James,

On 8/6/20 13:03, James H. H. Lampert wrote:
> On 8/6/20 9:37 AM, Christopher Schultz wrote:
. . .
>> As a short-term workaround, you can load your stuff into a
>> keystore like this:
>>
>> $ openssl pkcs12 -export \
>>     -in /etc/tomcat8/test.foo.net.crt \
>>     -inkey /etc/tomcat8/test.foo.net.key \
>>     -certfile /etc/tomcat8/test.foo.net.issuer.crt \
>>     -out /etc/tomcat8/test.foo.net.p12 \
>>     -chain
>>
>> Then reconfigure your <Certificate> to use your keystore.
>
> That could even be a permanent workaround if it can be done
> non-interactively.

It /can/ be done non-interactively. If you see this presentation on using
Let's Encrypt with Tomcat, there are a few slides toward the end about
automation.

http://tomcat.apache.org/presentations.html#latest-lets-encrypt

> How, I wonder, is it that the PEM files work just fine after the
> "unwanted update" that bumped Tomcat up from 40 to 57, and pulled
> in a slightly newer Java 1.8?

Oh. I completely forgot to look at the version numbers. And now I know
what the problem is, and why my mock-up test I just wrote works fine.

See the changelog for 8.5.51:

http://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.51_(markt)

Specifically, this entry:

  Add: Add support for RFC 5915 formatted, unencrypted EC key files when
  using a JSSE based TLS connector. (markt)

When using an unencrypted EC key (as it seems you are using), Java doesn't
know how to decode that type of file directly as we can with e.g. RSA
non-encrypted keys. So we have to help it along by directly-parsing the
ASN.1 [1] data and re-writing it into a form Java can understand.

So you must use Tomcat 8.5.51 or later to use PEM-encoded non-encrypted
Elliptic curve key files (got all that?).

-chris

[1] There is a special place in hell reserved for everyone responsible for
ASN.1
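The rewriting Chris describes above, as an added example that is not part of this thread and not Tomcat's own code: a small dependency-free Python script that walks the DER of an RFC 5915 `EC PRIVATE KEY` block, moves the named-curve OID into a PKCS#8 AlgorithmIdentifier and wraps the remainder as a `PRIVATE KEY` block, which is the form Java's `KeyFactory` accepts directly (the same transformation `openssl pkcs8 -topk8 -nocrypt` performs). The sample key at the bottom is constructed in-line with a dummy scalar and dummy public point, so it exercises the encoding only and is not a usable key; the `pem_label` helper is the quick check for which of the two PEM labels a key file actually carries, which is what decides whether a pre-8.5.51 Tomcat can load it.

```python
"""Re-write an RFC 5915 'EC PRIVATE KEY' (SEC1) into a PKCS#8 'PRIVATE KEY'.

Added example, not Tomcat's code: a minimal DER walk illustrating the kind
of rewriting Tomcat 8.5.51+ does for unencrypted EC PEM keys so that Java's
KeyFactory (which only understands PKCS#8) can load them.
"""
import base64
import textwrap

# OIDs from RFC 5480 / RFC 5915 (DER content octets, no tag/length).
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def read_sequence(der: bytes) -> list:
    """Return the (tag, value) children of a single top-level SEQUENCE."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        children.append((t, v))
    return children


def ec_to_pkcs8_der(ec_der: bytes) -> bytes:
    """Wrap an RFC 5915 ECPrivateKey DER in a PKCS#8 PrivateKeyInfo.

    ECPrivateKey ::= SEQUENCE { version INTEGER (1), privateKey OCTET STRING,
        parameters [0] OID OPTIONAL, publicKey [1] BIT STRING OPTIONAL }
    The curve OID moves into the PKCS#8 AlgorithmIdentifier (as OpenSSL's
    'pkcs8 -topk8' does); the inner structure keeps version, scalar and point.
    """
    fields = dict(read_sequence(ec_der))
    if fields.get(0x02) != b"\x01":
        raise ValueError("ECPrivateKey version must be 1")
    if 0x04 not in fields:
        raise ValueError("ECPrivateKey has no privateKey OCTET STRING")
    if 0xA0 not in fields:
        raise ValueError("ECPrivateKey carries no curve parameters; cannot wrap")
    ptag, curve_oid, _ = read_tlv(fields[0xA0])
    if ptag != 0x06:
        raise ValueError("only namedCurve parameters are supported")
    inner = tlv(0x02, b"\x01") + tlv(0x04, fields[0x04])
    if 0xA1 in fields:                     # keep the public point if present
        inner += tlv(0xA1, fields[0xA1])
    algorithm = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, curve_oid))
    return tlv(0x30, tlv(0x02, b"\x00") + algorithm + tlv(0x04, tlv(0x30, inner)))


def pem_label(pem: str) -> str:
    """Return the BEGIN label: 'EC PRIVATE KEY' (RFC 5915) or 'PRIVATE KEY' (PKCS#8)."""
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-5]
    raise ValueError("no PEM BEGIN line found")


def ec_pem_to_pkcs8_pem(pem: str) -> str:
    """Convert an 'EC PRIVATE KEY' PEM block into a 'PRIVATE KEY' PEM block."""
    if pem_label(pem) != "EC PRIVATE KEY":
        raise ValueError("expected an RFC 5915 'EC PRIVATE KEY' block")
    b64 = "".join(s for s in (l.strip() for l in pem.splitlines())
                  if s and not s.startswith("-----"))
    der = ec_to_pkcs8_der(base64.b64decode(b64))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"


# Constructed sample (not a real key pair): dummy 32-byte scalar, P-256 named
# curve, dummy uncompressed point. Only the DER layout matters here.
SAMPLE_EC_DER = tlv(0x30,
                    tlv(0x02, b"\x01")
                    + tlv(0x04, bytes(range(1, 33)))
                    + tlv(0xA0, tlv(0x06, OID_PRIME256V1))
                    + tlv(0xA1, tlv(0x03, b"\x00\x04" + bytes(64))))
SAMPLE_EC_PEM = ("-----BEGIN EC PRIVATE KEY-----\n"
                 + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_EC_DER).decode(), 64))
                 + "\n-----END EC PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(ec_pem_to_pkcs8_pem(SAMPLE_EC_PEM))
```

Feeding it a PKCS#8 block a second time raises, because the outer version is 0 rather than 1, which is the same mismatch a pre-8.5.51 Tomcat runs into in the other direction: the PEM label and the ASN.1 layout both differ, so a plain PKCS#8 decoder cannot accept the RFC 5915 structure without this kind of rewrite.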