----- Original Message -----
> >>> The error message is not very helpful, but I think this error
> >>> happens because the clientAuth in Connector has been replaced
> >>> by certificateVerification in SSLHostConfig and they cannot be
> >>> specified at the same time. See the following page:
> >>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
> >>>
> >>> So try removing the clientAuth and set the certificateVerification
> >>> to "required". I have not tried this myself though.
> >>
> >> nope, still get the same
> >
> > Could you show me the entire Connector element and its children?
> > Make sure all attributes replaced by SSLHostConfig have been
> > deleted from the Connector element (see the above link).
>
> <Connector name="Secure"
>            port="8443"
>            protocol="org.dogtagpki.tomcat.Http11NioProtocol"
>            SSLEnabled="true"
>            scheme="https"
>            secure="true"
>            connectionTimeout="80000"
>            keepAliveTimeout="300000"
>            maxHttpHeaderSize="8192"
>            acceptCount="100"
>            maxThreads="150"
>            minSpareThreads="25"
>            enableLookups="false"
>            disableUploadTimeout="true"
>            enableOCSP="false"
>            ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
>            ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
>            ocspCacheSize="1000"
>            ocspMinCacheEntryDuration="7200"
>            ocspMaxCacheEntryDuration="14400"
>            ocspTimeout="10"
>            strictCiphers="true"
>            sslVersionRangeStream="tls1_1:tls1_2"
>            sslVersionRangeDatagram="tls1_1:tls1_2"
>            sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>            serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
>            passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>            passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>            certdbDir="/var/lib/pki/pki-tomcat/alias">
>
>     <SSLHostConfig sslProtocol="SSL"
>                    certificateVerification="required"
>                    trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>         <Certificate certificateKeystoreType="pkcs11"
>                      certificateKeystoreProvider="Mozilla-JSS"
>                      certificateKeyAlias="sslserver"/>
>     </SSLHostConfig>
>
> </Connector>
>
> I don't see what should be dropped from Connector...
Are you getting this error:

    java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry

or this error?

    java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.

If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot find the SSL server certificate. We may not have a solution since we do not support Java 11 yet.

If it's the second one, that message is coming from Tomcat when validating the server.xml. Is certificateVerification the only thing you changed in that file? You might want to try adding defaultSSLHostConfigName to Connector and hostName to SSLHostConfig, but I'm really not sure what's going on. See also this page:

https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multiple-sslhostconfig-elements-were-provided-for-the-ho

    If you put any of these deprecated attributes in the Connector directive, tomcat assumes you are using the old way and auto creates a SSLHostConfig itself, which then conflicts with the one you are creating.

--
Endi S. Dewata

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
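As an added example (not code from the thread, from Dogtag PKI or from Tomcat), here is a small Python check for the conflict Endi describes: it parses a server.xml, lists the pre-8.5 TLS attributes still sitting on an SSLEnabled Connector, says where each one belongs in the SSLHostConfig model, and reports when the SSLHostConfig that Tomcat synthesizes from those attributes would collide with an explicit one under the same host name, which is the "Multiple SSLHostConfig elements" startup error quoted above. The attribute set and the move table are reproduced from memory of the Tomcat 8.5 http.html page linked in the thread and should be treated as an assumption; the authoritative list is that page. The Dogtag/JSS-specific attributes in the posted Connector (sslRangeCiphers, strictCiphers, the ocsp* settings, certdbDir, passwordFile) are handled by the org.dogtagpki protocol handler and are intentionally not in the set. Both server.xml fragments in the block are constructed.

```python
"""Lint a Tomcat 8.5 server.xml for SSLEnabled Connectors that still carry
pre-8.5 TLS attributes alongside an explicit <SSLHostConfig> child.

Added example for the pki-users thread above; not Dogtag or Tomcat code.
Assumption: the two tables below are reproduced from memory of the Tomcat 8.5
HTTP Connector documentation and may be incomplete; check that page.
"""
import json
import sys
import xml.etree.ElementTree as ET

# Connector attributes that make Tomcat 8.5 treat the Connector as "old
# style" and synthesize an implicit SSLHostConfig for the default host name.
DEPRECATED_CONNECTOR_TLS_ATTRS = {
    "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "useServerCipherSuitesOrder", "sessionCacheSize", "sessionTimeout",
    "keyAlias", "keyPass", "keystoreFile", "keystorePass", "keystoreType",
    "keystoreProvider", "truststoreFile", "truststorePass", "truststoreType",
    "truststoreProvider", "trustManagerClassName", "crlFile",
}

# Where each old attribute lives in the SSLHostConfig model (assumption).
MOVE_TO = {
    "clientAuth": "SSLHostConfig/@certificateVerification",
    "sslProtocol": "SSLHostConfig/@sslProtocol",
    "sslEnabledProtocols": "SSLHostConfig/@protocols",
    "ciphers": "SSLHostConfig/@ciphers",
    "trustManagerClassName": "SSLHostConfig/@trustManagerClassName",
    "truststoreFile": "SSLHostConfig/@truststoreFile",
    "truststorePass": "SSLHostConfig/@truststorePassword",
    "keyAlias": "SSLHostConfig/Certificate/@certificateKeyAlias",
    "keystoreFile": "SSLHostConfig/Certificate/@certificateKeystoreFile",
    "keystorePass": "SSLHostConfig/Certificate/@certificateKeystorePassword",
    "keystoreType": "SSLHostConfig/Certificate/@certificateKeystoreType",
}

# clientAuth took true/want/false; certificateVerification takes
# required/optional/none.
CLIENT_AUTH_VALUES = {"true": "required", "want": "optional", "false": "none"}


def lint_connectors(server_xml: str) -> list:
    """Return a list of finding dicts for every SSLEnabled Connector.

    kind == "deprecated-attribute": old-style attribute still on the Connector,
        with the SSLHostConfig location and translated value to move it to.
    kind == "duplicate-hostname": two SSLHostConfig entries (explicit, or the
        one Tomcat builds from old-style attributes) would share a host name.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        default_name = conn.get("defaultSSLHostConfigName", "_default_")
        old_style = sorted(a for a in conn.attrib if a in DEPRECATED_CONNECTOR_TLS_ATTRS)
        # Host names of the explicit SSLHostConfig children (direct children only).
        host_names = [h.get("hostName", default_name) for h in conn.findall("SSLHostConfig")]
        if old_style:
            host_names.append(default_name)  # the implicit one Tomcat would add
        for name in sorted(set(host_names)):
            if host_names.count(name) > 1:
                findings.append({"port": port, "kind": "duplicate-hostname",
                                 "hostName": name, "caused_by_old_style": bool(old_style)})
        for attr in old_style:
            value = conn.get(attr)
            if attr == "clientAuth":
                value = CLIENT_AUTH_VALUES.get(value.lower(), value)
            findings.append({"port": port, "kind": "deprecated-attribute", "attr": attr,
                             # fallback: same name on SSLHostConfig; verify in the docs
                             "move_to": MOVE_TO.get(attr, "SSLHostConfig/@" + attr),
                             "value": value})
    return findings


# Constructed sample 1: pre-8.5 attributes on the Connector *and* an explicit
# SSLHostConfig, the shape that yields the duplicate [_default_] error.
MIXED_STYLE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS">
    <SSLHostConfig certificateVerification="required">
      <Certificate certificateKeystoreFile="conf/server.jks"
                   certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample 2: every TLS setting moved into SSLHostConfig, which is
# what the advice in the thread amounts to.
FIXED = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="TLS" certificateVerification="required">
      <Certificate certificateKeystoreFile="conf/server.jks"
                   certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    # Usage: python lint_sslhostconfig.py /var/lib/pki/pki-tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MIXED_STYLE
    for finding in lint_connectors(text):
        print(json.dumps(finding))
```

Run it against the constructed sample and it reports one duplicate-hostname finding for `_default_` plus a move hint for each of `clientAuth` (true becomes `certificateVerification="required"`) and `sslProtocol`; the fixed fragment produces no findings. The check is static only: it cannot tell you whether the `sslserver` alias actually resolves in the JSS/PKCS #11 keystore, which is the other error Endi asks about.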