Hi James,
Have a look at this. 
https://success.qualys.com/discussions/s/question/0D52L00004To0DUSAZ/your-ssl-server-test-incorrectly-reports-an-incomplete-chain
You might have the issue where your chain length is 1 when it should be 3. You 
may need to redo your certs.
Best Regards,
Jason Tan 
-----Original Message-----
From: James H. H. Lampert <jam...@touchtonecorp.com.INVALID> 
Sent: Thursday, May 18, 2023 10:00 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Too many certificates in chain?!? Help!

Ladies and Gentlemen:

I just had to revert a customer Tomcat server immediately after plugging in a 
new keystore.

It failed in protocol handler initialization.

   Caused by: java.lang.IllegalArgumentException: Too many certificates in chain
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
     . . .

I've never seen anything like this before. According to KeyStore Explorer 
5.4.4, the chain consists of a root, an intermediate, and the signed 
certificate for the web site. And the root and intermediate are exactly the 
same root and intermediate as the last good keystore.

Can anybody shed any light on what went wrong?

Tomorrow morning, I'm going to try plugging the keystore into a Tomcat server 
on an AS/400 in the office, to see if I can reproduce it.

--
James H. H. Lampert

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
