I could use some help,

After my PEM issues (see prior emails in the chain), I tried my hand at the 
keystore.
I used the gradle task to build a generic keystore with ./gradlew 
createKeystore. This worked fine to get me through the rest of my build 
process.
Now I am ready to deploy to a test cluster but I cannot get my new 
keystore to work.

I created a keystore, generated a new CSR, got the CSR approved, 
retrieved my new certificates, and imported them (see keytool commands 
below).
No errors during that process.
Then I move the keystore to /etc/cas/ and update /etc/cas/properties with:
server.ssl.key-store=/etc/cas/cas.jks
server.ssl.key-store-password=REDACTED

Which are the same settings used with the default "thekeystore" and 
password "changeit".
However, every time I restart my CAS instance the embedded Tomcat server 
throws the same errors as in my PEM attempts earlier in this email chain. I 
have included a summary of the trace below.

I'm very confused by this issue. I would love to simplify my deployment by 
keeping CAS and Tomcat together.
Am I missing something very simple? Has anyone else had luck with their own 
keystore on the embedded Tomcat instance? Is it because I have SANs in my 
cert, or is something messed up with the key?

Create new keystore and key:
keytool -genkey -alias sso -keystore cas.jks -storepass 'REDACTED' -keyalg rsa -keysize 2048 -dname "CN=My host,O=my org,L=my locality,S=Ohio,C=US,OU=Information Technology,EMAILADDRESS=my work email" -ext san=dns:host1,dns:host2,etc...
Then the CSR:
keytool -certreq -alias sso -keystore cas.jks -storepass 'REDACTED' -file my.csr
Got it approved.
Split the chain into individual cert files.
Then imported the individual certificates with these commands:
keytool -import -alias root -keystore cas.jks -storepass 'REDACTED' -file root.pem
keytool -import -alias usertrust -keystore cas.jks -storepass 'REDACTED' -file usertrust.pem
keytool -import -alias sso -keystore cas.jks -storepass 'REDACTED' -file host.pem

Error summary:
WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'>
Exception in thread "main" java.lang.reflect.InvocationTargetException
Caused by: org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.


On Monday, June 24, 2024 at 3:22:30 PM UTC-4 Jeremiah Garmatter wrote:

> I tracked down a few PEM SSL options here: 
> https://apereo.github.io/cas/7.0.x/installation/Configuring-Servlet-Container-Embedded.html
> Specifically, "server.ssl.certificate-private-key" and 
> "server.ssl.certificate". I put my self-signed cert and key paths into the 
> respective server.ssl setting but when I run the cas.war file I receive 
> Java keystore errors.
> The last errors relate to bad padding with a "PKCS12KeyStore". Looks like 
> the embedded Tomcat server wants a PKCS12 keystore only. Is there a way to 
> disable the keystore check so the embedded Tomcat will use the cert and key 
> I specified?
>
> The errors:
> Exception in thread "main" java.lang.reflect.InvocationTargetException
> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:118)
> at java.base/java.lang.reflect.Method.invoke(Method.java:580)
> at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:91)
> at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:53)
> at org.springframework.boot.loader.launch.WarLauncher.main(WarLauncher.java:57)
> Caused by: org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
> at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:287)
> at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:467)
> at java.base/java.lang.Iterable.forEach(Iterable.java:75)
> at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:256)
> at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:201)
> at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:979)
> at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:628)
> at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
> at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:762)
> at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:464)
> at org.springframework.boot.SpringApplication.run(SpringApplication.java:334)
> at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:149)
> at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:57)
> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
> ... 4 more
> Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
> at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:249)
> at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44)
> at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:284)
> ... 17 more
> Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
> at org.apache.catalina.core.StandardService.addConnector(StandardService.java:222)
> at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:306)
> at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:234)
> ... 19 more
> Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1047)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
> at org.apache.catalina.core.StandardService.addConnector(StandardService.java:219)
> ... 21 more
> Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:199)
> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1286)
> at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1372)
> at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:635)
> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1044)
> ... 23 more
> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
> at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:93)
> at java.base/java.security.KeyStore.getKey(KeyStore.java:1075)
> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:393)
> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> ... 29 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
> at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
> at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
> at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203)
> at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2244)
> at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
> at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
> at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
> ... 34 more
>
> On Monday, June 17, 2024 at 12:53:41 PM UTC-4 Jeremiah Garmatter wrote:
>
>> Has the APR functionality been removed or replaced on CAS 7's embedded 
>> Tomcat server?
>> I wanted to use PEM encoded SSL certificates instead of the Java 
>> keystore. When I use the APR configurations in cas.properties I receive 
>> errors that the properties failed to bind and they are no longer recognized 
>> by CAS 7.0.4.1. Here are the configurations I tried:
>>
>> cas.server.tomcat.apr.enabled=true
>>
>> cas.server.tomcat.apr.ssl-certificate-file=/opt/workspace/cas7/my_certs/cert.pem
>>
>> cas.server.tomcat.apr.ssl-certificate-key-file=/opt/workspace/cas7/my_certs/key.pem
>>
>> This page doesn't mention any configurations for APR: 
>> https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-APR.html
>>
>> If this feature has been removed, is there another method to use PEM 
>> encoded SSL certs on the embedded Tomcat server?
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/427a8987-f384-45be-b0c4-61e0aaac1e10n%40apereo.org.
