Ssl – YouTrack on Tomcat 7 using SSL

mod-proxymod-sslssltomcattomcat7

I have a running YouTrack instance deployed using Tomcat 7 and it works fine on http://example.com:8080/youtrack

Apache is already configured to support SSL for the main domain (I have .pem file). Both https://example.com and http://example.com are accessible without any problems.

The port 8443 is already used by some other service (https://example.com:8443 shows me Plesk admin panel).

Now I'd like to set up YouTrack to use https://youtrack.example.com

How can I achieve this?

Do I need to configure Tomcat to support SSL (generate separate key etc.),
or just proxy the requests from Apache to Tomcat?

I guess the first step would be to configure YouTrack to be accessible on https://example.com:8444/youtrack,
then proxy the requests using Apache's mod_proxy.

How can I do this?

My /var/lib/tomcat7/conf/server.conf is default, without any changes: http://pastie.org/9385045

My /usr/share/tomcat7/bin/setenv.sh contains the entry to change the YouTrack default URL:
-Djetbrains.youtrack.baseUrl=http://youtrack.example.com

Virtual hosts configuration:

$ cat /etc/apache2/sites-enabled/default

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/default
    <Directory />
            Options FollowSymLinks
            AllowOverride All
    </Directory>
    <Directory /var/www/default>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

SSL host:

$ cat /etc/apache2/sites-enabled/default-ssl

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com

DocumentRoot /var/www/default
<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>
<Directory /var/www/default>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

SSLEngine on


SSLCertificateFile    /etc/ssl/certs/mailserver.pem
SSLCertificateKeyFile /etc/ssl/private/mailserver.pem

#SSLVerifyClient require
#SSLVerifyDepth  10

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

Best Answer

Looks like a better choice over mod_proxy would be mod_jk.

See Working with mod_jk.

Problem

You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file

Curl output may look like this:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Getting the Script

curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh

Using the script

./crt_to_keystore.sh <path_to_crt> <path_to_key>

RAW Contents of Script

#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "\x1B[01;34m[*]\x1B[0m $1"; }
function print_good { echo -e "\x1B[01;32m[*]\x1B[0m $1"; }
function print_error { echo -e "\x1B[01;31m[*]\x1B[0m $1"; }
function print_notification { echo -e "\x1B[01;33m[*]\x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%s\n' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
    [ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}

#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
  [ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
  [ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name!  Exiting....";
  print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";

# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw

# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"  
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)

#######################################
# Functions used by main execution
function gd_check_cert {
    # Verify gd_bundle.crt exists
    [ ! -f "$1" ] && print_error "$1 not found!  Downloading..." && wget https://certs.godaddy.com/repository/$1;
    [ ! -f "$1" ] && die "$1 must exist in current path!  Exiting....";
    [ -f "$1" ] && print_status "found $1 in current path"
}

function verify_before_execution {
    printline
    #verify godaddy cert
    gd_check_cert $gdbundle

    #Check to make sure the user provided valid files

    file_must_exist ${crt}
    file_must_exist ${key}

    move_file_if_exist ${keystore}
}

function import_godaddy_root {
    print_status "Importing gd_bundle.crt to java key store..."

    ${KEYTOOL} -import \
    -alias root \
    -keystore ${keystore} \
    -trustcacerts \
    -file ${gdbundle} \
    -keypass ${pw} \
    -storepass ${pw}  >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function export_to_p12 {
    printline
    print_status "Exporting your key and cert to pkcs12 format..."
    ${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}

    [ ! $? -eq 0 ] && die "Error running command... Exiting!";

}

function import_p12_file {
    print_status "Importing p12 file to java key store..."
    ${KEYTOOL} -importkeystore \
    -srcalias 1 \
    -destalias tomcat \
    -srckeystore ${p12} \
    -srcstoretype PKCS12 \
    -srcstorepass ${pw} \
    -destkeystore ${keystore} \
    -keypass ${pw} \
    -storepass ${pw} \
    -dest‐storepass ${pw} >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function print_msg_after_creation {
    printline
    print_good "Keystore ${keystore} creation complete!"
    printline
    print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
    printline
}

#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation

Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/

Tomcat – Apache SSL reverse proxy to a Embed Tomcat

It sounds like you may want to try to edit the server.xml for your Tomcat application, and where the Connector port is defined, add something like:

proxyName="mysite.example.com" proxyPort="443" scheme="https" secure="true"

Best Answer

Related Solutions

Ssl – how to install ssl on tomcat 7

Problem

Getting the Script

Using the script

RAW Contents of Script

Tomcat – Apache SSL reverse proxy to a Embed Tomcat

Related Topic