On 27/10/2014 05:58, Mихаил С. wrote:
> Hello
>
> I'm using Apache Tomcat 7.0.56 + JmxRemoteLifecycleListener with SSL
> on CentOS 6.5, results in the following error on startup:
>
> окт 24, 2014 6:00:17 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1313 ms
> окт 24, 2014 6:00:17 PM
> org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
> SEVERE: The JMX connector server could not be created or failed to
> start for the Platform server
> java.io.IOException: Cannot bind to URL [rmi://localhost:7222/jmxrmi]:
> javax.naming.CommunicationException [Root exception is
> java.rmi.ConnectIOException: error during JRMP connection
> establishment; nested exception is:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:

That is the error message you get when the server certificate is not trusted.

> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]
>     at javax.management.remote.rmi.RMIConnectorServer.newIOException(RMIConnectorServer.java:826)
>     at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:431)
>     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:313)
>     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:259)
>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:724)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
> Caused by: javax.naming.CommunicationException [Root exception is
> java.rmi.ConnectIOException: error during JRMP connection
> establishment; nested exception is:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]
>     at com.sun.jndi.rmi.registry.RegistryContext.bind(RegistryContext.java:143)
>     at com.sun.jndi.toolkit.url.GenericURLContext.bind(GenericURLContext.java:226)
>     at javax.naming.InitialContext.bind(InitialContext.java:419)
>     at javax.management.remote.rmi.RMIConnectorServer.bind(RMIConnectorServer.java:643)
>     at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:426)
>     ... 15 more
> Caused by: java.rmi.ConnectIOException: error during JRMP connection
> establishment; nested exception is:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>     at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
>     at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
>     at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:341)
>     at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
>     at com.sun.jndi.rmi.registry.RegistryContext.bind(RegistryContext.java:137)
>     ... 19 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>     at java.io.DataOutputStream.flush(DataOutputStream.java:123)
>     at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
>     ... 23 more
> Caused by: sun.security.validator.ValidatorException: PKIX path
> building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
>     ... 34 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>     ... 40 more
>
> окт 24, 2014 6:00:17 PM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
>
> The relevant configuration from server.xml:
>
> <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>           rmiRegistryPortPlatform="7222" rmiServerPortPlatform="7223" />
>
> and java properties:
>
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access \
> -Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/STORE.jks \
> -Djavax.net.ssl.keyStorePassword=PASSWORD \
> -Dcom.sun.management.jmxremote.registry.ssl=true \
> -Dcom.sun.management.jmxremote.ssl=true \
> -Dcom.sun.management.jmxremote.ssl.need.client.auth=false \
> -Djava.rmi.server.hostname=HOST
>
> In keystore - self-signed certificate.
> If com.sun.management.jmxremote.ssl is changed to false everything
> works as expected except without SSL. On Windows 7 everything works.

Look for differences in the trust stores.

Mark

> I'm running the same JVM on both platforms:
>
> Java version "1.7.0_51"
> Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
>
> How can I fix this error?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
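
One way to act on the trust-store advice above on the CentOS host, as an added example that is not part of the thread: the trace shows the Tomcat JVM itself acting as the TLS client (`ClientHandshaker.serverCertificate` under `RegistryImpl_Stub.bind`), and the posted properties set no `javax.net.ssl.trustStore`, so the JVM's default trust store is the one to inspect. `STORE.jks` and `PASSWORD` are the post's placeholders; the alias, the JRE path and the stock `changeit` trust-store password are assumptions.

```shell
#!/bin/sh
# Added example: does the JVM's default trust store contain the self-signed
# certificate that Tomcat presents from its key store?

# Print the trust store JSSE falls back to when -Djavax.net.ssl.trustStore
# is not set: lib/security/jssecacerts if it exists, otherwise cacerts.
default_truststore() {   # usage: default_truststore JRE_HOME
    if [ -f "$1/lib/security/jssecacerts" ]; then
        echo "$1/lib/security/jssecacerts"
    else
        echo "$1/lib/security/cacerts"
    fi
}

# Print the SHA-256 fingerprint of every certificate in a store.
store_fingerprints() {   # usage: store_fingerprints FILE STOREPASS
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | sort -u
}

# Succeed only if the certificate stored under ALIAS in the key store is
# also an entry in the trust store, which a self-signed certificate needs.
cert_is_trusted() {      # usage: KEYSTORE KEYPASS ALIAS TRUSTSTORE TRUSTPASS
    fp=$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)
    [ -n "$fp" ] && store_fingerprints "$4" "$5" | grep -qxF "$fp"
}

# Runs only when called as: script JRE_HOME KEYSTORE ALIAS
if [ "$#" -eq 3 ]; then
    ts=$(default_truststore "$1")
    echo "default trust store: $ts"
    # PASSWORD is the post's placeholder; changeit is the stock cacerts
    # password and is an assumption about this host.
    if cert_is_trusted "$2" PASSWORD "$3" "$ts" changeit; then
        echo "certificate is trusted by this JVM"
    else
        echo "certificate is NOT in $ts: expect the PKIX path building failure"
    fi
fi
```

If the check fails, the usual remedies are to import the certificate into a dedicated trust store with `keytool -importcert` and point the JVM at it with `-Djavax.net.ssl.trustStore`, rather than editing the shared `cacerts`.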