I'm running THREDDS 5.6 on top of Tomcat 10.1.36, not using Docker, and the
move from THREDDS 5.4 and Tomcat 9 had me scratching my head on the same
problem.
To get the SSL port 8443 connector to work I had to change
protocol="org.apache.coyote.http11.Http11AprProtocol" to
protocol="org.apache.coyote.http11.Http11NioProtocol".
Hopefully that works for you.
Thanks,
Chris Woelkers
IT Specialist
National Oceanic and Atmospheric Administration
Great Lakes Environmental Research Laboratory
4840 S State Rd | Ann Arbor, MI 48108
Office: 734-741-2446
Cell: 734-604-0059
Voice: 734-219-3815
On Tue, Jul 1, 2025 at 10:00 AM Jim Fluke <james.fluke@xxxxxxxxxxxxx> wrote:
> Hello,
>
> First, this is related to the previous questions I've posted here
> regarding authentication using a certificate. The difference is that I got
> that to work with the 5.5 release, but I can't get it to work with the 5.6
> release. I want to go to the 5.6 release because of the new Tomcat CVEs.
>
> I think I have narrowed this down to the certificate configuration in
> Tomcat. This is the server.xml certificate configuration that was working
> for me in thredds-docker 5.5 and Tomcat 9.0.97:
> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>      This connector uses the APR/native implementation which always uses
>      OpenSSL for TLS.
>      Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>      configuration is used below.
> -->
> <Connector server="Apache" secure="true" port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>     <SSLHostConfig>
>         <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
>                      certificateFile="/usr/local/share/ca-certificates/cert.pem"
>                      certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> Note I fixed the authentication problems I had previously by making sure
> the certificate was installed in the container's OS as well as configured
> for Tomcat.
>
> But this configuration does not work for thredds-docker 5.6 and Tomcat
> 10.1.42. Here is the error in the Tomcat Catalina log:
> 12-Jun-2025 23:29:09.855 WARNING [main]
> org.apache.catalina.startup.Catalina.parseServerXml Unable to load server
> configuration from [/usr/local/tomcat/conf/server.xml]
> org.xml.sax.SAXParseException; systemId:
> file:/usr/local/tomcat/conf/server.xml; lineNumber: 124; columnNumber:
> 25; Error at line [124] column [25]: [Cannot invoke
> "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)"
> because "this.protocolHandler" is null]
> at
> org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1948)
> at
> org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1981)
> at
> org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
> at
> java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618)
> at
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1728)
> at
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2899)
> at
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
> at
> java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
> at
> java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
> at
> java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
> at
> java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at
> java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
> at
> java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
> at
> org.apache.tomcat.util.digester.Digester.parse(Digester.java:1506)
> at
> org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:607)
> at
> org.apache.catalina.startup.Catalina.load(Catalina.java:697)
> at
> org.apache.catalina.startup.Catalina.load(Catalina.java:735)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at
> java.base/java.lang.reflect.Method.invoke(Method.java:569)
> at
> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
> at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
> Caused by: java.lang.NullPointerException: Cannot invoke
> "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)"
> because "this.protocolHandler" is null
> at
> org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:883)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at
> java.base/java.lang.reflect.Method.invoke(Method.java:569)
> at
> org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:490)
> at
> org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:144)
> at
> org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1014)
> ... 20 more
> 12-Jun-2025 23:29:09.855 SEVERE [main]
> org.apache.catalina.startup.Catalina.start Cannot start server, server
> instance is not configured
>
> Any suggestions would be appreciated!
>
> Thanks,
> Jim
>
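
Added example, not part of either message and not THREDDS or Tomcat code: a pre-upgrade check that parses a server.xml, reports every Connector still naming an APR protocol class, and produces the text with the NIO class swapped in, which is the change described in the reply. The function names and the sample server.xml are constructed for illustration, and the AJP pair in the mapping is an assumption added by analogy with the HTTP pair from the thread.

```python
import xml.etree.ElementTree as ET

# APR connector classes and the NIO classes that replace them. The HTTP pair is
# the reply's change; the AJP pair is an assumption added by analogy.
APR_TO_NIO = {
    "org.apache.coyote.http11.Http11AprProtocol":
        "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol":
        "org.apache.coyote.ajp.AjpNioProtocol",
}

def find_apr_connectors(server_xml):
    """Return one finding per <Connector> whose protocol is an APR class."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "")
        if proto in APR_TO_NIO:
            findings.append({"port": conn.get("port"), "protocol": proto,
                             "tls": conn.get("SSLEnabled", "").lower() == "true",
                             "replacement": APR_TO_NIO[proto]})
    return findings

def migrate(server_xml):
    """Swap quoted APR class names for NIO ones; all other text is untouched."""
    for apr, nio in APR_TO_NIO.items():
        server_xml = server_xml.replace(f'"{apr}"', f'"{nio}"')
    return server_xml

# Constructed sample modelled on the connector quoted in the thread.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector server="Apache" secure="true" port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                     certificateFile="/usr/local/share/ca-certificates/cert.pem"
                     certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for f in find_apr_connectors(SAMPLE):
        print(f"port {f['port']} (TLS={f['tls']}): {f['protocol']} -> {f['replacement']}")
```

Running the check against the real conf/server.xml before switching Tomcat versions surfaces the connector that would otherwise only show up as the startup failure in the Catalina log.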