On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> William,
>
> On 10/21/16 4:37 PM, William Boyd wrote:
> > Hello,
> >
> > I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was
> > working great until I enabled SSL with a self-signed certificate. I
> > am able to recreate the issue on 8.5.5. I finally had to downgrade
> > to 8.5.4 to get SSL working with identical configuration and cert.
> >
> > I want to be sure that this is not a known issue and that I'm not
> > doing something wrong before I create a bug report.
> >
> > Server version: Apache Tomcat/8.5.5 64-bit
> > OS Name: Windows 7
> > JVM Version: 1.8.0_102-b14
> >
> > The cert was generated with this command:
> >
> >   keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk"
> >     -storepass changeit -validity 360 -keysize 2048
> >     -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> >
> > Configuration includes adding
> > -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
>
> I think this might be the problem. Tomcat doesn't use
> javax.net.ssl.trustStore except as a backup in case you haven't
> specified a trust store in your <Connector>. You have pointed that
> system property at a keystore, not a trust store. Technically, they
> are the same format, but they are used for different things.
>
> If you need that for making your own outgoing TLS connections then
> leave it in there and we'll try to get it to work, otherwise it's just
> confusing and might cause Tomcat to do weird things.
>
> > and using this connector config
> >
> >   <Connector port="8002" protocol="HTTP/1.1"
> >              connectionTimeout="60000" maxThreads="200" minSpareThreads="4"
> >              enableLookups="false" compression="on" server="Apache"
> >              scheme="https" secure="true" SSLEnabled="true"
> >              keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit"
> >              keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/>
>
> Looks good so far.
> > Here is the exception I get at startup
> >
> > 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
> >  java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> >         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> >         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> >         at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> >         at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> >         at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> >         at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> >         at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> >         at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> >         ... 20 more
>
> Tomcat is choking when trying to load the trust managers, which is
> synonymous with loading the data from the "trust store". You don't
> need a "trust store", otherwise you'd have specified it in the
> <Connector>.
>
> Try just removing that system property and see what happens.
>
> - -chris

Hi Christopher,

Thanks for the quick response. I tried your suggestion, but when I connect to the site via https, Tomcat returns a blank page with the SSLHandshakeException in it. I'm not entirely sure, but this may be a result of our use of AXIS for communication between WARs in the deployed application.
Caught Exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target): ; nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The catalina log contains this stacktrace:

2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] - org.apache.axis.AxisFault: ; nested exception is:
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) ~[axis-1.4.jar:na]
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) ~[axis-1.4.jar:na]
        :
        :
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_102]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_102]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_102]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_102]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_102]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_102]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_102]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_102]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_102]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_102]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_102]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_102]
        at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) ~[axis-1.4.jar:na]
        at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) ~[axis-1.4.jar:na]
        at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) ~[axis-1.4.jar:na]
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) ~[axis-1.4.jar:na]
        ... 38 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_102]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_102]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_102]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_102]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_102]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_102]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_102]
        ... 49 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_102]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_102]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_102]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_102]
        ... 55 common frames omitted

Regards
Will
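The two stack traces in this thread are two sides of the distinction Chris draws between a key store and a trust store. A key store holds the server's identity as a PrivateKeyEntry; a trust store holds TrustedCertificateEntry anchors used to validate peers. JSSE's PKIXBuilderParameters(KeyStore, ...) collects its trust anchors only from trusted-certificate entries, so pointing javax.net.ssl.trustStore at a store whose only entry is the `tomcat` private key yields exactly "the trustAnchors parameter must be non-empty" seen in JSSEUtil.getParameters. Once that property is removed, an in-JVM client such as Axis validates the self-signed server certificate against the JDK's default cacerts, which does not contain it, hence "PKIX path building failed". The Java program below is an added illustration, not code from the thread or from Tomcat: it inspects such a key store, reproduces the PKIX check that fails, and derives a trust store that carries the certificate as a trusted entry (the in-process equivalent of `keytool -exportcert` followed by `keytool -importcert`). The key store path and password are the ones from the thread; the output path C:/keys/truststore.jks is an assumption.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;

/**
 * Shows why a key store holding only a PrivateKeyEntry cannot serve as a
 * trust store, and derives a usable trust store from it.
 * Added example for this thread; not part of Tomcat or the original posts.
 */
public class KeystoreVsTruststore {

    /** Classify each entry: PrivateKeyEntry = server identity, TrustedCertificateEntry = trust anchor. */
    static List<String> describeEntries(KeyStore ks) throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry"
                        : ks.isCertificateEntry(alias) ? "TrustedCertificateEntry"
                        : "other";
            out.add(alias + ": " + kind);
        }
        return out;
    }

    /**
     * The same check Tomcat's JSSEUtil.getParameters performs. PKIXBuilderParameters(KeyStore, ...)
     * takes trust anchors only from TrustedCertificateEntry entries; with none present it throws
     * InvalidAlgorithmParameterException("the trustAnchors parameter must be non-empty").
     */
    static boolean usableAsTrustStore(KeyStore ks) throws GeneralSecurityException {
        try {
            new PKIXBuilderParameters(ks, null);
            return true;
        } catch (InvalidAlgorithmParameterException noAnchors) {
            return false;
        }
    }

    /**
     * Build a trust store from the store's contents: the last certificate of every
     * PrivateKeyEntry chain (for a self-signed cert, the cert itself) plus any existing
     * trusted entries, all stored as TrustedCertificateEntry.
     */
    static KeyStore deriveTrustStore(KeyStore ks) throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty in-memory store
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                ts.setCertificateEntry(alias, chain[chain.length - 1]);
            } else if (ks.isCertificateEntry(alias)) {
                ts.setCertificateEntry(alias, ks.getCertificate(alias));
            }
        }
        return ts;
    }

    /** Confirm a PKIX TrustManagerFactory initialises from the derived store. */
    static int trustManagerCount(KeyStore ts) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers().length;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values from the thread; the trust store output path is assumed.
        String keystorePath   = args.length > 0 ? args[0] : "C:/keys/keystore.jsk";
        char[] password       = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String truststorePath = args.length > 2 ? args[2] : "C:/keys/truststore.jks";

        KeyStore ks = KeyStore.getInstance("JKS"); // keytool's default type on Java 8
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        System.out.println("Entries in " + keystorePath + ": " + describeEntries(ks));
        System.out.println("Usable as trust store: " + usableAsTrustStore(ks)); // false for a key-only store

        KeyStore ts = deriveTrustStore(ks);
        System.out.println("Derived trust store usable: " + usableAsTrustStore(ts));
        System.out.println("Trust managers initialised: " + trustManagerCount(ts));
        try (FileOutputStream out = new FileOutputStream(truststorePath)) {
            ts.store(out, password);
        }
        System.out.println("Wrote " + truststorePath + "; point -Djavax.net.ssl.trustStore at this file, not at the key store.");
    }
}
```

Two caveats when applying this to the thread's setup. Setting javax.net.ssl.trustStore replaces the JVM's default cacerts rather than adding to it, so an application that also calls public HTTPS endpoints needs those CA roots imported into the same file (starting from a copy of the JDK's cacerts is the usual approach). And the system property is only for outgoing connections made by code inside the JVM; Tomcat's own connector takes its trust store, when it needs one for client certificates, from the connector configuration rather than from this property.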