TED SPRADLEY
2017-06-29 17:40:38 UTC
I've worked on this for three days and at this point am not sure where to
begin debugging.
I don't know if this is an SSL Cert issue, an Apache Reverse Proxy issue, a
Tomcat Connector issue or a Tomcat import of the SSL Cert issue.
Any feedback is much appreciated.
Thank you in advance,
Ted S.
Server version: Apache Tomcat/7.0.68
Server built: Feb 8 2016 20:25:54 UTC
Server number: 7.0.68.0
OS Name: Linux
OS Version: 3.10.0-327.3.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_91-b14
JVM Vendor: Oracle Corporation
Important Points:
1. Apache was unable to be restarted without reboot.
2. After reboot requests to https://example.com/somecontext receive "502 Proxy Error"
3. I rekeyed SSL Certs and re-imported into Tomcat (command below)
4. Requests to https://example.com/somecontext still receive "502 Proxy Error"
5. I suspect one problem may be with the contents of the <VirtualHost _default_:443> element
After a recent reboot I encountered the following issue.
Issue: Requests via browser client to https://example.com/somecontext
return -
-- begin browser page
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.
Reason: Error reading from remote server
-- end browser page
Unexpected Observed Behavior: Requests via browser client to
https://www.example.com/ return the default index.html for the server.
Requests via command line client curl https://www.example.com/ return "502 Proxy Error"
This server has been in production for seven months correctly responding
to requests on ports 80 & 443 (with secure content). I updated content and
wanted to change to redirecting incoming requests from port 80 to port 443.
When I attempted to restart Apache, Apache failed to kill the running
process. I issued 'kill'. Then tried to start. Apache failed to start. I
restored the <VirtualHost *:80> container to the state listed below, then
tried to start Apache. Apache failed to start. I rebooted the server, then
started Apache.
Then any request via browser behaved as above. I then rekeyed the SSL Cert
and re-imported the cert into Tomcat with:
$ openssl pkcs12 -export -in /etc/pki/tls/certs/example.com.crt -inkey /etc/pki/tls/private/example.key -out examplecert.p12 -name tomcat -CAfile /etc/pki/tls/certs/ca_bundle.crt -caname root -chain
Configuration files content:
-- begin virtualhost.conf
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com *.example.com
ProxyRequests off
ProxyPreserveHost on
ProxyPass / http://example.com:8081/
ProxyPassReverse / http://example.com:8081/
ProxyPass /somecontext http://example.com:8081/somecontext
ProxyPassReverse /somecontext http://example.com:8081/somecontext
</VirtualHost>
<VirtualHost *:80>
ServerName www.exampledefaultdomain.com
ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com *.example.com
ProxyRequests off
ProxyPreserveHost on
CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
ErrorLog "/etc/httpd/logs/examplessl_error.log"
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /path/to/certs/example.com.crt
SSLCertificateKeyFile /path/to/keys/example.key
SSLCertificateChainFile /path/to/certs/ca_bundle.crt
ProxyPass / http://example.com:8443/
ProxyPassReverse / http://example.com:8443/
ProxyPass /somecontext http://example.com:8443/somecontext
ProxyPassReverse /somecontext http://example.com:8443/somecontext
</VirtualHost>
-- end virtualhost.conf
-- begin ssl.conf -
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /path/to/certs/example.com.crt
SSLCertificateKeyFile /path/to/keys/example.key
SSLCACertificateFile /path/to/certs/ca_bundle.crt
</VirtualHost>
-- end ssl.conf -
-- begin Tomcat server.xml Connector:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
proxyName="www.example.com"
proxyPort="443"
keystoreFile="conf/.keystore"
clientAuth="false"
sslProtocol="TLS"
xpoweredBy="false"
server="Apache TomEE" />
-- end Tomcat server.xml Connector:
$ openssl x509 -in /etc/pki/tls/certs/example.com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=example.com
$ apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:35)
alias example.com
wild alias *.example.com
*:80 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
port 80 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
alias example.com
wild alias *.example.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
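The post above pairs an httpd vhost whose ProxyPass targets name port 8443 with a Tomcat Connector on 8443 that has SSLEnabled="true". One check a practitioner wants before touching certificates is whether each ProxyPass backend scheme (http:// or https://) agrees with the TLS setting of the connector on that port, and whether SSLProxyEngine is on wherever https:// backends appear: a scheme mismatch makes Apache fail to read the backend response, which is one way to end up with a 502 "Error reading from remote server". The script below is an added example written for this page, not code from the poster or from the Apache or Tomcat projects. It parses constructed excerpts of server.xml and an httpd vhost (the host name backend.example.test and the directives shown are constructed for illustration) and prints one line per disagreement; pointing the two functions at real files is a matter of replacing the two heredoc-style variables with `cat` of the actual configs.

```shell
#!/bin/sh
# Cross-check the scheme of each ProxyPass backend URL against the TLS setting
# of the Tomcat connector listening on that port. A plain http:// ProxyPass to
# an SSLEnabled connector (or https:// to a plain connector) makes Apache's read
# of the backend response fail, which surfaces as a 502 "Error reading from
# remote server". Added example; the config excerpts below are constructed.

# Constructed server.xml excerpt: one plain HTTP connector, one TLS connector.
TOMCAT_XML='
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" />
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore" sslProtocol="TLS" />
'

# Constructed httpd vhost excerpt; backend.example.test is a placeholder host.
HTTPD_CONF='
<VirtualHost *:443>
  SSLEngine on
  SSLProxyEngine on
  ProxyPass / http://backend.example.test:8443/
  ProxyPass /somecontext https://backend.example.test:8443/somecontext
  ProxyPass /plain http://backend.example.test:8081/plain
</VirtualHost>
'

# Print "PORT tls|plain" for every <Connector> element, even when the element
# spans several lines (attributes are joined until the closing ">").
connector_ports() {
  printf '%s\n' "$1" | awk '
    /<Connector/ { buf = ""; inside = 1 }
    inside       { buf = buf " " $0 }
    inside && />/ {
      inside = 0
      port = ""
      if (match(buf, /port="[0-9]+"/)) port = substr(buf, RSTART + 6, RLENGTH - 7)
      tls = (buf ~ /SSLEnabled="true"/) ? "tls" : "plain"
      if (port != "") print port, tls
    }'
}

# Print "SCHEME PORT PATH" for every ProxyPass directive with an http(s) target.
# A target without an explicit port gets the scheme default (80 or 443).
proxypass_targets() {
  printf '%s\n' "$1" | awk '
    $1 == "ProxyPass" && match($3, /^https?:\/\//) {
      scheme = substr($3, 1, RLENGTH - 3)
      hostport = substr($3, RLENGTH + 1)
      sub(/\/.*$/, "", hostport)                 # keep host[:port] only
      port = (hostport ~ /:[0-9]+$/) ? hostport : ""
      sub(/^.*:/, "", port)
      if (port == "") port = (scheme == "https") ? "443" : "80"
      print scheme, port, $2
    }'
}

# Print one MISMATCH line per ProxyPass whose scheme disagrees with the backend
# connector, plus a MISSING line if https:// backends are used without
# SSLProxyEngine on. No output means the proxy and connector settings agree.
check_proxy_schemes() {
  ports=$(connector_ports "$2")
  proxypass_targets "$1" | while read -r scheme port path; do
    backend=$(printf '%s\n' "$ports" | awk -v p="$port" '$1 == p { print $2 }')
    if [ -z "$backend" ]; then
      continue                                   # no connector on that port
    fi
    if [ "$scheme" = http ] && [ "$backend" = tls ]; then
      echo "MISMATCH $path: http:// backend, but port $port is a TLS connector"
    elif [ "$scheme" = https ] && [ "$backend" = plain ]; then
      echo "MISMATCH $path: https:// backend, but port $port is a plain connector"
    fi
  done
  if printf '%s\n' "$1" | grep -q 'https://' &&
     ! printf '%s\n' "$1" | grep -qi 'SSLProxyEngine[[:space:]]*on'; then
    echo "MISSING: https:// backends need SSLProxyEngine on"
  fi
}

# Run the check on the constructed excerpts when executed directly.
check_proxy_schemes "$HTTPD_CONF" "$TOMCAT_XML"
```

On the constructed input the only line reported is for the `ProxyPass /` entry, because it sends plain HTTP to the connector that expects TLS; the `/somecontext` and `/plain` entries agree with their connectors. The check is deliberately static (it reads configuration, not the network), so it can run on a copy of the files without touching the production proxy.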