David,

On 9/9/20 02:46, David Weisgerber wrote:
> Hi Christopher,
>
>> This should be okay, though it is a little unusual to use the
>> same keystore for both "keys" and "trusted certs". Can you
>> confirm the contents + types of everything in the keystore?
>
> After your approach from the end of your response, I exported the
> certificate of main and stored it as dummy:
>
> root@d3bf84b82698:/diagdata# keytool -list -keystore keystore.jks
> Enter keystore password:
> Keystore type: PKCS12
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> dummy, Sep 9, 2020, trustedCertEntry,
> Certificate fingerprint (SHA-256): 07:C1:D4:06:AC:0E:55:C2:25:41:FE:0E:35:9D:9C:8C:03:42:E4:D2:AA:74:1E:0E:21:11:3A:97:CE:A2:AD:22
>
> main, Sep 8, 2020, PrivateKeyEntry,
> Certificate fingerprint (SHA-256): 07:C1:D4:06:AC:0E:55:C2:25:41:FE:0E:35:9D:9C:8C:03:42:E4:D2:AA:74:1E:0E:21:11:3A:97:CE:A2:AD:22
>
> root@d3bf84b82698:/diagdata#
>
> This gives me the same error message as before.

Ugh. That *does* point toward a bug in Tomcat itself or something odd
with the JVM.

>> Are you really using Tomcat 8.5.4 and 8.5.5? If so, you are like
>> 4 years out of date and there are published security
>> vulnerabilities affecting your Tomcat version. Can you try with
>> 8.5.latest which is currently 8.5.57?
>
> No, we automatically ship the latest 8.5 Tomcat version. However,
> for our Docker-based distribution I was sure that this feature
> worked at some time (I think I used Tomcat 8.0 for this). I tried
> it with the latest 8.5.57 on Windows; there everything works
> correctly. I just checked all the versions to see when the "bug"
> was introduced.

Did you find it? I took a quick look at the 8.5.x changelog and nothing
jumped out at me.

>>> Is this a Linux-specific bug?
>
>> That would be unusual, but certainly possible. Are you *sure*
>> this works with no other changes other than:
>>
>> 1. Switching to Windows or
>> 2. Switching to Tomcat 8.5.4?
>>
>> My guess is that the keystore is not bit-for-bit identical to
>> your Windows or Tomcat 8.5.4 environments.
>
> Yes, I copied the keystore that works for Windows and copied it to
> the Docker test environment. The Windows keystore gives me the
> same error message.

Rats. Thanks for confirming.

>> $ keytool -exportcert -alias 'www.example.com' -rfc -keystore /diagdata/keystore.jks
>> ====BEGIN CERTIFICATE=====
>> blah blah blah
>> =====END CERTIFICATE=====
>>
>> $ keytool -importcert -alias 'dummy' -keystore /diagdata/keystore.jks
>> [paste cert here]
>
> I tried this but it did not help...

Grr.

The good news is that the latest version does work, so it must have
been fixed at some point. :)

-chris
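The inspection the thread performs by hand with "keytool -list", as an added example (it is not code from this thread or from Tomcat): a small Java program that lists each keystore entry with its type and SHA-256 fingerprint, checks that each private key can be recovered with the store password (Tomcat's connector keyPass defaults to keystorePass, so a differing key password is a common reason a keystore that "lists fine" still fails to load), checks the leaf certificate's validity period, and flags a trustedCertEntry that merely duplicates a PrivateKeyEntry's own certificate, which is exactly what "dummy" and "main" above do. The keystore path and the password "changeit" in the usage line are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: audits a Tomcat keystore the way the thread does by hand with
 * keytool -list, plus the checks a connector actually needs to start.
 *
 * Usage (path and password are placeholders):
 *   javac KeystoreAudit.java
 *   java KeystoreAudit /diagdata/keystore.jks changeit
 */
public class KeystoreAudit {

    /** keytool-style colon-separated, upper-case SHA-256 fingerprint of the DER encoding. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreAudit <keystore-file> <store-password>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();

        // Since JDK 9 the default type is PKCS12, and with the default
        // keystore.type.compat=true the same call also opens legacy JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        System.out.println("Keystore type: " + ks.getType() + ", provider: "
                + ks.getProvider().getName() + ", entries: " + ks.size());

        Map<String, String> keyLeafFingerprints = new HashMap<>(); // alias -> leaf cert fingerprint
        Map<String, String> trustedFingerprints = new HashMap<>(); // alias -> trusted cert fingerprint

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) { // a SecretKeyEntry has no certificate chain
                    System.out.println(alias + ", SecretKeyEntry (unusable for TLS)");
                    continue;
                }
                String leafFp = fingerprint(chain[0]);
                keyLeafFingerprints.put(alias, leafFp);
                System.out.printf("%s, PrivateKeyEntry, chain length %d%n", alias, chain.length);
                System.out.println("  leaf fingerprint (SHA-256): " + leafFp);

                // Tomcat's keyPass defaults to keystorePass. A key protected with a
                // different password lists fine with keytool but cannot be recovered here.
                try {
                    Key key = ks.getKey(alias, storePass);
                    System.out.println("  private key recoverable with store password (" + key.getAlgorithm() + ")");
                } catch (UnrecoverableKeyException uke) {
                    System.out.println("  WARNING: key password differs from store password; set keyPass on the connector");
                }

                // An expired or not-yet-valid leaf still loads, but clients will reject it.
                if (chain[0] instanceof X509Certificate) {
                    X509Certificate leaf = (X509Certificate) chain[0];
                    try {
                        leaf.checkValidity();
                        System.out.println("  leaf subject " + leaf.getSubjectX500Principal()
                                + ", valid until " + leaf.getNotAfter());
                    } catch (CertificateException ex) { // expired or not yet valid
                        System.out.println("  WARNING: leaf certificate is not currently valid: " + ex);
                    }
                }
            } else if (ks.isCertificateEntry(alias)) {
                String fp = fingerprint(ks.getCertificate(alias));
                trustedFingerprints.put(alias, fp);
                System.out.printf("%s, trustedCertEntry%n  fingerprint (SHA-256): %s%n", alias, fp);
            }
        }

        // The situation in the thread: a trustedCertEntry that is the very same
        // certificate as a PrivateKeyEntry's leaf adds only the server's own cert
        // as a trust anchor, which is rarely what a truststore is meant to hold.
        for (Map.Entry<String, String> t : trustedFingerprints.entrySet()) {
            for (Map.Entry<String, String> k : keyLeafFingerprints.entrySet()) {
                if (t.getValue().equals(k.getValue())) {
                    System.out.printf("NOTE: trustedCertEntry '%s' duplicates the leaf of PrivateKeyEntry '%s'%n",
                            t.getKey(), k.getKey());
                }
            }
        }
    }
}
```

Run it against the same file Tomcat is pointed at, on the host where Tomcat fails: if the key is not recoverable with the store password, or the leaf is outside its validity window, the output says so without having to read a Tomcat stack trace; if everything passes and the NOTE line is the only finding, the keystore itself is consistent and the search moves to the connector configuration or the JVM, as the thread concludes.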