Re: [thredds] Certificate problems with thredds-docker

Good morning Jim!

From what I can see, support for the Http11AprProtocol protocol was removed
in Tomcat 9.1.x/10.1.x (TDS Docker image uses 10.1) (
https://tomcat.apache.org/tomcat-10.0-doc/api/org/apache/coyote/http11/Http11AprProtocol.html).
I believe you'll need to migrate that bit of xml config to use the
org.apache.coyote.http11.Http11NioProtocol protocol (
https://tomcat.apache.org/tomcat-10.1-doc/config/http.html). Perhaps something
like:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
  <SSLHostConfig>
    <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                 certificateFile="/usr/local/share/ca-certificates/cert.pem"
                 certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

Note that the attributes on the Connector element are slightly different.

Cheers,

Sean


On Tue, Jul 1, 2025 at 8:00 AM Jim Fluke <james.fluke@xxxxxxxxxxxxx> wrote:

> Hello,
>
> First, this is related to the previous questions I've posted here
> regarding authentication using a certificate. The difference is that I got
> that to work with the 5.5 release, but I can't get it to work with the 5.6
> release. I want to go to the 5.6 release because of the new Tomcat CVEs.
>
> I think I have narrowed this down to the certificate configuration in
> Tomcat. This is the server.xml certificate configuration that was working
> for me in thredds-docker 5.5 and Tomcat 9.0.97:
>    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>         This connector uses the APR/native implementation which always uses
>         OpenSSL for TLS.
>         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>         configuration is used below.
>    -->
>    <Connector server="Apache" secure="true" port="8443"
>               protocol="org.apache.coyote.http11.Http11AprProtocol"
>               maxThreads="150" SSLEnabled="true" >
>        <SSLHostConfig>
>            <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
>                         certificateFile="/usr/local/share/ca-certificates/cert.pem"
>                         certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
>                         type="RSA" />
>        </SSLHostConfig>
>    </Connector>
>
> Note I fixed the authentication problems I had previously by making sure
> the certificate was installed in the container's OS as well as configured
> for Tomcat.
>
> But this configuration does not work for thredds-docker 5.6 and Tomcat
> 10.1.42. Here is the error in the Tomcat Catalina log:
> 12-Jun-2025 23:29:09.855 WARNING [main] org.apache.catalina.startup.Catalina.parseServerXml Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
>        org.xml.sax.SAXParseException; systemId: file:/usr/local/tomcat/conf/server.xml; lineNumber: 124; columnNumber: 25; Error at line [124] column [25]: [Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null]
>                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1948)
>                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1981)
>                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
>                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618)
>                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1728)
>                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2899)
>                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
>                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
>                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
>                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
>                at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
>                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
>                at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
>                at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1506)
>                at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:607)
>                at org.apache.catalina.startup.Catalina.load(Catalina.java:697)
>                at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
>                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
>                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>        Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null
>                at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:883)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
>                at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:490)
>                at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:144)
>                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1014)
>                ... 20 more
> 12-Jun-2025 23:29:09.855 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured
>
> Any suggestions would be appreciated!
>
> Thanks,
> Jim
>
> _______________________________________________
> thredds mailing list
> thredds@xxxxxxxxxxxxxxxx
> To subscribe: thredds-join@xxxxxxxxxxxxxxxx
> To unsubscribe: thredds-leave@xxxxxxxxxxxxxxxx
>
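A pre-flight check for the migration Sean describes, as an added example that is not from this thread or the THREDDS project: it parses server.xml, flags any Connector still on Http11AprProtocol (the cause of the null protocolHandler in the trace above), and confirms that each SSL-enabled Connector has an SSLHostConfig/Certificate whose key, certificate and chain files exist on disk. The script name audit_server_xml.py and the embedded sample server.xml are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

CERT_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")


def audit_connectors(server_xml, path_exists=os.path.exists):
    """Return a list of findings for every Connector in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        # The APR connector class is not available in Tomcat 10.1, so the
        # Connector never gets a protocolHandler and SSLHostConfig fails to attach.
        if "Http11AprProtocol" in proto:
            findings.append(f"port {port}: {proto} is not available in Tomcat 10.1;"
                            " switch to org.apache.coyote.http11.Http11NioProtocol")
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        certs = conn.findall("SSLHostConfig/Certificate")
        if not certs:
            findings.append(f"port {port}: SSLEnabled but no SSLHostConfig/Certificate")
        for cert in certs:
            for attr in CERT_ATTRS:
                value = cert.get(attr)
                if value is None:
                    findings.append(f"port {port}: Certificate lacks {attr}")
                elif not path_exists(value):
                    findings.append(f"port {port}: {attr} does not exist: {value}")
    return findings


# Constructed sample: the APR connector from the post, and its NIO migration.
OLD_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                 certificateFile="/usr/local/share/ca-certificates/cert.pem"
                 certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector></Service></Server>"""
NEW_SERVER_XML = OLD_SERVER_XML.replace("Http11AprProtocol", "Http11NioProtocol")

if __name__ == "__main__":
    import sys  # usage: python audit_server_xml.py /usr/local/tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OLD_SERVER_XML
    print("\n".join(audit_connectors(text) or ["no findings"]))
```

Run it inside the container (or against a copy of server.xml with the certificate paths mounted) so the file-existence checks see the same filesystem Tomcat will.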