how to enable ssl on tomcat 8 embedded javascript/json/java webapp

Question

I've tried may things to get this working. I have a web app I'm developing. javascript front-end that talks via json to a java back-end. the entire thing runs on an embedded tomcat 8 instance. it works fine until i try to enable ssl/tls encryption.

before adding ssl

Tomcat tomcat = new Tomcat();
String webappDirLocation = "src/main/webapp/";

String webPort = System.getenv("PORT");
if (webPort == null || webPort.isEmpty()) {
    webPort = "8080";
}

tomcat.setPort(Integer.valueOf(webPort));
Connector connector = tomcat.getConnector();
connector.setURIEncoding("UTF-8");
tomcat.addWebapp("/", new File(webappDirLocation).getAbsolutePath());
System.out.println("configuring app with basedir: " + new File("./" + webappDirLocation).getAbsolutePath());

tomcat.start();
tomcat.getServer().await();

after I attempted to add ssl with self signed cert.

Tomcat tomcat = new Tomcat();
String tmp = "1q2w3e4r5t";
String filePathToStore = "src/main/app/ssl/keystore.jks";
char[] keystorePasswordCharArray = tmp.toCharArray();

Connector httpsConnector = new Connector();
httpsConnector.setPort(8843);
httpsConnector.setSecure(true);
httpsConnector.setScheme("https");
httpsConnector.setAttribute("keyAlias", "tomcat");
httpsConnector.setAttribute("keystorePass", keystorePasswordCharArray);
httpsConnector.setAttribute("keystoreFile", new File(filePathToStore));
httpsConnector.setAttribute("clientAuth", "false");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);

Service service = tomcat.getService();
service.addConnector(httpsConnector);
Connector defaultConnector = tomcat.getConnector();
defaultConnector.setRedirectPort(443);

String webappDirLocation = "src/main/webapp/";

Connector connector = tomcat.getConnector();
connector.setURIEncoding("UTF-8");
tomcat.addWebapp("/", new File(webappDirLocation).getAbsolutePath());
System.out.println("configuring app with basedir: " + new File("./" + webappDirLocation).getAbsolutePath());

tomcat.start();
tomcat.getServer().await();

I just want a simple web service that is ideally embedded so that deployment and configuration is simple.

to generate the keypair i used the command:

keytool -genkeypair -keystore keystore.jks -keyalg RSA -alias tomcat

I then copied the keystore.jks into my app/ssl/ directory.

it will run and compile with no errors. when i attempt to access the site at https:\\localhost Firefox complains with:

(Error code: ssl_error_rx_record_too_long) 

and the eclipse console will spit out a trace

Jan 06, 2016 9:14:25 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name   at          org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:228)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1010)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

the site is still accessible at http:\\localhost:443 What do i need to do to install the certificate? export from the key store and put it in my browser? i expected just a warning message.

continuing to troubleshoot i found a simple program called SSLPoke, this is the error i get:

java SSLPoke localhost 443
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at SSLPoke.main(SSLPoke.java:23)

so it seems that my connection is not speaking https even though I'm listing there, still cant figure it out.

Answer 1

This is not related to the question asked but i got the same exception. I was trying to test my code(rest api call) and I was using https://localhost:2001 and I got Invalid character (CR or LF) found in method name.

The issue is I should be using http not https.

Answer 2

Take this with a grain of salt because I have never configured Tomcat.

With that said it looks like you've configured a server on 8843(did you mean to use 8443?) with your certificate but haven't configured it for 443. I think you'll need configuration for a 443 server as well. Right now if you connect on 443 you're probably not connecting encrypted and probably why you're receiving those errors.

In your original configuration you had the site running on port 80. Another suggestion would be run to try just running on 443. Change httpsConnector.setPort(8843); to httpsConnector.setPort(443);

Answer 3

I have the same problem.

Have you try to run this code on heroku ?

If, yes maybe you can use this :

https://robots.thoughtbot.com/set-up-cloudflare-free-ssl-on-heroku