Thursday, November 5, 2015

Connector attribute SSLCertificateFile must be defined when using SSL with APR

I was recently setting up SSL for Apache Tomcat based on this article: https://support.comodo.com/index.php?/Knowledgebase/Article/View/646/0/tomcat-ssl-connector

However, after setting up SSL in my server.xml file according to the article, I received the following error message:

"Connector attribute SSLCertificateFile must be defined when using SSL with APR"

Well, as it turns out, this line in my server.xml file was causing problems:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Since I was running my Apache Tomcat SSL on the same port as AJP, it was causing conflicts and throwing this exception!
Therefore, my solution consisted of two parts:
Remove the redirectPort attribute from this element:
<Connector port="8009" protocol="AJP/1.3" />

Next, remove the Listener element from the server.xml file:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

I created a handy little PowerShell script to accomplish these tasks:
[CmdletBinding()]
Param(
    # File name of the JKS keystore; it is expected to live in $BaseScriptDir
    [Parameter(Mandatory=$True,Position=1)]
    [string]$KeyStoreFile,
    # Keystore password; note that Tomcat stores it in clear text in server.xml (keystorePass),
    # so keep the file's permissions restricted to the service account and administrators
    [Parameter(Mandatory=$True)]
    [string]$KeyStorePwd,
    # Port the HTTPS connector will listen on
    [Parameter(Mandatory=$False)]
    [string]$PortNumber="8443"
)

$BaseScriptDir = "C:\MyCerts"
$ApacheTomcatDir = "C:\Program Files\Apache Software Foundation\Tomcat 8.0"
$ApacheTomcatConfDir = "$ApacheTomcatDir\conf"
$JavaCertFile = "$BaseScriptDir\$KeyStoreFile"
$ServerXMLFile = "$ApacheTomcatConfDir\server.xml"
$TomcatServiceName = "Tomcat8"
$BakFileExtension = ".bak"

Write-Host "Copy the Java SSL Certificate for Apache Tomcat SSL"
Copy-Item $JavaCertFile $ApacheTomcatConfDir

Write-Host "Create a backup of the Apache Tomcat server.xml file"
Copy-Item $ServerXMLFile ($ServerXMLFile + $BakFileExtension)

#Stop the Apache Tomcat Service before editing its configuration
Stop-Service $TomcatServiceName

#Read the content of the XML File (-Raw keeps it as one string for the [xml] cast)
$serverXMLDoc = [xml](Get-Content $ServerXMLFile -Raw)

#Update the HTTP/1.1 connector so that it becomes the HTTPS connector
$connectorXPath = "//Connector[@protocol='HTTP/1.1']"
$connectorNode = Select-Xml -Xml $serverXMLDoc -XPath $connectorXPath | Select-Object -First 1 -ExpandProperty Node
if (-not $connectorNode) { throw "No HTTP/1.1 Connector found in $ServerXMLFile" }

#Tomcat reads attribute values as strings, so write "true"/"false" rather than PowerShell booleans
$connectorNode.SetAttribute("port", $PortNumber)
$connectorNode.SetAttribute("SSLEnabled", "true")
$connectorNode.SetAttribute("maxThreads", "150")
$connectorNode.SetAttribute("scheme", "https")
$connectorNode.SetAttribute("secure", "true")
$connectorNode.SetAttribute("keystoreFile", "$ApacheTomcatConfDir\$KeyStoreFile")
$connectorNode.SetAttribute("keystorePass", $KeyStorePwd)
$connectorNode.SetAttribute("clientAuth", "false")
$connectorNode.SetAttribute("sslProtocol", "TLS")
$connectorNode.SetAttribute("maxHttpHeaderSize", "8192")

#This connector is now the SSL endpoint itself, so it must not redirect elsewhere
$connectorNode.RemoveAttribute("redirectPort")

#Update the AJP connector: drop its redirectPort (skip if there is no AJP connector)
$AJPConnectorXPath = "//Connector[@protocol='AJP/1.3']"
$AJPConnectorNode = Select-Xml -Xml $serverXMLDoc -XPath $AJPConnectorXPath | Select-Object -First 1 -ExpandProperty Node
if ($AJPConnectorNode) { $AJPConnectorNode.RemoveAttribute("redirectPort") }

#Remove the APR lifecycle listener (SSLEngine="on") from its parent Server element
$ListenerXPath = "//Listener[@className='org.apache.catalina.core.AprLifecycleListener']"
$ListenerNode = Select-Xml -Xml $serverXMLDoc -XPath $ListenerXPath | Select-Object -First 1 -ExpandProperty Node
if ($ListenerNode) { [void]$ListenerNode.ParentNode.RemoveChild($ListenerNode) }

#Save the changes and update the server.xml file
$serverXMLDoc.Save($ServerXMLFile)

#Restart the Apache Tomcat service
Start-Service $TomcatServiceName
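A pre-flight check is useful before running a script like the one above against a live server.xml. The validator below is an added example, not code from the original post: `Test-TomcatServerXml` and the sample server.xml string are both constructed here, and the sample reproduces the pre-fix layout described in the post (APR listener with SSLEngine="on", an HTTPS connector configured with keystoreFile, an AJP connector with redirectPort). The first check targets the exact combination behind the error in the title: the AprLifecycleListener with SSLEngine="on" makes Tomcat use the APR/OpenSSL connector implementation, which reads SSLCertificateFile rather than a JSSE keystoreFile. The other two checks cover what a reviewer would also want to know about connectors: whether two of them claim the same port, and whether every redirectPort actually points at an SSL-enabled connector.

```powershell
# Added example: validate a Tomcat server.xml for the conditions discussed in the post.
# The XML below is a constructed sample; replace it with
#   [xml](Get-Content "C:\...\conf\server.xml" -Raw)
# to check a real installation.
[string]$SampleServerXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/tomcat.jks" keystorePass="changeit" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"@

function Test-TomcatServerXml {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [xml]$ServerXml
    )

    $findings = @()

    # 1. APR/OpenSSL engine switched on while an SSL connector is still configured
    #    with a JSSE keystore and no SSLCertificateFile. This is the combination
    #    that yields "Connector attribute SSLCertificateFile must be defined when
    #    using SSL with APR" at startup.
    $aprOn = Select-Xml -Xml $ServerXml -XPath "//Listener[@className='org.apache.catalina.core.AprLifecycleListener' and @SSLEngine='on']"
    $sslConnectors = Select-Xml -Xml $ServerXml -XPath "//Connector[translate(@SSLEnabled,'TRUE','true')='true']" |
        Select-Object -ExpandProperty Node
    foreach ($c in $sslConnectors) {
        if ($aprOn -and $c.HasAttribute("keystoreFile") -and -not $c.HasAttribute("SSLCertificateFile")) {
            $findings += "Connector on port $($c.GetAttribute('port')): APR SSLEngine is on but only keystoreFile is set; " +
                         "either provide SSLCertificateFile/SSLCertificateKeyFile (PEM) or remove the APR listener."
        }
    }

    # 2. Two connectors bound to the same port can never both start.
    $allConnectors = Select-Xml -Xml $ServerXml -XPath "//Connector" | Select-Object -ExpandProperty Node
    $byPort = $allConnectors | Group-Object -Property { $_.GetAttribute("port") }
    foreach ($g in $byPort) {
        if ($g.Count -gt 1) {
            $protocols = ($g.Group | ForEach-Object { $_.GetAttribute("protocol") }) -join ", "
            $findings += "Port $($g.Name) is claimed by $($g.Count) connectors ($protocols)."
        }
    }

    # 3. A redirectPort should name a port on which an SSL-enabled connector listens;
    #    otherwise confidential-transport redirects go to a closed port (or to plain HTTP).
    $sslPorts = @($sslConnectors | ForEach-Object { $_.GetAttribute("port") })
    foreach ($c in $allConnectors) {
        $rp = $c.GetAttribute("redirectPort")
        if ($rp -ne "" -and $sslPorts -notcontains $rp) {
            $findings += "Connector on port $($c.GetAttribute('port')) redirects to $rp, but no SSL-enabled connector listens there."
        }
    }

    return $findings
}

$report = @(Test-TomcatServerXml -ServerXml ([xml]$SampleServerXml))
if ($report.Count -eq 0) {
    Write-Host "server.xml looks consistent"
} else {
    $report | ForEach-Object { Write-Warning $_ }
}
```

Run against the constructed sample, the function reports a single finding for the connector on port 8443 (APR engine on, keystoreFile present, SSLCertificateFile absent); the port and redirectPort checks pass because 8080, 8443 and 8009 are distinct and both redirects point at the SSL connector. Removing the Listener element from the sample, as the post does, clears the report.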