> Also note that calling reloadSslHostConfigs does NOT re-read server.xml. It re-initializes the existing in-memory configuration. If you want to e.g. change the key alias, you'll have to make a JMX call to update the alias and THEN call reloadSslHostConfigs.
*THAT* is probably my problem. Do you know which MBean and operation that is?

On Thu, Sep 10, 2020 at 4:00 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 9/10/20 13:33, Daniel Skiles wrote:
> > In this case, I didn't remove every certificate, but I did remove
> > the certificate that was originally being referenced after adding a
> > new certificate under a new alias.
> >
> > Original Keystore: Alias A
> > Server.xml _default_ SSLHostConfig points to Alias A
> >
> > After Modification: Alias B
> > Server.xml _default_ SSLHostConfig points to Alias B
> >
> > <Call reloadSslHostConfigs here>
> > <Receive error>
> >
> > If that's not supported, I'll see if I can keep the aliases stable
> > somehow. If there is a way to do it, I'd be interested in hearing
> > what it is.
>
> What are the real alias names? If you don't specify the key alias,
> Tomcat will use the first private key it finds in the file (which is
> essentially random, as Java keystores do not guarantee any kind of
> read-ordering).
>
> What does your <Certificate> look like in server.xml?
>
> Can you also post the actual error and complete stack trace you get?
>
> If you change the key's alias, you'll need to change the alias listed
> in the <Certificate> unless you are using the default first-key behavior.
>
> Also note that calling reloadSslHostConfigs does NOT re-read
> server.xml. It re-initializes the existing in-memory configuration. If
> you want to e.g. change the key alias, you'll have to make a JMX call
> to update the alias and THEN call reloadSslHostConfigs.
>
> -chris
>
> > On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Daniel,
> > >
> > > On 9/10/20 09:09, Daniel Skiles wrote:
> > > > Is it possible to change the keystore alias of the _default_
> > > > SSLHostConfig's certificate while tomcat is running?
> > > >
> > > > At present, I'm trying to move the _default_ certificate from
> > > > one certificate in my keystore, to another. I modify the
> > > > server.xml, then I call the reloadSslHostConfigs MBean
> > > > operation. The operation throws an error that boils down to
> > > > a jsse.alias_no_key_entry error that comes back from the
> > > > JVM.
> > > >
> > > > Is this a technical limitation on SNI/SSLHostConfig, or am I
> > > > missing something here?
> > >
> > > Did you remove all server certificates from your keystore and then
> > > try to bounce the connector? That's not going to work because the
> > > connector requires a server key and certificate.
> > >
> > > Instead of "moving" the cert, consider copying the certificate
> > > instead.
> > >
> > > -chris
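The two-step procedure the thread describes (update the alias over JMX, then invoke reloadSslHostConfigs), as an added Java example that is not from the thread or from Tomcat itself. It assumes Tomcat's remote JMX is reachable on localhost:9090, that the HTTPS connector listens on port 8443, and that the object-name patterns (Catalina:type=SSLHostConfigCertificate with a Host key, Catalina:type=ProtocolHandler with a port key) and the certificateKeyAlias attribute match your Tomcat version, so check them in jconsole first.

```java
import java.util.Set;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
/*
 * Switch the _default_ SSLHostConfig to a new key alias over JMX, then
 * re-initialise the connector's TLS configuration. server.xml is not
 * touched: reloadSslHostConfigs does not re-read it anyway. Assumed values
 * (verify in jconsole): JMX on localhost:9090, HTTPS on 8443, Catalina domain.
 */
public class SwitchKeyAlias {
    static final String JMX_URL = "service:jmx:rmi:///jndi/rmi://localhost:9090/jmxrmi";
    static final String DOMAIN = "Catalina";
    static final int HTTPS_PORT = 8443;
    static final String HOST_NAME = "_default_";

    public static void main(String[] args) throws Exception {
        String newAlias = args.length > 0 ? args[0] : "aliasB"; // constructed sample alias
        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(JMX_URL))) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            // Step 1: point every <Certificate> MBean of the _default_ host at the new
            // alias. A host may carry more than one (e.g. RSA and EC), so iterate rather
            // than assume a single name. The alias is not validated until the reload.
            ObjectName certPattern = new ObjectName(DOMAIN + ":type=SSLHostConfigCertificate,*");
            int updated = 0;
            for (ObjectName cert : mbsc.queryNames(certPattern, null)) {
                String host = cert.getKeyProperty("Host");
                if (host != null && host.startsWith("\"")) host = ObjectName.unquote(host);
                if (!HOST_NAME.equals(host)) continue;
                mbsc.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));
                System.out.println("certificateKeyAlias=" + newAlias + " set on " + cert);
                updated++;
            }
            if (updated == 0) throw new IllegalStateException("no certificate MBean for " + HOST_NAME);
            // Step 2: rebuild the in-memory SSL contexts on the HTTPS connector's
            // ProtocolHandler. If the new alias has no private-key entry, this is the call
            // that fails (the jsse.alias_no_key_entry error from the thread).
            ObjectName handlerPattern = new ObjectName(DOMAIN + ":type=ProtocolHandler,port=" + HTTPS_PORT + ",*");
            Set<ObjectName> handlers = mbsc.queryNames(handlerPattern, null);
            if (handlers.isEmpty()) throw new IllegalStateException("no ProtocolHandler on port " + HTTPS_PORT);
            for (ObjectName handler : handlers) {
                mbsc.invoke(handler, "reloadSslHostConfigs", new Object[0], new String[0]);
                System.out.println("reloadSslHostConfigs invoked on " + handler);
            }
        }
    }
}
```

Run it with the new alias as the first argument after the new key entry has been added to the keystore; the reload succeeds only if that alias holds a private key, so keep the old entry until the reload has returned cleanly.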