Daniel,

On 9/10/20 16:39, Daniel Skiles wrote:
>> Also note that calling reloadSslHostConfigs does NOT re-read
>> server.xml. It re-initializes the existing in-memory
>> configuration. If you want to e.g. change the key alias, you'll
>> have to make a JMX call to update the alias and THEN call
>> reloadSslHostConfigs.
>
> *THAT* is probably my problem.

Perhaps that method could have a better name, like
reinitializeSSLHostConfigs. "reload" implies that it re-reads the
server.xml which is not the case. At least the documentation should
probably be better.

In your case, where did you rediscover reloadSslHostConfigs?

> Do you know which MBean and operation that is?

It's this (you'll have to interpolate a bit of this to fit your
environment):

Catalina:type=SSLHostConfigCertificate,ThreadPool="https-[cryptoimpl]-[ioimpl]-[addr]-[port]",Host="[host]",name=[cert-type]

My test one was:

Catalina:type=SSLHostConfigCertificate,ThreadPool="https-jsse-nio-127.0.0.1-12345",Host="_default_",name=EC

Attach to Tomcat using VisualVM or your JMX browser of choice and have a
look at what's there. You'll want to "set" the value of the attribute
"certificateKeyAlias", then call reloadSslHostConfigs.

-chris

> On Thu, Sep 10, 2020 at 4:00 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Daniel,
>
> On 9/10/20 13:33, Daniel Skiles wrote:
>>>> In this case, I didn't remove every certificate, but I did
>>>> remove the certificate that was originally being referenced
>>>> after adding a new certificate under a new alias.
>>>>
>>>> Original Keystore: Alias A
>>>> Server.xml _default_ SSLHostConfig points to Alias A
>>>>
>>>> After Modification: Alias B
>>>> Server.xml _default_ SSLHostConfig points to Alias B
>>>>
>>>> <Call reloadSslHostConfigs here>
>>>> <Receive error>
>>>>
>>>> If that's not supported, I'll see if I can keep the aliases
>>>> stable somehow. If there is a way to do it, I'd be
>>>> interested in hearing what it is.
>
> What are the real alias names? If you don't specify the key alias,
> Tomcat will use the first private key it finds in the file (which
> is essentially random, as Java keystores do not guarantee any kind
> of read-ordering).
>
> What does your <Certificate> look like in server.xml?
>
> Can you also post the actual error and complete stack trace you
> get?
>
> If you change the key's alias, you'll need to change the alias
> listed in the <Certificate> unless you are using the default
> first-key behavior.
>
> Also note that calling reloadSslHostConfigs does NOT re-read
> server.xml. It re-initializes the existing in-memory configuration.
> If you want to e.g. change the key alias, you'll have to make a JMX
> call to update the alias and THEN call reloadSslHostConfigs.
>
> -chris
>
>>>> On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>>
>>>> Daniel,
>>>>
>>>> On 9/10/20 09:09, Daniel Skiles wrote:
>>>>>>> Is it possible to change the keystore alias of the
>>>>>>> _default_ SSLHostConfig's certificate while tomcat is
>>>>>>> running?
>>>>>>>
>>>>>>> At present, I'm trying to move the _default_
>>>>>>> certificate from one certificate in my keystore, to
>>>>>>> another. I modify the server.xml, then I call the
>>>>>>> reloadSslHostConfigs MBean operation. The operation
>>>>>>> throws an error that boils down to a
>>>>>>> jsse.alias_no_key_entry error that comes back from the
>>>>>>> JVM.
>>>>>>>
>>>>>>> Is this a technical limitation on SNI/SSLHostConfig, or
>>>>>>> am I missing something here?
>>>>
>>>> Did you remove all server certificates from your keystore and
>>>> then try to bounce the connector? That's not going to work
>>>> because the connector requires a server key and certificate.
>>>>
>>>> Instead of "moving" the cert, consider copying the
>>>> certificate instead.
>>>>
>>>> -chris
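The two-step procedure Chris describes (set `certificateKeyAlias` on the SSLHostConfigCertificate MBean, then invoke `reloadSslHostConfigs`) as a small JMX client, added here as an illustration and not code from this thread or from Tomcat itself. The certificate ObjectName is the test one quoted above; the JMX service URL, the credentials, the alias names and the ObjectName of the connector's ProtocolHandler MBean (on which the example assumes `reloadSslHostConfigs` is exposed) are assumptions to be checked against your own server in VisualVM or jconsole, as Chris suggests:

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Switches the _default_ host's key alias in the running Tomcat, then reinitializes TLS config. */
public class RotateKeyAlias {

    public static void main(String[] args) throws Exception {
        // Assumed: Tomcat started with JMX remote on localhost:9010 (constructed values, not from the thread).
        String url = "service:jmx:rmi:///jndi/rmi://127.0.0.1:9010/jmxrmi";
        Map<String, Object> env = new HashMap<>();
        // Assumed credentials for com.sun.management.jmxremote.authenticate=true; placeholders only.
        env.put(JMXConnector.CREDENTIALS, new String[] {"JMX_USER_PLACEHOLDER", "JMX_PASSWORD_PLACEHOLDER"});

        // The new alias ("B" in Daniel's description); must already exist as a key entry in the keystore.
        String newAlias = args.length > 0 ? args[0] : "B";

        try (JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();

            // Certificate MBean name exactly as in Chris's test instance (ThreadPool/Host values are quoted).
            ObjectName cert = new ObjectName(
                "Catalina:type=SSLHostConfigCertificate,"
                + "ThreadPool=\"https-jsse-nio-127.0.0.1-12345\",Host=\"_default_\",name=EC");

            // Step 1: update the in-memory alias. Remember the old one so we can undo on failure.
            String oldAlias = (String) mbsc.getAttribute(cert, "certificateKeyAlias");
            mbsc.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));

            // Step 2: reinitialize the SSLHostConfigs from the (now updated) in-memory configuration.
            // Assumed ObjectName of the connector's ProtocolHandler for the same port/address.
            ObjectName handler = new ObjectName(
                "Catalina:type=ProtocolHandler,port=12345,address=\"127.0.0.1\"");
            try {
                mbsc.invoke(handler, "reloadSslHostConfigs", new Object[0], new String[0]);
                System.out.println("Key alias switched from " + oldAlias + " to " + newAlias);
            } catch (Exception reloadFailed) {
                // e.g. jsse.alias_no_key_entry if newAlias has no private key: restore the old alias
                // so the in-memory configuration still points at a usable key entry.
                mbsc.setAttribute(cert, new Attribute("certificateKeyAlias", oldAlias));
                throw reloadFailed;
            }
        }
    }
}
```

Because neither the `setAttribute` nor the reload touches server.xml, the on-disk `<Certificate certificateKeyAlias="...">` must be edited separately (as Chris notes earlier in the thread), or the connector will come back with the old alias after the next restart.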