Hi Luis,

My keystore (for HTTPS):

-rw-r--r-- 1 root root 4067 Sep 8 10:27 /diagdata/keystore.jks

General Java keystore:

-rw-r--r-- 1 root root 149549 Sep 8 09:32 /etc/ssl/certs/java/cacerts
lrwxrwxrwx 1 root root 27 Apr 18 14:25 /usr/lib/jvm/java-14-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

<6>Starting ProtocolHandler ["https-openssl-nio-8443"]
javax.net.ssl|DEBUG|01|main|2020-09-08 10:39:18.507 CEST|SunX509KeyManagerImpl.java:160|found key for : main (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "00 FC 1F BA 70 76 61 59 05",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=localhost",
    "not before"         : "2020-09-08 10:27:50.000 CEST",
    "not after"          : "2023-06-29 10:27:50.000 CEST",
    "subject"            : "CN=localhost",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 81 53 CD 0B 4F 48 05 13   43 BF 30 59 0C 85 A3 20  .S..OH..C.0Y...
        0010: 44 7D 01 9D                                        D...
        ]
        ]
      }
    ]}
)
<2>Failed to start component [Connector[HTTP/1.1-8443]]
[...]

keystore.jks is created by

keytool -genkey -alias main -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "CN=localhost" -validity 1024 -keypass custo1234 -storepass custo1234 -keystore /diagdata/keystore.jks

The interesting part: all of this works under Windows by using -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

________________________________________
From: Luis Rodríguez Fernández [uo67...@gmail.com]
Sent: Tuesday, 8 September 2020 10:16
To: Tomcat Users List
Subject: Re: Truststore in HTTPS Connector does not work with Linux

Hello David,

That error usually happens when the Java process (Tomcat) cannot access the truststore file. May I ask you to check permissions and ownership of the truststore file?

You can always add -Djavax.net.debug=all to your CATALINA_OPTS; it will give you way more information about the issue.

Hope it helps,

Luis

On Tue, 8 Sep 2020 at 9:58, David Weisgerber (<david.weisger...@ms-gmbh.de>) wrote:

> Hi,
>
> I have some weird problem or bug with the HTTPS Connector. In our product,
> which ships with Tomcat, we want to achieve the following:
> There is one keystore where the customer puts its server certificate for
> HTTPS as well as (if intended) zero or one certificate for client
> authentication. The certificate for client authentication can be
> self-signed and the customer can set up its own certificate authority for
> this.
> For this I put the following code for configuring the connector in the
> server.xml:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true" bindOnInit="false"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234"
>            keyAlias="main" truststoreFile="/diagdata/keystore.jks"
>            truststorePassword="custo1234" />
>
> (The real clientAuth is done in the deployed application because it is
> more complicated; I just need the feature to be enabled.)
>
> This gives me the following error:
>
> org.apache.catalina.LifecycleException: Protocol handler start failed
> <2>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
> <2>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
> <2>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
> <2>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2>     at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
> <2>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> <2>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> <2>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> <2>     at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> <2>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> <2>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
> <2>Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
> <2>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> <2>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> <2>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> <2>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> <2>     at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
> <2>     at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
> <2>     at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
> <2>     ... 12 more
> <2>Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> <2>     at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> <2>     at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> <2>     at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> <2>     at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
> <2>     at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
> <2>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> <2>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> <2>     ... 18 more
>
> The error goes away when I remove truststoreFile and truststorePassword.
> Now comes the interesting part: the same configuration works under Windows
> (with other paths of course) using the Windows store as truststore for
> HTTPS connections to other servers. The same configuration worked with
> Tomcat 8.5.4 and the error just popped up from version 8.5.5. The error
> also seems not to be based on the Java version; I tried it with Java 8 and
> Java 14. Under Windows we use Java 9...
>
> Is this a Linux-specific bug? What is a trust anchor anyway?
>
> Thanks in advance,
> David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
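The stack trace above shows Tomcat building a PKIXBuilderParameters from the truststore, and that constructor only takes trustedCertEntry entries as trust anchors; a file produced by `keytool -genkey` alone holds a single PrivateKeyEntry, which is why the same file works as keystoreFile but not as truststoreFile. As an added example that is not part of this thread, the POSIX shell check below parses `keytool -list` output and reports whether a store has any trust anchors at all; the two listings are constructed samples, and the alias `customer-ca` and file `ca.pem` are assumed names.

```shell
# Added example, not from the thread: count entry kinds in `keytool -list`
# output. Only trustedCertEntry entries become PKIX trust anchors, so a
# store with 0 of them triggers "the trustAnchors parameter must be non-empty"
# the moment it is configured as truststoreFile.

# Count entries of the kind given in $1 ("PrivateKeyEntry" or
# "trustedCertEntry") in keytool -list text read from stdin.
# Entry lines look like:  main, Sep 8, 2020, PrivateKeyEntry,
count_entries() {
    grep -c ", $1," || true   # grep exits 1 on zero matches but still prints 0
}

# Print a verdict for the listing passed in $1; return 0 only when at
# least one trustedCertEntry is present (store is usable as truststore).
check_trust_anchors() {
    keys=$(printf '%s\n' "$1" | count_entries PrivateKeyEntry)
    certs=$(printf '%s\n' "$1" | count_entries trustedCertEntry)
    echo "PrivateKeyEntry: $keys, trustedCertEntry: $certs"
    if [ "$certs" -eq 0 ]; then
        echo "no trust anchors: fine as keystoreFile, unusable as truststoreFile"
        return 1
    fi
    echo "ok: $certs trust anchor(s) available"
    return 0
}

# Constructed sample: what keytool -list prints for the store generated
# with the -genkey command in the thread (one key entry, no trusted certs).
GENKEY_ONLY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

main, Sep 8, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:...'

# Constructed sample: the same store after a customer CA was added with
# keytool -importcert -alias customer-ca -file ca.pem -keystore keystore.jks
WITH_CA='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

main, Sep 8, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:...
customer-ca, Sep 8, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:EE:FF:...'

# Against the real file (keytool on PATH, password as in the thread):
# check_trust_anchors "$(keytool -list -keystore /diagdata/keystore.jks -storepass custo1234)"
```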