[thredds] Certificate problems with thredds-docker

[Jim Fluke <james.fluke@xxxxxxxxxxxxx>]

Hello,

First, this is related to the previous questions I've posted here 
regarding authentication using a certificate. The difference is that I 
got that to work with the 5.5 release, but I can't get it to work with 
the 5.6 release. I want to go to the 5.6 release because of the new 
Tomcat CVEs.

I think I have narrowed this down to the certificate configuration in 
Tomcat. This is the server.xml certificate configuration that was 
working for me in thredds-docker 5.5 and Tomcat 9.0.97:
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
        This connector uses the APR/native implementation which always uses
        OpenSSL for TLS.
        Either JSSE or OpenSSL style configuration may be used. OpenSSL 
style
        configuration is used below.
   -->
<Connector 
server="Apache"secure="true"port="8443"protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"SSLEnabled="true">
<SSLHostConfig>
<Certificate 
certificateKeyFile="/usr/local/share/ca-certificates/privkey.pem"
certificateFile="/usr/local/share/ca-certificates/cert.pem"
certificateChainFile="/usr/local/share/ca-certificates/fullchain.pem"
type="RSA"/>
</SSLHostConfig>
</Connector>

Note I fixed the authentication problems I had previously by making sure 
the certificate was installed in the container's OS as well as 
configured for Tomcat.

But this configuration does not work for thredds-docker 5.6 and Tomcat 
10.1.42. Here is the error in the Tomcat Catalina log:
12-Jun-2025 23:29:09.855 WARNING [main] 
org.apache.catalina.startup.Catalina.parseServerXml Unable to load 
server configuration from [/usr/local/tomcat/conf/server.xml]
       org.xml.sax.SAXParseException; systemId: 
file:/usr/local/tomcat/conf/server.xml; lineNumber: 124; columnNumber: 
25; Error at line [124] column [25]: [Cannot invoke "org.apache.coyot
e.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" 
because "this.protocolHandler" is null]
               at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1948)
               at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1981)
               at 
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
               at 
java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618)
               at 
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1728)
               at 
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2899)
               at 
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
               at 
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
               at 
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
               at 
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
               at 
java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
               at 
java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
               at 
java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
               at 
org.apache.tomcat.util.digester.Digester.parse(Digester.java:1506)
               at 
org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:607)
               at 
org.apache.catalina.startup.Catalina.load(Catalina.java:697)
               at 
org.apache.catalina.startup.Catalina.load(Catalina.java:735)
               at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
               at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
               at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
               at 
java.base/java.lang.reflect.Method.invoke(Method.java:569)
               at 
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
               at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
       Caused by: java.lang.NullPointerException: Cannot invoke 
"org.apache.coyote.ProtocolHandler.addSslHostConfig(org.apache.tomcat.util.net.SSLHostConfig)" 
because "this.protocolHandler
" is null
               at 
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:883)
               at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
               at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
               at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
               at 
java.base/java.lang.reflect.Method.invoke(Method.java:569)
               at 
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:490)
               at 
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:144)
               at 
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1014)
               ... 20 more
12-Jun-2025 23:29:09.855 SEVERE [main] 
org.apache.catalina.startup.Catalina.start Cannot start server, server 
instance is not configured

Any suggestions would be appreciated!

Thanks,
Jim