I was under the impression that as of 8.5.3 you could do JSSE with OpenSSL, from this page:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File

Excerpt: "Tomcat can use three different implementations of SSL:
- JSSE implementation provided as part of the Java runtime
- JSSE implementation that uses OpenSSL
- APR implementation, which uses the OpenSSL engine by default"

I originally attempted using OpenSSL directly after viewing this post, and this is what my configuration is based off of:
https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/39

If it isn't supported, it is just odd that it did work with 8.5.3.

On Mon, Aug 22, 2016 at 1:08 PM, Kreuser, Peter <pkreu...@airplus.com> wrote:
> Chuck,
>
> > Hello,
> >
> > I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL. It seems
> > that my config from 8.5.3 is not working with 8.5.4 when using the same
> > exact file. The majority of the server.xml is stock, but here is what I
> > have manually changed, and it is where I am encountering my problem....
> >
> > ....
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            scheme="https" secure="true" maxThreads="750"
> >            SSLEnabled="true">
> >   <SSLHostConfig>
> >     <Certificate
> >       certificateFile="/opt/ssl/cert.pem"
> >       certificateChainFile="/opt/ssl/chain.pem"
> >       certificateKeyFile="/opt/ssl/privkey.pem"
> >       type="RSA" />
> >   </SSLHostConfig>
> > </Connector>
> > ....
> >
> > This worked fine with 8.5.3, but I get the following errors in catalina.out
> > on 8.5.4....
> >
> > 22-Aug-2016 12:16:21.139 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> > 22-Aug-2016 12:16:22.119 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [/home/tomcat8/.keystore] due to [/home/tomcat8/.keystore (No such file or directory)]
> > java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or directory)
> <snip>
> >
> > I am attempting to use Let's Encrypt certs on Ubuntu 16.04. My setup is
> > pretty simple, and the only thing I am changing is a symlink between the 8.5.3
> > directory and 8.5.4. With 8.5.3 the SSL connector starts, but with 8.5.4 I
> > get no SSL, with the above error in my logs. Am I missing something? Any
> > pointers or help would be greatly appreciated!
>
> It seems to me that Tomcat requests JKS certificates but you give OpenSSL
> options (certificateFile, certificateChainFile, certificateKeyFile).
>
> Documentation says:
> "If the installation uses APR - i.e. you have installed the Tomcat native
> library - then it will use the JSSE OpenSSL implementation, otherwise it
> will use the Java JSSE implementation."
>
> Or:
> "Note: If tomcat-native is installed, the configuration will use JSSE
> with an OpenSSL implementation, which supports either this configuration or
> the APR configuration example given below.
>
> The APR connector uses different attributes for many SSL settings,
> particularly keys and certificates. An example of an APR configuration is:"
>
> So are you using TC Native?
>
> Best regards
>
> Peter
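A small check script, added here and not part of the thread or of Tomcat itself, that does the diagnosis Peter describes: it reads which SSL implementation Tomcat actually initialised from the handler name it logs ("https-jsse-nio-<port>" for the pure-Java implementation, "https-openssl-nio-<port>" for the OpenSSL-backed one) and compares that with whether the Connector's Certificate element is configured with PEM attributes. The log lines and connector fragment are constructed from the ones quoted above; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the catalina.out lines quoted in the thread (not a real log).
CATALINA_OUT = """\
22-Aug-2016 12:16:21.139 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
22-Aug-2016 12:16:22.119 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [/home/tomcat8/.keystore] due to [/home/tomcat8/.keystore (No such file or directory)]
"""

# The connector from the thread, as a constructed server.xml fragment.
SERVER_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                 scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateFile="/opt/ssl/cert.pem" certificateChainFile="/opt/ssl/chain.pem"
                 certificateKeyFile="/opt/ssl/privkey.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>"""

# Tomcat names an HTTPS NIO handler "https-<impl>-nio-<port>": <impl> is "jsse" for the
# pure-Java implementation and "openssl" for the JSSE API backed by tomcat-native/OpenSSL.
HANDLER_RE = re.compile(r'Initializing ProtocolHandler \["https-(jsse|openssl)-\w+-(\d+)"\]')
KEYSTORE_RE = re.compile(r'Failed to load keystore type \[(\w+)\] with path \[([^\]]+)\]')
PEM_ATTRS = {"certificateFile", "certificateKeyFile", "certificateChainFile"}

def ssl_implementations(log_text):
    """Port -> implementation Tomcat actually initialised, read from the logged handler name."""
    return {int(m.group(2)): m.group(1) for m in HANDLER_RE.finditer(log_text)}

def certificate_style(connector_xml):
    """'pem' if the Certificate element uses PEM attributes, else 'keystore' (explicit or default)."""
    cert = ET.fromstring(connector_xml).find("./SSLHostConfig/Certificate")
    attrs = set(cert.attrib) if cert is not None else set()
    return "pem" if attrs & PEM_ATTRS else "keystore"

def check(connector_xml, log_text):
    """Findings for one connector; an empty list means config and runtime agree."""
    port = int(ET.fromstring(connector_xml).get("port"))
    impl = ssl_implementations(log_text).get(port)
    findings = []
    if impl is None:
        findings.append(f"port {port}: no HTTPS handler initialised")
    elif impl == "jsse" and certificate_style(connector_xml) == "pem":
        findings.append(f"port {port}: handler is https-jsse, so the OpenSSL implementation is not in "
                        "use (tomcat-native not loaded/selected), yet Certificate uses PEM attributes")
    # Any keystore Tomcat tried and failed to open (the default is ~/.keystore when none is set).
    for ks_type, path in KEYSTORE_RE.findall(log_text):
        findings.append(f"keystore [{ks_type}] at {path} could not be opened")
    return findings
```

Run it against a real server.xml connector and catalina.out to see whether the handler name says jsse or openssl before changing any certificate attributes.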