Ok thank you for the replies. It may take me some time to be able to test rev21 on the production server with its keystore (but maybe I can test it locally too - if it at least starts up). Any other info you need from me to help identify the issues needing resolution?
On Fri, Sep 22, 2017 at 1:46 AM, Mark Thomas <ma...@apache.org> wrote: > On 22 September 2017 00:41:04 BST, "André Warnier (tomcat)" <a...@ice-sa.com> > wrote: > >Hi. > > > >Could this also be the problem on the other thread "tomcat ssl setup" > >(tomcat 9) ? > > Could be, yes. It looks like there are still some problems to iron out > with the fix for keystrokes that contain keys with different passwords. > > Mark > > > > > >log : > > > >08-Sep-2017 15:24:36.300 SEVERE [main] > >org.apache.catalina.util.LifecycleBase.handleSubClassException Failed > >to initialize > >component [Connector[HTTP/1.1-8443]] > >org.apache.catalina.LifecycleException: Protocol handler initialization > >failed > >... > >Caused by: java.lang.IllegalArgumentException: > >java.security.KeyStoreException: Cannot > >store non-PrivateKeys > > at > >org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext( > AbstractJsseEndpoint.java:113) > > > > > > > > > > > >-------- Forwarded Message -------- > >Subject: Re: "Cannot store non-PrivateKeys" exception moving from > >8.0.37 to 8.5.20 - Linux > >Date: Thu, 21 Sep 2017 23:39:09 +0100 > >From: Mark Thomas <ma...@apache.org> > >Reply-To: Tomcat Users List <users@tomcat.apache.org> > >To: Tomcat Users List <users@tomcat.apache.org> > > > >On 21/09/17 17:19, Sean Dawson wrote: > >> Hello, > >> > >> We migrated our application that was running fine on 8.0.37 to 8.5.20 > >and > >> on startup we receive: > >> > >> java.lang.IllegalArgumentException: java.security.KeyStoreException: > >Cannot > >> store non-PrivateKeys > > > >Try 8.5.21. It is on the mirrors but you'll need to follow the browse > >link on the download page to find it. > > > >Mark > > > >> > >> I unfortunately deleted the logs and under time pressure we had to go > >back > >> to 8.0.37 so I don't have the full stacktrace. But I didn't see > >anything > >> else in them that looked helpful. > >> > >> I've googled and couldn't really get any good answers that applied to > >> us.This seemed a bit similar but we do have sslEnabled set (and the > >issue > >> is apparently fixed)... > >> > >> http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html > >> > >> I've tried modifying the connector based off the current 8.5 > >> documentation. But always get the above. > >> > >> We're on: CentOS release 6.9 (Final), > >> Java version "1.8.0_144" > >> > >> <Connector port="443" > >protocol="org.apache.coyote.http11.Http11NioProtocol" > >> maxThreads="150" SSLEnabled="true" > >asyncTimeout="60000" > >> compression="on" > >> scheme="https" secure="true" > > >> <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > >> TLS_RSA_WITH_3DES_EDE_CBC_SHA, > >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > >> TLS_RSA_WITH_AES_128_CBC_SHA256, > >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > >> TLS_RSA_WITH_AES_128_CBC_SHA, > >> TLS_ECDHE_RSA_WITH_RC4_128_SHA, > >> TLS_RSA_WITH_RC4_128_SHA, > >> TLS_RSA_WITH_RC4_128_MD5" > >> sslEnabledProtocols="TLSv1,TSLv1.1,TLSv1.2" > >> sslProtocol="TLS" > >> certificateVerification="false" > > >> <Certificate certificateKeystoreFile="masked" > >> certificateKeystorePassword="masked" > >> type="RSA" /> > >> </SSLHostConfig> > >> </Connector> > >> > > > > > >--------------------------------------------------------------------- > >To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > > > > >--------------------------------------------------------------------- > >To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
