On 15.1.2019 21.03, Endi Sukma Dewata wrote:
> ----- Original Message -----
>>>>> The error message is not very helpful, but I think this error
>>>>> happens because the clientAuth in Connector has been replaced
>>>>> by certificateVerification in SSLHostConfig and they cannot be
>>>>> specified at the same time. See the following page:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>>
>>>>> So try removing the clientAuth and set the certificateVerification
>>>>> to "required". I have not tried this myself though.
>>>>
>>>> nope, still get the same
>>>
>>> Could you show me the entire Connector element and its children?
>>> Make sure all attributes replaced by SSLHostConfig have been
>>> deleted from the Connector element (see the above link).
>>
>> <Connector name="Secure"
>>     port="8443"
>>     protocol="org.dogtagpki.tomcat.Http11NioProtocol"
>>     SSLEnabled="true"
>>     scheme="https"
>>     secure="true"
>>     connectionTimeout="80000"
>>     keepAliveTimeout="300000"
>>     maxHttpHeaderSize="8192"
>>     acceptCount="100"
>>     maxThreads="150"
>>     minSpareThreads="25"
>>     enableLookups="false"
>>     disableUploadTimeout="true"
>>     enableOCSP="false"
>>     ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
>>     ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
>>     ocspCacheSize="1000"
>>     ocspMinCacheEntryDuration="7200"
>>     ocspMaxCacheEntryDuration="14400"
>>     ocspTimeout="10"
>>     strictCiphers="true"
>>     sslVersionRangeStream="tls1_1:tls1_2"
>>     sslVersionRangeDatagram="tls1_1:tls1_2"
>>     sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>>     serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
>>     passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>>     passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>>     certdbDir="/var/lib/pki/pki-tomcat/alias">
>>
>>   <SSLHostConfig sslProtocol="SSL"
>>       certificateVerification="required"
>>       trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>>     <Certificate certificateKeystoreType="pkcs11"
>>         certificateKeystoreProvider="Mozilla-JSS"
>>         certificateKeyAlias="sslserver"/>
>>   </SSLHostConfig>
>>
>> </Connector>
>>
>> I don't see what should be dropped from Connector..
>
> Are you getting this error:
>
> java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
>
> or this error?
>
> java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>
> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore)
> cannot find the SSL server certificate. We may not have a solution since we
> do not support Java 11 yet.

But I've patched Dogtag to support the new keystore, and am using JSS 4.5.1; I thought they did support Java 11.. so something is missing still then..

> If it's the second one, that message is coming from Tomcat when validating
> the server.xml. Is certificateVerification the only thing you change in that
> file? You might want to try adding defaultSSLHostConfigName to Connector and
> hostName to SSLHostConfig, but I'm really not sure what's going on.
>
> See also this page:
> https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multiple-sslhostconfig-elements-were-provided-for-the-ho
>
> If you put any of these deprecated attributes in the Connector directive,
> tomcat assumes you are using the old way and auto creates a SSLHostConfig
> itself, which then conflicts with the one you are creating.
>
> --
> Endi S. Dewata

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
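The "Multiple SSLHostConfig elements" collision described in the thread can be checked before starting Tomcat. The script below is an added example, not Dogtag or Tomcat code: it parses a server.xml, and for each SSL-enabled Connector flags the legacy Tomcat 8.5 SSL attributes (a subset I know from the linked http.html page, assumed complete enough for the check) that make Tomcat create an implicit `_default_` SSLHostConfig, then reports whether that collides with an explicit `<SSLHostConfig>` child. It only knows the standard Tomcat attributes, not the JSS-specific ones (sslRangeCiphers, serverCertNickFile, etc.) in the Connector above; the two sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Connector attributes Tomcat 8.5 deprecated in favour of SSLHostConfig.
# Setting any of them makes Tomcat register an implicit SSLHostConfig for
# the host name "_default_". Assumed subset from the Tomcat 8.5 http.html docs.
LEGACY_SSL_ATTRS = frozenset({
    "clientAuth", "keyAlias", "keystoreFile", "keystorePass", "keystoreType",
    "keystoreProvider", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "truststoreFile", "truststorePass", "truststoreType",
})
DEFAULT_HOST = "_default_"  # hostName Tomcat assigns when none is given


def check_connector(server_xml: str) -> list:
    """Return [(port, [problem, ...]), ...] for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        legacy = sorted(a for a in conn.attrib if a in LEGACY_SSL_ATTRS)
        # An explicit SSLHostConfig with no hostName is also "_default_".
        hosts = [h.get("hostName", DEFAULT_HOST)
                 for h in conn.findall("SSLHostConfig")]
        problems = []
        if legacy and DEFAULT_HOST in hosts:
            problems.append(f"legacy attribute(s) {legacy} make Tomcat create an "
                            f"implicit '{DEFAULT_HOST}' SSLHostConfig that clashes "
                            f"with the explicit one; move them into SSLHostConfig")
        dupes = sorted({h for h in hosts if hosts.count(h) > 1})
        if dupes:
            problems.append(f"duplicate explicit SSLHostConfig hostName(s): {dupes}")
        findings.append((conn.get("port"), problems))
    return findings


# Constructed samples: clientAuth left on the Connector next to an explicit
# SSLHostConfig (the situation from the first quoted reply), and the fixed form.
BROKEN = """<Server><Service>
<Connector port="8443" SSLEnabled="true" clientAuth="want"
           protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig certificateVerification="required"/>
</Connector></Service></Server>"""
FIXED = BROKEN.replace(' clientAuth="want"', "")

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        for port, problems in check_connector(doc):
            print(name, port, problems or "ok")
```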