On 28/03/2019 16:50, Ethan Jensen wrote:
> On Fri, Mar 22, 2019 at 1:13 PM Ethan Jensen <sr.agent.r...@gmail.com>
> wrote:
>
>> On Fri, Mar 22, 2019 at 12:51 PM Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 22/03/2019 17:18, Ethan Jensen wrote:
>>>> On Fri, Mar 22, 2019 at 11:07 AM Ethan Jensen <sr.agent.r...@gmail.com>
>>>> wrote:
>>>>
>>>>> On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
>>>>>
>>>>>> On 22/03/2019 16:40, Ethan Jensen wrote:
>>>>>>> OS: Windows Server 2012 R2
>>>>>>> JDK: Oracle JDK 1.8.0_201
>>>>>>>
>>>>>>> Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
>>>>>>>
>>>>>>> Failed to initialize connector [Connector[HTTP/1.1-443]]
>>>>>>>
>>>>>>> when using the exact same configuration. Tomcat's .../conf/server.xml is
>>>>>>> unchanged. Did a configuration parameter change or get renamed? The
>>>>>>> exception is fairly cryptic from my point of view.
>>>>>>
>>>>>> <snip/>
>>>>>>
>>>>>>> Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data
>>>>>>> isn't an object ID (tag = 48)
>>>>>>>         at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
>>>>>>>         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
>>>>>>>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
>>>>>>>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>>>>>>>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>>>>>>>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>>>>>>>         ... 13 more
>>>>>>
>>>>>> Looks like a certificate in a format JSSE can't handle. If you can
>>>>>> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
>>>>>> in that format we should be able to reproduce it and figure out a fix.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>
>>>>> Mark,
>>>>>
>>>>> These are the steps I used to create my certificate a couple of years ago
>>>>> (3 year validity).
>>>>>
>>>>> 1. Generate CSR:
>>>>>
>>>>> openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key
>>>>>
>>>>> 2. Create a certificate chain file, using the certificates from CA:
>>>>>
>>>>> cat CERT.crt > chain_certs.pem &&
>>>>> echo "" >> chain_certs.pem &&
>>>>> cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem &&
>>>>> echo "" >> chain_certs.pem &&
>>>>> cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem &&
>>>>> echo "" >> chain_certs.pem
>>>>>
>>>>> 3. Use openssl to package the certificate chain and private key into a
>>>>> PKCS#12 container:
>>>>>
>>>>> openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem
>>>>> -name "cert_name"
>>>>>
>>>>
>>>> Also, it should be noted that for the APR connector, I'm using the raw
>>>> individual certificate/chain/key files for the configuration parameters.
>>>> The pkcs12 step I only use with the NIO fallback connector (currently
>>>> commented out in my server.xml) in the event the APR connector is broken.
>>>
>>> Thanks for the additional info. Those steps are effectively identical to
>>> the ones we use to create the test certificates for Tomcat.
>>>
>>> It looks like the difference is the encryption you are using for the
>>> private key. What are you using? I've tried a few different ones here
>>> and while JSSE can't process the PEM file it throws a KeyStoreException
>>> which causes Tomcat to pass the cert directly to OpenSSL.
>>>
>>> I'd like to be able to reproduce this before I patch it although I do
>>> have a patch in mind for you to test based on the stack trace.
>>>
>>> Mark
>>>
>>
>> I'm not quite clear what you mean here. Can you elaborate?
>>
>> "It looks like the difference is the encryption you are using for the
>> private key. What are you using?"
>>
>> I'm assuming whatever is the default (I generated the certificate on a
>> CentOS 7 host). Using the steps I outlined above, the only thing it asked
>> me for was an Export Password to be tied to the private key. Perhaps some
>> special characters in that password are tripping things up with the new
>> JSSE configuration?
>>
>> --
>> Ethan
>>
>
> Mark,
>
> Did you need any additional information from me regarding this config? Or
> did you get everything you needed?
Sorry, I missed replying to this.

Can you post the header of your private key file? It should look
something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78

Thanks,

Mark
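As an added illustration that is not part of the thread, the following Python script reads the PEM header Mark asks about and reports whether a private key is unencrypted, legacy-encrypted (the Proc-Type/DEK-Info headers shown above) or PKCS#8-encrypted, and decodes the outer DER tag of the payload so that the "tag = 48" in the exception can be read as SEQUENCE (0x30) rather than the OBJECT IDENTIFIER (tag 6) the parser expected. The sample PEM blocks are constructed for the example and are not real keys.

```python
import base64
import re
# DER universal tags seen in PEM private keys. 48 (0x30) is SEQUENCE, so
# "isn't an object ID (tag = 48)" means a SEQUENCE was read where an
# OBJECT IDENTIFIER (tag 6) was expected.
DER_TAGS = {0x02: "INTEGER", 0x04: "OCTET STRING",
            0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem_key(pem_text):
    """Label, encryption status/method and outer DER tag of the first PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, headers, body = m.group(1), {}, []
    for line in filter(None, (ln.strip() for ln in m.group(2).splitlines())):
        if ":" in line and not body:       # RFC 1421 header such as DEK-Info
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        else:
            body.append(line)
    info = {"label": label, "encrypted": False, "encryption": None,
            "outer_tag": None, "outer_tag_name": None}
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        # Legacy OpenSSL encryption: the body is raw ciphertext, not DER.
        info["encrypted"] = True
        info["encryption"] = "legacy " + headers.get("DEK-Info", "?").split(",")[0]
        return info
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 EncryptedPrivateKeyInfo
        info["encrypted"] = True
        info["encryption"] = "PKCS#8"
    der = base64.b64decode("".join(body))
    if der:
        info["outer_tag"] = der[0]
        info["outer_tag_name"] = DER_TAGS.get(der[0], "unknown")
    return info

# Constructed samples, not real keys: the DER body is a minimal
# SEQUENCE { INTEGER 0 }; the legacy ciphertext is filler bytes.
_MINI_DER = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78\n\n"
                 "QUJDREVGR0hJSktMTU5PUA==\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % _MINI_DER
SAMPLE_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n"
                "-----END ENCRYPTED PRIVATE KEY-----\n" % _MINI_DER)

if __name__ == "__main__":
    for pem in (SAMPLE_LEGACY, SAMPLE_PKCS1, SAMPLE_PKCS8):
        print(inspect_pem_key(pem))
```

Run it against a real key file with `inspect_pem_key(open("cert.key").read())`; a legacy-encrypted key reports no outer tag because its body is ciphertext rather than DER.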