All,

Anyone ever seen this before?

I'm using an older Tomcat (7.0.x) on an older Java (1.7.0_80) along with a certificate from Let's Encrypt. This was the server I used to initially develop my "Let's Encrypt Apache Tomcat" presentation and scripts, so I am familiar with the process and everything that needs to happen.

I was updating the script to use the new snap-based certbot instead of the older one which is fraught with dependency issues, etc. and I'm able to renew the certificate just fine, but after assembling the PKCS12 keystore, I'm getting this error when Tomcat attempts to start the HTTPS connector.

My old script first converted from raw PEM files to PKCS12 using the "openssl pkcs12" command, then converted to JKS using Java's "keytool". I decided to cut out the middleman and use PKCS12 files directly this time.

Here is my (sanitized) <Connector> configuration:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="${catalina.base}/keystore.p12"
               keystoreType="PKCS12"
               keystorePass="changeit"
               keyPass="changeit"
               truststoreType="PKCS12"
               URIEncoding="UTF-8"
               sslProtocol="SSL"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               bindOnInit="false"
               ciphers="
                   TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                   TLS_RSA_WITH_AES_256_CBC_SHA256,
                   TLS_RSA_WITH_AES_256_CBC_SHA,
                   TLS_RSA_WITH_AES_128_CBC_SHA256,
                   TLS_RSA_WITH_AES_128_CBC_SHA
               "
               sslEnabledProtocols="TLSv1.2" />

I added the "truststoreType" just in case Tomcat was using the keystoreType as the truststoreType, and defaulting to using the keystore as the truststore. None of those things are true, but I left it in the configuration.

When using "keytool" on the command-line to dump the certs, I get no errors and the keystore contains the expected data.

Here is the command I use to assemble the pkcs12 file:

    openssl pkcs12 -export -in "${LE_BASE}/cert.pem" -inkey "${LE_BASE}/privkey.pem" \
                   -certfile "${LE_BASE}/fullchain.pem" \
                   -out "${CATALINA_BASE}/${HOSTNAME}.p12" -name tomcat \
                   -passout "pass:changeit"

Here is the complete stack trace of the error:

Aug 16, 2021 10:22:23 AM org.apache.coyote.AbstractProtocol start
SEVERE: Failed to start end point associated with ProtocolHandler ["http-nio-8443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
        at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
        at sun.security.util.DerValue.init(DerValue.java:365)
        at sun.security.util.DerValue.<init>(DerValue.java:320)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
        at java.security.KeyStore.load(KeyStore.java:1226)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)

Aug 16, 2021 10:22:23 AM org.apache.catalina.core.StandardService startInternal
SEVERE: Failed to start connector [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Catalina"; Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1014)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 11 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
        at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
        at sun.security.util.DerValue.init(DerValue.java:365)
        at sun.security.util.DerValue.<init>(DerValue.java:320)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
        at java.security.KeyStore.load(KeyStore.java:1226)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
        ... 12 more


Any help would be appreciated.

-chris
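An added diagnostic, not part of the post or of Tomcat: the trace fails inside JSSESocketFactory.getTrustStore, i.e. while KeyStore.load reads the trust store as PKCS12, and "lengthTag=109" is what the JDK's DER reader reports when the second byte of a file is 0xED (a JKS file such as the JDK's cacerts begins with the magic 0xFEEDFEED). The script below, using constructed sample bytes, sniffs a keystore's header and reproduces that length check so a file can be identified before Tomcat tries to parse it; der_length, probe_as_pkcs12 and sniff_keystore are names chosen here.

```python
"""Keystore header sniffer reproducing sun.security.util.DerInputStream.getLength."""

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # header of a Java JKS keystore (e.g. $JAVA_HOME/lib/security/cacerts)
DER_SEQUENCE = 0x30              # first byte of a DER-encoded PKCS12 file (PFX ::= SEQUENCE)


def der_length(buf: bytes, offset: int = 0) -> tuple:
    """Decode a DER length field the way DerInputStream.getLength does.

    Returns (length, bytes_consumed). Raises IOError with the JDK's own message when the
    long form claims more than 4 length bytes (lengthTag > 4).
    """
    len_byte = buf[offset]
    if len_byte & 0x80 == 0:            # short form: the byte itself is the length
        return len_byte, 1
    tag = len_byte & 0x7F               # long form: number of length bytes that follow
    if tag == 0:
        return -1, 1                    # indefinite length (BER), not valid in DER
    if tag > 4:
        raise IOError("DerInputStream.getLength(): lengthTag=%d, too big." % tag)
    value = int.from_bytes(buf[offset + 1:offset + 1 + tag], "big")
    return value, 1 + tag


def probe_as_pkcs12(buf: bytes) -> str:
    """Emulate the first step of PKCS12KeyStore.engineLoad: read the tag byte, then the length."""
    if len(buf) < 2:
        return "error: truncated"
    tag = buf[0]
    try:
        length, _ = der_length(buf, 1)
    except IOError as e:
        return "error: %s" % e
    if tag != DER_SEQUENCE:
        return "error: tag 0x%02x is not SEQUENCE" % tag
    return "ok: SEQUENCE of %d bytes" % length


def sniff_keystore(buf: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    if buf.startswith(JKS_MAGIC):
        return "JKS"
    if buf.startswith(b"-----BEGIN "):
        return "PEM"
    if buf[:1] == bytes([DER_SEQUENCE]):
        return "DER"
    return "unknown"


# Constructed samples (not real keystores): a JKS v2 header with no entries, and the
# first bytes of a PKCS12 PFX: SEQUENCE, length 0x052a, then INTEGER 3 (PFX version).
JKS_HEADER = JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x00"
P12_HEADER = b"\x30\x82\x05\x2a\x02\x01\x03"

if __name__ == "__main__":
    for name, data in (("cacerts-like", JKS_HEADER), ("keystore.p12-like", P12_HEADER)):
        print(name, sniff_keystore(data), probe_as_pkcs12(data))
```

Run it against the real files with `open(path, "rb").read(16)` to see which store Tomcat is actually choking on.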

