Hi,

The error message is not very helpful, but I think this error happens because the clientAuth in Connector has been replaced by certificateVerification in SSLHostConfig and they cannot be specified at the same time. See the following page: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

So try removing the clientAuth and set the certificateVerification to "required". I have not tried this myself though.

--
Endi S. Dewata

----- Original Message -----
> On 14.1.2019 18.06, Alexander Scheel wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Timo Aaltonen" <tjaal...@ubuntu.com>
> >> To: pki-users@redhat.com
> >> Sent: Friday, January 11, 2019 2:44:32 AM
> >> Subject: [Pki-users] Problems with java11
> >>
> >> Hi
> >>
> >> I've migrated Debian to use java11 in every component Dogtag needs, but while the tomcat instance seems to get up (to be configured), it can't be properly reached:
> >>
> >> 2019-01-10 18:00:30 pkispawn : INFO Checking server at https://sid1.leon.tyrell:8443/ca
> >> 2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
> >> 2019-01-10 18:01:56 configuration : ERROR Server failed to restart
> >>
> >> and there's this on catalina.out:
> >>
> >> WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
> >> SEVERE: Failed to initialize component [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> >> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
> >>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
> >>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
> >>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>     at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
> >>     at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
> >>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> >> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
> >>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
> >>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
> >>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
> >>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
> >>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
> >>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
> >>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> >>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
> >>     ... 13 more
> >> Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
> >>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
> >>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> >>     ... 20 more
> >>
> >> how to fix that? If this is fixed, Dogtag might finally end up in a Debian release :)
> >>
> >
> > So my 2c. on this issue -- I don't have a reproducing setup at the moment but...
> >
> > TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for TLS auth in Tomcat vs. using JSS/NSS).
> >
> > So it appears that JSSE lacks support for optional client authentication as per the error message:
> >
> >> WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
> >
> > In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth parameter, so we use the default of "want":
> >
> > https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/server.xml#L151
> > https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/util/net/jss/TomcatJSS.java#L72
> >
> > You'll probably want to ship clientAuth="true" as a work around on JDK 11+ and document that clientAuth="want" will not work for the time being. On the other hand, this ~does~ require end users to set up client authentication to access the page...
>
> Doing this (and fixing pki-migrate to not remove that setting) then resulted in this:
>
> SEVERE: End event threw exception
> java.lang.reflect.InvocationTargetException
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
>     at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
>     at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
>     at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
>     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
>     at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
>     ... 25 more
>
> WARNING: Unable to load server configuration from [/var/lib/pki/pki-tomcat/conf/server.xml]
> org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 188; columnNumber: 25; Error at (188, 25) : Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>     at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
>     at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
>     at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
>     at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
>     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
>     at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
>     at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
>     at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
>     ... 18 more
>
> SEVERE: Cannot start server. Server instance is not configured.
>
> and this is in server.xml:
>
> 182     <SSLHostConfig sslProtocol="SSL"
> 183             certificateVerification="optional"
> 184             trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
> 185         <Certificate certificateKeystoreType="pkcs11"
> 186                 certificateKeystoreProvider="Mozilla-JSS"
> 187                 certificateKeyAlias="sslserver"/>
> 188     </SSLHostConfig>
>
> > Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be released, so this issue will be fixed as JSS/NSS should support this type of optional client authentication (but will need to be tested).
>
> Any idea when that would be? Debian 10 will be frozen in a month.
>
> --
> t
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
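An added check, not code from the thread or from Dogtag: this Python script parses a server.xml and flags the two conditions the thread runs into. Connector-level SSL attributes such as clientAuth make Tomcat 8.5 register an implicit `_default_` SSLHostConfig, so an explicit `<SSLHostConfig>` under the same Connector collides with it (the "Multiple SSLHostConfig elements" error above), and `certificateVerification="optional"` is what the JSSE TLS 1.3 warning says is unsupported. The sample XML is constructed, and the attribute list is a subset of the deprecated Connector SSL attributes from the Tomcat 8.5 documentation.

```python
import xml.etree.ElementTree as ET

# Connector attributes that Tomcat 8.5 folds into an implicit _default_
# SSLHostConfig (subset of the deprecated SSL attributes in the 8.5 docs).
CONNECTOR_SSL_ATTRS = {"clientAuth", "keystoreFile", "keystorePass",
                       "sslProtocol", "truststoreFile"}
# Modes that need post-handshake client auth, which JSSE TLS 1.3 lacks.
OPTIONAL_VERIFICATION = {"optional", "optionalNoCA"}


def lint_server_xml(xml_text):
    """Return a list of findings (strings) for each Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        legacy = sorted(a for a in conn.attrib if a in CONNECTOR_SSL_ATTRS)
        hosts = set()
        for shc in conn.findall("SSLHostConfig"):
            name = shc.get("hostName", "_default_")  # Tomcat's default name
            hosts.add(name)
            mode = shc.get("certificateVerification")
            if mode in OPTIONAL_VERIFICATION:
                findings.append(f"Connector {port}: SSLHostConfig [{name}] has "
                                f"certificateVerification={mode!r}, which JSSE "
                                "with TLS 1.3 cannot honour; use 'required' or 'none'")
        # Deprecated Connector attributes create an implicit _default_ host
        # config, so an explicit one with the same name is a duplicate.
        if legacy and "_default_" in hosts:
            findings.append(f"Connector {port}: attributes {legacy} create an "
                            "implicit _default_ SSLHostConfig that collides with "
                            "the explicit one; move them into <SSLHostConfig>")
    return findings


# Constructed sample mirroring the thread: clientAuth on the Connector plus
# an explicit SSLHostConfig with optional verification (not the real file).
BROKEN_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.dogtagpki.tomcat.Http11NioProtocol"
             SSLEnabled="true" clientAuth="true">
    <SSLHostConfig sslProtocol="SSL" certificateVerification="optional"
                   trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
      <Certificate certificateKeystoreType="pkcs11"
                   certificateKeystoreProvider="Mozilla-JSS"
                   certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Same connector after the fix suggested in the reply: no Connector-level
# clientAuth, and certificateVerification="required" on the SSLHostConfig.
FIXED_XML = BROKEN_XML.replace(' clientAuth="true"', "").replace(
    'certificateVerification="optional"', 'certificateVerification="required"')
```

Running `lint_server_xml(BROKEN_XML)` yields both findings, while the fixed document yields none.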