt and it only
>>>>>> works on port 443. I have changed /conf/server.conf to 443 but the server
>>>>>> still refuses to connect. Are there any instructions for how to make OM
>>>>>> 5.0.0.M2 or M3 work with LetsEncrypt and Certbot? Thanks for all your
>>>>>> help, Maxim.
>>>>>>
>>>>>> On Thu, Oct 10, 2019 at 12:45 PM Maxim Solodovnik <[email protected]> wrote:
>>>>>>
>>>>>>> Yes, sure.
>>>>>>> Unfortunately my time is very limited;
>>>>>>> not sure I can provide any estimates.
>>>>>>>
>>>>>>> On Thu, 10 Oct 2019 at 09:16, Yah's Global Kingdom <[email protected]> wrote:
>>>>>>>
>>>>>>>> Is there a plan to implement VOIP for this version of Openmeetings?
>>>>>>>
>>>>>>> --
>>>>>>> WBR
>>>>>>> Maxim aka solomax
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax
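The two failing attempts in this thread share a root cause that is visible before Tomcat starts: the JSSE connector was handed privkey.pem as `keystoreFile` (which expects a JKS/PKCS12 keystore, hence "Cannot store non-PrivateKeys"), and the commented-out APR block points `certificateKeyFile` at cert.pem and `certificateFile` at privkey.pem. The lint below, an added example and not code from the thread or from OpenMeetings, parses the `<Connector>` elements and checks what each referenced PEM actually contains; the example.org paths and PEM bodies are constructed placeholders for the `<fqdn>` files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the three Let's Encrypt files; only the PEM headers matter here.
LIVE = "/etc/letsencrypt/live/example.org"          # placeholder for <fqdn>
SAMPLE_FILES = {
    f"{LIVE}/privkey.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    f"{LIVE}/cert.pem": "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n",
    f"{LIVE}/fullchain.pem": 2 * "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n",
}
# The swapped attempt from the thread (key and cert attributes reversed), the keystoreFile
# attempt, and the working SSLHostConfig form.
SWAPPED_XML = f"""<Server><Service><Connector port="5443" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeyFile="{LIVE}/cert.pem"
      certificateFile="{LIVE}/privkey.pem" certificateChainFile="{LIVE}/fullchain.pem"/>
  </SSLHostConfig></Connector></Service></Server>"""
KEYSTORE_XML = f"""<Server><Service><Connector port="5443" SSLEnabled="true"
  protocol="org.apache.coyote.http11.Http11NioProtocol" keystoreFile="{LIVE}/privkey.pem"/>
  </Service></Server>"""
GOOD_XML = f"""<Server><Service><Connector port="5443" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateFile="{LIVE}/cert.pem"
      certificateKeyFile="{LIVE}/privkey.pem" certificateChainFile="{LIVE}/fullchain.pem"/>
  </SSLHostConfig></Connector></Service></Server>"""
KEY_HDR = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
CERT_HDR = re.compile(r"-----BEGIN CERTIFICATE-----")

def pem_kind(text):
    """Classify a PEM blob by its header: 'key', 'cert' or 'unknown' (also for a missing file)."""
    if KEY_HDR.search(text):
        return "key"
    return "cert" if CERT_HDR.search(text) else "unknown"

def lint_connectors(server_xml, files=SAMPLE_FILES):
    """Return one finding per misconfigured attribute on SSL-enabled Connectors."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port, ks = conn.get("port"), conn.get("keystoreFile")
        if ks and ks.endswith(".pem"):   # JSSE keystoreFile expects JKS/PKCS12, not raw PEM
            findings.append(f"port {port}: keystoreFile={ks} is PEM; use SSLHostConfig/Certificate")
        for cert in conn.iter("Certificate"):
            for attr, want in (("certificateKeyFile", "key"), ("certificateFile", "cert"),
                               ("certificateChainFile", "cert")):
                path = cert.get(attr)
                if path is not None and (kind := pem_kind(files.get(path, ""))) != want:
                    findings.append(f"port {port}: {attr}={path} holds a {kind}, expected {want}")
    return findings
```

Run `lint_connectors(...)` against each of the three constructed configs: the swapped one reports both reversed attributes, the keystoreFile one reports the PEM-as-keystore mistake, and the working form reports nothing.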
