Chris,

Now this is taking a weird direction…

> On 30.07.2019 at 16:57, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Peter,
>
> On 7/30/19 05:19, logo wrote:
>> Hi Chris,
>>
>> I am also trying to figure this out and get to the same error.
>>
>>> On 25.07.2019 at 17:53, Joseph Dornisch <kingcanut...@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> I have a CRL configured in my tomcat server configuration. If I
>>> update it and want to have Tomcat refresh it, I can log in to
>>> https://127.0.0.1/manager/html and click the "Re-read" button
>>> under "Configuration->Re-read TLS configuration files" and this
>>> causes my CRL to be reread. It works great.
>>>
>>> However, I have read here, "
>>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encr
>
> <snip>
>
>> If I query with the jmxproxy-Servlet I get to
>> Catalina:type=ProtocolHandler,port=8443, but I cannot figure out
>> the necessary address. How can I find it? Once I add an address
>> (127.0.0.1, localhost or DNSs...), I get exactly "OK - Number of
>> results: 0". That may be the cause of the above
>> java.lang.NullPointerException.
>>
>> If I omit the address I get a detailed stacktrace, with all
>> sorts of IO exceptions/Illegal argument exceptions that relate to
>> the actual code of AbstractJsseEndpoint/AbstractEndpoint and
>> reloadSslHostConfigs.
>>
>> Could you please help us here? If I only want to reload one
>> specific HostConfig, how do I set the hostname parameter?
>>
>> I looked at your letsencrypt script
>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/lets-encrypt-renew.sh,
>> but that requires the address already as a parameter...
>
> The best thing to do is connect with a JMX client such as VisualVM or
> perhaps one that your IDE provides. If you connect, you can see what
> JMX paths are actually available instead of just guessing at them.
>
> Use the screenshots in the Let's Encrypt presentation (and possibly
> the related screenshots in the "Monitoring Apache Tomcat with JMX"
> presentation as well) to help you find the correct protocol handler path.

I used jconsole to get to the ProtocolHandler. There is an error opening the panel

"Error setting Operation panel :org.apache.tomcat.util.net.SSLHostConfig"

And if I reload the SSLHostConfigs with the panel button I get the IllegalStateException - again.

Now before you ask, there is my config:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               allowTrace="false"
               maxThreads="150"
               SSLEnabled="true"
               compression="off"
               scheme="https"
               server="Apache Tomcat"
               secure="true"
               defaultSSLHostConfigName="host1" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
        <SSLHostConfig hostName="host2"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       protocols="TLSv1.2+TLSv1.3"
                       ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                         certificateKeystorePassword="<redacted>"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="host3"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       protocols="TLSv1.2+TLSv1.3"
                       ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                         certificateKeystorePassword="<redacted>"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="host4"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       protocols="TLSv1.2+TLSv1.3"
                       ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                         certificateKeystorePassword="<redacted>"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="host5"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       protocols="TLSv1.2+TLSv1.3"
                       ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                         certificateKeystorePassword="<redacted>"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="host1"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
                       truststorePassword="<redacted>"
                       protocols="TLSv1.2+TLSv1.3"
                       ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts2"
                         certificateKeystorePassword="<redacted>"
                         certificateKeyAlias="docker"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Any idea why?

Thanks

Peter

> -chris
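
Added example (not from the thread or from the Tomcat project): a small JMX client that lists the ProtocolHandler names actually registered, using a wildcard pattern instead of guessing whether the name carries an address key, and shows which reloadSsl* operations each one exposes. Run without arguments it queries two constructed stand-in MBeans (port 8080 and the quoted address are sample values); given a JMX service URL as first argument it queries that server, assuming remote JMX is enabled there and needs no credentials.

```java
import java.lang.management.ManagementFactory;
import java.util.TreeSet;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class FindProtocolHandlers {
    // Constructed stand-in for a connector MBean, used only when no URL is given.
    public interface StubMBean {
        void reloadSslHostConfigs();
        void reloadSslHostConfig(String hostName);
    }
    public static class Stub implements StubMBean {
        public void reloadSslHostConfigs() { }
        public void reloadSslHostConfig(String hostName) { }
    }

    // Print every registered ProtocolHandler name and its reloadSsl* operations.
    static int list(MBeanServerConnection mbs) throws Exception {
        ObjectName pattern = new ObjectName("Catalina:type=ProtocolHandler,*");
        int found = 0;
        for (ObjectName name : new TreeSet<>(mbs.queryNames(pattern, null))) {
            System.out.println(name);
            for (MBeanOperationInfo op : mbs.getMBeanInfo(name).getOperations()) {
                if (op.getName().startsWith("reloadSsl")) {
                    System.out.println("  " + op.getName() + ", parameters: " + op.getSignature().length);
                }
            }
            found++;
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) { // e.g. service:jmx:rmi:///jndi/rmi://HOST:PORT/jmxrmi
            try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(args[0]))) {
                list(c.getMBeanServerConnection());
            }
            return;
        }
        MBeanServer local = ManagementFactory.getPlatformMBeanServer();
        local.registerMBean(new Stub(), new ObjectName("Catalina:type=ProtocolHandler,port=8443"));
        local.registerMBean(new Stub(), new ObjectName(
                "Catalina:type=ProtocolHandler,port=8080,address=" + ObjectName.quote("127.0.0.1")));
        list(local); // lists both names; only the second carries an address key
    }
}
```

The exact name printed for a connector, including any quoting of the address value, is the string to pass to jmxproxy or another JMX client when invoking the reload operation.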