Stopped Tomcat / Webtomcat, processd, and rebooted, but the error persists.
SSL certificates are still loaded from prior to the upgrade. The cert keystore is still at $SPECROOT/custom/keystore/cacerts, and the internal certs are all still loaded into it.
DX NetOps Spectrum, all currently supported releases
The following error is shown repeatedly in the OneClick log ($SPECROOT/tomcat/logs/catalina.out, or stdout.log on Windows):
2025-11-13 12:21:22,656 [http-nio-8443-exec-24] INFO org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x030x010xd80x010x000x010xd40x030x03{0x1a+80xa00xa50xbdD50x19]0xb90xb5Y0xb60x11W0xeaX0xf80x880x160xef0xf7o"0xa2YS0x190xac0xb8 ]. HTTP method names must be tokens
.........
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:9.0.110]
at java.lang.Thread.run(Thread.java:840) ~[?:?]
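The bytes at the start of the rejected "method name" (0x16 0x03 0x03) are a TLS handshake record header: the client is sending a TLS ClientHello, and the connector on port 8443 is trying to parse it as a plain HTTP request. This indicates that Tomcat is running as HTTP, not HTTPS, when HTTPS is expected.
At some point in the upgrade, the server.xml file was overwritten and set to HTTP.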
Check it under:
$SPECROOT/tomcat/conf/server.xml
You should see an uncommented Connector section on port 8443 (or on another port that is not the HTTP port 80/8080), such as:
<Connector port="8443" URIEncoding="UTF-8"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
           acceptCount="100" connectionTimeout="20000"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
           keystoreFile="/opt/CA/OneClick/custom/keystore/cacerts" keystorePass="changeit"></Connector>
If it is commented out, it will have the following before and after it:
<!--
...
-->
The HTTP connector should be commented out, as in:
<!--<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100" connectionTimeout="20000" />-->
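The server.xml check described above can be scripted. The following is an added example, not part of the original article or of the product: it lists the connectors Tomcat will actually load (commented-out ones are ignored) and reports the ones that are not TLS-enabled. Both sample documents are constructed for illustration, and the function name audit_connectors is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: state after the upgrade (HTTPS connector commented out,
# plain HTTP connector active on 8443).
BROKEN = """<Server><Service name="Catalina">
  <Connector port="8443" URIEncoding="UTF-8" connectionTimeout="20000" />
  <!--<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/opt/CA/OneClick/custom/keystore/cacerts" />-->
</Service></Server>"""

# Constructed sample: expected state (HTTP connector commented out, HTTPS active).
FIXED = """<Server><Service name="Catalina">
  <!--<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" />-->
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
       sslEnabledProtocols="TLSv1.2,TLSv1.3"
       keystoreFile="/opt/CA/OneClick/custom/keystore/cacerts" />
</Service></Server>"""


def audit_connectors(server_xml):
    """Return a list of findings for the active connectors in server.xml text."""
    findings = []
    # ElementTree's default parser discards XML comments, so a commented-out
    # <Connector> never shows up here, matching what Tomcat itself loads.
    active = list(ET.fromstring(server_xml).iter("Connector"))
    tls = [c for c in active if c.get("SSLEnabled", "false").lower() == "true"]
    if not tls:
        findings.append('no active connector has SSLEnabled="true"')
    for c in active:
        port = c.get("port", "?")
        if c.get("protocol", "").upper().startswith("AJP"):
            continue  # AJP connectors are not HTTP/HTTPS listeners
        if c not in tls:
            findings.append(f"port {port}: active plain-HTTP connector")
            continue
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: SSLEnabled but scheme/secure not set")
        if not c.get("keystoreFile") and c.find(".//Certificate") is None:
            findings.append(f"port {port}: no keystore configured on connector")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_connectors(text) or "OK")
```

To check a real installation, read $SPECROOT/tomcat/conf/server.xml and pass its text to audit_connectors; an empty result means the connectors match the expected HTTPS layout.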