Chris,

Now this is taking a weird direction…


> On 30.07.2019 at 16:57, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Peter,
> 
> On 7/30/19 05:19, logo wrote:
>> Hi Chris,
>> 
>> I am also trying to figure this out and get to the same error.
>> 
>>> On 25.07.2019 at 17:53, Joseph Dornisch
>>> <kingcanut...@gmail.com> wrote:
>>> 
>>> Hello,
>>> 
>>> I have a CRL configured in my tomcat server configuration. If I
>>> update it and want to have Tomcat refresh it, I can login into 
>>> https://127.0.0.1/manager/html and click
>>> the "Re-read" button
>>> under "Configuration->Re-read TLS configuration files" and this
>>> causes my CRL to be reread. It works great.
>>> 
>>> However, I have read here, "
>>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encr


<snip>


>> If I query with the jmxproxy-Servlet I get to 
>> Catalina:type=ProtocolHandler,port=8443, but I cannot figure out
>> the necessary address. How can I find it? Once I add an address
>> (127.0.0.1, localhost or DNSs...) , I get exactly "OK - Number of
>> results: 0". That may be the cause of the above
>> java.lang.NullPointerException.
>> 
>> If I omit the address it I get a detailed stacktrace, with all
>> sorts of IO exceptions/Illegal argument exceptions that relate to
>> the actual code of AbstractJsseEndpoint/AbstractEndpoint and
>> reloadSslHostConfigs.
>> 
>> Could you please help us here? If I only want to reload one
>> specific HostConfig, how do I set the hostname parameter?
>> 
>> I looked at your letsencrypt script
>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/lets-encrypt-renew.sh,
>> but that requires the address already as a parameter...
> 
> The best thing to do is connect with a JMX client such as VisualVM or
> perhaps one that your IDE provides. If you connect, you can see what
> JMX paths are actually available instead of just guessing at them.
> 
> Use the screenshots in the Let's Encrypt presentation (and possibly
> the related screenshots in the "Monitoring Apache Tomcat with JMX"
> presentation as well) to help you find the correct protocol handler path.
> 

I used jconsole to get to the ProtocolHandler. There is an error opening the
panel:
"Error setting Operation panel :org.apache.tomcat.util.net.SSLHostConfig"

And if I reload the SSLHostConfigs with the panel button I get the 
IllegalStateException - again.

Now before you ask, here is my config:

<Connector port="8443"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  allowTrace="false"
  maxThreads="150"
  SSLEnabled="true"
  compression="off"
  scheme="https"
  server="Apache Tomcat"
  secure="true"
  defaultSSLHostConfigName="host1" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
  <SSLHostConfig
    hostName="host2"
    honorCipherOrder="true"
    certificateVerification="none"
    protocols="TLSv1.2+TLSv1.3"
    ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
    certificateKeystorePassword="<redacted>"
    certificateKeyAlias="tomcat"
    type="RSA" />
  </SSLHostConfig>
  <SSLHostConfig
    hostName="host3"
    honorCipherOrder="true"
    certificateVerification="none"
    protocols="TLSv1.2+TLSv1.3"
    ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
    certificateKeystorePassword="<redacted>"
    certificateKeyAlias="tomcat"
    type="RSA" />
  </SSLHostConfig>
  <SSLHostConfig
    hostName="host4"
    honorCipherOrder="true"
    certificateVerification="none"
    protocols="TLSv1.2+TLSv1.3"
    ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
    certificateKeystorePassword="<redacted>"
    certificateKeyAlias="tomcat"
    type="RSA" />
  </SSLHostConfig>
  <SSLHostConfig
    hostName="host5"
    honorCipherOrder="true"
    certificateVerification="none"
    protocols="TLSv1.2+TLSv1.3"
    ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
    certificateKeystorePassword="<redacted>"
    certificateKeyAlias="tomcat"
    type="RSA" />
  </SSLHostConfig>
  <SSLHostConfig
    hostName="host1"
    honorCipherOrder="true"
    certificateVerification="none"
    truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
    truststorePassword="<redacted>"
    protocols="TLSv1.2+TLSv1.3"
    ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts2"
    certificateKeystorePassword="<redacted>"
    certificateKeyAlias="docker"
    type="RSA" />
  </SSLHostConfig>
</Connector>

Any idea why?

Thanks

Peter
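As an added example (not code from the thread, from Chris's renew script or from Tomcat), a small Python helper that builds the jmxproxy requests discussed above and classifies the servlet's replies, so a zero-result query is caught before any reload is attempted. It assumes the jmxproxy servlet's qry=, invoke=, op= and ps= parameters, the manager URL from the thread, Tomcat's convention of adding a quoted address key to the ProtocolHandler MBean name only when the Connector declares an address attribute, and the per-host operation name reloadSslHostConfig(hostName).

```python
"""Tomcat jmxproxy helpers for re-reading SSLHostConfigs (added example, not
code from the thread or from Tomcat; assumes the servlet's qry=, invoke=, op=
and ps= parameters and Tomcat's ProtocolHandler MBean naming)."""
import re
from urllib.parse import urlencode

MANAGER = "https://127.0.0.1/manager/jmxproxy/"  # manager URL from the thread


def protocol_handler_name(port, address=None):
    """ObjectName of a Connector's ProtocolHandler MBean. Tomcat appends a
    quoted address key only when the Connector declares an address attribute,
    so for the Connector in the thread there is no address key at all."""
    name = f"Catalina:type=ProtocolHandler,port={port}"
    if address:
        name += f',address="{address}"'
    return name


def discovery_url():
    """Wildcard query that lists every ProtocolHandler MBean name verbatim."""
    return MANAGER + "?" + urlencode({"qry": "Catalina:type=ProtocolHandler,*"})


def reload_url(port, address=None, host_name=None):
    """Invoke reloadSslHostConfigs(), or, with host_name, the per-host
    reloadSslHostConfig(hostName) (assumed name) passing hostName via ps=."""
    params = {"invoke": protocol_handler_name(port, address)}
    if host_name:
        params.update(op="reloadSslHostConfig", ps=host_name)
    else:
        params["op"] = "reloadSslHostConfigs"
    return MANAGER + "?" + urlencode(params)


def parse_reply(text):
    """Classify a reply as (ok, result_count); the servlet prefixes every
    reply with 'OK - ' or 'Error - ', and queries report a result count."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if first.startswith("Error - "):
        return False, None
    m = re.match(r"OK - Number of results: (\d+)", first)
    if m:
        return True, int(m.group(1))
    return first.startswith("OK - "), None


# Constructed replies (not captured from a server) in the servlet's format.
REPLY_NO_MATCH = "OK - Number of results: 0\n"
REPLY_MATCH = "OK - Number of results: 1\n\nName: Catalina:type=ProtocolHandler,port=8443\n"
```

Run discovery_url() first and copy the Name line from the reply into the invoke parameter; a "Number of results: 0" reply means the name (usually the address key) does not match what Tomcat registered.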

> - -chris