On Tue, Nov 15, 2016 at 10:50 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> William,
>
> On 11/14/16 7:18 PM, William Boyd wrote:
> > First, I'd like to thank everyone for the help.
> >
> > Is it now safe to say that the behaviour we've been taking
> > advantage of is undocumented and will no longer be supported?
> >
> > Also, for those that hit this thread and need to get HTTPS working
> > with a *self-signed* certificate in a dev environment...
> >
> > Here's what worked for me:
> >
> > 1. Copy %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore)
> >
> > 2. Create a *self-signed* certificate with
> >    %JAVA_HOME%\bin\keytool -genkeypair -keyalg RSA -alias myAlias -keystore "C:\keystore\keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country
> >
> > 3. Export the myAlias certificate with
> >    %JAVA_HOME%\bin\keytool -export -alias myAlias -keystore C:\keystore\keystore.jsk -rfc -file C:\keystore\myAlias.cer
> >
> > 4. Import the myAlias certificate into your copy of cacerts with:
> >    %JAVA_HOME%\bin\keytool -import -alias myAlias -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer
> >
> > 5. Add this to setclasspath.bat in tomcat:
> >    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\keystore\cacert"
> >
> > 6. In server.xml, add these attributes to the Connector element
> >    keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit" keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
> >
> > Now you should be good to go in with HTTPS in Tomcat 8.5.5 +
>
> This is exactly what I suggested, except that you set the trust store
> using a system property instead of using truststoreFile in the
> <Connector>. You do not need to duplicate the JRE's trust store. You
> only need your own single certificate in your local truststore.
>
> Can you use keystoreFile and truststoreFile separately pointing to
> those files and re-check that it works? Perhaps Tomcat chokes when
> using the same file for both. That's what I'd like to verify.
>
> - -chris
Hi Christopher,

Thanks, I'm glad to hear I'm heading in the right direction. :)

I tested some more configuration.

Firstly, I removed the system property but retained these Connector
attributes

   keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit" keyAlias="myAlias"
   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"

Then I tried the following:

1. adding truststoreFile="C:\keystore\cacerts" to my Connector and got the
following error in an IE11 browser
   Caught Exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target): ;
   nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target

2. adding truststoreFile="C:\keystore\myAlias.cer" to my Connector and got
the following error at startup
   15-Nov-2016 12:34:57.379 SEVERE [main] org.apache.coyote.AbstractProtocol.init
   Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
   java.lang.IllegalArgumentException: java.io.IOException: Invalid keystore format
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
   :
   Caused by: java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136)
        ... 20 more

3. adding truststoreFile="C:\keystore\keystore.jsk" to my Connector and got
the following error at startup
   15-Nov-2016 12:45:58.625 SEVERE [main] org.apache.coyote.AbstractProtocol.init
   Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
   java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
   :
   Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:332)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:264)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
        ... 20 more

4.  I generated a new trustStore using "keytool -import -file myAlias.cer -alias myAlias -keystore MyTrustStore",
    then I added truststoreFile="C:\keystore\MyTrustStore" to my Connector
    and got the same PKIX error as 1 above.

5.  finally I removed the truststoreFile attribute and used
-Djavax.net.ssl.trustStore="C:\keystore\MyTrustStore"
    This worked...
Let me know if I've misunderstood your request or if there's something
else you'd like me to try.

Regards
Will
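Added example (not code from this thread or from Tomcat): a small Java check, under the hypothetical class name TrustStoreCheck, that loads a candidate truststoreFile the way the stack traces above show Tomcat doing and reports what it holds. It tells apart the "Invalid keystore format" failure (a .cer handed to truststoreFile, step 2) from the "trustAnchors parameter must be non-empty" failure (a keystore holding only the server's PrivateKeyEntry, step 3, since PKIXParameters(KeyStore) takes only trustedCertEntry entries as anchors).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Hypothetical diagnostic (not Tomcat code). Reports what a candidate
 *  truststoreFile holds so the two startup failures above can be told apart.
 *  Usage: java TrustStoreCheck C:\keystore\keystore.jsk changeit */
public class TrustStoreCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
            return ks;
        } catch (IOException e) {
            // A PEM/DER certificate such as the exported myAlias.cer is not a keystore
            // (a wrong password fails here too): the "Invalid keystore format" of step 2.
            System.out.println(path + ": cannot load as keystore (" + e.getMessage() + ")");
            System.out.println("  -> put the .cer into a keystore with keytool -import first");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = load(args[0], password);
        if (ks == null) return;

        int trustedCerts = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trustedCerts++;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trustedCertEntry " + alias + ": " + c.getSubjectX500Principal());
            } else if (ks.isKeyEntry(alias)) {
                System.out.println("PrivateKeyEntry  " + alias + " (not used as a trust anchor)");
            }
        }
        if (trustedCerts == 0) {
            // PKIXParameters(KeyStore) takes only certificate entries as trust anchors,
            // so a keystore holding just the server's PrivateKeyEntry (step 3 above)
            // ends in "the trustAnchors parameter must be non-empty".
            System.out.println("no trustedCertEntry found: unusable as truststoreFile");
        }
    }
}
```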
