Hi Christopher,

> This should be okay, though it is a little unusual to use the same keystore
> for both "keys" and "trusted certs".
> Can you confirm the contents + types of everything in the keystore?

Following the approach from the end of your response, I exported the certificate of main and stored it as dummy:

root@d3bf84b82698:/diagdata# keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

dummy, Sep 9, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 07:C1:D4:06:AC:0E:55:C2:25:41:FE:0E:35:9D:9C:8C:03:42:E4:D2:AA:74:1E:0E:21:11:3A:97:CE:A2:AD:22
main, Sep 8, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 07:C1:D4:06:AC:0E:55:C2:25:41:FE:0E:35:9D:9C:8C:03:42:E4:D2:AA:74:1E:0E:21:11:3A:97:CE:A2:AD:22
root@d3bf84b82698:/diagdata#

This gives me the same error message as before.

> Are you really using Tomcat 8.5.4 and 8.5.5? If so, you are like 4 years out
> of date and there are published security vulnerabilities affecting your
> Tomcat version. Can you try with 8.5.latest which is currently 8.5.57?

No, we automatically ship the latest 8.5 Tomcat version. However, for our Docker-based distribution I was sure that this feature worked at some time (I think I used Tomcat 8.0 for this). I tried it with the latest 8.5.57 on Windows; there everything works correctly. I just checked all the versions to see when the "bug" was introduced.

>> Is this a Linux-specific bug?
> That would be unusual, but certainly possible. Are you *sure* this works with
> no other changes other than:
>
> 1. Switching to Windows
> or
> 2. Switching to Tomcat 8.5.4?
>
> My guess is that the keystore is not bit-for-bit identical to your Windows or
> Tomcat 8.5.4 environments.

Yes, I took the keystore that works on Windows and copied it to the Docker test environment. The Windows keystore gives me the same error message.

> $ keytool -exportcert -alias 'www.example.com' -rfc -keystore
> /diagdata/keystore.jks
> ====BEGIN CERTIFICATE=====
> blah blah blah
> =====END CERTIFICATE=====
>
> $ keytool -importcert -alias 'dummy' -keystore /diagdata/keystore.jks
> [paste cert here]

I tried this but it did not help...

Thanks,
David
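Christopher asked for the contents and types of everything in the keystore. The keytool listing above shows the alias, the entry type and one fingerprint per entry, but for a PrivateKeyEntry it does not show the rest of the chain, and it does not show subject or issuer. The following added example (written for this thread, not code from Tomcat or from either poster) loads the keystore through the same JSSE KeyStore API that Tomcat uses and prints, for every alias, its entry type, each certificate's subject and issuer, and the SHA-256 fingerprint in keytool's format. The keystore path /diagdata/keystore.jks comes from the thread; the password and the optional keystore type are command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Dumps every entry of a keystore the way JSSE sees it: alias, entry type,
 * and for each certificate its subject, issuer and SHA-256 fingerprint
 * (same hex format as "keytool -list").
 *
 * Added diagnostic for the thread above; not part of Tomcat.
 */
public class KeystoreDump {

    /** SHA-256 over the DER encoding, printed as AA:BB:CC:... like keytool. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static void describe(String label, Certificate cert) throws Exception {
        System.out.println("    " + label + ":");
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println("      subject: " + x.getSubjectX500Principal());
            System.out.println("      issuer:  " + x.getIssuerX500Principal());
            // subject == issuer means the certificate is self-signed; a
            // trustedCertEntry whose fingerprint matches the PrivateKeyEntry's
            // leaf is simply a copy of that leaf, not a separate CA.
        }
        System.out.println("      SHA-256: " + fingerprint(cert));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreDump <keystore> <password> [type]");
            System.exit(2);
        }
        // keytool reported "Keystore type: PKCS12" for the .jks file in the
        // thread. Java 9+ autodetects JKS/PKCS12 on load; pass the type as the
        // third argument (assumed option) to force it, e.g. "PKCS12" or "JKS".
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        char[] password = args[1].toCharArray();
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        System.out.println("Keystore type: " + ks.getType() + ", entries: " + ks.size());

        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // getCertificateChain() is null for a SecretKeyEntry.
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) {
                    System.out.println(alias + ": SecretKeyEntry (no certificate chain)");
                    continue;
                }
                System.out.println(alias + ": PrivateKeyEntry, chain length " + chain.length);
                for (int i = 0; i < chain.length; i++) {
                    describe("chain[" + i + "]", chain[i]);
                }
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": trustedCertEntry");
                describe("cert", ks.getCertificate(alias));
            } else {
                System.out.println(alias + ": unknown entry type");
            }
        }
    }
}
```

Compile and run it against the keystore from the thread with `javac KeystoreDump.java && java KeystoreDump /diagdata/keystore.jks <password>`. Comparing the printed fingerprints and subject/issuer pairs tells you whether the two entries are independent (a CA plus a leaf it issued) or the same certificate stored twice under different aliases, which is what two identical fingerprints in the keytool output suggest.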