I recently set up a new build server for Cantina which needed an SSL certificate installed. Having not done this in a while on Tomcat (and never on Tomcat 6), I found it to be a little challenging. In the end, I found that some of the optional methods described in the Tomcat documentation didn’t work for me, so I wanted to share which method did and how I got there.
My first step was getting an SSL cert. We have done a lot of business with Register.com, so we opted to get it through them. We ended up getting a wildcard cert so we could use it across all our subdomains. The package came with 5 files: the private key, the certificate, 2 intermediate certificates, and the root certificate. After getting the files, I checked out the documentation they provided. I followed this documentation for adding the certificates to a new keystore and setting up the connector.
After restarting Tomcat, I browsed to the URL and found it didn’t come up. Looking at the logs, I saw the following error:
SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
This is a common error which essentially says "you messed up the SSL configuration somehow". So I immediately brought up the Tomcat 6 documentation on SSL installation to compare with the Register.com docs. Tomcat 6 has a new feature it can use for SSL called APR, short for "Apache Portable Runtime". APR allows Tomcat to access advanced server features and native functionality. For SSL purposes, it allows Tomcat to use OpenSSL. Having much more experience with Apache and OpenSSL, I opted for using this feature.
After looking at the Tomcat docs again and doing a little Googling, I found out that I needed to install the native libraries on Debian. I did this with the following command:
sudo apt-get install libtcnative-1
I then went back to the Register.com documentation, this time for Apache. Following those instructions, I executed the following command to combine the intermediate and root certificates:
cat Intermediary_Certificate_2.crt Intermediary_Certificate_1.crt Root_Certificate.crt > cantina.co.ca.crt
I also renamed some of the files to be more consistent:
mv certificate.crt cantina.co.crt
mv cantinaco.key cantina.co.key
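Before pointing the Tomcat connector at these three files, it is worth checking them the way OpenSSL (and therefore the APR connector) will read them. The POSIX shell script below is an added example, not part of the original post and not code from Tomcat or Register.com. It checks that the private key belongs to the certificate, that the first certificate in the concatenated chain file is the leaf's issuer (the order produced by the `cat` command above matters, because the file is sent to clients as-is), and that the leaf verifies up to the root in the chain file. Each of these is a common cause of a connector that refuses to start or serves an incomplete chain. It assumes the `openssl` command line tool is installed. The function names `check_tomcat_ssl_material` and `make_test_chain` are mine; `make_test_chain` builds a throwaway root, intermediate and wildcard leaf with constructed names (`Test Root`, `*.example.test`) so the script runs offline, standing in for the files the CA delivered.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate, key and chain files an APR/OpenSSL connector is given.
# Function names, test subject names and paths are constructed here.

# Usage: check_tomcat_ssl_material CERT KEY CHAIN
# Returns 0 only if the key matches the certificate, the first block in
# CHAIN is the certificate's issuer, and CERT verifies against CHAIN.
check_tomcat_ssl_material() {
    cert=$1; key=$2; chain=$3
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. The private key must belong to the certificate: compare public keys
    #    (works for RSA and EC keys alike, unlike a modulus comparison).
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    # 2. Chain order: the chain file is sent as-is, so its first certificate
    #    must be the intermediate that signed the leaf (x509 reads block 1).
    leaf_issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null | sed 's/^issuer=//')
    first_subject=$(openssl x509 -noout -subject -in "$chain" 2>/dev/null | sed 's/^subject=//')
    if [ -z "$leaf_issuer" ] || [ "$leaf_issuer" != "$first_subject" ]; then
        echo "first certificate in chain file is not the leaf's issuer" >&2; return 1
    fi
    # 3. Full path validation from the leaf up to the root in the chain file.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against the chain file" >&2; return 1
    fi
    return 0
}

# Constructed test material: throwaway root -> intermediate -> wildcard leaf,
# using the same file naming as the post. Writes into the directory DIR.
make_test_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    # Self-signed root with explicit CA extensions (independent of openssl.cnf defaults).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$dir/Root_Certificate.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/Root_Certificate.key" \
        -extfile "$dir/ca.ext" -out "$dir/Root_Certificate.crt" >/dev/null 2>&1
    # Intermediate signed by the root, also marked CA:TRUE.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$dir/Intermediary_Certificate_1.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/inter.csr" -extfile "$dir/ca.ext" \
        -CA "$dir/Root_Certificate.crt" -CAkey "$dir/Root_Certificate.key" -CAcreateserial \
        -out "$dir/Intermediary_Certificate_1.crt" >/dev/null 2>&1
    # Wildcard leaf signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$dir/cantina.co.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" \
        -CA "$dir/Intermediary_Certificate_1.crt" -CAkey "$dir/Intermediary_Certificate_1.key" \
        -CAcreateserial -out "$dir/cantina.co.crt" >/dev/null 2>&1
    # Same concatenation as in the post: intermediate(s) first, root last.
    cat "$dir/Intermediary_Certificate_1.crt" "$dir/Root_Certificate.crt" > "$dir/cantina.co.ca.crt"
}

# Stand-alone run: build the throwaway chain in a temp dir and check it.
demo_dir=$(mktemp -d)
make_test_chain "$demo_dir"
check_tomcat_ssl_material "$demo_dir/cantina.co.crt" "$demo_dir/cantina.co.key" \
    "$demo_dir/cantina.co.ca.crt" && echo "SSL material is consistent"
rm -rf "$demo_dir"
```

Against the real files, source the script and call `check_tomcat_ssl_material /var/lib/tomcat6/conf/cantina.co.crt /var/lib/tomcat6/conf/cantina.co.key /var/lib/tomcat6/conf/cantina.co.ca.crt` before restarting Tomcat; a non-zero exit and the message on stderr name the specific mismatch, which is far quicker than working back from the generic SSLException in the Tomcat log.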
I uploaded the new chain file, the private key, and the certificate file to the Tomcat configuration directory at /var/lib/tomcat6/conf. I then opened Tomcat’s server.xml file. At the top of this file, there is a section similar to the following:
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
Following the Tomcat docs, I uncommented the APR listener. I then located the connector for port 8080 and commented it out, since this server is SSL only. Next, I located the commented out SSL connector for port 8443, uncommented it and modified it to look like the following:
<Connector port="8443" protocol="HTTP/1.1"
    SSLCertificateFile="/var/lib/tomcat6/conf/cantina.co.crt" SSLCertificateKeyFile="/var/lib/tomcat6/conf/cantina.co.key"
    SSLCertificateChainFile="/var/lib/tomcat6/conf/cantina.co.ca.crt" scheme="https" secure="true" SSLEnabled="true"
    enableLookups="false" clientAuth="false" sslProtocol="TLS"/>
Finally, I needed to make the site accessible through port 443 instead of 8443. I find that on a Linux box, the easiest way to do this is through iptables, rather than installing Apache as a proxy. So I executed the following command:
iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
After a quick restart of Tomcat, I found that everything worked as expected. I then followed the Debian Wiki instructions for how to save the iptables rules.