Hello David,

That error usually happens when the Java process (Tomcat) cannot access
the truststore file. May I ask you to check the permissions and ownership of
the truststore file? You can always add -Djavax.net.debug=all to your
CATALINA_OPTS; it will give you much more information about the issue.

Hope it helps,

Luis







On Tue, 8 Sep 2020 at 9:58, David Weisgerber (<david.weisger...@ms-gmbh.de>) wrote:

> Hi,
> I have some weird problem or bug with the HTTPS Connector. In our product,
> which ships with Tomcat, we want to achieve the following:
> There is one keystore where the customer puts its server certificate for
> HTTPS as well as (if intended) zero or one certificate for client
> authentication. The certificate for client authentication can be
> self-signed and the customer can set up its own certificate authority for
> this.
> For this I put the following code for configuring the connector in the
> server.xml:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true" bindOnInit="false"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234"
>            keyAlias="main" truststoreFile="/diagdata/keystore.jks"
>            truststorePassword="custo1234" />
>
> (The real clientAuth is done in the deployed application because it is
> more complicated, I just need the feature to be enabled).
> This gives me the following error:
> org.apache.catalina.LifecycleException: Protocol handler start failed
> <2>    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
> <2>    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> <2>    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> <2>    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> <2>    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> <2>    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> <2>    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
> <2>Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> <2>    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> <2>    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> <2>    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
> <2>    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
> <2>    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
> <2>    ... 12 more
> <2>Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> <2>    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> <2>    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> <2>    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> <2>    ... 18 more
>
> The error goes away when I remove truststoreFile and truststorePassword.
> Now comes the interesting part: The same configuration works under Windows
> (with other paths of course) using the Windows-Store as truststore for
> HTTPS connections to other servers. The same configuration worked with
> Tomcat 8.5.4 and the error just popped up from version 8.5.5. The error
> also seems not to be based on the java version, I tried it with Java 8 and
> Java 14. Under Windows we use Java 9...
>
> Is this a Linux specific bug? What is a trust anchor anyway?
>
> Thanks in advance,
> David

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
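
An added example, not part of either message in this thread and not Tomcat code: a small Java check that reports whether a keystore file is readable and how many trusted-certificate entries it holds, then calls the same `PKIXBuilderParameters` constructor that appears in the stack trace above. The class name `TrustAnchorCheck` and the empty in-memory keystore used when no arguments are given are constructed for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collections;

public class TrustAnchorCheck {

    /** Counts trusted-certificate entries; private-key entries are not trust anchors. */
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    /** Calls the constructor seen in the stack trace; it rejects a store with no trusted entries. */
    static boolean hasUsableAnchors(KeyStore ks) throws Exception {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("  PKIX: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 2) {
            // args[0] = keystore path, args[1] = keystore password
            Path p = Paths.get(args[0]);
            System.out.println("readable by this user: " + Files.isReadable(p));
            try (InputStream in = Files.newInputStream(p)) {
                ks.load(in, args[1].toCharArray());
            }
        } else {
            ks.load(null, null); // constructed input: empty in-memory keystore
        }
        System.out.println("trusted cert entries: " + countTrustedCerts(ks));
        System.out.println("usable as truststore: " + hasUsableAnchors(ks));
    }
}
```

Run it as the account Tomcat runs under, passing the keystore path and password as the two arguments, so the readability check reflects what the server sees.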
