RE: problem in starting tomcat
Here I am hs_err_pid file

From: Coty Sutherland
Sent: Tuesday, June 26, 2018 10:22 PM
To: Tomcat Users List
Subject: Re: problem in starting tomcat

On Tue, Jun 26, 2018 at 12:27 PM, Prateek Yadav wrote:

> Thanks for reply
> I already tested it for more than one machine so hardware problem can not be a case.

What happens if you don't specify that OnError call? Can you attach a fuller stack trace if not the entire hs_err_pid log (make sure there isn't anything sensitive in there)? If the JVM is crashing you should still get an hs_err_pid log, but given that the crash is in libc and we don't know what isegencore.sh is, removing it and getting a clearer stack trace would be nice.

> On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > Prateek,
> >
> > On 6/25/18 11:20 PM, Prateek wrote:
> > > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk- jdk-11(Early-Access)
> > >
> > > When I am trying to start my server I got following error as: A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE version: (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed oops, g1 gc, linux-amd64) # Problematic frame: # C [libc.so.6+0x8128a] strlen+0x2a
> >
> > Are you running any custom native code (including libtcnative)? If not, either the JVM or your hardware is to blame.
> >
> > First, I'd re-try with a release-quality JVM build instead of the "early access" build, which may have some bugs in it. If that doesn't help, it's time to look at your hardware.
> >
> > Run several rounds of memtest86+ on your hardware to see whether it finds any errors. If you find errors, you have a hardware failure in your CPU, motherboard, or memory, and you'll need to replace one or more components.
> >
> > -chris
> >
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org

#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412
#
# JRE version: (11.0+18) (build )
# Java VM: Java HotSpot(TM) 64-Bit Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C [libc.so.6+0x8128a] strlen+0x2a
#
# Core dump will be written. Default location: /localdisk/corefiles/core.%h.%e.%p
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
#

--- S U M M A R Y

Host: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz, 2 cores, 7G, Red Hat Enterprise Linux Server release 7.5 (Maipo)
Time: Tue Jun 26 03:09:07 2018 UTC elapsed time: 0 seconds (0d 0h 0m 0s)

--- T H R E A D ---

Current thread (0x01491c70): JavaThread "Unknown thread" [_thread_in_vm, id=2412, stack(0x7fffbaa16000,0x7fffbab14000)]

Stack: [0x7fffbaa16000,0x7fffbab14000], sp=0x7fffbab109b8, free space=1002k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libc.so.6+0x8128a] strlen+0x2a
V [libjvm.so+0x6030f1] ClassLoader::setup_bootstrap_search_path()+0x111
V [libjvm.so+0x60377a] classLoader_init1()+0x4a
V [libjvm.so+0x882549] init_globals()+0x39
V [libjvm.so+0xde4247] Threads::create_vm(JavaVMInitArgs*, bool*)+0x327
V [libjvm.so+0x93f652] JNI_CreateJavaVM+0x52

siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x

Registers: RAX=0x, RBX=0x, RCX=0x,
Re: Production Tomcat 8.5.5 suddenly started to give ClassNotFoundError
It turned out this problem was caused by a class constructor which started to give RuntimeException (it has some calculations based on DB data). That somehow caused ClassNotFoundException. I've solved the cause and had to reinstall tomcat (as after deleting "work" directory tomcat did not work properly).

On Mon, Jun 18, 2018 at 7:46 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Mladen,
>
> On 6/16/18 5:37 AM, Mladen Adamović wrote:
> > Hi all,
> >
> > I have a production Tomcat server and this morning it started to give strange ClassNotFoundError for stuff which was working for years without a problem.
> >
> > I did redeploy app (by copying into the dir and deleting their ROOT), but it didn't solve the issue, same ClassNotFoundException.
> >
> > On the development machine I built a new release, checked that it worked in my localhost (it worked, no ClassNotFoundException), and stopped Tomcat on the production server, moved files from work to work_1 directory (that's specified as deleting the cache), copied the new WAR files into the destination and deleted the previous files.
> >
> > It didn't still solve the issue, now I got even bigger problem JSPs which were working fine previously now they don't work?
> >
> > What could cause this problem? How to fix it (without setting again new production tomcat from scratch)?
>
> It sounds to me like a botched upgrade from a lower version (e.g. 7.0, 8.0) to 8.5 if JSPs are no longer working.
>
> Compare the following files in your environment to what Tomcat ships with out of the box:
>
> conf/context.xml
> conf/web.xml
>
> There should be no changes between what you have on your disk and what comes with Tomcat.
>
> If there are no changes, then look at your own application's WEB-INF/web.xml to see if you have somehow overridden the *.jsp mapping. Finally, look in your application's META-INF/context.xml to see if there is anything JSP-related in there. (There probably shouldn't be anything in there, but it's better to check).
>
> -chris
RE: Alias name does not identify a key entry
Ok, I worked it out. I had to extract all the intermediate certificates from the root/intermediate certificate, and import them separately. Thanks for all your help, I have it up and running now!

-Original Message-
From: Cybulski, Adam M
Sent: Tuesday, June 26, 2018 2:25 PM
To: Tomcat Users List
Subject: RE: Alias name does not identify a key entry

I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

-Original Message-
From: Cybulski, Adam M
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.

If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

No particular guide (other than the one Mark posted in reply).

To use PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.
-chris
RE: Alias name does not identify a key entry
I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

-Original Message-
From: Cybulski, Adam M
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.

If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

No particular guide (other than the one Mark posted in reply).

To use PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.
-chris
Re: Any one using Tomcat Server Side Include (SSI) support?
Mark,

On 6/26/18 1:48 PM, Mark Thomas wrote:
> Hi,
>
> I'm currently working on an old bug to improve the SSI support in Tomcat [1]. Note that the original bug dates back to 2010.
>
> I'm going to fix [1] if I can. SSI support is part of the current release and the functionality is missing.
>
> However, I got to wondering just how many folks are actually using SSI. Does it make sense to deprecate SSI support in 9.0.x and remove it in 10.0.x? It isn't a big deal to maintain support if it is required but neither do I think we should continue to maintain something no-one needs.
>
> So, is anyone using SSI in Tomcat?

+1 to deprecate-and-remove

SSI is:

1. little used
2. easy to configure insecurely
3. more conveniently-configured using another component (e.g. httpd)
4. better-implemented as a servlet/JSP/whatever

I think the Internet moved-on from SSIs around 2001. It's time Tomcat did as well.

I wouldn't object to a Tomcat sub-project for SSIs or even a non-Apache GitHub project to implement SSIs as a set of container-agnostic Filter/Servlet implementations or whatever. But I don't think it belongs in the container code anymore.
-chris
RE: Alias name does not identify a key entry
>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.

If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

No particular guide (other than the one Mark posted in reply).

To use PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris
Re: Alias name does not identify a key entry
Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.

If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

No particular guide (other than the one Mark posted in reply).

To use PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.
-chris
Any one using Tomcat Server Side Include (SSI) support?
Hi,

I'm currently working on an old bug to improve the SSI support in Tomcat [1]. Note that the original bug dates back to 2010.

I'm going to fix [1] if I can. SSI support is part of the current release and the functionality is missing.

However, I got to wondering just how many folks are actually using SSI. Does it make sense to deprecate SSI support in 9.0.x and remove it in 10.0.x? It isn't a big deal to maintain support if it is required but neither do I think we should continue to maintain something no-one needs.

So, is anyone using SSI in Tomcat?

Mark

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=53387
Re: Alias name does not identify a key entry
On 26/06/18 18:32, Cybulski, Adam M wrote:
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

http://tomcat.apache.org/presentations.html

Look for the TLS generation presentation from the 2016 webinar series.

Mark
RE: Alias name does not identify a key entry
Hi Chris, Thanks for the help,

>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

>That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.

I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

>> Any help you can give me in resolving this error is greatly appreciated.

>You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.

Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

-Original Message-
From: Christopher Schultz
Sent: Tuesday, June 26, 2018 12:14 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm unable to start the SSL connector.
>
> My connector syntax is as follows:
>
> connectionTimeout="2" redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass" keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"] java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry, Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59

The error message is correct: your alias identifies a "trusted certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509 intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.

> Any help you can give me in resolving this error is greatly appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.

Hope that helps.

-chris
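The alias mismatch diagnosed in this thread can be caught before Tomcat starts. The following is an added example, not part of any message above and not Tomcat's own code: it parses non-verbose `keytool -list` output and checks that each TLS connector's key alias names a `PrivateKeyEntry`. The function names, the sample listing (placeholder fingerprints) and the `server.xml` fragment are constructed for illustration, and the handling of nested `Certificate` elements goes beyond the single-connector case in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: aliases, dates and entry types follow the listing quoted
# in the thread; the fingerprints are placeholders, not real values.
KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
"""

# Constructed server.xml fragment reusing the attribute values from the thread.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
             secure="true" SSLEnabled="true"
             keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
             keyAlias="meg" />
</Service></Server>"""

# An entry line looks like "<alias>, <date>, <entry type>," and the date itself
# contains a comma, so anchor on the known entry types at the end of the line.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$",
    re.MULTILINE,
)


def parse_keytool_list(text):
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    # keytool stores JKS aliases in lower case, so compare case-insensitively.
    return {m["alias"].lower(): m["type"] for m in ENTRY_RE.finditer(text)}


def tls_key_aliases(server_xml):
    """Yield (port, alias or None) for every TLS-enabled Connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 8.5 accepts keyAlias on the Connector and certificateKeyAlias
        # on a nested SSLHostConfig/Certificate element.
        aliases = [conn.get("keyAlias")]
        aliases += [c.get("certificateKeyAlias") for c in conn.iter("Certificate")]
        for alias in [a for a in aliases if a] or [None]:
            yield conn.get("port"), alias


def check_aliases(server_xml, keytool_output):
    """Return one finding per configured TLS key alias."""
    entries = parse_keytool_list(keytool_output)
    usable = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    findings = []
    for port, alias in tls_key_aliases(server_xml):
        if alias is None:
            status = "unset"        # Tomcat uses the first key it reads
        else:
            kind = entries.get(alias.lower())
            if kind is None:
                status = "missing"  # no such alias in the keystore
            elif kind == "PrivateKeyEntry":
                status = "ok"
            else:
                status = "not-a-key"  # certificate only, no private key
        findings.append(
            {"port": port, "alias": alias, "status": status, "usable": usable}
        )
    return findings


if __name__ == "__main__":
    for f in check_aliases(SERVER_XML, KEYTOOL_LIST):
        print(f"port {f['port']}: keyAlias={f['alias']!r} -> {f['status']}; "
              f"PrivateKeyEntry aliases: {', '.join(f['usable']) or 'none'}")
```
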
Re: problem in starting tomcat
On Tue, Jun 26, 2018 at 12:27 PM, Prateek Yadav wrote:

> Thanks for reply
> I already tested it for more than one machine so hardware problem can not be a case.

What happens if you don't specify that OnError call? Can you attach a fuller stack trace if not the entire hs_err_pid log (make sure there isn't anything sensitive in there)? If the JVM is crashing you should still get an hs_err_pid log, but given that the crash is in libc and we don't know what isegencore.sh is, removing it and getting a clearer stack trace would be nice.

> On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > Prateek,
> >
> > On 6/25/18 11:20 PM, Prateek wrote:
> > > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk- jdk-11(Early-Access)
> > >
> > > When I am trying to start my server I got following error as: A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE version: (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed oops, g1 gc, linux-amd64) # Problematic frame: # C [libc.so.6+0x8128a] strlen+0x2a
> >
> > Are you running any custom native code (including libtcnative)? If not, either the JVM or your hardware is to blame.
> >
> > First, I'd re-try with a release-quality JVM build instead of the "early access" build, which may have some bugs in it. If that doesn't help, it's time to look at your hardware.
> >
> > Run several rounds of memtest86+ on your hardware to see whether it finds any errors. If you find errors, you have a hardware failure in your CPU, motherboard, or memory, and you'll need to replace one or more components.
> >
> > -chris
Re: problem in starting tomcat
Prateek,

On 6/26/2018 9:27 AM, Prateek Yadav wrote:
> Thanks for reply
> I already tested it for more than one machine so hardware problem can not be a case.

On 6/25/2018 8:20 PM, Prateek wrote:
> My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk- jdk-11(Early-Access)
>
> When I am trying to start my server I got following error as: A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE version: (11.0+18) (build ) #
> Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option PermSize; support was removed in 8.0
> Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option MaxPermSize; support was removed in 8.0

You are running Java 11EA but your config settings seem to be circa Java 7 (per PermSize warnings).

I second Chris' suggestion to use a well tested "release version" of the JVM, but at the very least you should try to remove all of the unnecessary config settings.

Igal
Re: problem in starting tomcat
Thanks for reply
I already tested it for more than one machine so hardware problem can not be a case.

On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Prateek,
>
> On 6/25/18 11:20 PM, Prateek wrote:
> > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> > jdk-11(Early-Access)
> >
> > When I am trying to start my server I got following error as: A
> > fatal error has been detected by the Java Runtime Environment: # #
> > SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> > version: (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> > Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> > oops, g1 gc, linux-amd64) # Problematic frame: # C
> > [libc.so.6+0x8128a] strlen+0x2a
>
> Are you running any custom native code (including libtcnative)? If
> not, either the JVM or your hardware is to blame.
>
> First, I'd re-try with a release-quality JVM build instead of the
> "early access" build, which may have some bugs in it. If that doesn't
> help, it's time to look at your hardware.
>
> Run several rounds of memtest86+ on your hardware to see whether it
> finds any errors. If you find errors, you have a hardware failure in
> your CPU, motherboard, or memory, and you'll need to replace one or
> more components.
>
> -chris
Re: Programmatically unlocking an account?
Alex,

On 6/25/18 8:49 PM, Alex O'Ree wrote:
> Actually I figured it out. It is possible via the mx bean. I'd like
> to request that the method isLocked be changed to public in a
> future version.

In spite of my affinity for JMX, I completely forgot about it in this case! Sorry for the confusion.

Presumably, you want both isLocked(String) and unlock(String) to be made public? Looks like Mark did exactly that with his latest commit.

-chris
Re: Alias name does not identify a key entry
Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm
> unable to start the SSL connector.
>
> My connector syntax is as follows:
>
> connectionTimeout="2" redirectPort="8443" /> port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
> secure="true" SSLEnabled="true"
> keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
> keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
> Keystore type: JKS Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.

Hope that helps.

-chris
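The entry-type check described in the reply above, written as a pre-start test for a connector's keyAlias. This is an added example, not part of the original thread or of Tomcat; the function names are hypothetical, and it assumes keytool's English listing format as shown in the post.

```shell
#!/bin/sh
# Constructed sample: the `keytool -list` output posted in the thread,
# with the e-mail line wraps inside the fingerprints joined.
LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82'

# entry_type ALIAS (hypothetical helper): read a keytool listing on stdin and
# print the entry type recorded for ALIAS, or nothing if the alias is absent.
# The type is the last ", "-separated field of the "alias, date, type," line;
# the date itself contains a comma, so the field count is not fixed.
# JKS stores aliases in lower case, so the comparison ignores case.
entry_type() {
    awk -F', ' -v want="$1" '
        NF >= 3 && tolower($1) == tolower(want) {
            type = $NF
            sub(/,[ \t\r]*$/, "", type)   # drop the trailing comma
            print type
            exit
        }'
}

# key_aliases: print every alias whose entry holds a private key, i.e. the
# only aliases a TLS connector can present as its server identity.
key_aliases() {
    awk -F', ' 'NF >= 3 && $NF ~ /^PrivateKeyEntry,?[ \t\r]*$/ { print $1 }'
}

# check_key_alias ALIAS: exit status 0 = usable as keyAlias,
# 1 = alias exists but holds no private key (the error in the thread),
# 2 = alias not present in the keystore at all.
check_key_alias() {
    case "$(entry_type "$1")" in
        PrivateKeyEntry) return 0 ;;
        '')              return 2 ;;
        *)               return 1 ;;
    esac
}

# Demo against the posted listing: "meg" fails, "tomcat" passes.
for alias in meg tomcat; do
    if printf '%s\n' "$LISTING" | check_key_alias "$alias"; then
        echo "keyAlias=\"$alias\": ok, PrivateKeyEntry"
    else
        echo "keyAlias=\"$alias\": not a key entry; key entries are:" \
             "$(printf '%s\n' "$LISTING" | key_aliases)"
    fi
done
```

Against a real keystore, pipe the output of `keytool -list -keystore <file>` into `check_key_alias` instead of the embedded listing.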
Re: problem in starting tomcat
Prateek,

On 6/25/18 11:20 PM, Prateek wrote:
> Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> jdk-11(Early-Access)
>
> When I am trying to start my server I got following error as: A
> fatal error has been detected by the Java Runtime Environment: # #
> SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> version: (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> oops, g1 gc, linux-amd64) # Problematic frame: # C
> [libc.so.6+0x8128a] strlen+0x2a

Are you running any custom native code (including libtcnative)? If not, either the JVM or your hardware is to blame.

First, I'd re-try with a release-quality JVM build instead of the "early access" build, which may have some bugs in it. If that doesn't help, it's time to look at your hardware.

Run several rounds of memtest86+ on your hardware to see whether it finds any errors. If you find errors, you have a hardware failure in your CPU, motherboard, or memory, and you'll need to replace one or more components.

-chris
Re: Alias name does not identify a key entry
On Tue, Jun 26, 2018 at 17:03, Cybulski, Adam M () wrote:
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm unable to
> start the SSL connector.
>
> My connector syntax is as follows:
>
> connectionTimeout="2"
> redirectPort="8443" />
>
> protocol="HTTP/1.1"
> maxThreads="150"
> scheme="https"
> secure="true"
> SSLEnabled="true"
> keystoreFile="c:\tomcat8\meg.keystore"
> keystorePass="keystorepass"
> keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize
> end point associated with ProtocolHandler ["https-openssl-nio-8443"]
> java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does
> not identify a key entry
>
> However, meg is in my keystore:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
> 6F:24:D1:59
> tomcat, Jun 25, 2018, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82
>
> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr
> -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts
> -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> Any help you can give me in resolving this error is greatly appreciated.

Hi

I guess that meg entry should be a PrivateKeyEntry (public certificate + private key), not a trustedCertEntry.

I think that meg_library_albany_edu_cert.cer only contains a public certificate.

Honestly, I use openssl to create .p12 key stores. Something like

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "meg" -CAfile MY-CA-CERT.crt -caname myCA -chain

Regards
Alias name does not identify a key entry
Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm unable to start the SSL connector.

My connector syntax is as follows:

To which I receive this error in Catalina.log:

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"] java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does not identify a key entry

However, meg is in my keystore:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1):
02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1):
72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1):
AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
84:C8:16:82

I used these steps to manage the certs:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore

keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore

Sent CSR to InCommon CA, downloaded x509 certificate, and x509 intermediates/root certificates.

keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"

keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

Any help you can give me in resolving this error is greatly appreciated.
Re: Programmatically unlocking an account?
On 26/06/18 01:49, Alex O'Ree wrote:
> Actually I figured it out. It is possible via the mx bean. I'd like to
> request that the method isLocked be changed to public in a future version.

Done in 9.0.x for 9.0.11 onwards.

Mark

> The use case is not a typical one but I'd like admins to know if a service
> account is locked out for some reason and to be able to reset it if
> necessary. The timeout is 15 minutes but the account is frequently used by
> service processes which causes the timeout to continually get reset (unless
> I am misunderstanding the code)
>
> On Mon, Jun 25, 2018, 7:13 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Alex,
>
> On 6/25/18 3:24 PM, Alex O'Ree wrote:
> Is it possible to programmatically unlock an account that's been locked via the lockoutrealm and the simple xml user store?
>
> Regardless of the user-storage mechanism, the answer is no.
>
> If so, how?
>
> Sorry.
>
> What's the use-case, here? Support gets a call saying "please unlock
> this account"? What's the lock-timeout in your environment?
>
> -chris