On 14/07/2016 15:09, i...@flyingfischer.ch wrote:
> While testing locally the new 8.5 branch, I did experience some
> inconsistency with self-signed SSL certs. I did manage to resolve them
> by installing Tomcat-Native library / APR, but maybe it is still worth
> reporting in regard of the different behaviour for the same cert,
> between Tomcat versions and configurations.
>
> I didn't want to file a bug, since this very likely is a configuration
> and/or self-signed cert problem.
>
> Thanks for considering.
>
> Markus
>
> Tomcat 8, works fine.
> Tomcat 8.5 error => Alias name tomcat does not identify a key entry
>
> <Connector SSLEnabled="true"
>            URIEncoding="UTF-8"
>            clientAuth="false"
>            keystoreType="PKCS12"
>            keystoreFile="[path-to]/localhost.p12"
>            keystorePass="tomcat"
>            maxThreads="150"
>            port="8443"
>            protocol="HTTP/1.1"
>            scheme="https"
>            secure="true"
>            sslProtocol="TLS"/>
>
> ---
>
> Tomcat 8.5, same cert, starts fine but throws on first SSL invocation:
>
> java.lang.IllegalArgumentException: Invalid character found in method
> name. HTTP method names must be tokens
>
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            port="8443"
>            URIEncoding="UTF-8"
>            clientAuth="false"
>            keystoreType="PKCS12"
>            keystoreFile="[path-to]/localhost.p12"
>            keystorePass="tomcat"
>            maxThreads="150"
>            scheme="https"
>            secure="true"
>            sslProtocol="TLS" />
Entirely expected. You haven't set SSLEnabled="true" so the connector is expecting HTTP, not HTTPS.

> Tomcat 8.5, new cert
> Tomcat-Native / APR disabled
>
> Failed to initialize end point associated with ProtocolHandler
> ["https-jsse-nio-8443"]
> java.security.KeyStoreException: Cannot store non-PrivateKeys
>
> Same cert works with Tomcat-Native / APR enabled
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" secure="true" scheme="https"
>            SSLEnabled="true" defaultSSLHostConfigName="localhost">
>     <SSLHostConfig hostName="*.test.localhost">
>         <Certificate certificateKeyFile="[path-to]/localhost.key"
>                      certificateFile="[path-to]/localhost.crt"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>

You don't say which 8.5.x version. While I can't repeat this exact error, I can create a similar problem with 8.5.4 where PEM files (i.e. the standard OpenSSL format) do not work with a JSSE connector. I've fixed this issue for 8.5.5.

> Also works with protocol="org.apache.coyote.http11.Http11AprProtocol"
> with Tomcat-Native / APR enabled

That appears to confirm that it was the PEM -> JSSE conversion that was broken, since that is not required for APR/native.

Mark
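A way to check a PKCS12 keystore before pointing a JSSE connector at it, added here as an example and not code from this thread or from Tomcat: it lists the aliases that are key entries and tests whether the alias to be used (defaulting to "tomcat", the alias named in the error quoted above) yields a private key and chain with the supplied password, which is the condition behind "does not identify a key entry". The class name and command-line usage are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Example code, not part of Tomcat: inspects a PKCS12 keystore as a JSSE connector sees it.
public class KeystoreAliasCheck {
    /** Aliases that hold a private key; only these can back a JSSE connector. */
    static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                result.add(alias);
            }
        }
        return result;
    }

    /** True if alias resolves to a PrivateKey plus certificate chain with this key password. */
    static boolean isUsableKeyEntry(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return false;  // absent or a trustedCertEntry: "does not identify a key entry"
        }
        try {
            return ks.getKey(alias, keyPass) instanceof PrivateKey
                    && ks.getCertificateChain(alias) != null;
        } catch (UnrecoverableKeyException e) {
            return false;  // key password differs from the one supplied (Tomcat: keyPass)
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreAliasCheck <keystore.p12> <password> [alias]");
            System.exit(2);
        }
        String alias = args.length > 2 ? args[2] : "tomcat";  // alias named in the error above
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);  // throws IOException on a wrong store password
        }
        System.out.println("key entries: " + keyEntryAliases(ks));
        System.out.println("alias '" + alias + "' usable: " + isUsableKeyEntry(ks, alias, pass));
    }
}
```

If the alias reports unusable but other key entries are listed, setting keyAlias (8.0) or certificateKeyAlias (8.5) to one of those entries is the configuration-side fix rather than a Tomcat bug.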