Hello David,

That error usually happens when the java process (tomcat) cannot access the truststore file. May I ask you to check permissions and ownership of the truststore file? You can always add -Djavax.net.debug=all to your CATALINA_OPTS, it will give you way more information about the issue.

Hope it helps,
Luis

On Tue, 8 Sep 2020 at 9:58, David Weisgerber (<david.weisger...@ms-gmbh.de>) wrote:

> Hi,
> I have some weird problem or bug with the HTTPS Connector. In our product,
> that ships with tomcat we want to achieve the following:
> There is one keystore where the customer puts its server certificate for
> HTTPS as well as (if intended) zero or one certificate for client
> authentication. The certificate for client authentication can be
> self-signed and the customer can set up its own certificate authority for
> this.
> For this I put the following code for configuring the connector in the
> server.xml:
>
> <Connector port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxThreads="150" SSLEnabled="true" scheme="https"
>     secure="true" bindOnInit="false"
>     clientAuth="false" sslProtocol="TLS"
>     keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234"
>     keyAlias="main" truststoreFile="/diagdata/keystore.jks"
>     truststorePassword="custo1234" />
>
> (The real clientAuth is done in the deployed application because it is
> more complicated, I just need the feature to be enabled).
> This gives me the following error:
> org.apache.catalina.LifecycleException: Protocol handler start failed
> <2>    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
> <2>    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>    at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
> <2>    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> <2>    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> <2>    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> <2>    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> <2>    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> <2>    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
> <2>Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> <2>    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> <2>    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> <2>    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
> <2>    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
> <2>    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
> <2>    ... 12 more
> <2>Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> <2>    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> <2>    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> <2>    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
> <2>    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> <2>    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> <2>    ... 18 more
>
> The error goes away when I remove truststoreFile and truststorePassword.
> Now comes the interesting part: The same configuration works under Windows
> (with other paths of course) using the Windows-Store as truststore for
> HTTPS connections to other servers. The same configuration worked with
> Tomcat 8.5.4 and the error just popped up from version 8.5.5. The error
> also seems not to be based on the java version, I tried it with Java 8 and
> Java 14. Under Windows we use Java 9...
>
> Is this a Linux specific bug? What is a trust anchor anyway?
>
> Thanks in advance,
> David

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
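
An added diagnostic, not part of the original messages and not Tomcat code: it reports whether the current OS user can read the keystore, as the reply asks, and counts the trusted certificate entries, since the `PKIXParameters(KeyStore)` constructor in the stack trace throws this exception when the keystore holds none. The class name `TrustAnchorCheck` and its two command-line arguments are assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added diagnostic, not from the thread. Run it as the OS user that runs Tomcat.
public class TrustAnchorCheck {

    // Only certificate entries count as trust anchors; key entries
    // (private key plus chain) are skipped by PKIXParameters(KeyStore).
    static int countTrustedCerts(KeyStore ks) throws KeyStoreException {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean trusted = ks.isCertificateEntry(alias);
            System.out.printf("  %-16s %s%n", alias,
                    trusted ? "trustedCertEntry" : "key entry (not a trust anchor)");
            if (trusted) n++;
        }
        return n;
    }

    // Calls the same JDK constructor that appears in the stack trace.
    static String pkixVerdict(KeyStore ks) throws KeyStoreException {
        try {
            new PKIXParameters(ks);
            return "accepted";
        } catch (InvalidAlgorithmParameterException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 2) {          // <keystore file> <password>
            Path file = Paths.get(args[0]);
            System.out.println("readable by this user: " + Files.isReadable(file));
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, args[1].toCharArray());
            }
        } else {                         // constructed sample: empty in-memory keystore
            ks.load(null, null);
        }
        System.out.println("trusted certificate entries: " + countTrustedCerts(ks));
        System.out.println("PKIXParameters: " + pkixVerdict(ks));
    }
}
```

Run without arguments, it uses the constructed empty keystore and prints the same "the trustAnchors parameter must be non-empty" message as the trace.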