Created attachment 786135 server certificate

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Start AS standalone server
1. Download attached war and keystore to /tmp/
2. Execute CLI command
   /core-service=management/security-realm=jbossws-cli-tests-https-realm/:add
   Result
   {"outcome" => "success"}
3. Execute CLI command
   /subsystem=web/connector=jbossws-cli-tests-https-connector/:add(protocol="HTTP/1.1",scheme="https",secure=true, socket-binding=https,enabled=true)
   Result
   {"outcome" => "success"}
4. Execute CLI command
   /subsystem=web/connector=jbossws-cli-tests-https-connector/ssl=configuration:add(password="changeit",certificate-key-file="/tmp/server.keystore",verify-client=false, key-alias=tomcat, protocol=https)
   Result
   {"outcome" => "success"}
5. Execute CLI command
   deploy /tmp/test.war
   Result
   {"outcome" => "success","result" => {"step-1" => {"outcome" => "success"},"step-2" => {"outcome" => "success"}}}
6. Open in browser https://localhost:8443/test/index.html

Actual results:
Page is not loaded, connection hangs.

Expected results:
Either the page is correctly loaded, or the operation result is reload required and the page should not be available.

Additional info:
After reload the page is available.
Created attachment 786136 war with index.html
I'm also experiencing the same behavior when trying to add a native ssl connector. If I add the connector with two separate cli commands, then attempting to open an https URL results in a connection hang, eventually timing out in the browser. Server restart fixes the issue. On the other hand, using the same two commands within a batch makes everything work correctly. The problem is that there is no error message in the cli console or server log to indicate any problem, so the user wouldn't know what's wrong.

FYI here is how I do that:
1. change native="true" in server config
2. start server
3. generate self-signed certificate with openssl
   > openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout certs/localhost.key -out certs/localhost.cert
4. use the following cli commands:
   > /subsystem=web/connector=https:add(enabled="true", enable-lookups="false", secure="true", scheme="https", socket-binding="https", protocol="HTTP/1.1")
   > {"outcome" => "success"}
   > /subsystem=web/connector=https/configuration=ssl:add(name="native-https", certificate-file="/tmp/certs/localhost.cert", certificate-key-file="/tmp/certs/localhost.key")
   > {"outcome" => "success"}
5. try to open https URL

As I already said, if I wrap the cli commands within batch/run-batch, then everything works correctly.
I think that is an unknown bug and it is not possible to fix it. The connector starts without ssl, and adding ssl doesn't tell you to restart the server.
If you use http:// instead of https://, you should get a working connection.
This could be quite easily fixed by a restart-parent service handler on the ssl:add() operation. A workaround would be to add the whole ssl connector configuration as part of a batch.
Jean-Frederic, do you have a comment on Tomaz's suggestion? Can we try this for 6.2?
Tomaz gave me an example. I have a patch I need to test...
Actually, when adding ssl there is already a message:
++++
[standalone@localhost:9999 /] /subsystem=web/connector=https/:add(socket-binding=https,protocol="HTTP/1.1",scheme="https")
{"outcome" => "success"}
[standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration:add
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
+++
A quick try with "restart-parent service handler on ssl:add()" doesn't seem to work. I think we should move this one to 6.3.
Tomaz helped me today on the topic. It is working; I will do the pull request soon.
See https://github.com/jbossas/jboss-eap/pull/662
Tried to re-approve for 6.2 based on comments 14, 15 from Brian and John.
Verified for EAP 6.2.0.CR2 preview using the procedure described in comment#0. The result of the command from step 4 is "Reload-required"; the page is not available before reload and is available after reload.
Was not the fix to make the restart automatic on ssl add?
It does; you need {allow-resource-service-restart=true}
Cause: When adding a connector, it is started immediately. So when an SSL connector is added in 2 steps (first the connector, then ssl to the connector), the connector was running without ssl. Note that a message is displayed asking for restart. The rest is in the BZ...
Russel, as far as I see now, the change is that reload required is returned as status instead of success. It's not like the connector is restarted by default.
The reload required was already returned but the connector wasn't restarted.
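
Added example (not part of the original thread or of the EAP code base): a small Python parser for the CLI response format quoted in the comments above. It lets a provisioning script tell a plain "success" from a success that still carries the reload-required headers, so the HTTPS connector is not treated as serving TLS until the server has been reloaded. The function names are hypothetical; the sample response is the one quoted in the thread.

```python
import re

# Tokens of the CLI's response text: quoted strings, "=>", punctuation, bare words.
_TOKEN = re.compile(r'\s*("(?:[^"\\]|\\.)*"|=>|[{}\[\],]|[^\s{}\[\],="]+)')
# Response to ssl=configuration:add as quoted in the thread above.
SSL_ADD_RESPONSE = '''{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}'''

def parse_dmr(text):
    """Parse one CLI response such as {"outcome" => "success"} into Python objects."""
    tokens = _TOKEN.findall(text)
    value, pos = _value(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing data after response")
    return value

def _value(tok, i):
    t = tok[i]
    if t in ("{", "["):                      # object or list
        close, out, i = ("}", {}, i + 1) if t == "{" else ("]", [], i + 1)
        while tok[i] != close:
            item, i = _value(tok, i)
            if t == "{":                     # item is a key; its value follows "=>"
                if tok[i] != "=>":
                    raise ValueError("expected => after key")
                out[item], i = _value(tok, i + 1)
            else:
                out.append(item)
            if tok[i] == ",":
                i += 1
        return out, i + 1
    if t.startswith('"'):                    # quoted string, unescape \" and \\
        return re.sub(r"\\(.)", r"\1", t[1:-1]), i + 1
    if t in ("true", "false", "undefined"):
        return {"true": True, "false": False, "undefined": None}[t], i + 1
    return (int(t.rstrip("L")) if re.fullmatch(r"-?\d+L?", t) else t), i + 1

def change_is_live(response_text):
    """True only if the operation succeeded and no reload is pending."""
    r = parse_dmr(response_text)
    headers = r.get("response-headers") or {}
    pending = (headers.get("operation-requires-reload") is True
               or headers.get("process-state") == "reload-required")
    return r.get("outcome") == "success" and not pending
```

A response that reports plain success, as in comment#0 before the fix, carries no such header, so this check only helps on versions that return reload-required for the ssl add.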