RE: Need help on Tomcat 9.0.x release

2017-09-21 Thread Inderjeet Banwait
Hi Violeta, Mark,

Thank you for clarifying.

Regards,
Inderjeet

-Original Message-
From: Violeta Georgieva [mailto:violet...@apache.org] 
Sent: Thursday, September 21, 2017 7:26 PM
To: Tomcat Users List
Subject: Re: Need help on Tomcat 9.0.x release

2017-09-21 16:17 GMT+03:00 Rémy Maucherat :
>
> On Thu, Sep 21, 2017 at 3:12 PM, Mark Thomas  wrote:
>
> > On 21/09/17 10:35, Inderjeet Banwait wrote:
> > > Hi Mark,
> > >
> > > Java EE 8 is already released. Can we expect a stable release by
> > > the end of September 2017?
> >
> > Servlet 4.0 was released on 5 September 2017.
> > Java EE 8 platform was released on 18 September 2017.
> >
> > It would have been helpful if Oracle had mentioned either of those 
> > releases to the Servlet EG members.
> >
> > I've taken a very quick look and the relevant specifications for 
> > Tomcat
> > are:
> > > - Java 8        (complete)
> > > - Servlet 4.0   (should be complete but need to check for last minute
> > >                 changes)
> > > - JSP 2.3       (no change from Java EE 7 / Tomcat 8.x)
> > > - EL 3.0        (no change from Java EE 7 / Tomcat 8.x)
> > > - WebSocket 1.1 (no change from Tomcat 8.x)
> > > - JASPIC 1.1    (no change from Java EE 7 / Tomcat 8.x)
> >
> >
> > The Tomcat team is a little busy elsewhere at the moment. A stable 
> > Tomcat 9 release in September is highly unlikely.
> >
> > Releases are typically on a monthly basis with the process starting 
> > at the beginning of the month. The September releases are complete 
> > for 9.0.x and 8.5.x and would have been announced if it wasn't for 
> > CVE-2017-12617.
> >
>
> Since we'll revote, we could include the option to vote the new 9.0 
> build as beta. Since it's very close to 8.5, I don't see any problem with 
> that.


+1

Regards, Violeta

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-21 Thread Mark Thomas
On 22 September 2017 00:41:04 BST, "André Warnier (tomcat)"  
wrote:
>Hi.
>
>Could this also be the problem on the other thread "tomcat ssl setup"
>(tomcat 9) ?

Could be, yes. It looks like there are still some problems to iron out with the 
fix for keystores that contain keys with different passwords.

Mark


>
>log :
>
>08-Sep-2017 15:24:36.300 SEVERE [main] 
>org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
>to initialize 
>component [Connector[HTTP/1.1-8443]]
>org.apache.catalina.LifecycleException: Protocol handler initialization
>failed
>...
>Caused by: java.lang.IllegalArgumentException:
>java.security.KeyStoreException: Cannot 
>store non-PrivateKeys
> at 
>org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
>
>
>
>
> Forwarded Message 
>Subject: Re: "Cannot store non-PrivateKeys" exception moving from
>8.0.37 to 8.5.20 - Linux
>Date: Thu, 21 Sep 2017 23:39:09 +0100
>From: Mark Thomas 
>Reply-To: Tomcat Users List 
>To: Tomcat Users List 
>
>On 21/09/17 17:19, Sean Dawson wrote:
>> Hello,
>>
>> We migrated our application that was running fine on 8.0.37 to 8.5.20
>and
>> on startup we receive:
>>
>> java.lang.IllegalArgumentException: java.security.KeyStoreException:
>Cannot
>> store non-PrivateKeys
>
>Try 8.5.21. It is on the mirrors but you'll need to follow the browse
>link on the download page to find it.
>
>Mark
>
>>
>> I unfortunately deleted the logs and under time pressure we had to go
>back
>> to 8.0.37 so I don't have the full stacktrace. But I didn't see
>anything
>> else in them that looked helpful.
>>
>> I've googled and couldn't really get any good answers that applied to
>> us. This seemed a bit similar but we do have sslEnabled set (and the
>issue
>> is apparently fixed)...
>>
>> http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html
>>
>> I've tried modifying the connector based off the current 8.5
>> documentation.  But always get the above.
>>
>> We're on: CentOS release 6.9 (Final),
>> Java version "1.8.0_144"
>>
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>maxThreads="150" SSLEnabled="true"
>asyncTimeout="6"
>> compression="on"
>> scheme="https" secure="true" >
>> > sslEnabledProtocols="TLSv1,TSLv1.1,TLSv1.2"
>> sslProtocol="TLS"
>> certificateVerification="false" >
>> > certificateKeystorePassword="masked"
>>  type="RSA" />
>> 
>> 
>>
>
>
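An added example, not code from this thread or from Tomcat: a small keystore audit that reports which aliases are certificate-only, which hold something other than a `PrivateKey`, and which key entries cannot be opened with the store password (the mixed-password case mentioned in the reply above). It also reproduces the exception text, which the JDK's JKS keystore raises when `setKeyEntry` is handed a key that is not a `PrivateKey`. The class name, the `KEYSTORE_PASS` variable and the in-memory JCEKS sample store are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreEntryAudit {

    enum Status { PRIVATE_KEY_OK, KEY_PASSWORD_DIFFERS, NOT_A_PRIVATE_KEY, CERTIFICATE_ONLY }

    /** Classifies each alias by what a caller holding only the store password gets back. */
    static Map<String, Status> audit(KeyStore ks, char[] storePassword)
            throws KeyStoreException, NoSuchAlgorithmException {
        Map<String, Status> report = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                report.put(alias, Status.CERTIFICATE_ONLY);   // trusted certificate, no key material
                continue;
            }
            try {
                Key key = ks.getKey(alias, storePassword);
                report.put(alias, key instanceof PrivateKey
                        ? Status.PRIVATE_KEY_OK : Status.NOT_A_PRIVATE_KEY);
            } catch (UnrecoverableKeyException e) {
                // The entry cannot be recovered with the store password.
                report.put(alias, Status.KEY_PASSWORD_DIFFERS);
            }
        }
        return report;
    }

    /** Returns the message a JKS store gives when asked to hold this key, or null if accepted. */
    static String jksRejection(Key key) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                                  // empty in-memory store
        try {
            jks.setKeyEntry("copy", key, "changeit".toCharArray(), null);
            return null;
        } catch (KeyStoreException e) {
            return e.getMessage();
        }
    }

    /** Constructed sample: two secret-key entries, one under a password of its own. */
    static KeyStore sampleStore(char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        Key aes = new SecretKeySpec(new byte[16], "AES");      // all-zero demo key
        ks.setKeyEntry("same-password", aes, storePassword, null);
        ks.setKeyEntry("other-password", aes, "different".toCharArray(), null);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks;
        char[] storePassword;
        if (args.length == 1) {
            // Real store: path as the argument, password from KEYSTORE_PASS
            // (a variable name chosen for this example).
            String fromEnv = System.getenv("KEYSTORE_PASS");
            if (fromEnv == null) {
                throw new IllegalStateException("set KEYSTORE_PASS before running");
            }
            storePassword = fromEnv.toCharArray();
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, storePassword);
            }
        } else {
            storePassword = "changeit".toCharArray();          // constructed sample password
            ks = sampleStore(storePassword);
        }
        audit(ks, storePassword).forEach(
                (alias, status) -> System.out.println(alias + ": " + status));
        System.out.println("JKS given a non-PrivateKey: "
                + jksRejection(new SecretKeySpec(new byte[16], "AES")));
    }
}
```

Run without arguments it audits the constructed sample; with a keystore path it audits that file, so it can be pointed at a copy of the keystore a connector uses before an upgrade.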



Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-21 Thread tomcat

Hi.

Could this also be the problem on the other thread "tomcat ssl setup" (tomcat 
9) ?

log :

08-Sep-2017 15:24:36.300 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize 
component [Connector[HTTP/1.1-8443]]

 org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot 
store non-PrivateKeys
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)






 Forwarded Message 
Subject: Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 
8.5.20 - Linux
Date: Thu, 21 Sep 2017 23:39:09 +0100
From: Mark Thomas 
Reply-To: Tomcat Users List 
To: Tomcat Users List 

On 21/09/17 17:19, Sean Dawson wrote:

Hello,

We migrated our application that was running fine on 8.0.37 to 8.5.20 and
on startup we receive:

java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot
store non-PrivateKeys


Try 8.5.21. It is on the mirrors but you'll need to follow the browse
link on the download page to find it.

Mark



I unfortunately deleted the logs and under time pressure we had to go back
to 8.0.37 so I don't have the full stacktrace. But I didn't see anything
else in them that looked helpful.

I've googled and couldn't really get any good answers that applied to
us. This seemed a bit similar but we do have sslEnabled set (and the issue
is apparently fixed)...

http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html

I've tried modifying the connector based off the current 8.5
documentation.  But always get the above.

We're on: CentOS release 6.9 (Final),
Java version "1.8.0_144"













Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-21 Thread Mark Thomas
On 21/09/17 17:19, Sean Dawson wrote:
> Hello,
> 
> We migrated our application that was running fine on 8.0.37 to 8.5.20 and
> on startup we receive:
> 
> java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot
> store non-PrivateKeys

Try 8.5.21. It is on the mirrors but you'll need to follow the browse
link on the download page to find it.

Mark

> 
> I unfortunately deleted the logs and under time pressure we had to go back
> to 8.0.37 so I don't have the full stacktrace. But I didn't see anything
> else in them that looked helpful.
> 
> I've googled and couldn't really get any good answers that applied to
> us. This seemed a bit similar but we do have sslEnabled set (and the issue
> is apparently fixed)...
> 
> http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html
> 
> I've tried modifying the connector based off the current 8.5
> documentation.  But always get the above.
> 
> We're on: CentOS release 6.9 (Final),
> Java version "1.8.0_144"
> 
> maxThreads="150" SSLEnabled="true" asyncTimeout="6"
> compression="on"
> scheme="https" secure="true" >
>  sslEnabledProtocols="TLSv1,TSLv1.1,TLSv1.2"
> sslProtocol="TLS"
> certificateVerification="false" >
>  certificateKeystorePassword="masked"
>  type="RSA" />
> 
> 
> 





Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-21 Thread Peter Kreuser


Peter Kreuser

> Am 21.09.2017 um 18:19 schrieb Sean Dawson :
> 
> Hello,
> 
> We migrated our application that was running fine on 8.0.37 to 8.5.20 and
> on startup we receive:
> 
> java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot
> store non-PrivateKeys
> 
> I unfortunately deleted the logs and under time pressure we had to go back
> to 8.0.37 so I don't have the full stacktrace. But I didn't see anything
> else in them that looked helpful.
> 
> I've googled and couldn't really get any good answers that applied to
> us. This seemed a bit similar but we do have sslEnabled set (and the issue
> is apparently fixed)...
> 
> http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html
> 
> I've tried modifying the connector based off the current 8.5
> documentation.  But always get the above.
> 
> We're on: CentOS release 6.9 (Final),
> Java version "1.8.0_144"
> 
>maxThreads="150" SSLEnabled="true" asyncTimeout="6"
> compression="on"
>scheme="https" secure="true" >
>sslEnabledProtocols="TLSv1,TSLv1.1,TLSv1.2"
>sslProtocol="TLS"
>certificateVerification="false" >
>certificateKeystorePassword="masked"
> type="RSA" />
>
>




Re: [Bug 47410] Using Request#getStream() while reading parameters

2017-09-21 Thread Volkan Yazıcı
Hrm... Now I see it. That is an unfortunate outcome of deep nesting.
Anyway... So there are two solutions proposed so far: 1) Reconstruct
payload from parameters [me] and 2) use ServletFileUpload to
persist+reinstantiate the request [Igal]. Both of them are nasty hacks with
their own shortcomings. Just to resolve this discussion:

1. Is there an easier/better way of doing this?
2. Would there be an easier/better way of doing this by making a relatively
small change in Tomcat?


On Thu, Sep 21, 2017 at 11:46 PM, Mark Thomas  wrote:

> On 21/09/17 22:33, Volkan Yazıcı wrote:
> > Would you mind elaborating your answer? I just want,
> > in org.apache.catalina.connector.Request, readPostBody() method to
> access
> > the request stream via getInputStream() rather than getStream(). Maybe I
> am
> > missing something but this looks legit to me.
>
> That will make no difference. It won't call your implementation because
> you are wrapping the request.
>
> Mark
>
>
> > On Thu, Sep 21, 2017 at 11:13 PM, Mark Thomas  wrote:
> >
> >> On 21/09/17 21:58, Volkan Yazıcı wrote:
> >>> Hey Igal,
> >>>
> >>> Today, I've tried to implement your proposal (consuming the InputStream
> >>> eagerly, wrapping the consumed byte[] as a re-consumable
> >>> ServletInputStream, and passing it to next filter) and hit by the same
> >>> Tomcat shortcoming: Since you've already consumed the original
> >> InputStream,
> >>> later on, any access to parameters will
> >>> trigger o.a.c.connector.Request#readPostBody() which in return will
> >> access
> >>> the original InputStream via o.a.c.connector.Request#getStream()
> >> discarding
> >>> the re-consumable you provided by overriding
> >>> javax.servlet.ServletRequest#getInputStream().
> >>> Long story short, consuming InputStream eagerly breaks the parameter
> >>> parsing. We still did not get a reply from Tomcat maintainers, but I
> >> still
> >>> do believe this to be a Tomcat shortcoming and can be easily resolved
> by
> >>> making sure o.a.c.connector.Request#readPostBody() uses
> >>> javax.servlet.ServletRequest#getInputStream() instead.
> >>
> >> That is not possible. A wrapped request has no access to any wrapper.
> >>
> >> Mark
> >>
> >>
> >>> Additionally,
> >>> "reading InputStream eagerly" solution assumes that you're the first
> >> filter
> >>> along the chain, which is not the case for Spring Boot applications.
> >>>
> >>> Best.
> >>>
> >>> On Tue, Sep 19, 2017 at 10:48 PM, Igal @ Lucee.org 
> >> wrote:
> >>>
> >>>> Volkan,
> >>>>
> >>>> On 9/19/2017 11:21 AM, Volkan Yazıcı wrote:
> >>>>
> >>>> Hey Igal,
> >>>>
> >>>> Thanks for the response! I believe having more people suffering from
> the
> >>>> same limitation makes it more clear that there is a shortcoming that
> >> needs
> >>>> to addressed in Tomcat.
> >>>>
> >>>> The problem is that Tomcat is compliant with the Servlet
> specification,
> >>>> and as Mark pointed out in the original ticket #47410 that is part of
> >> the
> >>>> spec.
> >>>>
> >>>> Coming back to your project, thanks for the pointer. Though I have two
> >>>> concerns: 1) It is [still] a Tomcat-specific solution and
> >>>>
> >>>> This is not a Tomcat-specific solution.  I use it with Jetty as well.
> >> It
> >>>> does use a library from Apache for processing FileUpload, and if you
> are
> >>>> running Tomcat you already have it in your classpath, but if you are
> >> not,
> >>>> you need to add that jar.
> >>>>
> >>>> 2) it consumes the entire InputStream regardless of whether the
> request
> >>>> handler will use it or not.
> >>>>
> >>>> I've never had an issue with that, and am not sure what you are
> worried
> >>>> about?  network traffic?  memory? (the FileUpload library writes the
> >>>> contents to disk after a certain threshold), but if you're concerned
> >> with
> >>>> that then you can write your own filter and model it after mine if you
> >> want
> >>>> to hit the ground running.  Then you can break the read whenever you
> >> want,
> >>>> though I really think that you're over-optimizing here.
> >>>>
> >>>> TBH I did not read your original emails with Chris in full, so I'm not
> >>>> sure what your requirements are.
> >>>>
> >>>>
> >>>> Best.
> >>>>
> >>>> On Tue, Sep 19, 2017 at 7:55 PM, Igal @ Lucee.org
> >> wrote:
> >>>>
> >>>>> Volkan,
> >>>>>
> >>>>> On 9/19/2017 10:47 AM, Volkan Yazıcı wrote:
> >>>>>
> >>>>>> Did not try (or consider) using a Tomcat Valve, since it would make
> >> the
> >>>>>> entire tool Tomcat-specific. I would rather find a way to solve the
> >>>>>> problem
> >>>>>> in a container agnostic way.
> >>>>>>
> >>>>> I had a similar issue so I wrote a simple Filter and named it
> >>>>> "RereadableServletRequestFilter":
> >>>>> https://github.com/isapir/servlet-filter-utils#rereadableservletrequestfilter
> >>>>>
> >>>>> HTH,
> >>>>>
> >>>>>
> >>>>> Igal
> >>>>>
> >>>>
> >>>>
> >>>> Igal Sapir
> >>>> Lucee Core Developer
> >>>> Lucee.org
> >>>>
> >>>
> >>
> >>
> >> --

Re: [Bug 47410] Using Request#getStream() while reading parameters

2017-09-21 Thread Mark Thomas
On 21/09/17 22:33, Volkan Yazıcı wrote:
> Would you mind elaborating your answer? I just want,
> in org.apache.catalina.connector.Request, readPostBody() method to access
> the request stream via getInputStream() rather than getStream(). Maybe I am
> missing something but this looks legit to me.

That will make no difference. It won't call your implementation because
you are wrapping the request.

Mark


> On Thu, Sep 21, 2017 at 11:13 PM, Mark Thomas  wrote:
> 
>> On 21/09/17 21:58, Volkan Yazıcı wrote:
>>> Hey Igal,
>>>
>>> Today, I've tried to implement your proposal (consuming the InputStream
>>> eagerly, wrapping the consumed byte[] as a re-consumable
>>> ServletInputStream, and passing it to next filter) and hit by the same
>>> Tomcat shortcoming: Since you've already consumed the original
>> InputStream,
>>> later on, any access to parameters will
>>> trigger o.a.c.connector.Request#readPostBody() which in return will
>> access
>>> the original InputStream via o.a.c.connector.Request#getStream()
>> discarding
>>> the re-consumable you provided by overriding
>>> javax.servlet.ServletRequest#getInputStream().
>>> Long story short, consuming InputStream eagerly breaks the parameter
>>> parsing. We still did not get a reply from Tomcat maintainers, but I
>> still
>>> do believe this to be a Tomcat shortcoming and can be easily resolved by
>>> making sure o.a.c.connector.Request#readPostBody() uses
>>> javax.servlet.ServletRequest#getInputStream() instead.
>>
>> That is not possible. A wrapped request has no access to any wrapper.
>>
>> Mark
>>
>>
>>> Additionally,
>>> "reading InputStream eagerly" solution assumes that you're the first
>> filter
>>> along the chain, which is not the case for Spring Boot applications.
>>>
>>> Best.
>>>
>>> On Tue, Sep 19, 2017 at 10:48 PM, Igal @ Lucee.org 
>> wrote:
>>>
>>>> Volkan,
>>>>
>>>> On 9/19/2017 11:21 AM, Volkan Yazıcı wrote:
>>>>
>>>> Hey Igal,
>>>>
>>>> Thanks for the response! I believe having more people suffering from the
>>>> same limitation makes it more clear that there is a shortcoming that
>> needs
>>>> to addressed in Tomcat.
>>>>
>>>> The problem is that Tomcat is compliant with the Servlet specification,
>>>> and as Mark pointed out in the original ticket #47410 that is part of
>> the
>>>> spec.
>>>>
>>>> Coming back to your project, thanks for the pointer. Though I have two
>>>> concerns: 1) It is [still] a Tomcat-specific solution and
>>>>
>>>> This is not a Tomcat-specific solution.  I use it with Jetty as well.
>> It
>>>> does use a library from Apache for processing FileUpload, and if you are
>>>> running Tomcat you already have it in your classpath, but if you are
>> not,
>>>> you need to add that jar.
>>>>
>>>> 2) it consumes the entire InputStream regardless of whether the request
>>>> handler will use it or not.
>>>>
>>>> I've never had an issue with that, and am not sure what you are worried
>>>> about?  network traffic?  memory? (the FileUpload library writes the
>>>> contents to disk after a certain threshold), but if you're concerned
>> with
>>>> that then you can write your own filter and model it after mine if you
>> want
>>>> to hit the ground running.  Then you can break the read whenever you
>> want,
>>>> though I really think that you're over-optimizing here.
>>>>
>>>> TBH I did not read your original emails with Chris in full, so I'm not
>>>> sure what your requirements are.
>>>>
>>>>
>>>> Best.
>>>>
>>>> On Tue, Sep 19, 2017 at 7:55 PM, Igal @ Lucee.org
>> wrote:
>>>>
>>>>> Volkan,
>>>>>
>>>>> On 9/19/2017 10:47 AM, Volkan Yazıcı wrote:
>>>>>
>>>>>> Did not try (or consider) using a Tomcat Valve, since it would make
>> the
>>>>>> entire tool Tomcat-specific. I would rather find a way to solve the
>>>>>> problem
>>>>>> in a container agnostic way.
>>>>>>
>>>>> I had a similar issue so I wrote a simple Filter and named it
>>>>> "RereadableServletRequestFilter":
>>>>> https://github.com/isapir/servlet-filter-utils#rereadableservletrequestfilter
>>>>>
>>>>> HTH,
>>>>>
>>>>>
>>>>> Igal
>>>>>
>>>>
>>>>
>>>> Igal Sapir
>>>> Lucee Core Developer
>>>> Lucee.org
>>>>
>>>
>>
>>
>>
>>
> 





Re: tomcat ssl setup

2017-09-21 Thread tomcat

Hi.

I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to 
look at the standard server.xml.


There is something which does not quite fit in all of this.
I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors 
or imbricated comments.

Yet the logfile points to these lines..
Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml 
lines that you pasted here.


Ooooh, wait.
I know why it did not fit.

After looking again, more carefully, at the logfile that you posted, I see what was 
confusing : that logfile shows several starts and stops of tomcat. It just accumulates. I 
was looking just at the beginning, the first error that I found.

You have for example this :

08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler ["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler ["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server 
startup in 18916 ms


Just before the error message that I was mentioning, which was :
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError 
Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed 
character data or markup.
 org.xml.sax.SAXParseException; systemId: 
file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 
6; The content of elements must consist of well-formed character data or markup.


But that was like 21 minutes later, after tomcat had been running for 21 
minutes.

Then after that there are a few more starts and stops, and at the latest attempt, the 
problem is different :


08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize 
component [Connector[HTTP/1.1-8443]]

 org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot 
store non-PrivateKeys
	at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)



So, here is what happened :

- when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, 
ending in the line
08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server 
startup in 482 ms


but then, you did not have the connector for port 8443 enabled yet.

- then you stopped tomcat, and you started it again at
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log 
Server version:Apache Tomcat/9.0.0.M26


- and then you had this :
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError 
Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed 
character data or markup.


so my guess is that you modified the server.xml, while tomcat was still running, and then 
you did a "shutdown.sh", to prepare to restart tomcat.


- And then there was that parse error.

And the reason is that the shutdown command, in fact starts another (small) instance of 
tomcat, to issue the shutdown command to the running instance.
But that shutdown instance also reads server.xml, and at that time you /did/ have a syntax 
error in it. So that is where this syntax error came from.


Later you apparently corrected the syntax, and restarted tomcat :

08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log 
Server version:Apache Tomcat/9.0.0.M26


and this time, there was no syntax error anymore in server.xml, but then there is this 
other problem :


08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize 
component [Connector[HTTP/1.1-8443]]

 org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot 
store non-PrivateKeys
	at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)


but that seems to only prevent the SSL connector from starting, and the logfile shows that 
tomcat continues to initialise anyway, with only the other connectors.


So that's why you can connect normally to port 8080.

I did not know that tomcat starts anyway, even if it encounters a severe problem with one 
of its connectors.


(And I must say that, as a sysadmin myself, I find this behaviour a bit 
questionable)(unless it is optional)


S
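
An added example, not part of the message above and not Tomcat code: because the log accumulates across restarts, this check splits it into runs at each "Server version" line and reports, per run, any connector that failed to initialise while startup still completed. The class and method names are assumptions, and the sample log is constructed from the excerpts quoted in the message.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CatalinaRunAudit {

    /** One start of Tomcat, as seen in an accumulating catalina log. */
    static final class Run {
        final String startedAt;
        final List<String> failedConnectors = new ArrayList<>();
        final List<String> startedHandlers = new ArrayList<>();
        boolean startupCompleted;

        Run(String startedAt) { this.startedAt = startedAt; }

        /** True when the server came up although at least one connector did not. */
        boolean degraded() { return startupCompleted && !failedConnectors.isEmpty(); }
    }

    // Markers taken from the excerpts in the message; other versions may word them differently.
    private static final Pattern RUN_START = Pattern.compile(
            "^(\\S+ \\S+) INFO \\[main\\] \\S*VersionLoggerListener\\.log Server version:");
    private static final Pattern CONNECTOR_FAILED = Pattern.compile(
            "Failed to initialize component \\[(Connector\\[[^\\]]*\\])\\]");
    private static final Pattern HANDLER_STARTED = Pattern.compile(
            "Starting ProtocolHandler \\[\"([^\"]+)\"\\]");
    private static final Pattern STARTUP_DONE = Pattern.compile(
            "Catalina\\.start Server startup in \\d+ ms");

    static List<Run> splitIntoRuns(List<String> lines) {
        List<Run> runs = new ArrayList<>();
        Run current = null;
        for (String line : lines) {
            Matcher m = RUN_START.matcher(line);
            if (m.find()) {
                current = new Run(m.group(1));
                runs.add(current);
                continue;
            }
            if (current == null) {
                continue;                       // output that precedes the first recorded start
            }
            if ((m = CONNECTOR_FAILED.matcher(line)).find()) {
                current.failedConnectors.add(m.group(1));
            } else if ((m = HANDLER_STARTED.matcher(line)).find()) {
                current.startedHandlers.add(m.group(1));
            } else if (STARTUP_DONE.matcher(line).find()) {
                current.startupCompleted = true;
            }
        }
        return runs;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the excerpts in the message (wrapped lines joined);
        // the last two lines are invented so that the second run completes.
        List<String> log = Arrays.asList(
            "08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:Apache Tomcat/9.0.0.M26",
            "08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [\"http-nio-8080\"]",
            "08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms",
            "08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:Apache Tomcat/9.0.0.M26",
            "08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]",
            "08-Sep-2017 15:24:37.000 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [\"http-nio-8080\"]",
            "08-Sep-2017 15:24:37.010 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 2100 ms");

        for (Run run : splitIntoRuns(log)) {
            System.out.println(run.startedAt + " started=" + run.startedHandlers
                    + " failed=" + run.failedConnectors
                    + (run.degraded() ? "  <-- serving without a configured connector" : ""));
        }
    }
}
```

Checking only the most recent run after each restart catches the case described above, where port 8080 answers normally while the 8443 connector never came up.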

Re: [Bug 47410] Using Request#getStream() while reading parameters

2017-09-21 Thread Volkan Yazıcı
Would you mind elaborating your answer? I just want,
in org.apache.catalina.connector.Request, readPostBody() method to access
the request stream via getInputStream() rather than getStream(). Maybe I am
missing something but this looks legit to me.

On Thu, Sep 21, 2017 at 11:13 PM, Mark Thomas  wrote:

> On 21/09/17 21:58, Volkan Yazıcı wrote:
> > Hey Igal,
> >
> > Today, I've tried to implement your proposal (consuming the InputStream
> > eagerly, wrapping the consumed byte[] as a re-consumable
> > ServletInputStream, and passing it to next filter) and hit by the same
> > Tomcat shortcoming: Since you've already consumed the original
> InputStream,
> > later on, any access to parameters will
> > trigger o.a.c.connector.Request#readPostBody() which in return will
> access
> > the original InputStream via o.a.c.connector.Request#getStream()
> discarding
> > the re-consumable you provided by overriding
> > javax.servlet.ServletRequest#getInputStream().
> > Long story short, consuming InputStream eagerly breaks the parameter
> > parsing. We still did not get a reply from Tomcat maintainers, but I
> still
> > do believe this to be a Tomcat shortcoming and can be easily resolved by
> > making sure o.a.c.connector.Request#readPostBody() uses
> > javax.servlet.ServletRequest#getInputStream() instead.
>
> That is not possible. A wrapped request has no access to any wrapper.
>
> Mark
>
>
> > Additionally,
> > "reading InputStream eagerly" solution assumes that you're the first
> filter
> > along the chain, which is not the case for Spring Boot applications.
> >
> > Best.
> >
> > On Tue, Sep 19, 2017 at 10:48 PM, Igal @ Lucee.org 
> wrote:
> >
> >> Volkan,
> >>
> >> On 9/19/2017 11:21 AM, Volkan Yazıcı wrote:
> >>
> >> Hey Igal,
> >>
> >> Thanks for the response! I believe having more people suffering from the
> >> same limitation makes it more clear that there is a shortcoming that
> needs
> >> to addressed in Tomcat.
> >>
> >> The problem is that Tomcat is compliant with the Servlet specification,
> >> and as Mark pointed out in the original ticket #47410 that is part of
> the
> >> spec.
> >>
> >> Coming back to your project, thanks for the pointer. Though I have two
> >> concerns: 1) It is [still] a Tomcat-specific solution and
> >>
> >> This is not a Tomcat-specific solution.  I use it with Jetty as well.
> It
> >> does use a library from Apache for processing FileUpload, and if you are
> >> running Tomcat you already have it in your classpath, but if you are
> not,
> >> you need to add that jar.
> >>
> >> 2) it consumes the entire InputStream regardless of whether the request
> >> handler will use it or not.
> >>
> >> I've never had an issue with that, and am not sure what you are worried
> >> about?  network traffic?  memory? (the FileUpload library writes the
> >> contents to disk after a certain threshold), but if you're concerned
> with
> >> that then you can write your own filter and model it after mine if you
> want
> >> to hit the ground running.  Then you can break the read whenever you
> want,
> >> though I really think that you're over-optimizing here.
> >>
> >> TBH I did not read your original emails with Chris in full, so I'm not
> >> sure what your requirements are.
> >>
> >>
> >> Best.
> >>
> >> On Tue, Sep 19, 2017 at 7:55 PM, Igal @ Lucee.org 
> wrote:
> >>
> >>> Volkan,
> >>>
> >>> On 9/19/2017 10:47 AM, Volkan Yazıcı wrote:
> >>>
> >>>> Did not try (or consider) using a Tomcat Valve, since it would make
> the
> >>>> entire tool Tomcat-specific. I would rather find a way to solve the
> >>>> problem
> >>>> in a container agnostic way.
> >>>>
> >>> I had a similar issue so I wrote a simple Filter and named it
> >>> "RereadableServletRequestFilter":
> >>> https://github.com/isapir/servlet-filter-utils#rereadableservletrequestfilter
> >>>
> >>> HTH,
> >>>
> >>>
> >>> Igal
> >>>
> >>
> >>
> >> Igal Sapir
> >> Lucee Core Developer
> >> Lucee.org 
> >>
> >
>
>
>
>


[ANN] End of life for Apache Tomcat Native 1.1.x

2017-09-21 Thread Mark Thomas
The Apache Tomcat Team announces that support for Apache Tomcat Native
1.1.x will end on 30 September 2018.

This means that after 30 September 2018:
- releases from the 1.1.x branch are highly unlikely
- bugs affecting only the 1.1.x branch will not be addressed
- security vulnerability reports will not be checked against the 1.1.x
  branch
- Apache Tomcat releases of 7.0.x after this date may require 1.2.x as a
  minimum

Three months later (i.e. after 31 December 2018)
- the 1.1.x download pages will be removed
- the latest 1.1.x release will be removed from the mirror system
- the links to the 1.1.x documentation will be removed from
  tomcat.apache.org

The latest binary releases of 1.1.x for Microsoft Windows are not built
with a current version of OpenSSL and will therefore be removed from the
download pages with immediate effect.

Please also note the following additional information:

Tomcat 8.5.x and 9.0.x require a minimum of Tomcat Native 1.2.x and are
therefore unaffected by this notice.

Tomcat 8.0.x will reach end of life on 30 June 2018 and is therefore
unaffected by this notice.

Only Tomcat 7.0.x is affected by this notice.

Tomcat 7.0.x has shipped with Tomcat Native 1.2.x since 7.0.70 (June 2016).

All 1.1.x releases will always be available from the archive.

Tomcat Native 1.2.x is a drop-in replacement for 1.1.x although it does
require OpenSSL 1.0.2 as a minimum.

All Tomcat Native releases from 1.1.34 onwards have indicated that users
should use 1.2.x in preference to 1.1.x.

The most recent release of 1.1.x (1.1.34) was released in December 2015.
It is likely that 1.1.34 will be the final 1.1.x release unless a
security vulnerability is discovered in 1.1.x that cannot be worked
around without a new release.




Re: [Bug 47410] Using Request#getStream() while reading parameters

2017-09-21 Thread Mark Thomas
On 21/09/17 21:58, Volkan Yazıcı wrote:
> Hey Igal,
> 
> Today, I've tried to implement your proposal (consuming the InputStream
> eagerly, wrapping the consumed byte[] as a re-consumable
> ServletInputStream, and passing it to next filter) and hit by the same
> Tomcat shortcoming: Since you've already consumed the original InputStream,
> later on, any access to parameters will
> trigger o.a.c.connector.Request#readPostBody() which in return will access
> the original InputStream via o.a.c.connector.Request#getStream() discarding
> the re-consumable you provided by overriding
> javax.servlet.ServletRequest#getInputStream().
> Long story short, consuming InputStream eagerly breaks the parameter
> parsing. We still did not get a reply from Tomcat maintainers, but I still
> do believe this to be a Tomcat shortcoming and can be easily resolved by
> making sure o.a.c.connector.Request#readPostBody() uses
> javax.servlet.ServletRequest#getInputStream() instead.

That is not possible. A wrapped request has no access to any wrapper.

Mark


> Additionally,
> "reading InputStream eagerly" solution assumes that you're the first filter
> along the chain, which is not the case for Spring Boot applications.
> 
> Best.
> 
> On Tue, Sep 19, 2017 at 10:48 PM, Igal @ Lucee.org  wrote:
> 
>> Volkan,
>>
>> On 9/19/2017 11:21 AM, Volkan Yazıcı wrote:
>>
>> Hey Igal,
>>
>> Thanks for the response! I believe having more people suffering from the
>> same limitation makes it more clear that there is a shortcoming that needs
>> to addressed in Tomcat.
>>
>> The problem is that Tomcat is compliant with the Servlet specification,
>> and as Mark pointed out in the original ticket #47410 that is part of the
>> spec.
>>
>> Coming back to your project, thanks for the pointer. Though I have two
>> concerns: 1) It is [still] a Tomcat-specific solution and
>>
>> This is not a Tomcat-specific solution.  I use it with Jetty as well.  It
>> does use a library from Apache for processing FileUpload, and if you are
>> running Tomcat you already have it in your classpath, but if you are not,
>> you need to add that jar.
>>
>> 2) it consumes the entire InputStream regardless of whether the request
>> handler will use it or not.
>>
>> I've never had an issue with that, and am not sure what you are worried
>> about?  network traffic?  memory? (the FileUpload library writes the
>> contents to disk after a certain threshold), but if you're concerned with
>> that then you can write your own filter and model it after mine if you want
>> to hit the ground running.  Then you can break the read whenever you want,
>> though I really think that you're over-optimizing here.
>>
>> TBH I did not read your original emails with Chris in full, so I'm not
>> sure what your requirements are.
>>
>>
>> Best.
>>
>> On Tue, Sep 19, 2017 at 7:55 PM, Igal @ Lucee.org  wrote:
>>
>>> Volkan,
>>>
>>> On 9/19/2017 10:47 AM, Volkan Yazıcı wrote:
>>>
>>>> Did not try (or consider) using a Tomcat Valve, since it would make the
>>>> entire tool Tomcat-specific. I would rather find a way to solve the
>>>> problem in a container agnostic way.
>>>>
>>> I had a similar issue so I wrote a simple Filter and named it
>>> "RereadableServletRequestFilter":
>>> https://github.com/isapir/servlet-filter-utils#rereadableservletrequestfilter
>>>
>>> HTH,
>>>
>>>
>>> Igal
>>>
>>
>>
>> Igal Sapir
>> Lucee Core Developer
>> Lucee.org 
>>
> 





Re: [Bug 47410] Using Request#getStream() while reading parameters

2017-09-21 Thread Volkan Yazıcı
Hey Igal,

Today, I've tried to implement your proposal (consuming the InputStream
eagerly, wrapping the consumed byte[] as a re-consumable
ServletInputStream, and passing it to the next filter) and was hit by the same
Tomcat shortcoming: Since you've already consumed the original InputStream,
later on, any access to parameters will
trigger o.a.c.connector.Request#readPostBody() which in return will access
the original InputStream via o.a.c.connector.Request#getStream() discarding
the re-consumable you provided by overriding
javax.servlet.ServletRequest#getInputStream().
Long story short, consuming InputStream eagerly breaks the parameter
parsing. We still did not get a reply from Tomcat maintainers, but I still
do believe this to be a Tomcat shortcoming and can be easily resolved by
making sure o.a.c.connector.Request#readPostBody() uses
javax.servlet.ServletRequest#getInputStream() instead. Additionally,
"reading InputStream eagerly" solution assumes that you're the first filter
along the chain, which is not the case for Spring Boot applications.

Best.

On Tue, Sep 19, 2017 at 10:48 PM, Igal @ Lucee.org  wrote:

> Volkan,
>
> On 9/19/2017 11:21 AM, Volkan Yazıcı wrote:
>
> Hey Igal,
>
> Thanks for the response! I believe having more people suffering from the
> same limitation makes it more clear that there is a shortcoming that needs
> to be addressed in Tomcat.
>
> The problem is that Tomcat is compliant with the Servlet specification,
> and as Mark pointed out in the original ticket #47410 that is part of the
> spec.
>
> Coming back to your project, thanks for the pointer. Though I have two
> concerns: 1) It is [still] a Tomcat-specific solution and
>
> This is not a Tomcat-specific solution.  I use it with Jetty as well.  It
> does use a library from Apache for processing FileUpload, and if you are
> running Tomcat you already have it in your classpath, but if you are not,
> you need to add that jar.
>
> 2) it consumes the entire InputStream regardless of whether the request
> handler will use it or not.
>
> I've never had an issue with that, and am not sure what you are worried
> about?  network traffic?  memory? (the FileUpload library writes the
> contents to disk after a certain threshold), but if you're concerned with
> that then you can write your own filter and model it after mine if you want
> to hit the ground running.  Then you can break the read whenever you want,
> though I really think that you're over-optimizing here.
>
> TBH I did not read your original emails with Chris in full, so I'm not
> sure what your requirements are.
>
>
> Best.
>
> On Tue, Sep 19, 2017 at 7:55 PM, Igal @ Lucee.org  wrote:
>
>> Volkan,
>>
>> On 9/19/2017 10:47 AM, Volkan Yazıcı wrote:
>>
>>> Did not try (or consider) using a Tomcat Valve, since it would make the
>>> entire tool Tomcat-specific. I would rather find a way to solve the
>>> problem
>>> in a container agnostic way.
>>>
>> I had a similar issue so I wrote a simple Filter and named it
>> "RereadableServletRequestFilter":
>> https://github.com/isapir/servlet-filter-utils#rereadableservletrequestfilter
>>
>> HTH,
>>
>>
>> Igal
>>
>
>
> Igal Sapir
> Lucee Core Developer
> Lucee.org 
>
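
Mark's reply in this thread, that a wrapped request has no access to any wrapper, means a body-buffering wrapper has to answer the getParameter*() calls itself rather than leave them to the container. The following is an added example, not code from Tomcat or from servlet-filter-utils; the class name BufferedBodyRequest, the 1 MiB cap and the UTF-8 fallback are assumptions, and it covers only application/x-www-form-urlencoded bodies.

```java
import java.io.*;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (not from Tomcat or servlet-filter-utils): buffers the body once
// and serves both the stream view and the parameter view from that buffer.
public class BufferedBodyRequest extends HttpServletRequestWrapper {
    private static final int MAX_BODY_BYTES = 1 << 20; // assumed cap, bounds memory per request
    private final byte[] body;
    private final String charset;
    private Map<String, String[]> params; // built on first parameter access

    public BufferedBodyRequest(HttpServletRequest request) throws IOException {
        super(request);
        String enc = request.getCharacterEncoding();
        charset = (enc != null) ? enc : "UTF-8"; // assumption: fall back to UTF-8
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = request.getInputStream(); // the container's stream is consumed here, once
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) {
            if (buf.size() + n > MAX_BODY_BYTES) {
                throw new IOException("request body larger than " + MAX_BODY_BYTES + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        body = buf.toByteArray();
    }

    @Override
    public ServletInputStream getInputStream() {
        final ByteArrayInputStream src = new ByteArrayInputStream(body);
        return new ServletInputStream() { // a fresh stream over the same bytes on every call
            @Override public int read() { return src.read(); }
            @Override public int read(byte[] b, int off, int len) { return src.read(b, off, len); }
            @Override public boolean isFinished() { return src.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) {
                throw new UnsupportedOperationException("body is already buffered");
            }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream(), charset));
    }

    // The container never calls back into this wrapper, so form parameters are parsed here.
    @Override
    public Map<String, String[]> getParameterMap() {
        if (params == null) {
            Map<String, List<String>> merged = new LinkedHashMap<>();
            // Assumption (Servlet 3.1 spec, section 3.1.1): once the stream has been read,
            // the wrapped request reports query-string parameters only.
            for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                merged.computeIfAbsent(e.getKey(), k -> new ArrayList<>()).addAll(Arrays.asList(e.getValue()));
            }
            String type = getContentType();
            if ("POST".equalsIgnoreCase(getMethod()) && type != null
                    && type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
                parseForm(merged); // query-string values stay ahead of body values
            }
            Map<String, String[]> out = new LinkedHashMap<>();
            for (Map.Entry<String, List<String>> e : merged.entrySet()) {
                out.put(e.getKey(), e.getValue().toArray(new String[0]));
            }
            params = Collections.unmodifiableMap(out);
        }
        return params;
    }

    private void parseForm(Map<String, List<String>> into) {
        try {
            // Form bodies are ASCII with percent-escapes; decode each name and value separately.
            for (String pair : new String(body, "ISO-8859-1").split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), charset);
                String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), charset);
                into.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("unsupported request charset: " + charset, e);
        }
        // A malformed %-escape raises IllegalArgumentException: fail rather than drop a field.
    }

    @Override
    public String[] getParameterValues(String name) { return getParameterMap().get(name); }

    @Override
    public String getParameter(String name) {
        String[] v = getParameterValues(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getParameterMap().keySet());
    }
}
```

A filter would pass `new BufferedBodyRequest((HttpServletRequest) request)` down the chain. As the thread notes, this only helps when nothing earlier in the chain has already read the body or the parameters.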


RE: tomcat ssl setup

2017-09-21 Thread John Ellis
One more thing Andre. I don't know if it matters or not but when I try to
access Tomcat 9 on the secure port of 8443
 I see it saying down in the bottom left hand corner of my browser-
"Performing a TLS handshake to 10.22.8.70..." but it never 
gives the webpage. However once I change the IP address to 10.22.8.70:8080
it immediately goes to the Tomcat 9 webpage. 

John Ellis

405.285.2500 office


    

http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.

Can you paste here, say, that same line, but with 10 lines before and 10
lines after, and tell at which line number this starts in server.xml (so
that we can compare with the log) ?

The error messages in the log were apparently about comments (between ), so if these lines are (or contain) comments, copy them anyway.


>
>
>
> John Ellis
>
> 405.285.2500 office
>
>
>
>
> http://biz-e.io
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 10:15 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
>
>
> On 21.09.2017 16:43, John Ellis wrote:
>> Thanks so much for the quick reply Andre. There doesn't appear to be
>> anything on line 87 but there is on line 114. See the screenshot I
>> took of the server.xml file below-
>>
>
> Unfortunately, this list strips most attachments, and in fact asks for
> text-only messages.
> (and to avoid top-posting)
>
> See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important
>
> Please paste the corresponding lines directly, as text, in your next
> message.
>
>
>> John Ellis
>>
>> 405.285.2500 office
>>
>> http://biz-e.io
>>
>> -Original Message-
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Wednesday, September 20, 2017 10:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 20.09.2017 17:07, John Ellis wrote:
>>
>>   > All of what I have done so far has been in Tomcat version 9, which
>> I
>>
>>   > downloaded from the Apache Tomcat website. The way I start tomcat
>> is
>>
>>   > by running the command ./startup.sh from within the
>>
>>   > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>
>>   > command ./shutdown.sh from the same directory.
>>
>>   >
>>
>> Ok, perfect. So there is only one tomcat9 we can be talking about, and
>> one server.xml file. And since this is a "standard tomcat", that
>> server.xml must be in .. let me look at the logfile again) ..
>>
>> 08-Sep-2017 10:05:02.911 INFO [main]
>>
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
>> application directory
>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>
>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>
>> and considering this :
>>
>> 08-Sep-2017 11:31:21.952 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 87 column 6: The content of elements must
>> consist of well-formed character data or markup.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 87; columnNumber:
>>
>> 6; The content of elements must consist of well-formed character data or
> markup.
>>
>> there is something on line 87, position 6, that he does not like.
>>
>> And further down also :
>>
>> 08-Sep-2017 13:17:36.947 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 114 column 6: The string "--" is not permitted
> within comments.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 114; columnNumber:
>>
>> 6; The string "--" is not permitted within comments.
>>
>> but maybe this is not in the server.xml file itself, but in something
>> else that the server.xml references there (like an external "XML entity"
> or something).
>>
>> Why don't you get those 2 lines from your server.xml and paste them here
:
>>
>> ...
>>
>>   > John Ellis
>>
>>   >
>>
>>   > 405.285.2500 office
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   > http://biz-e.io
>>
>>   >
>>
>>   >
>>
>>   > -Original Message-
>>
>>   > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>
>>   > Sent: Wednesday, September 20, 2017 10:02 AM
>>
>>   > To: users@tomcat.apache.org 
>>
>>   > Subject: Re: tomcat ssl setup
>>
>>   >
>>
>>   > On 20.09.2017 15:20, John Ellis wrote:
>>
>>   >> Andre can you tell me which log file you are saying tells where
>> the
>>
>>   >> problem is?
>>
>>   >
>>
>>   > That's the one you uploaded to the dropbox

RE: tomcat ssl setup

2017-09-21 Thread John Ellis
Andre I just realized that I forgot to do the same thing with line 114; here
are all the lines in the section that includes line 114- it starts at line
107 and ends at line 117.
Thanks again,

 

John Ellis

405.285.2500 office


    

http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.

Can you paste here, say, that same line, but with 10 lines before and 10
lines after, and tell at which line number this starts in server.xml (so
that we can compare with the log) ?

The error messages in the log were apparently about comments (between ), so if these lines are (or contain) comments, copy them anyway.


>
>
>
> John Ellis
>
> 405.285.2500 office
>
>
>
>
> http://biz-e.io
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 10:15 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
>
>
> On 21.09.2017 16:43, John Ellis wrote:
>> Thanks so much for the quick reply Andre. There doesn't appear to be
>> anything on line 87 but there is on line 114. See the screenshot I
>> took of the server.xml file below-
>>
>
> Unfortunately, this list strips most attachments, and in fact asks for
> text-only messages.
> (and to avoid top-posting)
>
> See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important
>
> Please paste the corresponding lines directly, as text, in your next
> message.
>
>
>> John Ellis
>>
>> 405.285.2500 office
>>
>> http://biz-e.io
>>
>> -Original Message-
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Wednesday, September 20, 2017 10:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 20.09.2017 17:07, John Ellis wrote:
>>
>>   > All of what I have done so far has been in Tomcat version 9, which
>> I
>>
>>   > downloaded from the Apache Tomcat website. The way I start tomcat
>> is
>>
>>   > by running the command ./startup.sh from within the
>>
>>   > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>
>>   > command ./shutdown.sh from the same directory.
>>
>>   >
>>
>> Ok, perfect. So there is only one tomcat9 we can be talking about, and
>> one server.xml file. And since this is a "standard tomcat", that
>> server.xml must be in .. let me look at the logfile again) ..
>>
>> 08-Sep-2017 10:05:02.911 INFO [main]
>>
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
>> application directory
>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>
>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>
>> and considering this :
>>
>> 08-Sep-2017 11:31:21.952 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 87 column 6: The content of elements must
>> consist of well-formed character data or markup.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 87; columnNumber:
>>
>> 6; The content of elements must consist of well-formed character data or
> markup.
>>
>> there is something on line 87, position 6, that he does not like.
>>
>> And further down also :
>>
>> 08-Sep-2017 13:17:36.947 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 114 column 6: The string "--" is not permitted
> within comments.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 114; columnNumber:
>>
>> 6; The string "--" is not permitted within comments.
>>
>> but maybe this is not in the server.xml file itself, but in something
>> else that the server.xml references there (like an external "XML entity"
> or something).
>>
>> Why don't you get those 2 lines from your server.xml and paste them here
:
>>
>> ...
>>
>>   > John Ellis
>>
>>   >
>>
>>   > 405.285.2500 office
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   > http://biz-e.io
>>
>>   >
>>
>>   >
>>
>>   > -Original Message-
>>
>>   > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>
>>   > Sent: Wednesday, September 20, 2017 10:02 AM
>>
>>   > To: users@tomcat.apache.org 
>>
>>   > Subject: Re: tomcat ssl setup
>>
>>   >
>>
>>   > On 20.09.2017 15:20, John Ellis wrote:
>>
>>   >> Andre can you tell me which log file you are saying tells where
>> the
>>
>>   >> problem is?
>>
>>   >
>>
>>   > That's the one you uploaded to the dropbox :
>>
>>   >   >>
>>
>>   >
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>
>>   >
>>
>>   > I have of course no idea at this point, which tom

RE: tomcat ssl setup

2017-09-21 Thread John Ellis
Sure this is starting with line number 73 thru line 101 so I could get the
entire sections-







John Ellis

405.285.2500 office


    

http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.

Can you paste here, say, that same line, but with 10 lines before and 10
lines after, and tell at which line number this starts in server.xml (so
that we can compare with the log) ?

The error messages in the log were apparently about comments (between ), so if these lines are (or contain) comments, copy them anyway.


>
>
>
> John Ellis
>
> 405.285.2500 office
>
>
>
>
> http://biz-e.io
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 10:15 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
>
>
> On 21.09.2017 16:43, John Ellis wrote:
>> Thanks so much for the quick reply Andre. There doesn't appear to be
>> anything on line 87 but there is on line 114. See the screenshot I
>> took of the server.xml file below-
>>
>
> Unfortunately, this list strips most attachments, and in fact asks for
> text-only messages.
> (and to avoid top-posting)
>
> See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important
>
> Please paste the corresponding lines directly, as text, in your next
> message.
>
>
>> John Ellis
>>
>> 405.285.2500 office
>>
>> http://biz-e.io
>>
>> -Original Message-
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Wednesday, September 20, 2017 10:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 20.09.2017 17:07, John Ellis wrote:
>>
>>   > All of what I have done so far has been in Tomcat version 9, which
>> I
>>
>>   > downloaded from the Apache Tomcat website. The way I start tomcat
>> is
>>
>>   > by running the command ./startup.sh from within the
>>
>>   > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>>
>>   > command ./shutdown.sh from the same directory.
>>
>>   >
>>
>> Ok, perfect. So there is only one tomcat9 we can be talking about, and
>> one server.xml file. And since this is a "standard tomcat", that
>> server.xml must be in .. let me look at the logfile again) ..
>>
>> 08-Sep-2017 10:05:02.911 INFO [main]
>>
>> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
>> application directory
>> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>
>> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>
>> and considering this :
>>
>> 08-Sep-2017 11:31:21.952 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 87 column 6: The content of elements must
>> consist of well-formed character data or markup.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 87; columnNumber:
>>
>> 6; The content of elements must consist of well-formed character data or
> markup.
>>
>> there is something on line 87, position 6, that he does not like.
>>
>> And further down also :
>>
>> 08-Sep-2017 13:17:36.947 SEVERE [main]
>> org.apache.tomcat.util.digester.Digester.fatalError
>>
>> Parse Fatal Error at line 114 column 6: The string "--" is not permitted
> within comments.
>>
>> org.xml.sax.SAXParseException; systemId:
>>
>> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
> 114; columnNumber:
>>
>> 6; The string "--" is not permitted within comments.
>>
>> but maybe this is not in the server.xml file itself, but in something
>> else that the server.xml references there (like an external "XML entity"
> or something).
>>
>> Why don't you get those 2 lines from your server.xml and paste them here
:
>>
>> ...
>>
>>   > John Ellis
>>
>>   >
>>
>>   > 405.285.2500 office
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   >
>>
>>   > http://biz-e.io
>>
>>   >
>>
>>   >
>>
>>   > -Original Message-
>>
>>   > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>
>>   > Sent: Wednesday, September 20, 2017 10:02 AM
>>
>>   > To: users@tomcat.apache.org 
>>
>>   > Subject: Re: tomcat ssl setup
>>
>>   >
>>
>>   > On 20.09.2017 15:20, John Ellis wrote:
>>
>>   >> Andre can you tell me which log file you are saying tells where
>> the
>>
>>   >> problem is?
>>
>>   >
>>
>>   > That's the one you uploaded to the dropbox :
>>
>>   >   >>
>>
>>   >
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>>
>>   >
>>
>>   > I have of course no idea at this point, which tomcat or which
>>
>>   > server.xml this was related to, but i suppose you do.
>>
>

Re: tomcat ssl setup

2017-09-21 Thread tomcat

On 21.09.2017 17:17, John Ellis wrote:

OK. As I said there is nothing on line 87 but here is line 114-

SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"


I think you need to provide a bit more context then.

Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and 
tell at which line number this starts in server.xml (so that we can compare with the log) ?


The error messages in the log were apparently about comments (between ), so if 
these lines are (or contain) comments, copy them anyway.







John Ellis

405.285.2500 office




http://biz-e.io

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 10:15 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup



On 21.09.2017 16:43, John Ellis wrote:

Thanks so much for the quick reply Andre. There doesn't appear to be
anything on line 87 but there is on line 114. See the screenshot I
took of the server.xml file below-



Unfortunately, this list strips most attachments, and in fact asks for
text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important

Please paste the corresponding lines directly, as text, in your next
message.



John Ellis

405.285.2500 office

http://biz-e.io

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, September 20, 2017 10:41 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 17:07, John Ellis wrote:

  > All of what I have done so far has been in Tomcat version 9, which
I

  > downloaded from the Apache Tomcat website. The way I start tomcat
is

  > by running the command ./startup.sh from within the

  > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the

  > command ./shutdown.sh from the same directory.

  >

Ok, perfect. So there is only one tomcat9 we can be talking about, and
one server.xml file. And since this is a "standard tomcat", that
server.xml must be in .. let me look at the logfile again) ..

08-Sep-2017 10:05:02.911 INFO [main]

org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory
[/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]

so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :

08-Sep-2017 11:31:21.952 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError

Parse Fatal Error at line 87 column 6: The content of elements must
consist of well-formed character data or markup.

org.xml.sax.SAXParseException; systemId:

file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:

87; columnNumber:


6; The content of elements must consist of well-formed character data or

markup.


there is something on line 87, position 6, that he does not like.

And further down also :

08-Sep-2017 13:17:36.947 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError

Parse Fatal Error at line 114 column 6: The string "--" is not permitted

within comments.


org.xml.sax.SAXParseException; systemId:

file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:

114; columnNumber:


6; The string "--" is not permitted within comments.

but maybe this is not in the server.xml file itself, but in something
else that the server.xml references there (like an external "XML entity"

or something).


Why don't you get those 2 lines from your server.xml and paste them here :

...

  > John Ellis

  >

  > 405.285.2500 office

  >

  >

  >

  >

  > http://biz-e.io

  >

  >

  > -Original Message-

  > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]

  > Sent: Wednesday, September 20, 2017 10:02 AM

  > To: users@tomcat.apache.org 

  > Subject: Re: tomcat ssl setup

  >

  > On 20.09.2017 15:20, John Ellis wrote:

  >> Andre can you tell me which log file you are saying tells where
the

  >> problem is?

  >

  > That's the one you uploaded to the dropbox :

  >   >>

  >
https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

  >

  > I have of course no idea at this point, which tomcat or which

  > server.xml this was related to, but i suppose you do.

  >

  > I am not seeing it but I may not be even looking for the right thing.

  > I

  >> did open the server.xml file up in an XML file editor program and
it

  >> didn't give any errors.

  >

  > Then it must be that this tomcat who wrote the logfile, is not
looking

  > at the same server.xml file than the one you're looking at.

  > (Or else your XML file editor is not really good)

  >

  > How do you start this tomcat, on your server ?

  > And where did you get this tomcat from ? Is it the one from the
tomcat

  > website ?

  >

  >>

  >> John Ellis

  >>

  >> 405.285.2500 office

  >>

  >>

  >>

  >>

  >> http://biz-e.io

  >>

  >>

  >> -Original Message-

  >> From: André Warnier (tomcat) [mailto:a...@ice-s

"Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-21 Thread Sean Dawson
Hello,

We migrated our application that was running fine on 8.0.37 to 8.5.20 and
on startup we receive:

java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot
store non-PrivateKeys

I unfortunately deleted the logs and under time pressure we had to go back
to 8.0.37 so I don't have the full stacktrace. But I didn't see anything
else in them that looked helpful.

I've googled and couldn't really get any good answers that applied to
us. This seemed a bit similar but we do have sslEnabled set (and the issue
is apparently fixed)...

http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html

I've tried modifying the connector based off the current 8.5
documentation.  But always get the above.

We're on: CentOS release 6.9 (Final),
Java version "1.8.0_144"








RE: tomcat ssl setup

2017-09-21 Thread John Ellis
OK. As I said there is nothing on line 87 but here is line 114-

SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"



John Ellis

405.285.2500 office


    

http://biz-e.io

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 10:15 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup



On 21.09.2017 16:43, John Ellis wrote:
> Thanks so much for the quick reply Andre. There doesn't appear to be 
> anything on line 87 but there is on line 114. See the screenshot I 
> took of the server.xml file below-
>

Unfortunately, this list strips most attachments, and in fact asks for
text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important

Please paste the corresponding lines directly, as text, in your next
message.


> John Ellis
>
> 405.285.2500 office
>
> http://biz-e.io
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Wednesday, September 20, 2017 10:41 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 20.09.2017 17:07, John Ellis wrote:
>
>  > All of what I have done so far has been in Tomcat version 9, which 
> I
>
>  > downloaded from the Apache Tomcat website. The way I start tomcat 
> is
>
>  > by running the command ./startup.sh from within the
>
>  > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
>
>  > command ./shutdown.sh from the same directory.
>
>  >
>
> Ok, perfect. So there is only one tomcat9 we can be talking about, and 
> one server.xml file. And since this is a "standard tomcat", that 
> server.xml must be in .. let me look at the logfile again) ..
>
> 08-Sep-2017 10:05:02.911 INFO [main]
>
> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
> application directory 
> [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>
> so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>
> and considering this :
>
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
>
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
>
>org.xml.sax.SAXParseException; systemId:
>
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
87; columnNumber:
>
> 6; The content of elements must consist of well-formed character data or
markup.
>
> there is something on line 87, position 6, that he does not like.
>
> And further down also :
>
> 08-Sep-2017 13:17:36.947 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
>
> Parse Fatal Error at line 114 column 6: The string "--" is not permitted
within comments.
>
>org.xml.sax.SAXParseException; systemId:
>
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber:
114; columnNumber:
>
> 6; The string "--" is not permitted within comments.
>
> but maybe this is not in the server.xml file itself, but in something 
> else that the server.xml references there (like an external "XML entity"
or something).
>
> Why don't you get those 2 lines from your server.xml and paste them here :
>
> ...
>
>  > John Ellis
>
>  >
>
>  > 405.285.2500 office
>
>  >
>
>  >
>
>  >
>
>  >
>
>  > http://biz-e.io
>
>  >
>
>  >
>
>  > -Original Message-
>
>  > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>
>  > Sent: Wednesday, September 20, 2017 10:02 AM
>
>  > To: users@tomcat.apache.org 
>
>  > Subject: Re: tomcat ssl setup
>
>  >
>
>  > On 20.09.2017 15:20, John Ellis wrote:
>
>  >> Andre can you tell me which log file you are saying tells where 
> the
>
>  >> problem is?
>
>  >
>
>  > That's the one you uploaded to the dropbox :
>
>  >   >>
>
>  > 
> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
>
>  >
>
>  > I have of course no idea at this point, which tomcat or which
>
>  > server.xml this was related to, but i suppose you do.
>
>  >
>
>  > I am not seeing it but I may not be even looking for the right thing.
>
>  > I
>
>  >> did open the server.xml file up in an XML file editor program and 
> it
>
>  >> didn't give any errors.
>
>  >
>
>  > Then it must be that this tomcat who wrote the logfile, is not 
> looking
>
>  > at the same server.xml file than the one you're looking at.
>
>  > (Or else your XML file editor is not really good)
>
>  >
>
>  > How do you start this tomcat, on your server ?
>
>  > And where did you get this tomcat from ? Is it the one from the 
> tomcat
>
>  > website ?
>
>  >
>
>  >>
>
>  >> John Ellis
>
>  >>
>
>  >> 405.285.2500 office
>
>  >>
>
>  >>
>
>  >>
>
>  >>
>
>  >> http://biz-e.io
>
>  >>
>
>  >>
>
>  >> -Original Message-
>
>  >> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>
>  >> Sent: Tuesday, September 19, 2017 3:47 PM
>
>  >> To: users@tomcat.apache.org 
>
>  >> Subject: Re: tomcat ssl setup
>
>  >>
>
>  >>

Re: tomcat ssl setup

2017-09-21 Thread tomcat



On 21.09.2017 16:43, John Ellis wrote:

Thanks so much for the quick reply Andre. There doesn't appear to be anything on line 87
but there is on line 114. See the screenshot I took of the server.xml file below-

Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users  --> Important

Please paste the corresponding lines directly, as text, in your next message.

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, September 20, 2017 10:41 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 17:07, John Ellis wrote:
 > All of what I have done so far has been in Tomcat version 9, which I
 > downloaded from the Apache Tomcat website. The way I start tomcat is
 > by running the command ./startup.sh from within the
 > apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
 > command ./shutdown.sh from the same directory.
 >

Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml
file. And since this is a "standard tomcat", that server.xml must be in .. (let me look at
the logfile again) ..

08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]

so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :

08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
   org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

there is something on line 87, position 6, that he does not like.

And further down also :

08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
   org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.

but maybe this is not in the server.xml file itself, but in something else that the
server.xml references there (like an external "XML entity" or something).

Why don't you get those 2 lines from your server.xml and paste them here :

...

 > John Ellis
 > 405.285.2500 office
 > http://biz-e.io
 >
 > -Original Message-
 > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
 > Sent: Wednesday, September 20, 2017 10:02 AM
 > To: users@tomcat.apache.org
 > Subject: Re: tomcat ssl setup
 >
 > On 20.09.2017 15:20, John Ellis wrote:
 >> Andre can you tell me which log file you are saying tells where the
 >> problem is?
 >
 > That's the one you uploaded to the dropbox :
 > https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
 >
 > I have of course no idea at this point, which tomcat or which
 > server.xml this was related to, but i suppose you do.
 >
 >> I am not seeing it but I may not be even looking for the right thing. I
 >> did open the server.xml file up in an XML file editor program and it
 >> didn't give any errors.
 >
 > Then it must be that this tomcat who wrote the logfile, is not looking
 > at the same server.xml file than the one you're looking at.
 > (Or else your XML file editor is not really good)
 >
 > How do you start this tomcat, on your server ?
 > And where did you get this tomcat from ? Is it the one from the tomcat
 > website ?
 >
 >> John Ellis
 >> 405.285.2500 office
 >> http://biz-e.io
 >>
 >> -Original Message-
 >> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
 >> Sent: Tuesday, September 19, 2017 3:47 PM
 >> To: users@tomcat.apache.org
 >> Subject: Re: tomcat ssl setup
 >>
 >> On 19.09.2017 20:17, John Ellis wrote:
 >>> Here are the tomcat 9 log file DropBox links-
 >>>
 >>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
 >>
 >> Well, there you go. It tells you explicitly where you made the
 >> mistakes, up to the file and line numbers.
 >> I can't see your server.xml, but I would bet that you have modified
 >> it, by surrounding some XML comment sections by another comment pair
 >>  That crashes because XML does not allow that.
 >> You cannot have this kind of thing :
 >>
 >>   -->
 >>
 >>>
 >>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.t
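
Added example (not part of the thread, and not Tomcat's own code): a pre-start check for the nested-comment mistake described above, using Python's expat parser to report the failing line and a text scan to find any `<!--` that sits inside an already open comment. The server.xml snippets are constructed for illustration, and expat words the error differently from the Xerces message seen in the catalina log.

```python
import re
import xml.parsers.expat as expat

# Constructed sample: a connector that was commented out by wrapping an
# existing comment in a second comment pair (not the poster's real file).
BROKEN = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <!-- Define a TLS connector on port 8443 -->
    <Connector port="8443" SSLEnabled="true" />
    -->
  </Service>
</Server>
"""

# Same intent with a single comment pair and no "--" inside it.
FIXED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- TLS connector on port 8443, disabled:
    <Connector port="8443" SSLEnabled="true" />
    -->
  </Service>
</Server>
"""


def first_parse_error(xml_text):
    """Return None if well-formed, else (line, column, message), 1-based."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        return exc.lineno, exc.offset + 1, expat.ErrorString(exc.code)
    return None


def nested_comment_openers(xml_text):
    """Lines (1-based) where '<!--' occurs while a comment is already open.

    Text heuristic: it ignores CDATA sections, which server.xml rarely has.
    """
    hits, in_comment = [], False
    for m in re.finditer(r"<!--|-->", xml_text):
        if m.group() == "<!--":
            if in_comment:
                hits.append(xml_text.count("\n", 0, m.start()) + 1)
            in_comment = True
        else:
            in_comment = False
    return hits


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, first_parse_error(text), nested_comment_openers(text))
```

Running the same two functions on the contents of conf/server.xml before startup.sh gives the line to look at without waiting for the Digester error in the log.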

RE: tomcat ssl setup

2017-09-21 Thread John Ellis
Thanks so much for the quick reply Andre. There doesn't appear to be
anything on line 87 but there is on line 114. See the screenshot I took of
the server.xml file below-

John Ellis
405.285.2500 office
http://biz-e.io


Re: Need help on Tomcat 9.0.x release

2017-09-21 Thread Violeta Georgieva
2017-09-21 16:17 GMT+03:00 Rémy Maucherat :
>
> On Thu, Sep 21, 2017 at 3:12 PM, Mark Thomas  wrote:
>
> > On 21/09/17 10:35, Inderjeet Banwait wrote:
> > > Hi Mark,
> > >
> > > Java EE 8 is already released. Can we expect a stable release by the end
> > > of September 2017?
> >
> > Servlet 4.0 was released on 5 September 2017.
> > Java EE 8 platform was released on 18 September 2017.
> >
> > It would have been helpful if Oracle had mentioned either of those
> > releases to the Servlet EG members.
> >
> > I've taken a very quick look and the relevant specifications for Tomcat
> > are:
> > - Java 8        (complete)
> > - Servlet 4.0   (should be complete but need to check for last minute
> >                  changes)
> > - JSP 2.3       (no change from Java EE 7 / Tomcat 8.x)
> > - EL 3.0        (no change from Java EE 7 / Tomcat 8.x)
> > - WebSocket 1.1 (no change from Tomcat 8.x)
> > - JASPIC 1.1    (no change from Java EE 7 / Tomcat 8.x)
> >
> >
> > The Tomcat team is a little busy elsewhere at the moment. A stable
> > Tomcat 9 release in September is highly unlikely.
> >
> > Releases are typically on a monthly basis with the process starting at
> > the beginning of the month. The September releases are complete for
> > 9.0.x and 8.5.x and would have been announced if it wasn't for
> > CVE-2017-12617.
> >
>
> Since we'll revote, we could include the option to vote the new 9.0 build
> as beta. Since it's very close to 8.5, I don't see any problem with that.


+1

Regards, Violeta


Re: Need help on Tomcat 9.0.x release

2017-09-21 Thread Rémy Maucherat
On Thu, Sep 21, 2017 at 3:12 PM, Mark Thomas  wrote:

> On 21/09/17 10:35, Inderjeet Banwait wrote:
> > Hi Mark,
> >
> > Java EE 8 is already released. Can we expect a stable release by the end
> > of September 2017?
>
> Servlet 4.0 was released on 5 September 2017.
> Java EE 8 platform was released on 18 September 2017.
>
> It would have been helpful if Oracle had mentioned either of those
> releases to the Servlet EG members.
>
> I've taken a very quick look and the relevant specifications for Tomcat
> are:
> - Java 8        (complete)
> - Servlet 4.0   (should be complete but need to check for last minute
>                  changes)
> - JSP 2.3       (no change from Java EE 7 / Tomcat 8.x)
> - EL 3.0        (no change from Java EE 7 / Tomcat 8.x)
> - WebSocket 1.1 (no change from Tomcat 8.x)
> - JASPIC 1.1    (no change from Java EE 7 / Tomcat 8.x)
>
>
> The Tomcat team is a little busy elsewhere at the moment. A stable
> Tomcat 9 release in September is highly unlikely.
>
> Releases are typically on a monthly basis with the process starting at
> the beginning of the month. The September releases are complete for
> 9.0.x and 8.5.x and would have been announced if it wasn't for
> CVE-2017-12617.
>

Since we'll revote, we could include the option to vote the new 9.0 build
as beta. Since it's very close to 8.5, I don't see any problem with that.

Rémy


>
> Assuming that there have been no / trivial changes to the Servlet API
> since the EG last saw it, I'd expect the October release to be either
> beta or stable depending on how the community votes. If it is beta, the
> community will consider whether to change that to stable for each
> subsequent release until we have a first stable release. My personal
> view is that we could get to a stable release pretty quickly. But I am
> only one voice and this is a decision that the community makes.
>
> Mark
>
>
>
> >
> > Thanks,
> > Inderjeet
> >
> > -Original Message-
> > From: Mark Thomas [mailto:ma...@apache.org]
> > Sent: Thursday, September 21, 2017 1:58 PM
> > To: Tomcat Users List
> > Subject: Re: Need help on Tomcat 9.0.x release
> >
> > On 21/09/17 08:57, Inderjeet Banwait wrote:
> >> Hi,
> >>
> >>
> >>
> >> We are Oracle Knowledge team from Oracle and want to upgrade our
> >> product to support Tomcat 9.0.x but as per the version pages from Tomcat
> >> wiki it is not stable.
> >>
> >> We want to know when we can have a stable Tomcat 9.0.x release?
> >
> > Shortly after Oracle release Java EE 8.
> >
> > Mark


Re: Need help on Tomcat 9.0.x release

2017-09-21 Thread Mark Thomas
On 21/09/17 10:35, Inderjeet Banwait wrote:
> Hi Mark,
> 
> Java EE 8 is already released. Can we expect a stable release by the end of
> September 2017?

Servlet 4.0 was released on 5 September 2017.
Java EE 8 platform was released on 18 September 2017.

It would have been helpful if Oracle had mentioned either of those
releases to the Servlet EG members.

I've taken a very quick look and the relevant specifications for Tomcat are:
- Java 8        (complete)
- Servlet 4.0   (should be complete but need to check for last minute
                 changes)
- JSP 2.3       (no change from Java EE 7 / Tomcat 8.x)
- EL 3.0        (no change from Java EE 7 / Tomcat 8.x)
- WebSocket 1.1 (no change from Tomcat 8.x)
- JASPIC 1.1    (no change from Java EE 7 / Tomcat 8.x)


The Tomcat team is a little busy elsewhere at the moment. A stable
Tomcat 9 release in September is highly unlikely.

Releases are typically on a monthly basis with the process starting at
the beginning of the month. The September releases are complete for
9.0.x and 8.5.x and would have been announced if it wasn't for
CVE-2017-12617.

Assuming that there have been no / trivial changes to the Servlet API
since the EG last saw it, I'd expect the October release to be either
beta or stable depending on how the community votes. If it is beta, the
community will consider whether to change that to stable for each
subsequent release until we have a first stable release. My personal
view is that we could get to a stable release pretty quickly. But I am
only one voice and this is a decision that the community makes.

Mark



> 
> Thanks,
> Inderjeet 
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Thursday, September 21, 2017 1:58 PM
> To: Tomcat Users List
> Subject: Re: Need help on Tomcat 9.0.x release
> 
> On 21/09/17 08:57, Inderjeet Banwait wrote:
>> Hi,
>>
>>  
>>
>> We are Oracle Knowledge team from Oracle and want to upgrade our product to 
>> support Tomcat 9.0.x but as per the version pages from Tomcat wiki it is not 
>> stable.
>>
>> We want to know when we can have a stable Tomcat 9.0.x release?
> 
> Shortly after Oracle release Java EE 8.
> 
> Mark



RE: Need help on Tomcat 9.0.x release

2017-09-21 Thread Inderjeet Banwait
Hi Mark,

Java EE 8 is already released. Can we expect a stable release by the end of
September 2017?

Thanks,
Inderjeet 

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, September 21, 2017 1:58 PM
To: Tomcat Users List
Subject: Re: Need help on Tomcat 9.0.x release

On 21/09/17 08:57, Inderjeet Banwait wrote:
> Hi,
> 
>  
> 
> We are Oracle Knowledge team from Oracle and want to upgrade our product to 
> support Tomcat 9.0.x but as per the version pages from Tomcat wiki it is not 
> stable.
> 
> We want to know when we can have a stable Tomcat 9.0.x release?

Shortly after Oracle release Java EE 8.

Mark




Re: Need help on Tomcat 9.0.x release

2017-09-21 Thread Mark Thomas
On 21/09/17 08:57, Inderjeet Banwait wrote:
> Hi,
> 
>  
> 
> We are Oracle Knowledge team from Oracle and want to upgrade our product to 
> support Tomcat 9.0.x but as per the version pages from Tomcat wiki it is not 
> stable.
> 
> We want to know when we can have a stable Tomcat 9.0.x release?

Shortly after Oracle release Java EE 8.

Mark




Re: Tomcat 7/8/9 context path restrictions/validation

2017-09-21 Thread Mark Thomas
On 20/09/17 10:47, Konstantin Ryadov wrote:
> 
> Hello!
> Could you explain context path (e.g. described on  
> https://tomcat.apache.org/tomcat-7.0-doc/config/context.html ) value set in 
> server.xml limitations?
> Does it exist any context path validation (unescaped symbols, whitespaces and 
> so on)?
> Is first “/” always required in context path value? What is the difference 
> between value with first “/” and without?

A leading "/" is required unless it is the root context in which case
the path is "".

"/" and "/ROOT" are both always converted to "".


"/" and "#" are reserved since they have special meanings.

Other than that, anything goes. If you use characters that are not
permitted in a URL then you'll need to use %nn escaping when writing the
request URL. The OS may also limit the characters that can be used.

Mark





Need help on Tomcat 9.0.x release

2017-09-21 Thread Inderjeet Banwait
Hi,

 

We are Oracle Knowledge team from Oracle and want to upgrade our product to 
support Tomcat 9.0.x but as per the version pages from Tomcat wiki it is not 
stable.

We want to know when we can have a stable Tomcat 9.0.x release?

 

Thanks,

Inderjeet