Posted on 04-24-2017 05:32 AM
Hi,
After upgrading to the latest version I've got some troubles having tomcat to bind properly to 443.
This is my catilina.out. As you can see it doesn't even try to bind 443.
casper@casper:/usr/local/jss/tomcat/logs$ tail catalina.out
SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding
SecurityConfiguration for ESAPI.Logger not found in ESAPI.properties. Using default: org.owasp.esapi.reference.JavaLogFactory
SecurityConfiguration for Logger.LogApplicationName not found in ESAPI.properties. Using default: true
SecurityConfiguration for Logger.LogServerIP not found in ESAPI.properties. Using default: true
24-Apr-2017 13:13:12.252 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /usr/local/jss/tomcat/webapps/ROOT.war has finished in 41,400 ms
24-Apr-2017 13:13:12.268 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
24-Apr-2017 13:13:12.270 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
24-Apr-2017 13:13:12.273 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 42020 ms
Posted on 04-24-2017 01:03 PM
I would check your server.xml and see if your upgrade modified it. If it did, consider restoring it from backup.
Posted on 04-24-2017 01:10 PM
@futureworkshops Double check that your SSL keystores got restored to the proper place after the upgrade. Your SSL keys might not be in the right place and so it can't fire up the HTTPS connector
Posted on 04-24-2017 01:16 PM
@chriscollins is right.. either the connector port for 8443 is messed up in server.XML or a valid tomcat key store cannot be found by tomcat if 8080 is working but not 8443. With any upgrades to the JSS it's a good idea to back up the tomcat folder ahead of time so that way you have your old server.XML and Tomcat keystore among other things
Posted on 04-24-2017 01:18 PM
@futureworkshops Also, I should have added that if you used the installer provided by JAMF then it should have backed those files up for you at (assuming linux) /usr/local/jss/backups/tomcat/. Check the latest backups from that folder.
Posted on 04-25-2017 04:22 AM
Thanks for the suggestions. I've checked and:
- server.xml from backup and new server.xml installed are exactly the same.
- the .p12 certificate is at the right place and it's not corrupted.
Anything else I can try?
Posted on 04-25-2017 04:28 AM
Not so much that server.xml might be missing....I'm worried it got modified. I would check the modification dates...in reality server.xml should not change to frequently.
assuming it is perfect though for this...I would start looking as to whether you can go there on the server itself...try https://127.0.0.1:8443. If it works there and not elsewhere, then I would start looking at firewalls, proxies and traffic shapers. If it does not work, the server.xml hasn't changed and the keystore is there, then I might try saving your backup, wiping out the JSS folder and installing fresh. I didn't note whether you installed via the installer or performed a manual installation.
Posted on 04-25-2017 04:31 AM
@blackholemac I've used the installed. I've run a diff on the backup server.xml and the installed server.xml and there's no difference. Is there any issue with the certificate being stored in .p12 format?
Netstat shows nobody listening on 443 or 8443:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
So I guess the next step would be reinstalling the whole thing? :/
Posted on 04-25-2017 04:36 AM
There shouldn't be...the same cert was working before. Unless it was a really older one with slightly different security maybe or maybe expired. Is your cert self signed or signed by a commercial cert authority.
Its sounding like it...given your server.xml hasn't changed at all and given your cert being there, I would consider a quick uninstall/reinstall (provided you backup your original backup). I have heard that the Windows installer does strange things...at least it used to when we use it. I have done straight manual installs for about a year. Sure I have to check things like the server.xml/certs a little more closely, but at least the Windows install doesn't add in any issues.
Posted on 04-25-2017 05:36 AM
For some reason I noticed that tomcat preferred IPv6 - disabling that fixed my problem.
I have no idea why having ipv6 enabled didn't allow the binding or why it was working before, but it works now!
Posted on 04-25-2017 09:52 AM
Check permissions on the server.xml file.
Posted on 05-03-2017 08:07 AM
When we upgraded to the latest 9.98 we had issues with Tomcat as well. It had to do with the certificate not getting copied back over properly. We're hosted on Linux, but that's an issue we've ad in the past.
Posted on 05-03-2017 08:11 AM
When we upgraded to the latest 9.98 we had issues with Tomcat as well. It had to do with the certificate not getting copied back over properly. We're hosted on Linux, but that's an issue we've ad in the past.
Posted on 05-03-2017 08:12 AM
Sorry for the duplicates! The page timed out and I didn't realize they posted at all. Wish we had a way to remove posts of ours in cases like this.
Posted on 04-20-2018 01:19 PM
@futureworkshops I have the same issue as yours. Please let me know how you fixed it please! Below is my error message though I was not upgrading but instead i was enabling encryption key and change the 8080 port to 8443 port.
19-Apr-2018 11:47:34.049 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
19-Apr-2018 11:47:34.057 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
19-Apr-2018 11:47:34.058 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 60546 ms