Chuck,

The tomcat keystore was the wrong file. Thanks for the hint. I had a tomcat.keystore and a keystore.tomcat. Better naming would have avoided the embarrassment of using a user-group.

Thanks for the assistance and your time

Chip

> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 8 May 2011 10:08:23 -0500
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert
>
> > From: chip chipper [mailto:chipper7...@hotmail.com]
> > Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
>
> > May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule
> > begin
> > WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'maxSpareThreads' to '75' did not find a matching property.
>
> Read the Tomcat 7 doc - there is no maxSpareThreads attribute for a
> <Connector>.
>
> > May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule
> > begin
> > WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'liveDeploy' to 'false' did not find a matching property.
>
> Ditto for liveDeploy on a <Host>.
>
> > May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule
> > begin
> > WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting
> > property 'debug' to '1' did not find a matching property.
>
> Ditto for debug on a <Context>.
>
> Looks like you have grabbed an ancient server.xml and tried to use it with
> Tomcat 7 - you simply can't do that. Read the Tomcat 7 configuration guide
> and set what you need properly.
>
> > May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler
> > ["http-bio-8443"]
> > java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
>
> > My understanding of this is that there is an ASN.1 encoding error.
> > The length is bigger than expected.
>
> Can you examine the certificates using keytool and see what it thinks of them?
>
> > keytool ... -keystore mykeystore
> >
> > openssl ... -out keystore.tomcat
> >
> > keytool ... -keystore tomcat.keystore
>
> I count three different keystore names here; which are we to believe?
>
> > <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> > port="8443" maxThreads="200"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="C:/cert/my.keystore" keystorePass="changeit"
> > clientAuth="false" sslProtocol="TLS"/>
>
> And a fourth keystore name here.
>
> Also, what you have above does not correspond with the maxSpareThreads error
> message displayed in the log. Either you're confusing everyone by reporting
> one set of log entries along with an unrelated config, or you're not running
> the config you think you are. It would be useful if you posted your entire
> server.xml file, with comments removed.
>
> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="off" />
>
> You can't run APR with JSSE handling the SSL negotiation, so turning
> SSLEngine off is not useful. Besides, you don't appear to have the
> tcnative-1.dll installed, and you've forced use of the BIO connector, so
> changing the AprLifeCycleListener is ineffective.
>
> - Chuck
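
Added example, not part of the thread and not Tomcat or JDK code: a Python sketch that identifies a keystore file by its leading bytes and replays the DER length rule on them. It shows that a JKS file read as DER yields the same `lengthTag=109, too big.` text as the log quoted above; the four-octet limit and the sample headers are assumptions constructed for illustration.

```python
# Added example: classify a keystore file by its leading bytes and replay
# the DER length check behind "lengthTag=109, too big.".
JKS_MAGIC = bytes.fromhex("feedfeed")    # Java KeyStore (JKS) magic number
JCEKS_MAGIC = bytes.fromhex("cececece")  # JCEKS magic number
MAX_LEN_OCTETS = 4  # assumption: the parser accepts at most 4 length octets

def sniff_format(head: bytes) -> str:
    """Guess the container format from the first bytes of a file."""
    if head.startswith(JKS_MAGIC):
        return "JKS"
    if head.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if head.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if head[:1] == b"\x30":  # DER SEQUENCE tag: PKCS#12 or a DER certificate
        return "DER"
    return "unknown"

def der_length(head: bytes):
    """Decode the DER length after the tag byte: (length, None) or (None, error)."""
    if len(head) < 2:
        return None, "truncated input"
    first = head[1]
    if first & 0x80 == 0:      # short form: the byte itself is the length
        return first, None
    count = first & 0x7F       # long form: number of length octets that follow
    if count == 0:
        return None, "indefinite length is not valid DER"
    if count > MAX_LEN_OCTETS:
        return None, f"lengthTag={count}, too big."
    octets = head[2:2 + count]
    if len(octets) < count:
        return None, "truncated length"
    return int.from_bytes(octets, "big"), None

def diagnose(head: bytes) -> str:
    """Report the sniffed format and what a DER parser would say about it."""
    length, err = der_length(head)
    return f"{sniff_format(head)}: " + (err if err else f"DER length {length}")

# Constructed sample headers (not taken from the files in the thread).
SAMPLES = {
    "jks": JKS_MAGIC + bytes.fromhex("00000002"),  # magic + version 2
    "p12": bytes.fromhex("30820a3a020103"),        # SEQUENCE, 2-octet length
    "pem": b"-----BEGIN CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", diagnose(head))
```

The second byte of the JKS magic number is 0xED, and 0xED with the high bit cleared is 109, so this error text points at a keystore file whose format does not match what the parser was told to expect.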