> In your case, where did you rediscover reloadSslHostConfigs?

To be honest, I wandered around in the JMX console until I found something that looked promising.

> You'll want to "set" the value of the attribute "certificateKeyAlias".

Thank you for your help. I'll give that a try.

On Fri, Sep 11, 2020 at 9:44 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 9/10/20 16:39, Daniel Skiles wrote:
> > > Also note that calling reloadSslHostConfigs does NOT re-read server.xml. It re-initializes the existing in-memory configuration. If you want to e.g. change the key alias, you'll have to make a JMX call to update the alias and THEN call reloadSslHostConfigs.
> >
> > *THAT* is probably my problem.
>
> Perhaps that method could have a better name, like reinitializeSSLHostConfigs. "reload" implies that it re-reads the server.xml, which is not the case. At least the documentation should probably be better.
>
> In your case, where did you rediscover reloadSslHostConfigs?
>
> > Do you know which MBean and operation that is?
>
> It's this (you'll have to interpolate a bit of this to fit your environment):
>
> Catalina:type=SSLHostConfigCertificate,ThreadPool="https-[cryptoimpl]-[ioimpl]-[addr]-[port]",Host="[host]",name=[cert-type]
>
> My test one was:
>
> Catalina:type=SSLHostConfigCertificate,ThreadPool="https-jsse-nio-127.0.0.1-12345",Host="_default_",name=EC
>
> Attach to Tomcat using VisualVM or your JMX browser of choice and have a look at what's there. You'll want to "set" the value of the attribute "certificateKeyAlias", then call reloadSslHostConfigs.
>
> -chris
>
> > On Thu, Sep 10, 2020 at 4:00 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > > Daniel,
> > >
> > > On 9/10/20 13:33, Daniel Skiles wrote:
> > > > In this case, I didn't remove every certificate, but I did remove the certificate that was originally being referenced after adding a new certificate under a new alias.
> > > >
> > > > Original Keystore: Alias A
> > > > Server.xml _default_ SSLHostConfig points to Alias A
> > > >
> > > > After Modification: Alias B
> > > > Server.xml _default_ SSLHostConfig points to Alias B
> > > >
> > > > <Call reloadSslHostConfigs here>
> > > > <Receive error>
> > > >
> > > > If that's not supported, I'll see if I can keep the aliases stable somehow. If there is a way to do it, I'd be interested in hearing what it is.
> > >
> > > What are the real alias names? If you don't specify the key alias, Tomcat will use the first private key it finds in the file (which is essentially random, as Java keystores do not guarantee any kind of read-ordering).
> > >
> > > What does your <Certificate> look like in server.xml?
> > >
> > > Can you also post the actual error and complete stack trace you get?
> > >
> > > If you change the key's alias, you'll need to change the alias listed in the <Certificate> unless you are using the default first-key behavior.
> > >
> > > Also note that calling reloadSslHostConfigs does NOT re-read server.xml. It re-initializes the existing in-memory configuration. If you want to e.g. change the key alias, you'll have to make a JMX call to update the alias and THEN call reloadSslHostConfigs.
> > >
> > > -chris
> > >
> > > > On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> > > >
> > > > > Daniel,
> > > > >
> > > > > On 9/10/20 09:09, Daniel Skiles wrote:
> > > > > > Is it possible to change the keystore alias of the _default_ SSLHostConfig's certificate while tomcat is running?
> > > > > >
> > > > > > At present, I'm trying to move the _default_ certificate from one certificate in my keystore, to another. I modify the server.xml, then I call the reloadSslHostConfigs MBean operation. The operation throws an error that boils down to a jsse.alias_no_key_entry error that comes back from the JVM.
> > > > > >
> > > > > > Is this a technical limitation on SNI/SSLHostConfig, or am I missing something here?
> > > > >
> > > > > Did you remove all server certificates from your keystore and then try to bounce the connector? That's not going to work because the connector requires a server key and certificate.
> > > > >
> > > > > Instead of "moving" the cert, consider copying the certificate instead.
> > > > >
> > > > > -chris
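The two-step procedure Chris describes (set `certificateKeyAlias` on the `SSLHostConfigCertificate` MBean, then call `reloadSslHostConfigs`) as a small JMX client. This is an added example, not code from the thread or from Tomcat. It assumes the JMX remote port is enabled with password authentication, that the keystore file is readable on the machine running the tool (it checks up front that the new alias is a private-key entry, which is the condition behind the `jsse.alias_no_key_entry` error in the thread), and that `reloadSslHostConfigs` is exposed on the `Catalina:type=ProtocolHandler,port=<port>` MBean; confirm that last MBean name in your own JMX browser, as the thread only names the certificate MBean.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Switch the key alias of the _default_ SSLHostConfig certificate at runtime:
 * set certificateKeyAlias on the SSLHostConfigCertificate MBean (name pattern
 * from the thread), then invoke reloadSslHostConfigs. server.xml is not read
 * by the reload, so it is also not written here; update it separately.
 *
 * Assumptions (not from the thread): password-authenticated JMX remote port,
 * keystore readable locally, reloadSslHostConfigs lives on the
 * Catalina:type=ProtocolHandler,port=<port> MBean.
 */
public class TomcatKeyAliasSwitch {

    public static void main(String[] args) throws Exception {
        if (args.length != 8) {
            System.err.println("usage: TomcatKeyAliasSwitch <jmxHost> <jmxPort> <jmxUser> <jmxPass>"
                    + " <keystorePath> <keystorePass> <connectorPort> <newAlias>");
            System.exit(2);
        }
        String jmxHost = args[0], jmxPort = args[1], jmxUser = args[2], jmxPass = args[3];
        String ksPath = args[4], ksPass = args[5], connectorPort = args[6], newAlias = args[7];

        // 1. Pre-flight: the alias must name a private-key entry. A trustedCertEntry
        //    or a missing alias is exactly what produces jsse.alias_no_key_entry.
        if (!isPrivateKeyEntry(ksPath, ksPass.toCharArray(), newAlias)) {
            System.err.println("alias '" + newAlias + "' is not a key entry in " + ksPath);
            System.exit(1);
        }

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + jmxHost + ":" + jmxPort + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { jmxUser, jmxPass });

        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();

            // 2. Locate the certificate MBean for this connector's _default_ host.
            ObjectName cert = findDefaultCertificate(mbsc, connectorPort);
            Object oldAlias = mbsc.getAttribute(cert, "certificateKeyAlias");
            System.out.println(cert + "\n  certificateKeyAlias: " + oldAlias + " -> " + newAlias);

            // 3. Update the in-memory configuration only.
            mbsc.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));

            // 4. Re-initialise the SSLHostConfigs from the updated in-memory state
            //    (assumed MBean; check the name in VisualVM if this query finds nothing).
            Set<ObjectName> handlers = mbsc.queryNames(
                    new ObjectName("Catalina:type=ProtocolHandler,port=" + connectorPort + ",*"), null);
            if (handlers.isEmpty()) {
                throw new IllegalStateException("no ProtocolHandler MBean for port " + connectorPort);
            }
            for (ObjectName h : handlers) {
                mbsc.invoke(h, "reloadSslHostConfigs", new Object[0], new String[0]);
                System.out.println("reloadSslHostConfigs invoked on " + h);
            }

            // 5. Read back what Tomcat now holds.
            System.out.println("  now: " + mbsc.getAttribute(cert, "certificateKeyAlias"));
        }
    }

    /** True only if alias exists and is a key entry (private key + chain). */
    static boolean isPrivateKeyEntry(String path, char[] pass, String alias) throws Exception {
        // JDK 9+ default type is PKCS12 and, with keystore.type.compat=true, also loads JKS.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks.isKeyEntry(alias);
    }

    /** Matches Catalina:type=SSLHostConfigCertificate,ThreadPool="https-...-<port>",Host="_default_",name=<type>. */
    static ObjectName findDefaultCertificate(MBeanServerConnection mbsc, String port) throws Exception {
        Set<ObjectName> names = mbsc.queryNames(
                new ObjectName("Catalina:type=SSLHostConfigCertificate,*"), null);
        ObjectName found = null;
        for (ObjectName n : names) {
            String pool = unquote(n.getKeyProperty("ThreadPool"));
            String host = unquote(n.getKeyProperty("Host"));
            if (pool != null && pool.endsWith("-" + port) && "_default_".equals(host)) {
                if (found != null) { // e.g. both name=RSA and name=EC on one host
                    throw new IllegalStateException("several certificates for port " + port
                            + " (" + found + ", " + n + "); filter on name= before setting the alias");
                }
                found = n;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no SSLHostConfigCertificate MBean for port " + port);
        }
        return found;
    }

    /** Tomcat quotes these key values; getKeyProperty returns them with the quotes still on. */
    static String unquote(String v) {
        return (v != null && v.length() >= 2 && v.startsWith("\"") && v.endsWith("\""))
                ? ObjectName.unquote(v) : v;
    }
}
```

Two operational notes. First, after the reload, confirm from outside that the connector really presents the new certificate (for example `openssl s_client -connect host:port -servername host` and compare the leaf's fingerprint to the one under the new alias), and then make the same alias change in `server.xml`, since the reload does not read it and the next restart would otherwise revert to the old alias. Second, this tool needs a JMX endpoint that can change the TLS identity of the server, so keep that port bound to a management interface with authentication and `com.sun.management.jmxremote.ssl=true`; an unauthenticated JMX port lets anyone perform this same alias switch.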