James,
Am 2020-01-09 00:58, schrieb James H. H. Lampert:
I wrote:
Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
and ".key" files directly, instead of the Java Keystore file?
On 12/30/19 1:41 PM, Peter Kreuser wrote:
Correct!
I tried an experiment this afternoon:
I made a copy of the existing server.xml file, and I changed the active
connector from this (keystore file and alias redacted for privacy,
ciphers and compressibleMimeTypes clauses redacted because they're
quite long, and not relevant here):
<Connector port="8443" proxyPort="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="[REDACTED]"
maxThreads="1000" socket.appReadBufSize="1024"
socket.appWriteBufSize="1024" bufferSize="1024"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
clientAuth="false" sslProtocol="TLS" />
to this:
<Connector port="8443" proxyPort="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="[REDACTED]"
maxThreads="1000" socket.appReadBufSize="1024"
socket.appWriteBufSize="1024" bufferSize="1024"
SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig ciphers="[REDACTED]"
certificateVerification="none" sslProtocol="TLS">
<Certificate certificateFile="[REDACTED].cer"
certificateKeyFile="[REDACTED].key"
certificateChainFile="[REDACTED].ca.crt" />
</SSLHostConfig>
</Connector>
and restarted Tomcat, and it failed to open the port, producing this
in catalina.out:
08-Jan-2020 23:14:09.026 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal Failed to
initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize
component [Connector[HTTP/1.1-8443]]
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at
org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store
non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at
org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
at
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store
non-PrivateKeys
at
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
at
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 20 more
I recently came across a similar problem (at least the same error
message), where the key was in an unsupported format (first line of the
file: "BEGIN EC PRIVATE KEY"; Mark is working on a solution for this).
What type of private key are you using? all files PEM encoded?
Besides this your config seems to be OK.
Maybe you want to add
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
to the connector - just to be sure of the implementation.
Peter
Can anybody explain what I did wrong? These are fully-qualified paths
to the certificate, chain, and key files. [REDACTED].ca.crt contains a
certificate chain; [REDACTED].cer contains a certificate, and
[REDACTED].key contains a private key, and they all work in Apache
httpd, on the same box.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
