>  Also note that calling reloadSslHostConfigs does NOT re-read server.xml.
It re-initializes the existing in-memory configuration. If you want to e.g.
change the key alias, you'll have to make a JMX call to update the alias
and THEN call reloadSslHostConfigs.

*THAT* is probably my problem. Do you know which MBean and operation that
is?

On Thu, Sep 10, 2020 at 4:00 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 9/10/20 13:33, Daniel Skiles wrote:
> > In this case, I didn't remove every certificate, but I did remove
> > the certificate that was originally being referenced after adding a
> > new certificate under a new alias.
> >
> > Original Keystore: Alias A
> > Server.xml _default_ SSLHostConfig points to Alias A
> >
> > After Modification: Alias B
> > Server.xml _default_ SSLHostConfig points to Alias B
> >
> > <Call reloadSslHostConfigs here> <Receive error>
> >
> > If that's not supported, I'll see if I can keep the aliases stable
> > somehow.  If there is a way to do it, I'd be interested in hearing
> > what it is.
>
> What are the real alias names? If you don't specify the key alias,
> Tomcat will use the first private key it finds in the file (which is
> essentially random, as Java keystores do not guarantee any kind of
> read-ordering).
>
> What does your <Certificate> look like in server.xml?
>
> Can you also post the actual error and complete stack trace you get?
>
> If you change the key's alias, you'll need to change the alias listed
> in the <Certificate> unless you are using the default first-key
> behavior.
>
> Also note that calling reloadSslHostConfigs does NOT re-read
> server.xml. It re-initializes the existing in-memory configuration. If
> you want to e.g. change the key alias, you'll have to make a JMX call
> to update the alias and THEN call reloadSslHostConfigs.
>
> - -chris
>
> > On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Daniel,
> >
> > On 9/10/20 09:09, Daniel Skiles wrote:
> >>>> Is it possible to change the keystore alias of the _default_
> >>>> SSLHostConfig's certificate while tomcat is running?
> >>>>
> >>>> At present, I'm trying to move the _default_ certificate from
> >>>> one certificate in my keystore, to another.  I modify the
> >>>> server.xml, then I call the reloadSslHostConfigs MBean
> >>>> operation.  The operation throws an error that boils down to
> >>>> a jsse.alias_no_key_entry error that comes back from the
> >>>> JVM.
> >>>>
> >>>> Is this a technical limitation on SNI/SSLHostConfig, or am I
> >>>> missing something here?
> >
> > Did you remove all server certificates from your keystore and then
> > try to bounce the connector? That's not going to work because the
> > connector requires a server key and certificate.
> >
> > Instead of "moving" the cert, consider copying the certificate
> > instead.
> >
> > -chris
>

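The two-step procedure described in the thread (update the certificate's key alias through JMX, then invoke reloadSslHostConfigs, since the reload re-reads the keystore file but never server.xml), as an added example that is not part of the thread. It drives Tomcat's Manager JMX proxy servlet (/manager/jmxproxy/ with its `set` and `invoke` commands) from Python instead of a Java JMX client. Everything about the target instance is an assumption: Tomcat 8.5/9 with the manager webapp deployed and a user in the manager-jmx role, a NIO/JSSE connector on port 8443 (endpoint name https-jsse-nio-8443), and the MBean names CERT_MBEAN and PROTO_MBEAN, which follow the pattern Tomcat registers but whose exact quoting can differ by version; confirm them with jconsole or `/manager/jmxproxy/?qry=Catalina:type=SSLHostConfigCertificate,*` before use. The `fetch` parameter exists so the sequencing can be exercised offline with canned replies.

```python
"""
Rotate the key alias of the _default_ SSLHostConfig certificate on a running
Tomcat via the Manager JMX proxy servlet, then call reloadSslHostConfigs.

Added example, not code from the thread. Assumptions (verify on your instance):
  - manager webapp deployed, HTTP Basic user in role manager-jmx
  - NIO/JSSE connector on 8443, so the endpoint is named https-jsse-nio-8443
  - MBean names below match what Tomcat registers; quoting may differ by version
"""
import base64
import urllib.parse
import urllib.request

MANAGER = "http://localhost:8080/manager/jmxproxy/"   # assumed location
CERT_MBEAN = (
    'Catalina:type=SSLHostConfigCertificate,'
    'ThreadPool="https-jsse-nio-8443",name="_default_",certificateType="UNDEFINED"'
)
PROTO_MBEAN = 'Catalina:type=ProtocolHandler,port="8443"'


def set_attr_url(base, mbean, att, val):
    """jmxproxy 'set' command: ?set=BEAN&att=ATTRIBUTE&val=VALUE"""
    return base + "?" + urllib.parse.urlencode({"set": mbean, "att": att, "val": val})


def invoke_url(base, mbean, op, ps=None):
    """jmxproxy 'invoke' command: ?invoke=BEAN&op=METHOD[&ps=p1,p2]"""
    params = {"invoke": mbean, "op": op}
    if ps is not None:
        params["ps"] = ",".join(ps)
    return base + "?" + urllib.parse.urlencode(params)


def decode_query(url):
    """Inverse of the builders above, to check that bean names survive encoding."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def parse_reply(body):
    """jmxproxy replies start with 'OK - <detail>' or 'Error - <detail>'."""
    first = (body.strip().splitlines() or [""])[0]
    status, _, detail = first.partition(" - ")
    return status == "OK", detail.strip()


def _http_get(url, user, password, timeout=10):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def rotate_default_alias(new_alias, base=MANAGER, user="admin", password="secret",
                         fetch=_http_get):
    """
    1. set certificateKeyAlias on the _default_ certificate (in-memory only;
       server.xml is untouched, so a restart reverts to whatever it names)
    2. reloadSslHostConfigs, which re-reads the keystore file with that alias
    Stops at the first 'Error -' reply. Note that step 1 succeeds even when the
    alias is not a PrivateKeyEntry; that mistake only surfaces in step 2 as
    jsse.alias_no_key_entry, so check the keystore with keytool -list first.
    Returns a list of (step, ok, detail).
    """
    steps = [
        ("set certificateKeyAlias",
         set_attr_url(base, CERT_MBEAN, "certificateKeyAlias", new_alias)),
        ("reloadSslHostConfigs",
         invoke_url(base, PROTO_MBEAN, "reloadSslHostConfigs")),
    ]
    results = []
    for name, url in steps:
        ok, detail = parse_reply(fetch(url, user, password))
        results.append((name, ok, detail))
        if not ok:
            break
    return results


if __name__ == "__main__":
    import sys
    for name, ok, detail in rotate_default_alias(sys.argv[1]):
        print(f"{'OK ' if ok else 'ERR'} {name}: {detail}")
```

The jmxproxy servlet can set any writable attribute and invoke any operation in the JVM, so treat the manager-jmx role as equivalent to host access: keep the manager webapp bound to loopback or an admin network, use a dedicated account, and talk to it over TLS. Because the alias change lives only in memory, update the `<Certificate certificateKeyAlias="...">` entry in server.xml as well or the next restart silently goes back to the old alias.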