I have a very specific question: a self-made certificate works on my Tomcat installation, that is, the connection to port 443 is NOT refused (but of course it is not valid in any browser; Google Chrome, for example, says that the connection is insecure).
However, I installed a free ZeroSSL certificate and then the connection to port 443 is refused. Why? (I changed port 8080 to 80 and 8443 to 443 in the server.xml file.)
By the way, I had already installed a free certificate from ZeroSSL on another server (Windows 8), and it works fine.
Port numbers below 4096 are privileged ports on most OS's, and that includes Windows. You'd have to run Tomcat under an administrative user account, and I don't recommend that as it's a major security exposure.
In most cases what I recommend is actually not to have Tomcat handle SSL at all, but to front Tomcat with a Reverse Proxy Server.
Basically, a Reverse Proxy acts as a webserver, but it's actually a forwarding point for one or more backend servers, in addition to being easier to set up for secure communications. The Apache and Nginx webapp servers are often used for this purpose, although as far as I know, you can set up IIS to do so as well. I haven't worked with IIS since the beginning of the millennium, so I'm hazy on what it can do these days.
The regular webapp servers used for proxies start as privileged users and then downshift their identities. There's no "write once/run anywhere" way to do that in Java, and Tomcat is written 100% in Java, which is why it can't run securely on the front line.
Incidentally, while the security advantages of a reverse proxy server have always been good, the fact that such a server can host multiple apps and domains is especially useful now that so many applications run in Spring Boot and/or containers.
The one thing to note, though, is that the cert format used by Java is not the same as what servers like Apache and Nginx use. So you either have to get certs in the proper format or convert the ones you've already obtained.
Tim Holloway wrote: I haven't worked with IIS since the beginning of the millennium, so I'm hazy on what it can do these days.
I had to set up an IIS server in front of JBoss quite recently. If I recall correctly you have to install a plugin, but after that it's actually pretty easy.
Matthew Bendford wrote: Never heard of ZeroSSL - have you tried Let's Encrypt?
My wild guess in the blue: the required root cert isn't available for ZeroSSL, while the root certs for Let's Encrypt are part of current VMs.
That would explain a browser error that Tony is already having with self-signed certificates. The server itself should just work.
Tony, I'm guessing that Tomcat is having issues with the certificate. What format is it in? I've been able to set up HTTPS in Tomcat using a PFX file; maybe your format is different and not supported by Java.
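To illustrate Tim's point about Java's keystore format and Rob's PFX question, here is an added example (not from this thread or from the Tomcat project) that packages PEM files as a CA would deliver them into a PKCS12 keystore that Tomcat's JSSE connector can load, then reads the keystore back as a sanity check. It assumes openssl is installed; the file names, the alias tomcat and the password changeit are constructed, and the key/cert pair is self-signed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example: PEM (cert + key + chain) -> PKCS12 keystore for Tomcat.
# Assumes openssl is on PATH. All file names and secrets are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA-issued files so the script runs offline. In real use,
# replace these with the certificate, private key and CA bundle the CA sent.
make_demo_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/private.key" -out "$WORK/certificate.crt" >/dev/null 2>&1
    # A second self-signed cert stands in for the intermediate/CA bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca_bundle.crt" >/dev/null 2>&1
}

# Convert PEM to PKCS12. In Tomcat 9 server.xml the alias must match
# certificateKeyAlias and the password certificateKeystorePassword on the
# <Certificate> element; certificateKeystoreFile points at the .p12 file.
pem_to_p12() {
    cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name tomcat -out "$out" -passout "pass:$pass"
}

# Read the keystore back before restarting Tomcat. A keystore that fails here
# is the usual reason the HTTPS connector never opens its port (connection
# refused) rather than serving a certificate the browser distrusts.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -subject
}

make_demo_pem
pem_to_p12 "$WORK/certificate.crt" "$WORK/private.key" "$WORK/ca_bundle.crt" \
    "$WORK/tomcat.p12" changeit
verify_p12 "$WORK/tomcat.p12" changeit
```

If verify_p12 prints the server certificate's subject, the keystore is loadable; if it errors, fix the keystore (wrong password, missing key, or a cert that does not match the key) before touching the connector.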
I am not a newbie in computer science, but really, it took me many hours to resolve the problem of adding HTTPS to a Tomcat 9 server (I'm a newbie in that domain, yeah!). The problem is not that it is particularly difficult, but finding the right track. There are so many offers on the Internet for (semi-)free certificates.
The previous post here led me on the right track: "have you tried Let's Encrypt?" by Matthew Bendford. I then found a great page that explains the whole process clearly: