Hi.

I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to look at the standard server.xml.

There is something which does not quite fit in all of this.
I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors or imbricated comments.
Yet the logfile points to these lines..
Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml lines that you pasted here.

Ooooh, wait.
I know why it did not fit.

After looking again, more carefully, at the logfile that you posted, I see what was confusing : that logfile shows several starts and stops of tomcat. It just accumulates. I was looking just at the beginning, the first error that I found.
You have for example this :

08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms

Just before the error message that I was mentioning, which was :
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
 org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

But that was like 21 minutes later, after tomcat had been running for 21 minutes.

Then after that there are a few more starts and stops, and at the latest attempt, the problem is different :

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)


So, here is what happened :

- when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, ending in the line 08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms

but then, you did not have the connector for port 8443 enabled yet.

- then you stopped tomcat, and you started it again at
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26

- and then you had this :
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.

so my guess is that you modified the server.xml, while tomcat was still running, and then you did a "shutdown.sh", to prepare to restart tomcat.

- And then there was that parse error.

And the reason is that the shutdown command, in fact starts another (small) instance of tomcat, to issue the shutdown command to the running instance. But that shutdown instance also reads server.xml, and at that time you /did/ have a syntax error in it. So that is where this syntax error came from.

Later you apparently corrected the syntax, and restarted tomcat :

08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26

and this time, there was no syntax error anymore in server.xml, but then there is this other problem :

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)

but that seems to only prevent the SSL connector from starting, and the logfile shows that tomcat continues to initialise anyway, with only the other connectors.

So that's why you can connect normally to port 8080.

I did not know that tomcat starts anyway, even if it encounters a severe problem with one of its connectors.

(And I must say that, as a sysadmin myself, I find this behaviour a bit questionable)(unless it is optional)

So anyway, your problem now is not the syntax of server.xml anymore, it is something to do with your SSL keystore.
And for that I am not competent to help, and I'll have to ask someone else to follow-up.


And now I've been top-posting myself all of this, contrary to the rules. 
Apologies.

But John, for the rest, I suggest that before you restart tomcat, delete or rename that old logfile, so that when you restart it will be "fresh" and contain only the result of the last attempt. It will be clearer for everyone.


On 21.09.2017 21:47, John Ellis wrote:
One more thing Andre. I don't know if it matters or not but when I try to
access Tomcat 9 on the secure port of 8443
  I see it saying down in the bottom left hand corner of my browser-
"Performing a TLS handshake to 10.22.8.70..." but it never
gives the webpage. However once I change the IP address to 10.22.8.70:8080
it immediately goes to the Tomcat 9 webpage.

John Ellis

405.285.2500 office




http://biz-e.io


-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
OK. As I said there is nothing on line 87 but here is line 114-

SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.

Can you paste here, say, that same line, but with 10 lines before and 10
lines after, and tell at which line number this starts in server.xml (so
that we can compare with the log) ?

The error messages in the log were apparently about comments (between <!--
and -->), so if these lines are (or contain) comments, copy them anyway.





John Ellis

405.285.2500 office




http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 10:15 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup



On 21.09.2017 16:43, John Ellis wrote:
Thanks so much for the quick reply Andre. There doesn't appear to be
anything on line 87 but there is on line 114. See the screenshot I
took of the server.xml file below-


Unfortunately, this list strips most attachments, and in fact asks for
text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important

Please paste the corresponding lines directly, as text, in your next
message.


John Ellis

405.285.2500 office

http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, September 20, 2017 10:41 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 17:07, John Ellis wrote:

   > All of what I have done so far has been in Tomcat version 9, which I
   > downloaded from the Apache Tomcat website. The way I start tomcat is
   > by running the command ./startup.sh from within the
   > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
   > command ./shutdown.sh from the same directory.

   >

Ok, perfect. So there is only one tomcat9 we can be talking about, and
one server.xml file. And since this is a "standard tomcat", that
server.xml must be in .. let me look at the logfile again) ..

08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]

so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :

08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
     org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

there is something on line 87, position 6, that he does not like.

And further down also :

08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
     org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.

but maybe this is not in the server.xml file itself, but in something
else that the server.xml references there (like an external "XML entity"
or something).

Why don't you get those 2 lines from your server.xml and paste them here :

...

   > John Ellis

   >

   > 405.285.2500 office

   >

   >

   >

   >

   > http://biz-e.io

   >

   >

   > -----Original Message-----

   > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]

   > Sent: Wednesday, September 20, 2017 10:02 AM

   > To: users@tomcat.apache.org <mailto:users@tomcat.apache.org>

   > Subject: Re: tomcat ssl setup

   >

   > On 20.09.2017 15:20, John Ellis wrote:

   >> Andre can you tell me which log file you are saying tells where the
   >> problem is?
   >
   > That's the one you uploaded to the dropbox :
   > https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
   >
   > I have of course no idea at this point, which tomcat or which
   > server.xml this was related to, but i suppose you do.
   >
   >> I am not seeing it but I may not be even looking for the right thing. I
   >> did open the server.xml file up in an XML file editor program and it
   >> didn't give any errors.
   >
   > Then it must be that this tomcat who wrote the logfile, is not looking
   > at the same server.xml file than the one you're looking at.
   > (Or else your XML file editor is not really good)
   >
   > How do you start this tomcat, on your server ?
   > And where did you get this tomcat from ? Is it the one from the tomcat
   > website ?

   >

   >>

   >> John Ellis

   >>

   >> 405.285.2500 office

   >>

   >>

   >>

   >>

   >> http://biz-e.io

   >>

   >>

   >> -----Original Message-----

   >> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]

   >> Sent: Tuesday, September 19, 2017 3:47 PM

   >> To: users@tomcat.apache.org <mailto:users@tomcat.apache.org>

   >> Subject: Re: tomcat ssl setup

   >>

   >> On 19.09.2017 20:17, John Ellis wrote:

   >>> Here are the tomcat 9 log file DropBox links-
   >>>
   >>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

   >>

   >> Well, there you go. It tells you explicitly where you made the
   >> mistakes, up to the file and line numbers.
   >> I can't see your server.xml, but I would bet that you have modified
   >> it, by surrounding some XML comment sections by another comment pair
   >> <!-- ... --> That crashes because XML does not allow that.
   >> You cannot have this kind of thing :
   >>
   >> <!-- ... <!-- ... -->  -->

   >>

   >>

   >>>

   >>>
   >>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0

   >>>

   >>> Thanks,

   >>>

   >>> John Ellis

   >>>

   >>> 405.285.2500 office

   >>>

   >>> United States

   >>>


   >>>

   >>> http://biz-e.io

   >>>

   >>> *From:*Alejandro Vargas M.

   >>> [mailto:alejandro.var...@kymsolutions.com]

   >>> *Sent:* Tuesday, September 19, 2017 11:10 AM

   >>> *To:* users@tomcat.apache.org <mailto:users@tomcat.apache.org>

   >>> *Subject:* Re: tomcat ssl setup

   >>>

   >>> Do you see what's on the log files, they can tell you what's the

   >>> problem in. Maybe you can share those files too.

   >>>

   >>> I also saw on line 117 this "|  -->|"  Looks like there's left over.

   >>>

   >>> On 09/19/2017 09:31 AM, John Ellis wrote:

   >>>

   >>>       I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version 6.4) server for
   >>>       testing purposes. I downloaded & installed Tomcat9 fine and I get a proper webpage on
   >>>       port 8080 but when I used the keytool commands and created a certificate from
   >>>       cacert.org and then edited the server.xml file to setup the ssl configuration to run
   >>>       on port 8443 I cannot get a webpage on that port; it defaults back to port 8080. If I
   >>>       am not providing all the needed info or asking a wrong question please forgive me. I
   >>>       am not a programmer. My background is in computer hardware. I have just been forced to
   >>>       learn this to support two products that we use here in our office; Jira and
   >>>       Confluence. I have actually been working on setting them up for an SSL connection on a
   >>>       different server. I got Confluence working on a secure port but not Jira so my boss
   >>>       suggested troubleshooting the issue by trying to first get SSL setup for Tomcat on
   >>>       this other server.
   >>>
   >>>       I am providing a copy of the Tomcat9 server.xml file here on a DropBox link-
   >>>       https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0

   >>>

   >>>       Thanks in advance!

   >>>

   >>>       John Ellis

   >>>

   >>>       405.285.2500 office

   >>>

   >>>       United States

   >>>


   >>>

   >>> http://biz-e.io

   >>>

   >>> --

   >>>

   >>>

   >>>

   >>> Alejandro Vargas Mayorga

   >>> */Development Manager C.A. & C./*

   >>> *Tel. 506- 7232-3366*

   >>> *Email:**alejandro.var...@kymsolutions.com*

   >>> <mailto:%20alejandro.var...@kymsolutions.com>*

   >>> **www.kymsolutions.com* <http://www.kymsolutions.com/>* Visit our virtual classroom! *

   >>>

   >>

   >>

   >>
---------------------------------------------------------------------

   >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
<mailto:users-unsubscr...@tomcat.apache.org>

   >> For additional commands, e-mail: users-h...@tomcat.apache.org
<mailto:users-h...@tomcat.apache.org>


---------------------------------------------------------------------

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
<mailto:users-unsubscr...@tomcat.apache.org>

For additional commands, e-mail: users-h...@tomcat.apache.org
<mailto:users-h...@tomcat.apache.org>
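
Added example, not part of the original thread: a small Python script that splits an accumulated catalina log into one record per Tomcat start, separates start-up errors from errors logged after "Server startup" (such as the parse error triggered by shutdown.sh), and flags starts that completed although a connector failed. The sample log is constructed from the excerpts quoted above, and treating the "Server version" banner as the start marker is an assumption.

```python
import re

# Constructed sample modelled on the catalina log excerpts quoted in the thread;
# the 10:05:02.807 line and the final "Server startup" line are invented for the demo.
SAMPLE_LOG = """\
08-Sep-2017 10:05:02.807 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
08-Sep-2017 15:24:37.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 2111 ms
"""

# timestamp, level, [thread], logging source, message
LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} [\d:.]+) (\w+) \[[^\]]*\] (\S+) (.*)$")
FAILED = re.compile(r"Failed to initialize component \[Connector\[([^\]]+)\]\]")
# Assumption: every real start logs a version banner; newer releases say "version name".
BANNER = ("Server version:", "Server version name:")

def split_runs(text):
    """Split an accumulated catalina log into one record per Tomcat start."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        ts, level, _source, msg = m.groups()
        if msg.startswith(BANNER):
            runs.append({"started": ts, "up": None, "startup_errors": [],
                         "later_errors": [], "failed_connectors": []})
        if not runs:
            continue  # ignore anything before the first banner
        run = runs[-1]
        if msg.startswith("Server startup in"):
            run["up"] = ts
        elif level == "SEVERE":
            hit = FAILED.search(msg)
            if hit:
                run["failed_connectors"].append(hit.group(1))
            # After "Server startup" the error is not from this start-up itself,
            # e.g. shutdown.sh re-reading an edited server.xml.
            bucket = "later_errors" if run["up"] else "startup_errors"
            run[bucket].append((ts, msg))
    return runs

def degraded_runs(runs):
    """Starts that completed although a connector (such as 8443) failed."""
    return [r for r in runs if r["up"] and r["failed_connectors"]]

if __name__ == "__main__":
    for r in split_runs(SAMPLE_LOG):
        print(r["started"], "up" if r["up"] else "not up", r["failed_connectors"],
              len(r["startup_errors"]), len(r["later_errors"]))
```

A start reported by `degraded_runs` is the case described in the message: port 8080 answers normally while nothing is listening for TLS on 8443.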


