On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> William,
>
> On 10/21/16 6:08 PM, William Boyd wrote:
> > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > William,
> >
> > On 10/21/16 4:37 PM, William Boyd wrote:
> >>>> Hello,
> >>>>
> >>>> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
> >>>> was working great until I enabled SSL with a self-signed
> >>>> certificate. I am able to recreate the issue on 8.5.5. I
> >>>> finally had to downgrade to 8.5.4 to get SSL working with
> >>>> identical configuration and cert.
> >>>>
> >>>> I want to be sure that this is not a known issue and that I'm
> >>>> not doing something wrong before I create a bug report.
> >>>>
> >>>> Server version: Apache Tomcat/8.5.5 64-bit
> >>>> OS Name:        Windows 7
> >>>> JVM Version:    1.8.0_102-b14
> >>>>
> >>>> The cert was generated with this command:
> >>>> keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> >>>>
> >>>> Configuration includes adding
> >>>> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> >
> > I think this might be the problem. Tomcat doesn't use
> > javax.net.ssl.trustStore except as a backup in case you haven't
> > specified a trust store in your <Connector>. You have pointed that
> > system property at a keystore, not a trust store. Technically,
> > they are the same format, but they are used for different things.
> >
> > If you need that for making your own outgoing TLS connections then
> > leave it in there and we'll try to get it to work, otherwise it's
> > just confusing and might cause Tomcat to do weird things.
> >
> >>>> and using this connector config
> >>>>
> >>>> <Connector port="8002" protocol="HTTP/1.1"
> >>>> connectionTimeout="60000" maxThreads="200"
> >>>> minSpareThreads="4" enableLookups="false" compression="on"
> >>>> server="Apache" scheme="https" secure="true"
> >>>> SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
> >>>> keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
> >>>> sslProtocol="TLS"/>
> >
> > Looks good so far.
> >
> >>>> Here is the exception I get at startup
> >>>>
> >>>> 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
> >>>> java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> >>>>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> >>>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> >>>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> >>>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> >>>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >>>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >>>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> >>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> >>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>>     at java.lang.reflect.Method.invoke(Method.java:498)
> >>>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> >>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> >>>> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> >>>>     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> >>>>     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> >>>>     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> >>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> >>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> >>>>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> >>>>     ... 20 more
> >
> > Tomcat is choking when trying to load the trust managers, which is
> > synonymous with loading the data from the "trust store". You don't
> > need a "trust store", otherwise you'd have specified it in the
> > <Connector>.
> >
> > Try just removing that system property and see what happens.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> > Hi Christopher,
> >
> > Thanks for the quick response.
> >
> > I tried your suggestion but when I connect to the site via https,
> > tomcat returns a blank page with the SSLHandshakeException in it.
> > I’m not entirely sure but this may be a result of our use of AXIS
> > for communication between WARs in the deployed application.
> >
> > Caught Exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target): ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >
> > The catalina log contains this stacktrace
> >
> > 2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] - org.apache.axis.AxisFault: ; nested exception is:
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) ~[axis-1.4.jar:na]
> >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) ~[axis-1.4.jar:na]
> >     : :
> > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_102]
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_102]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_102]
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_102]
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_102]
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_102]
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_102]
> >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_102]
> >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_102]
> >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_102]
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_102]
> >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_102]
> >     at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) ~[axis-1.4.jar:na]
> >     at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) ~[axis-1.4.jar:na]
> >     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) ~[axis-1.4.jar:na]
> >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) ~[axis-1.4.jar:na]
> >     ... 38 common frames omitted
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_102]
> >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_102]
> >     at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_102]
> >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_102]
> >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_102]
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_102]
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_102]
> >     ... 49 common frames omitted
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_102]
> >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_102]
> >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_102]
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_102]
> >     ... 55 common frames omitted
>
>
> If you need to make outgoing TLS connections to servers with
> certificates not trusted by Java's stock trust store, you'll have to
> supply your own. Do you have anything in the trust store other than
> the server's key and certificate? Are you making loopback connections?
>
> I'm surprised that this either worked in the past or is failing now.
> I'm not sure which makes more sense. There's no particular reason why
> a "keystore" couldn't be used as a "truststore"... the only difference
> is that "keystores" usually contain keys and certs, while
> "truststores" usually only contain certificates.
>
> I wonder if it has something to do with the aliases used or something.
>
> If in fact using the keystore as a trust store is tripping up Tomcat,
> I'd say that's a bug that needs to be fixed.
>
> Try this: whatever certificate you need to TRUST needs to be in your
> trust store. Try creating a new keystore that contains nothing but the
> certificate you expect to trust, then configure *that* as your trust
> store (system property), leaving the keystore as-is -- configured as
> Tomcat's keystore.
>
> -chris
>
Hi Chris,

I tested a couple of things to no avail. I can confirm that I've successfully
used this configuration with JDK 1.6.0_45, 1.7.0_80, 1.8.0_102 and Tomcat
6.0.10, 7.0.56, 8.5.4.

Here's what I tested:

 1. I recreated the keystore with the alias localhost and got the same error:
    IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

 2. I restored the tomcat alias, exported the certificate and set my system
property to point to that tomcat.crt file. This caused the following
stacktrace:
    java.lang.IllegalArgumentException: java.io.IOException: Invalid keystore format
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
    Caused by: java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136)
        at org.apache.tomcat.util.net.SSLHostConfig.getTruststore(SSLHostConfig.java:614)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:256)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
        ... 20 more

 3. I tried setting the system property to point to keystore.jsk and tomcat
keystoreFile to tomcat.crt and got the same stacktrace above.

Below are listings of my keystore.jsk and tomcat.crt files, generated with
the JRE 8 keytool.

-------------------------------------------------------------------------------------------
keystore.jsk
-------------------------------------------------------------------------------------------
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Oct 24, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
Serial number: 220d2cc
Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
Certificate fingerprints:
         MD5:  5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
         SHA1: DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
         SHA256:
75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
0010: 0A 62 1A AE                                        .b..
]
]

*******************************************
*******************************************
-------------------------------------------------------------------------------------------
tomcat.crt
-------------------------------------------------------------------------------------------
Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
Serial number: 220d2cc
Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
Certificate fingerprints:
         MD5:  5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
         SHA1: DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
         SHA256:
75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
0010: 0A 62 1A AE                                        .b..
]
]

Regards
Will
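An added example, not code from the thread: a small Java program that inspects a JKS the way java.security.cert.PKIXParameters(KeyStore) does (the constructor the 8.5.5 trace fails in, which only counts trustedCertEntry aliases and ignores a PrivateKeyEntry) and then builds the cert-only trust store Chris recommends. The keystore path and password are the ones from William's keytool command; the output file name truststore.jks and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.util.Collections;

public class TrustStoreCheck {

    // Count trust anchors exactly as PKIXParameters(KeyStore) does: only
    // trustedCertEntry aliases qualify; a PrivateKeyEntry contributes none,
    // which is what produces "the trustAnchors parameter must be non-empty".
    static int countTrustAnchors(KeyStore ks) throws Exception {
        try {
            return new PKIXParameters(ks).getTrustAnchors().size();
        } catch (InvalidAlgorithmParameterException e) {
            return 0;
        }
    }

    // Build a new JKS holding only certificates. For a key entry,
    // KeyStore.getCertificate() returns the first certificate of its chain
    // (here the self-signed server cert), which becomes a trusted cert entry.
    static KeyStore certOnlyStore(KeyStore ks) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                       // start empty
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert != null) {
                trust.setCertificateEntry(alias, cert);
            }
        }
        return trust;
    }

    public static void main(String[] args) throws Exception {
        // Defaults taken from the thread; override on the command line.
        String keystorePath = args.length > 0 ? args[0] : "C:/keys/keystore.jsk";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, pass);   // a bare .crt file fails here: "Invalid keystore format"
        }
        System.out.println("trust anchors in " + keystorePath + ": " + countTrustAnchors(ks));

        KeyStore trust = certOnlyStore(ks);
        System.out.println("trust anchors in cert-only store: " + countTrustAnchors(trust));

        // Point -Djavax.net.ssl.trustStore (or the Connector's truststoreFile)
        // at this file; leave keystoreFile pointing at the original keystore.
        try (FileOutputStream out = new FileOutputStream("truststore.jks")) {
            trust.store(out, pass);
        }
    }
}
```

With William's listing (one PrivateKeyEntry, alias tomcat) the first count is 0 and the second is 1, which matches the behaviour seen in steps 1 and 2 of his tests.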
