We Keep Coding

tomcat 10 SSLHostConfig problem - protocol handler fails to start - attribute certificateFile must be defined

I have tomcat 10.0.18 on macOS (via homebrew)
In my server.xml I have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<hostName>test</hostName>
<protocols>TLSv1.2</protocols>
<certificateVerification>required</certificateVerification>
<Certificate>
<caCertificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12</caCertificateFile>
<certificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12</certificateFile>
<certificateKeyPassword>egeria</certificateKeyPassword>
</Certificate>
</SSLHostConfig>
</Connector>
However when I start & connect I see an error:
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-jsse-nio2-8443"] connector has been configured to
support negotiation to [h2] via ALPN
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-8443"]
30-Mar-2022 09:51:21.162 WARNING [main] org.apache.tomcat.util.net.Nio2Endpoint.shutdownExecutor The executor associated with thread pool [https-jsse-nio2-8443] has not ful
ly shutdown. Some application threads may still be running.
30-Mar-2022 09:51:21.163 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Htt
p11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:132)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1192)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1205)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:580)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
... 11 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:310)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 18 more
30-Mar-2022 09:51:21.164 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [13255] milliseconds
Yes as best I can see, I do have the value assigned.
Background -- just testing some mutual SSL config for our open-source project with some self-signed certs I generated. We use springboot server-side, a variety of java, python, go, node etc client-side -- but for debugging/understanding I'm just trying base tomcat, with curl/httpie clients
The .p12 files above should contain the right combination of certs/keys, but this is the area I'm exploring. I can adapt, use individual PEMs, try a chain via a directory.. but this first issue seems more about the basics of defining a config and is what I'm trying to understand - being fairly new to tomcat.

I figured it out - so will answer my own question for the benefit of future readers.
The parsing issue was down to format. I'm so used to editing other XML files such as maven, where the above format I tried is typical. tomcat was new to me, so I realised it needs to be:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="required">
<Certificate
caCertificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
certificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
certificateKeyPassword="egeria"
/>
</SSLHostConfig>
</Connector>
I now get other exceptions - but that is specific to the certs, something I'm debugging. I share this to answer the question specifically on why the properties could not be found.

Am facing following issue while working with openSSL

Am facing following issue while working with openSSL.
Below are the server details:
Tomcat : 8.5.43
Ubuntu: 18.
JVM: 1.8.0_221-b11
Apache Tomcat Native library: 1.2.23
APR Version: 1.7.0
Open SSL : 1.1.1
Below is our Connector configuration:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
scheme="https"
secure="true"
SSLEnabled="true"
acceptCount="100"
connectionTimeout="20000"
SSLCertificateFile="certificate/server.crt"
SSLCertificateKeyFile="certificate/servercertkey.pem"
SSLVerifyClient="optional"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
SSLCipherSuite="RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5">
</Connector>
Am getting following error:
29-Jul-2019 12:56:48.856 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit> Failed getting cipher list
java.lang.Exception: Not implemented
at org.apache.tomcat.jni.SSL.newSSL(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:77)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:54)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:92)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:82)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:42)
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:397)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
29-Jul-2019 12:56:48.941 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [certificate/server.crt] or its private key [certificate/servercertkey.pem] could not be processed using a JSSE key manager and will be given directly to OpenSSL
29-Jul-2019 12:56:48.963 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1037 ms
What am doing wrong? Any pointers would help.
Thank you in advance.

Connection timed out on port

I have an application running on Apache Tomcat, I am getting a connection timed out error when I try to telnet to that port. Here is the server.xml config:
<Service name="Catalina">
<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector port="8868" maxThreads="200" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" redirectPort="8804" acceptCount="100" debug="0" connectionTimeout="60000" disableUploadTimeout="true"/>
When I do netstat -tupln, it shows that the port is listening:
netstat -tulpn | grep :8868
tcp 0 0 0.0.0.0:8868 0.0.0.0:* LISTEN 15629/java
I am able to ping the IP address, but when I do a telnet to the port I get a connection timed out. I don't think it is a firewall issue because I ran service iptables status and got
iptables: Firewall is not running.
same thing with service ip6tables status
ip6tables: Firewall is not running.

Failed to parse multipart request org.apache.commons.fileupload.FileUploadException: Processing of multipart/form-data request failed. null

I know the similar questions are already asked, but unfortunately I can't find the good answer to find the solution for this problem. When I try to upload any file (XML/CSV formats accepted only), it works in local, but on the server it doesn’t work.
I don't have any timeout or read timeout error. Here you can find more details.
IMPORTANT : I have this error after correction of Hibernate Session's error, in fact I had always Session Close error in log file so I changed my code and now the Sessions will be closed after finishing the task, but I have this new error only in Server and not in LOCAL !!
Server log :
ERROR [org.apache.struts.upload.CommonsMultipartRequestHandler] (ajp-127.0.0.1-8009-6) Failed to parse multipart request
org.apache.commons.fileupload.FileUploadException: Processing of multipart/form-data request failed. null
at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:384)
at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:268)
at org.apache.struts.upload.CommonsMultipartRequestHandler.handleRequest(CommonsMultipartRequestHandler.java:182)
at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:389)
at org.apache.struts.chain.commands.servlet.PopulateActionForm.populate(PopulateActionForm.java:45)
at org.apache.struts.chain.commands.AbstractPopulateActionForm.execute(AbstractPopulateActionForm.java:57)
at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:48)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:304)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:190)
at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:280)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1858)
Server.xml file :
<Service name="jboss.web">
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
connectionTimeout="20000" redirectPort="8443" />

I'm assuming that you are uploading a big file and it's taking time to upload.
I would suggest to add the following to Connector with the following:
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
connectionTimeout="60000" redirectPort="8443"
connectionUploadTimeout="36000000" disableUploadTimeout="false" />
(See this related SO Question).
I hope this helps.

Not able to configure SSL with Tomcat 7

I am trying to configure SSL with Tomcat 7 but not able to do so. Please guide.
Command for generating SSL certificate:
C:\Java\jdk1.7.0_40\bin>keytool -genkeypair -alias tomcat-keystore -keyalg RSA -keystore C:\my.keystore
server.xml
<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:\my.keystore" keystorePass="abc"
clientAuth="false" keyAlias="tomcat-keystore" sslProtocol="TLS"/>
The problem is that if I put https://wwww.secdevapp.net:8443 the browser says "The webpage is not available" and I see the error in the catalina.log file (mentioned below) but http://www.secdevapp.net:8080 works fine.
Tomcat Error Log:
Mar 26, 2014 11:22:04 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
... 13 more

Commenting out the APR listener in server.xml line:27 does the trick in Windows OS.
Found the solution from http://java.dzone.com/articles/ssl-your-tomcat-7
The APR is a native library that you may install during Tomcat installation. It does tie your Tomcat to your OS but "provide superior scalability and performance". This is a good thing to do for your production environment. In other environments, I don't see the point.

Check the port on your server. Is tomcat/java actually listening on
port 8443?
Check the tomcat logs, usually in tomcat/logs directory. What does
the access log say?
Did you restart tomcat after using that Connector? What does
catalina.log say?