-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 William,
On 10/21/16 6:08 PM, William Boyd wrote: > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > William, > > On 10/21/16 4:37 PM, William Boyd wrote: >>>> Hello, >>>> >>>> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything >>>> was working great until I enabled SSL with a self-signed >>>> certificate. I am able to recreated the issue on 8.5.5. I >>>> finally had to down graded to 8.5.4 to get SSL working with >>>> identical configuration and cert. >>>> >>>> I want to be sure that this is not a known issue and that I'm >>>> not doing something wrong before I create a bug report. >>>> >>>> Server version: Apache Tomcat/8.5.5 64-bit OS Name: >>>> Windows 7 JVM Version: 1.8.0_102-b14 >>>> >>>> The cert was generated with this command: keytool >>>> -genkeypair -keyalg RSA -alias tomcat -keystore >>>> "C:/keys/keystore.jsk" -storepass changeit -validity 360 >>>> -keysize 2048 -dname >>>> CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA >>>> >>>> Configuration includes adding >>>> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS > > I think this might be the problem. Tomcat doesn't use > javax.net.ssl.trustStore except as a backup in case you haven't > specified a trust store in your <Connector>. You have pointed that > system property at a keystore, not a trust store. Technically, > they are the same format, but they are used for different things. > > If you need that for making your own outgoing TLS connections then > leave it in there and we'll try to get it to work, otherwise it's > just confusing and might cause Tomcat to do weird things. > >>>> and using this connector config >>>> >>>> <Connector port="8002" protocol="HTTP/1.1" >>>> connectionTimeout="60000" maxThreads="200" >>>> minSpareThreads="4" enableLookups="false" compression="on" >>>> server="Apache" scheme="https" secure="true" >>>> SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk" >>>> keystorePass="changeit" keyAlias="tomcat" clientAuth="false" >>>> sslProtocol="TLS"/> > > Looks good so far. > >>>> Here is the exception I get at startup >>>> >>>> 13-Oct-2016 15:05:17.309 SEVERE [main] >>>> org.apache.coyote.AbstractProtocol.init Failed to initialize >>>> end point associated with ProtocolHandler >>>> ["https-openssl-nio-8001"] >>>> java.lang.IllegalArgumentException: >>>> java.security.InvalidAlgorithmParameterException: the >>>> trustAnchors parameter must be non-empty at >>>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Ab str > >>>> actJsseEndpoint.java:103) >>>> >>>> > at >>>> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(Abstr act > >>>> JsseEndpoint.java:81) >>>> >>>> > at > org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) >>>> at >>>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.j ava > >>>> :866) >>>> >>>> > at >>>> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEn dpo > >>>> int.java:213) >>>> >>>> > at > org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575) >>>> at >>>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11 Pro > >>>> tocol.java:65) >>>> >>>> > at > org.apache.catalina.connector.Connector.initInternal(Connector.java:9 > > 44) >>>> at >>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >>>> >>>> > >>>> at >>>> org.apache.catalina.core.StandardService.initInternal(StandardServi ce. > >>>> java:549) >>>> >>>> > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >>>> > at >>>> org.apache.catalina.core.StandardServer.initInternal(StandardServer .ja > >>>> va:873) >>>> >>>> > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >>>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:606) at >>>> org.apache.catalina.startup.Catalina.load(Catalina.java:629) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>>> Method) at >>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImp l.j > >>>> ava:62) >>>> >>>> > at >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcc ess > >>>> orImpl.java:43) >>>> >>>> > at java.lang.reflect.Method.invoke(Method.java:498) >>>> at >>>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) >>>> >>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >>>> Caused by: java.security.InvalidAlgorithmParameterException: >>>> the trustAnchors parameter must be non-empty at >>>> java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.ja va: > >>>> 200) >>>> >>>> > at > java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) >>>> at >>>> java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParamete rs. > >>>> java:130) >>>> >>>> > at >>>> org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.jav a:3 > >>>> 41) >>>> >>>> > at >>>> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil. jav > >>>> a:273) >>>> >>>> > at >>>> org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(Ope nSS > >>>> LUtil.java:93) >>>> >>>> > at >>>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Ab str > >>>> actJsseEndpoint.java:101) >>>> >>>> > ... 