[thredds] Certificate problems with thredds-docker

  • To: "thredds@xxxxxxxxxxxxxxxx" <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Certificate problems with thredds-docker
  • From: Jim Fluke <james.fluke@xxxxxxxxxxxxx>
  • Date: Tue, 1 Jul 2025 07:59:58 -0600
Hello,

First, this is related to the previous questions I've posted here regarding authentication using a certificate. The difference is that I got that to work with the 5.5 release, but I can't get it to work with the 5.6 release. I want to go to the 5.6 release because of the new Tomcat CVEs.

I think I have narrowed this down to the certificate configuration in Tomcat. This is the server.xml certificate configuration that was working for me in thredds-docker 5.5 and Tomcat 9.0.97:
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
        This connector uses the APR/native implementation which always uses
        OpenSSL for TLS.
        Either JSSE or OpenSSL style configuration may be used. OpenSSL style
        configuration is used below.
   -->
<Connector server="Apache" secure="true" port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                     certificateFile="/usr/local/share/ca-certificates/cert.pem"
                     certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Note I fixed the authentication problems I had previously by making sure the certificate was installed in the container's OS as well as configured for Tomcat.

But this configuration does not work for thredds-docker 5.6 and Tomcat 10.1.42. Here is the error in the Tomcat Catalina log:

12-Jun-2025 23:29:09.855 WARNING [main] org.apache.catalina.startup.Catalina.parseServerXml Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
        org.xml.sax.SAXParseException; systemId: file:/usr/local/tomcat/conf/server.xml; lineNumber: 124; columnNumber: 25; Error at line [124] column [25]: [Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null]
                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1948)
                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1981)
                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1728)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2899)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
                at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
                at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1506)
                at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:607)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:697)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null
                at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:883)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
                at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:490)
                at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:144)
                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1014)
                ... 20 more
12-Jun-2025 23:29:09.855 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured

Any suggestions would be appreciated!

Thanks,
Jim
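
Added example, not part of the original message or of thredds-docker: a pre-upgrade check that scans a server.xml for Connectors still naming an APR/native protocol handler class. Tomcat 10.1 no longer ships the APR/native connector, which is consistent with the null protocolHandler in the log above. The function name, the embedded sample and the suggested NIO replacement are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# APR/native protocol handlers that Tomcat 10.1 no longer ships, mapped to the
# NIO handler of the same kind (choosing NIO is this example's assumption).
APR_TO_NIO = {
    "org.apache.coyote.http11.Http11AprProtocol": "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol": "org.apache.coyote.ajp.AjpNioProtocol",
}

# Constructed sample: the TLS connector from the message plus a plain HTTP one.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector server="Apache" secure="true" port="8443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                   certificateFile="/usr/local/share/ca-certificates/cert.pem"
                   certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return one finding per Connector whose protocol handler is an APR class."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol not in APR_TO_NIO:
            continue
        findings.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "tls": conn.get("SSLEnabled", "false").lower() == "true",
            "suggested_protocol": APR_TO_NIO[protocol],
            # PEM paths are listed so they can be re-checked after the change.
            "cert_files": sorted(
                value for cert in conn.iter("Certificate")
                for name, value in cert.attrib.items() if name.endswith("File")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE):
        print(finding)
```

Running such a check against the image's server.xml before the container starts turns the startup failure into a build-time finding.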