James,
On 8/5/20 19:46, James H. H. Lampert wrote:
> I've now proceeded to the "real" server, with the Tomcat portion of
> the procedure refined to give me plenty of "undo" capability. And
> it turns out I need it.
>
> It seems that with the unwanted update to 7.0.57 that happened on
> launching the test spot instances, the Let's Encrypt certs worked
> just fine.
>
> But applying the procedure to the *real* development instance
> (7.0.40) blew up in my face, failing to open the connectors. Here
> is an excerpt from catalina.out, showing the stacktraces.
>
>> 05-Aug-2020 23:00:52.189 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.40
>>
>> [snip]
>>
>> 05-Aug-2020 23:00:52.195 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_201-b09
>>
>> [snip]
>>
>> Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
>>     at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
>>     at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
>>     at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
>>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
>>     at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
>>     at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)

*sigh* Okay, this is a confluence of:

1. You are using PEM files instead of a Java keystore
1a. Tomcat handles this by creating an in-memory KeyStore and loading your key + certificate into it
2. Java 1.8 doesn't like non-private keys in KeyStores for some reason
2a. Java somehow thinks your key + cert aren't "private" :(

From your other thread, I think you are doing this:

    <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"
                 certificateKeyFile="/etc/tomcat8/test.foo.net.key"
                 certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt" />

I think the problem is that there is no "password". Here is the line of code bombing:

    // Switch to in-memory key store
    ksUsed = KeyStore.getInstance("JKS");
    ksUsed.load(null, null);
    ksUsed.setKeyEntry(keyAlias, privateKeyFile.getPrivateKey(), keyPass.toCharArray(),
            chain.toArray(new Certificate[0]));

It's the call to setKeyEntry which fails. The key alias is "tomcat" unless you have explicitly set the alias. The cert and key are obvious, but the keypass is probably empty... or something.

The default key password is whatever the keystore password is. The default keystore password is "changeit". So I think this is why we aren't getting an NPE when we call keyPass.toCharArray.

This works in other scenarios. Not sure what is the exact problem with yours.

ks.load(null, null) looks suspicious. Maybe it's not okay to use a non-initialized KeyStore object. But I think maybe it should be:

    ks.load(null, keyPass.toCharArray());

I'll have to play with this a little locally to see what the problem is.

As a short-term workaround, you can load your stuff into a keystore like this:

    $ openssl pkcs12 -export \
        -in /etc/tomcat8/test.foo.net.crt \
        -inkey /etc/tomcat8/test.foo.net.key \
        -certfile /etc/tomcat8/test.foo.net.issuer.crt \
        -out /etc/tomcat8/test.foo.net.p12 \
        -chain

Then reconfigure your <Certificate> to use your keystore.
-chris
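To find out which of the three PEM inputs the in-memory KeyStore step rejects, here is an added Java check (my own code, not from this thread or from Tomcat) that repeats the same KeyStore.getInstance("JKS") / load(null, null) / setKeyEntry("tomcat", ..., "changeit") sequence against the key, cert and issuer files. It assumes an unencrypted PKCS#8 key; the class and method names are mine, and a key file with any other PEM label is reported as not parsed.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.*;
import java.util.*;
// Added diagnostic (not Tomcat code): repeats the PEM -> in-memory JKS step outside Tomcat
public class PemKeyStoreCheck {
    /** Parses an unencrypted PKCS#8 "BEGIN PRIVATE KEY" block; returns null for any other PEM label. */
    static PrivateKey loadPkcs8PrivateKey(String pemPath) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(pemPath)), StandardCharsets.US_ASCII);
        String begin = "-----BEGIN PRIVATE KEY-----", end = "-----END PRIVATE KEY-----";
        int start = pem.indexOf(begin), stop = pem.indexOf(end);
        if (start < 0 || stop < 0) {
            return null; // PKCS#1 "RSA PRIVATE KEY", "EC PRIVATE KEY" or an encrypted key: not handled here
        }
        byte[] der = Base64.getMimeDecoder().decode(pem.substring(start + begin.length(), stop));
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(new PKCS8EncodedKeySpec(der));
            } catch (InvalidKeySpecException e) {
                // wrong algorithm for this key; try the next one
            }
        }
        return null;
    }
    /** The same calls SSLUtilBase makes: in-memory JKS, alias "tomcat", key password "changeit". */
    static KeyStore buildInMemoryKeyStore(PrivateKey key, String... certPemPaths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>(); // leaf first, then issuer; a file may hold several certs
        for (String path : certPemPaths) {
            try (FileInputStream in = new FileInputStream(path)) {
                chain.addAll(cf.generateCertificates(in));
            }
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        // A null (unparsed) key reaches setKeyEntry and JKS throws "Cannot store non-PrivateKeys", as in the trace
        ks.setKeyEntry("tomcat", key, "changeit".toCharArray(), chain.toArray(new Certificate[0]));
        return ks;
    }
    public static void main(String[] args) throws Exception {
        PrivateKey key = loadPkcs8PrivateKey(args[0]);
        System.out.println("key parsed as PrivateKey: " + (key != null));
        buildInMemoryKeyStore(key, args[1], args[2]); // fails exactly where Tomcat does if the key was not parsed
        System.out.println("in-memory keystore built OK");
    }
}
```

Run it as `java PemKeyStoreCheck test.foo.net.key test.foo.net.crt test.foo.net.issuer.crt`; a key the parser does not recognise is reported as not parsed and the next call then fails with the same "Cannot store non-PrivateKeys" message that appears in catalina.out.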