[thredds] Certificate problems with thredds-docker

  • To: "thredds@xxxxxxxxxxxxxxxx" <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Certificate problems with thredds-docker
  • From: Jim Fluke <james.fluke@xxxxxxxxxxxxx>
  • Date: Tue, 1 Jul 2025 07:59:58 -0600
Hello,

First, this is related to the previous questions I've posted here regarding authentication using a certificate. The difference is that I got that to work with the 5.5 release, but I can't get it to work with the 5.6 release. I want to go to the 5.6 release because of the new Tomcat CVEs.

I think I have narrowed this down to the certificate configuration in Tomcat. This is the server.xml certificate configuration that was working for me in thredds-docker 5.5 and Tomcat 9.0.97:
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
        This connector uses the APR/native implementation which always uses
        OpenSSL for TLS.
        Either JSSE or OpenSSL style configuration may be used. OpenSSL style
        configuration is used below.
   -->
<Connector server="Apache" secure="true" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                     certificateFile="/usr/local/share/ca-certificates/cert.pem"
                     certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Note I fixed the authentication problems I had previously by making sure the certificate was installed in the container's OS as well as configured for Tomcat.

But this configuration does not work for thredds-docker 5.6 and Tomcat 10.1.42. Here is the error in the Tomcat Catalina log:

12-Jun-2025 23:29:09.855 WARNING [main] org.apache.catalina.startup.Catalina.parseServerXml Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
        org.xml.sax.SAXParseException; systemId: file:/usr/local/tomcat/conf/server.xml; lineNumber: 124; columnNumber: 25; Error at line [124] column [25]: [Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null]
                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1948)
                at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1981)
                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1728)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2899)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
                at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
                at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
                at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
                at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1506)
                at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:607)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:697)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" because "this.protocolHandler" is null
                at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:883)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:569)
                at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:490)
                at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:144)
                at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1014)
                ... 20 more
12-Jun-2025 23:29:09.855 SEVERE [main] org.apache.catalina.startup.Catalina.start Cannot start server, server instance is not configured

Any suggestions would be appreciated!

Thanks,
Jim
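
Added example, not part of the original message: Tomcat 10.1 removed the APR connector class org.apache.coyote.http11.Http11AprProtocol, so a Connector that names it ends up without a protocol handler when its <SSLHostConfig> is attached, which matches the log above. This Python pre-flight check flags such connectors and missing PEM files in a server.xml; the function name, the constructed sample and the suggested NIO class are choices of this example, and certificate paths are assumed to be absolute.

```python
import os
import xml.etree.ElementTree as ET

# Connector class that Tomcat 10.1 no longer ships (APR/native HTTP connector).
REMOVED_IN_10_1 = {"org.apache.coyote.http11.Http11AprProtocol"}
# NIO connector class; it takes the same <SSLHostConfig>/<Certificate> children.
SUGGESTED = "org.apache.coyote.http11.Http11NioProtocol"
PEM_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")

def check_server_xml(xml_text, exists=os.path.isfile):
    """Return (port, issue, detail) tuples for the connectors in a server.xml string."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        if proto in REMOVED_IN_10_1:
            findings.append((port, "removed-protocol", proto))
        # Every PEM path named on a <Certificate> must be present inside the container.
        for cert in conn.iter("Certificate"):
            for attr in PEM_ATTRS:
                path = cert.get(attr)
                if path and not exists(path):
                    findings.append((port, "missing-file", path))
    return findings

# Constructed sample: the connector from the message inside a minimal server.xml.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector server="Apache" secure="true" port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
                     certificateFile="/usr/local/share/ca-certificates/cert.pem"
                     certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, issue, detail in check_server_xml(SAMPLE):
        hint = f" (Tomcat 10.1 replacement: {SUGGESTED})" if issue == "removed-protocol" else ""
        print(f"connector {port}: {issue}: {detail}{hint}")
```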