Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

Zahid Rahman Wed, 08 Jan 2020 19:33:34 -0800

The second technique is to use the  *.nix command.
The result is as below
diff a.out b.out I draw your attention to third line in FILE b.out


5,7c5,7
< SSLEnabled="true" scheme="https" secure="true"
< keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
< clientAuth="false" sslProtocol="TLS" />
---
> SSLEnabled="true" scheme="https" secure="true">
> <SSLHostConfig ciphers="[REDACTED]"
> certificateVerification="none" sslProtocol="TLS">


*cat a.out*
<Connector port="8443" proxyPort="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="[REDACTED]"
maxThreads="1000" socket.appReadBufSize="1024"
socket.appWriteBufSize="1024" bufferSize="1024"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
clientAuth="false" sslProtocol="TLS" />

*cat b.out*
<Connector port="8443" proxyPort="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="[REDACTED]"
maxThreads="1000" socket.appReadBufSize="1024"
socket.appWriteBufSize="1024" bufferSize="1024"
SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig ciphers="[REDACTED]"
certificateVerification="none" sslProtocol="TLS">


www.backbutton.co.uk
♡۶¯\_(ツ)_/¯ ♡۶
Marriage of loose and tight coupling
-> healthy applications
              ♡۶
java -cp classpath class-path


On Wed, 8 Jan 2020 at 23:59, James H. H. Lampert <jam...@touchtonecorp.com>
wrote:

> I wrote:
> > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
> > and ".key" files directly, instead of the Java Keystore file?
>
> On 12/30/19 1:41 PM, Peter Kreuser wrote:
> > Correct!
>
> I tried an experiment this afternoon:
>
> I made a copy of the existing server.xml file, and I changed the active
> connector from this (keystore file and alias redacted for privacy,
> ciphers and compressibleMimeTypes clauses redacted because they're quite
> long, and not relevant here):
> > <Connector port="8443" proxyPort="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >  compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> >  compressableMimeType="[REDACTED]"
> >  maxThreads="1000" socket.appReadBufSize="1024"
> socket.appWriteBufSize="1024" bufferSize="1024"
> >  SSLEnabled="true" scheme="https" secure="true"
> >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
> >  clientAuth="false" sslProtocol="TLS" />
>
> to this:
> > <Connector port="8443" proxyPort="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >  compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> >  compressableMimeType="[REDACTED]"
> >  maxThreads="1000" socket.appReadBufSize="1024"
> socket.appWriteBufSize="1024" bufferSize="1024"
> >  SSLEnabled="true" scheme="https" secure="true">
> >   <SSLHostConfig ciphers="[REDACTED]"
> >                certificateVerification="none" sslProtocol="TLS">
> >     <Certificate certificateFile="[REDACTED].cer"
> certificateKeyFile="[REDACTED].key"
> >      certificateChainFile="[REDACTED].ca.crt" />
> >   </SSLHostConfig>
> > </Connector>
>
> and restarted Tomcat, and it failed to open the port, producing this in
> catalina.out:
> > 08-Jan-2020 23:14:09.026 SEVERE [main]
> org.apache.catalina.core.StandardService.initInternal Failed to initialize
> connector [Connector[HTTP/1.1-8443]]
> >  org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> >         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> >         at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> >         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> >         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> >         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> >         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         ... 12 more
> > Caused by: java.lang.IllegalArgumentException: Cannot store
> non-PrivateKeys
> >         at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> >         at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> >         at org.apache.tomcat.util.net
> .NioEndpoint.bind(NioEndpoint.java:244)
> >         at org.apache.tomcat.util.net
> .AbstractEndpoint.init(AbstractEndpoint.java:1105)
> >         at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
> >         at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >         at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> >         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> >         ... 13 more
> > Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
> >         at
> sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
> >         at
> sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
> >         at
> sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
> >         at
> sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
> >         at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
> >         at org.apache.tomcat.util.net
> .SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
> >         at org.apache.tomcat.util.net
> .SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
> >         at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
> >         ... 20 more
>
> Can anybody explain what I did wrong? These are fully-qualified paths to
> the certificate, chain, and key files. [REDACTED].ca.crt contains a
> certificate chain; [REDACTED].cer contains a certificate, and
> [REDACTED].key contains a private key, and they all work in Apache
> httpd, on the same box.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

Reply via email to