20 more > > Tomcat is choking when trying to load the trust managers, which is > synonymous with loading the data from the "trust store". You don't > need a "trust store", otherwise you'd have specified is in the > <Connector>. > > Try just removing that system property and see what happens. > > -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > Hi Christopher, > > Thanks for the quick response. > > I tried your suggestion but when I connect to the site via https, > tomcat returns a blank page with the SSLHandshakeException in it. > I’m not entirely sure but this may be a result of our use of AXIS > for communication between WARs in the deployed application. > > Caught Exception (javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target): ; > nested exception is: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > > The catalina log contains this stacktrace > > 2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] > - org.apache.axis.AxisFault: ; nested exception is: > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target at > org.apache.axis.AxisFault.makeFault(AxisFault.java:101) > ~[axis-1.4.jar:na] at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) > > ~[axis-1.4.jar:na] > : : Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target at > sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > ~[na:1.8.0_102] at > sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) > ~[na:1.8.0_102] at > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > ~[na:1.8.0_102] at > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > ~[na:1.8.0_102] at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.j ava:1509) > > ~[na:1.8.0_102] > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java :216) > > ~[na:1.8.0_102] > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) > ~[na:1.8.0_102] at > sun.security.ssl.Handshaker.process_record(Handshaker.java:914) > ~[na:1.8.0_102] at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) > ~[na:1.8.0_102] at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.j ava:1375) > > ~[na:1.8.0_102] > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > > ~[na:1.8.0_102] > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > > ~[na:1.8.0_102] > at > org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFact ory.java:186) > > ~[axis-1.4.jar:na] > at > org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:19 1) > > ~[axis-1.4.jar:na] > at > org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.jav a:404) > > ~[axis-1.4.jar:na] > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) > > ~[axis-1.4.jar:na] > ... 38 common frames omitted Caused by: > sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) > > ~[na:1.8.0_102] > at > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java :292) > > ~[na:1.8.0_102] > at sun.security.validator.Validator.validate(Validator.java:260) > ~[na:1.8.0_102] at > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.ja va:324) > > ~[na:1.8.0_102] > at > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImp l.java:229) > > ~[na:1.8.0_102] > at > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMana gerImpl.java:124) > > ~[na:1.8.0_102] > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.j ava:1491) > > ~[na:1.8.0_102] > ... 49 common frames omitted Caused by: > sun.security.provider.certpath.SunCertPathBuilderException: unable > to find valid certification path to requested target at > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBui lder.java:141) > > ~[na:1.8.0_102] > at > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertP athBuilder.java:126) > > ~[na:1.8.0_102] > at > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > ~[na:1.8.0_102] at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) > > ~[na:1.8.0_102] > ... 55 common frames omitted If you need to make outgoing TLS connections to servers with certificates not trusted by Java's stock trust store, you'll have to supply your own. Do you have anything in the trust store other than the server's key and certificate? Are you making loopback connections? I'm surprised that this either worked in the past or is failing now. I'm not sure which makes more sense. There's no particular reason why I "keystore" couldn't be used as a "truststore"... the only difference is that "keystores" usually contain keys and certs, while "truststores" usually only contain certificates. I wonder if it has something to do with the aliases used or something. If in fact using the keystore as a trust store is tripping-up Tomcat, I'd say that's a bug that needs to be fixed. Try this: whatever certificate you need to TRUST needs to be in your trust store. Try creating a new keystore that contains nothing but the certificate you expect to trust, then configure *that* as your trust store (system property), leaving the keystore as-is -- configured as Tomcat's keystore. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYDTaRAAoJEBzwKT+lPKRYFy4QAI5vHVUofkmImGCO3gth+fQ6 tYk2FatDLqGk332UGZnzLbrJxPXNE+DazzPjOyaIMETFzxInY9z32ABqQqWIZRp0 ItZtLPuUsQTh108UIGU1yVaEG2XhFAE90QfO63JEI5r/d6gzI+lNj6Kfv0aEMNNG dgvTxUIjBCrEzBekoEPwP3XtYZSGtr2u+CxxO+OMKNKiLLWEGQQHk/CRZjAgosPy iHsEjAQiDvkqkRaJTMyqpbx43CM/eS5X1facftvWsdYiVTsXgzwgEH3vQXLTuByw XGjH4IwFsvT92AJ/0C1FgQHcXasGF6HwYKkPMHI/s1cZWMwKmFaDT0EeMdrxC9ll EbrXui6VQi8Hf3ya5nFWRwrvlN51PshortQ7eEx2MOP7XQFeHr6i8k+5LCmeQBcQ +STseFmbSIFyUu2SjDKIDluIUWppJhGodIH84hJMj8UCtXlGbE9u2D7wIloQz1El GzJuooYP6P+Rm5PWaGuT5WNnVAfNkAJ0h9B8CRBc+KQkXYDBFlD3XFx1zL46iU+x aFWi2UqJJhNKXW3j111HP31CA77XJCHHsbJpwotqEwO3+1ChToK7WV+3tUBzax3w i8UB+b38e7y2ZlT0B2D5wHu/aPJ+Sx2w/ThJmz5wgpU7EshNkSUW1TBmz7MCFvgW fJ071CkiXAb1UnBxchZT =VMdG -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
