-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 William,
On 10/21/16 4:37 PM, William Boyd wrote: > Hello, > > I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was > working great until I enabled SSL with a self-signed certificate. I > am able to recreated the issue on 8.5.5. I finally had to down > graded to 8.5.4 to get SSL working with identical configuration and > cert. > > I want to be sure that this is not a known issue and that I'm not > doing something wrong before I create a bug report. > > Server version: Apache Tomcat/8.5.5 64-bit OS Name: > Windows 7 JVM Version: 1.8.0_102-b14 > > The cert was generated with this command: keytool -genkeypair > -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" > -storepass changeit -validity 360 -keysize 2048 -dname > CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA > > Configuration includes adding > -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS I think this might be the problem. Tomcat doesn't use javax.net.ssl.trustStore except as a backup in case you haven't specified a trust store in your <Connector>. You have pointed that system property at a keystore, not a trust store. Technically, they are the same format, but they are used for different things. If you need that for making your own outgoing TLS connections then leave it in there and we'll try to get it to work, otherwise it's just confusing and might cause Tomcat to do weird things. > and using this connector config > > <Connector port="8002" protocol="HTTP/1.1" > connectionTimeout="60000" maxThreads="200" minSpareThreads="4" > enableLookups="false" compression="on" server="Apache" > scheme="https" secure="true" SSLEnabled="true" > keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit" > keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/> Looks good so far. > Here is the exception I get at startup > > 13-Oct-2016 15:05:17.309 SEVERE [main] > org.apache.coyote.AbstractProtocol.init Failed to initialize end > point associated with ProtocolHandler ["https-openssl-nio-8001"] > java.lang.IllegalArgumentException: > java.security.InvalidAlgorithmParameterException: the trustAnchors > parameter must be non-empty at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr actJsseEndpoint.java:103) > > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(Abstract JsseEndpoint.java:81) > > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) > at > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java :866) > > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo int.java:213) > > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575) > at > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Pro tocol.java:65) > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:9 44) > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > > at > org.apache.catalina.core.StandardService.initInternal(StandardService. java:549) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > at > org.apache.catalina.core.StandardServer.initInternal(StandardServer.ja va:873) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > at org.apache.catalina.startup.Catalina.load(Catalina.java:606) at > org.apache.catalina.startup.Catalina.load(Catalina.java:629) at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j ava:62) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess orImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) > Caused by: java.security.InvalidAlgorithmParameterException: the > trustAnchors parameter must be non-empty at > java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java: 200) > > at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) > at > java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters. java:130) > > at > org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:3 41) > > at > org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.jav a:273) > > at > org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSS LUtil.java:93) > > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr actJsseEndpoint.java:101) > > ... 20 more Tomcat is choking when trying to load the trust managers, which is synonymous with loading the data from the "trust store". You don't need a "trust store", otherwise you'd have specified is in the <Connector>. Try just removing that system property and see what happens. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYCoL9AAoJEBzwKT+lPKRY/U8P/jcDIEa5NGYMTGLdG3d3lfpC 1fFHqFRubEK4HLo+NxT2MSZJMsVN2cHr8CJ5WZ2RuGQcU9ETDHbFFBbAFopTC4Qb pjLZ6n3B5ATRQ4kkt2vCFqsubkZLXYBhXx559YyprEDgDmDt1HYHoeTnU5mRv+nn ieQSlBTBXV5Cds1R7/BLFYQqvEtuMnVYTIem173Wi/WOKU4IvZk3qG2Xq/46pB+b NfbntVMfCSRCYNEePmbr3NufyhgeMTC6VMXQSaPy3Yk3uupz7DXE94xykQP2gf7d RtjkPkZstypMWwSgDX5v4mOdO+ndRUzEyJD2arvjCCuZACW94V7mjuO5kEg0P3kK JSnfHO2G7/g/JdMuhCjuJnjDZSMDLPQxFbmnQSmqwe9DlodZC1MswUy5FId8z+Lw 8jzZl1gxqhncUXc8ZqUos3gcztkvl2dCdHF+aLHXEgR4d/NPod8C/qUXLU6vV8xP Zzq3k2OJL+HcG+MbU+05w/n0pCtGjeJSFkW9/2usAjn+UMaS2WypY2cQLZ1gnpX3 Zn4rl//swfNIszKIzfWi0y2jTF63OBGojH9xnfrsdZqYZ1K0ICb3H2rkz6p7e3R1 UFOyRpEIgajI3SVxBGVXT8ndiUWh8QAn9besOxAWEvgnT66ltsWZhoWG8eHxKiRQ WZknowyaMfqy58v3e+6o =ReMj -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
