Hi James,

Have a look at this.
https://success.qualys.com/discussions/s/question/0D52L00004To0DUSAZ/your-ssl-server-test-incorrectly-reports-an-incomplete-chain

You might have the issue where your chain length is 1 when it should be 3.
You may need to redo your certs.

Best Regards,
Jason Tan

-----Original Message-----
From: James H. H. Lampert <jam...@touchtonecorp.com.INVALID>
Sent: Thursday, May 18, 2023 10:00 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Too many certificates in chain?!? Help!

Ladies and Gentlemen:

I just had to revert a customer Tomcat server immediately after plugging in a new keystore. It failed in protocol handler initialization.

Caused by: java.lang.IllegalArgumentException: Too many certificates in chain
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
    . . .

I've never seen anything like this before. According to KeyStore Explorer 5.4.4, the chain consists of a root, an intermediate, and the signed certificate for the web site. And the root and intermediate are exactly the same root and intermediate as the last good keystore.

Can anybody shed any light on what went wrong?

Tomorrow morning, I'm going to try plugging the keystore into a Tomcat server on an AS/400 in the office, to see if I can reproduce it.

--
James H. H. Lampert