Cyclos Docker SSL Impelementation for tomcat

muazzamazaz · May 15, 2019, 10:27am

I have configured tomcat inside docker container as follows

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="my.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
                <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                        certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                        certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
                         type="RSA" />

Restarted the docker container but its not accessible via https

where my.jks is stored inside tomcat/conf directory.

I configure docker container as follows:

docker run -d \
    --name=nameofcontainer \
    -p 80:8080 \
    -p 443:8443 \
    --net=cyclos-net \
    --cap-add=NET_ADMIN \
    -e DB_HOST=cyclos-db \
    -e DB_NAME=cyclos \
    -e DB_USER=cyclos \
    -e DB_PASSWORD=cyclos \
    image-id

nitishmowall · May 15, 2019, 4:03pm

hey
check inside the container on which network ip the port is attached. using netstat -ntlp. If it is not set 0.0.0.0 or bridge network ip, please do that. as port mapping happens to bridge interface ips only( host can access bridge interface port service only).

muazzamazaz · May 16, 2019, 7:47am

root@4b0535d06a77:/usr/local/cyclos# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:44514        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1/java
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      1/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1/java
tcp       24      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1/java

nitishmowall · May 16, 2019, 7:58am

it looks good
did you try telnet to that port from host. to see if are you able to connect to that port.
If yes then check the tomcat server log what is going on

muazzamazaz · May 16, 2019, 8:16am

Microsoft Telnet> o members.kentuckianatrade.com 8443
Connecting To members.kentuckianatrade.com…Could not open connection to the ho
st, on port 8443: Connect failed

which log file to see

root@9aeaabef6e66:/usr/local/tomcat/logs# ls
catalina.2019-05-14.log localhost.2019-05-16.log
catalina.2019-05-15.log localhost_access_log.2019-05-14.txt
catalina.2019-05-16.log localhost_access_log.2019-05-15.txt
host-manager.2019-05-14.log localhost_access_log.2019-05-16.txt
host-manager.2019-05-15.log manager.2019-05-14.log
host-manager.2019-05-16.log manager.2019-05-15.log
localhost.2019-05-14.log manager.2019-05-16.log
localhost.2019-05-15.log

nneelamjjain1 · May 19, 2023, 7:47am

I was facing the same issue. After lot of research i could conclude on the following.

letsencrypt creates a soft link on the file system while creating certificate under the /etc/letsencrypt/live/ directory.
Docker does not scan files with soft link. Hence, certs will be missing in the docker repository. To overcome this situation provide absolute path to the certs. For e.g. in this case there will be directory /etc/letsencrypt/archive/

In the tomcat server.xml link the files under the archive directory.