HTTPS using port 443

How I got HTTPS working on port 443 on a Digital Ocean (Ubuntu) droplet

How to get Tomcat listen to port 443

The internet can be your friend, or your worst enemy, when trying to troubleshoot basic configuration issues. One issue that fills millions of forum threads and blog posts is the infamous "https not working on port 443". The thing is, there are a gazillion reasons why it may not be working, so to narrow your search for the correct answer, this article assumes that you at least have it running on another port, which most likely will be port 8443.


Before we start...

Prior to reading the article I expect you to have at least some knowledge of and experience with:

  1. (Apache) Tomcat

  2. the Linux filesystem

Check your ports

Is your Tomcat running? Port 8443 works fine? Great! Then let's go through the basic stuff. Go to your Tomcat config folder (usually tomcat/conf/) and open server.xml. Look up the part that shows <Connector .. port="8443" ..> and make a copy of it, changing the port number to 443 (making a copy is important: the 8443 connector stays in place as a known-good fallback while you work on 443).

My server.xml contains (at least):


<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" clientAuth="false"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="locationandnameofkeystorefile" keystorePass="mykeystorepassword" />

Also make sure your 80/8080 ports have a redirect to 443 like:


<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="443" />

Now that this is set up, restart Tomcat (sudo service tomcat restart) and wait a second or two. Next, type lsof -i, look up the listener for port 8443 and note the user that owns it. In this example the user is called tomcat. Now look for port 443: you will find either another user (process) listening on port 443, another user (process) listening on *:https, or none of the above.

If you did find a process listening on either port 443 or *:https, you will need to stop it. A common one that pops up in explanations on the Internet is apache2. Apache2 is a very handy tool for supporting virtual hosts, but in your case you probably have just this one website you are trying to get up and running. So stop that process (e.g. sudo service apache2 stop).

** Before we continue: we just shut down a specific process, but when you reboot your system it is quite likely that the service will start again. To prevent this, remove it from startup with sudo systemctl disable apache2, where apache2 can be replaced by any (running) service you want to disable.

Next, check whether you have a firewall running by typing sudo ufw status. If it is active, allow incoming connections on ports 80 and 443: sudo ufw allow 443/tcp and sudo ufw allow 80/tcp. Mind that these are the minimal commands to open these ports, so invest some time in understanding what they actually do before regretting the access you granted.

But maybe you don't want a firewall in the first place, in which case you can just as easily drop it with sudo ufw disable.

The next thing you need to understand is that if your Tomcat user is not the actual root user, it will not be able to bind the privileged range of ports under 1000. There are two ways to fix this problem, of which I would not recommend the first:

  1. Find your tomcat.service file (find / | grep tomcat*), which I expect is in your /etc/systemd/system/ folder, and open it. This configuration file contains a line "User=...". In my case it says tomcat, but yours can be different. Now when you change this user to root and restart Tomcat, you will see that lsof -i suddenly shows port 443 being listened on. Solved, right? No! From a security perspective, you should not run Tomcat as root: any vulnerability in a deployed web application would then hand an attacker the whole host rather than one unprivileged account.

  2. The better solution is to use authbind. If you haven't already installed it, run sudo apt-get install authbind. Now run the following commands one after the other:

    1. sudo touch /etc/authbind/byport/443
    2. sudo chmod 500 /etc/authbind/byport/443
    3. sudo chown tomcat /etc/authbind/byport/443

Almost there, just one more thing to do. If you took a peek at the tomcat.service file, you may have noticed a line saying "ExecStart=/opt/tomcat/bin/startup.sh". On your system this may be in a different folder, but you need to open this startup.sh file and change

exec "$PRGDIR"/"$EXECUTABLE" start "$@"

into

exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"

Restart Tomcat, run lsof -i, and you will find Tomcat now listening on port 443.
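The authbind steps above (byport file existence, owner and mode, then the startup.sh edit) as a checkable script. This is an added example, not from the original article: the directory, port and user are parameters so it can be tried in a scratch folder without root, the defaults (/etc/authbind, 443, tomcat, /opt/tomcat/bin/startup.sh) are the article's values, and the script name authbind-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: checks that mirror the
# authbind steps above. Directory, port and Tomcat user are parameters so
# everything can be exercised in a scratch directory without root; the
# defaults (/etc/authbind, 443, tomcat) follow the article.

# check_authbind_port DIR PORT USER
# Succeeds only if DIR/byport/PORT exists, is owned by USER and carries the
# owner execute bit, which is what authbind tests before allowing the bind.
check_authbind_port() {
    f="$1/byport/$2"
    [ -f "$f" ] || { echo "missing $f (sudo touch it)" >&2; return 1; }
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$3" ] || { echo "$f owned by $owner, want $3" >&2; return 1; }
    case "$(stat -c '%A' "$f")" in
        ???x*) ;;                       # 4th character is the owner execute bit
        *) echo "$f lacks owner execute bit (chmod 500)" >&2; return 1 ;;
    esac
}

# patch_startup STARTUP_SH
# Prepends "authbind --deep" to Tomcat's exec line. Idempotent: a second
# run changes nothing. Fails if the expected exec line is not present, so a
# differently packaged startup.sh is not silently left unpatched.
patch_startup() {
    grep -qF 'authbind --deep' "$1" && return 0
    sed 's|^exec "\$PRGDIR"/"\$EXECUTABLE" start "\$@"$|exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"|' \
        "$1" > "$1.tmp" || return 1
    # writing over the original keeps its mode and owner (it must stay executable)
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    grep -qF 'authbind --deep' "$1" || { echo "no exec line found in $1" >&2; return 1; }
}

# listener PORT: the article's lsof check, narrowed to TCP listeners on PORT.
listener() { lsof -nP -iTCP:"$1" -sTCP:LISTEN; }

# Usage (runs only when invoked with "check"; needs sudo for /etc/authbind):
#   sudo sh authbind-check.sh check
case "${1:-}" in
    check)
        check_authbind_port "${AUTHBIND_DIR:-/etc/authbind}" 443 tomcat &&
        patch_startup "${TOMCAT_STARTUP:-/opt/tomcat/bin/startup.sh}" &&
        listener 443 ;;
esac
```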

Final words

Configuration is a bitch, and often forgotten once everything is up and running. This document should help you and me in case we ever need to do this monkey trick again.