Ladies and Gentlemen:

I've now proceeded to the "real" server, with the Tomcat portion of the procedure refined to give me plenty of "undo" capability. And it turns out I need it.

It seems that with the unwanted update to 7.0.57 that happened on launching the test spot instances, the Let's Encrypt certs worked just fine.

But applying the procedure to the *real* development instance (7.0.40) blew up in my face, failing to open the connectors. Here is an excerpt from catalina.out, showing the stack traces.

05-Aug-2020 23:00:52.038 WARNING [main] 
org.apache.catalina.startup.SetAllPropertiesRule.begin 
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'bufferSize' 
to '1024' did not find a matching property.
05-Aug-2020 23:00:52.085 WARNING [main] 
org.apache.catalina.startup.SetAllPropertiesRule.begin 
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'bufferSize' 
to '1024' did not find a matching property.
05-Aug-2020 23:00:52.189 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version:        
Apache Tomcat/8.5.40
05-Aug-2020 23:00:52.189 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server built:          
May 2 2019 18:02:51 UTC
05-Aug-2020 23:00:52.194 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server number:         
8.5.40.0
05-Aug-2020 23:00:52.194 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Name:               
Linux
05-Aug-2020 23:00:52.194 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Version:            
4.14.121-85.96.amzn1.x86_64
05-Aug-2020 23:00:52.194 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Architecture:          
amd64
05-Aug-2020 23:00:52.195 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Java Home:             
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-0.43.amzn1.x86_64/jre
05-Aug-2020 23:00:52.195 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           
1.8.0_201-b09
05-Aug-2020 23:00:52.195 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            
Oracle Corporation
05-Aug-2020 23:00:52.195 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         
/usr/share/tomcat8
05-Aug-2020 23:00:52.196 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         
/usr/share/tomcat8
05-Aug-2020 23:00:52.196 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.base=/usr/share/tomcat8
05-Aug-2020 23:00:52.196 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.home=/usr/share/tomcat8
05-Aug-2020 23:00:52.197 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.endorsed.dirs=
05-Aug-2020 23:00:52.197 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.io.tmpdir=/var/cache/tomcat8/temp
05-Aug-2020 23:00:52.197 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.config.file=/usr/share/tomcat8/conf/logging.properties
05-Aug-2020 23:00:52.197 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
05-Aug-2020 23:00:52.198 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based 
Apache Tomcat Native library which allows optimal performance in production 
environments was not found on the java.library.path: 
[/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
05-Aug-2020 23:00:52.422 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
ProtocolHandler ["https-jsse-nio-8443"]
05-Aug-2020 23:00:52.848 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
        at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
        at 
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
        at 
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
        at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
        at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        ... 20 more

05-Aug-2020 23:00:52.857 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
ProtocolHandler ["https-jsse-nio-7443"]
05-Aug-2020 23:00:52.861 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-7443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-7443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
        at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
        at 
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
        at 
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
        at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
        at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        ... 20 more



I suspect that I will need to bring the Tomcat up to 8.5.57 here, too, before it will work. Presumably, that means tripping the same process that made the mess on the test spot instance.

It seems that when the unwanted update happened,

1. /etc/tomcat8/server.xml was left at least relatively undisturbed: our connectors were undamaged.

2. /etc/tomcat8/tomcat-users.xml was also left undisturbed.

3. /var/lib/tomcat8/webapps/manager/WEB-INF/web.xml was also left at least relatively undisturbed: because of the size of our WAR files, we increase the max-file-size and max-request-size from 50MB to 500M, and that was as we left it.

4. /var/lib/tomcat8/webapps/manager/META-INF/context.xml, however, was reset to the "factory" state, with the RemoteAddrValve active.

5. The default ROOT context overlaid our ROOT context, leaving /var/lib/tomcat8/webapps/ROOT filled with both our files and the default ones. Our ROOT.war, on the other hand, was left intact, and if I stop Tomcat, remove the ROOT context directory, and then restart Tomcat, it does unpack our ROOT.war correctly.

6. The /var/lib/tomcat8/webapps/examples context directory, which we always remove, was reinstalled.

Can anybody make sense of why some things changed, while others were left alone?

--
JHHL
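
The six observations in the list above, turned into a repeatable before/after check; this is an added example, not part of the original post. The `PREFIX` argument, the baseline file and the function names are assumptions made for illustration; the paths are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): record the state of the Tomcat
# files named in the post, then report what a package update changed.
# PREFIX is a hypothetical parameter so the check can run against a
# constructed directory tree; pass "" on a real host.

# Items 1-4 of the list, relative to PREFIX.
TRACKED="etc/tomcat8/server.xml
etc/tomcat8/tomcat-users.xml
var/lib/tomcat8/webapps/manager/WEB-INF/web.xml
var/lib/tomcat8/webapps/manager/META-INF/context.xml"
WEBAPPS="var/lib/tomcat8/webapps"

# fingerprint PREFIX: one "hash  path" line per tracked file, plus the names
# of the files inside the ROOT context (item 5), so overlaid files show as new.
fingerprint() {
    for f in $TRACKED; do
        if [ -f "$1/$f" ]; then
            printf '%s  %s\n' "$(sha256sum < "$1/$f" | cut -d' ' -f1)" "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done
    if [ -d "$1/$WEBAPPS/ROOT" ]; then
        (cd "$1/$WEBAPPS/ROOT" && find . -type f | sort | sed 's|^\./|ROOTFILE  |')
    fi
}

# check_drift PREFIX BASELINE: print findings; exit status 1 if there are any.
check_drift() {
    now=$(mktemp) || return 2
    fingerprint "$1" > "$now"
    # Lines present now but absent from the baseline: a tracked file whose
    # hash changed (or that vanished), or a file newly added under ROOT.
    drift=$(grep -Fxv -f "$2" "$now" | sed 's/^/CHANGED-OR-NEW: /')
    rm -f "$now"
    # Item 6: the examples context is expected to stay removed.
    if [ -d "$1/$WEBAPPS/examples" ]; then
        drift="$drift
REINSTALLED: $WEBAPPS/examples"
    fi
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift" | sed '/^$/d'
    return 1
}
```

Run `fingerprint "" > baseline.txt` before the update and `check_drift "" baseline.txt` after it; files deleted from ROOT are not reported, only changed or added ones.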
